Can't get IE to open

scalelar · 07-29-2006, 09:18 PM

Don't know what it is but here are the symptoms.
IExplorer will not open it says there is an iexplore.exe running as a process.
I can't get out to the internet so I can't run any of the online virus programs.
Adaware will not run in safe mode but will in normal mode. It found several thing and cleared them off.
The VX2cleaner will run in safe mode but found nothing.
CWShredder found nothing .
Spybot found several things and cleaned them off.

Windows 2000 operating system on an old dell lattitude.

I have a Symantec virus protection on this system that says scan engine returned error 0x20000058 when I try to do a scan.
It has also quarantined a file c886e747,exe 21 times. This file is running as a process.

Here is the HiJackThis log

Logfile of HijackThis v1.98.2
Scan saved at 11:08:14 PM, on 7/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\Explorer.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.twoplustwo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.78.41.120:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.mars;<local>
R3 - URLSearchHook: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O2 - BHO: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - HKLM\..\Run: [c886e747.exe] C:\WINNT\system32\c886e747.exe
O4 - HKLM\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\testtestt.exe
O4 - HKCU\..\Run: [Nxbc] C:\WINNT\??crosoft.NET\m?dtc.exe
O4 - HKCU\..\Run: [Wlrs] "C:\WINNT\ECURIT~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [c886e747.exe] C:\Documents and Settings\LWS\Local Settings\Application Data\c886e747.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\LWS\LOCALS~1\Temp\4F.tmp3072.exe
O4 - HKCU\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - HKCU\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = Internet Apps\WinZip 9.0\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F97B83-2FE0-4BAD-835B-9DFAD9C2C25D}: NameServer = 110.98.40.30,110.92.12.129,110.74.8.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1615399-1895-4765-8558-94C104E998DC}: NameServer = 110.98.40.30,110.92.12.129,110.74.8.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3012093-3B71-4370-B3ED-51A01AC2D1BC}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O20 - AppInit_DLLs: C:\WINNT\system32\dexplore.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: zrPRxDGgC - {98CCC060-3266-6ACA-09B6-8EC095FC6302} - C:\WINNT\system32\opp.dll (file missing)

Any help will be appreciated

scalelar · 07-31-2006, 07:39 AM

bump.

Ried · 07-31-2006, 11:31 AM

Hello scalelar,

Our apologies for the delay. We are a bit short-handed due to summer vacations.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

**********************************************************************************************************

Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

----------------------

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

----------------------

Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop. Do not run it yet.

----------------------

Click Start > Control Panel > Add/Remove Programs

In the list of installed software, look for:
PuritySCAN By OIN
OuterInfo OIN
Snowballwars
Cowabunga or similar
If you find it:
Click on it and click Remove.
Reboot and delete the folder C:\Program Files\PurityScan and also delete the folders of any of the programs you found in the Add/Remove panel. These would be located in C:\Program Files.
if not:
Download and run the Oiuninstaller
There is a tutorial for the uninstaller available
When the uninstaller is done, reboot and delete the folder C:\Program Files\PurityScan (if it's still there)

--------------------------------------------------

Click Start->Run - type services.msc & then click on the OK button
*Locate the service - zrPRxDGgC
*Double-click on it to open the Properties dialog.
*Under the General tab:
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in the zrPRxDGgC Click OK and allow reboot. Go directly to Safe Mode.

-----------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login on your usual account. Make sure to close any open browsers.

-----------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

BHO Plugin

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any)

R3 - URLSearchHook: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O2 - BHO: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll
O4 - HKLM\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - HKLM\..\Run: [c886e747.exe] C:\WINNT\system32\c886e747.exe
O4 - HKLM\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\testtestt.exe
O4 - HKCU\..\Run: [Nxbc] C:\WINNT\??crosoft.NET\m?dtc.exe
O4 - HKCU\..\Run: [Wlrs] "C:\WINNT\ECURIT~1\alg.exe" -vt yazr
O4 - HKCU\..\Run: [c886e747.exe] C:\Documents and Settings\LWS\Local Settings\Application Data\c886e747.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\LWS\LOCALS~1\Temp\4F.tmp3072.exe
O4 - HKCU\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O4 - HKCU\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: zrPRxDGgC - {98CCC060-3266-6ACA-09B6-8EC095FC6302} - C:\WINNT\system32\opp.dll (file missing)

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Delete the following Files and Folder if they still exist.

C:\WINNT\system32\ rdtypk.dll
C:\WINNT\system32\ c886e747.exe
C:\WINNT\system32\ testtestt.exe
C:\Documents and Settings\LWS\Local Settings\Application Data\ c886e747.exe
C:\Program Files\ BHO Plugin

------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.

Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

------------------------------------------------

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:

Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
Click on see report. Then click Save report

----------------------

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Please include the following in your next reply:

Ewido results
Panda results
SmitfraudFix log
New HijackThis log

scalelar · 07-31-2006, 08:36 PM

First and foremost I would like to say thanks.
Everything went smooth till I ran ewido it would not scan in safe mode so i rebooted and ran it in normal mode.

Here are the logs.
Ewido.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:45:32 PM 7/31/2006

+ Scan result:

HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\LWS\My Documents\Τаsks\chkntfs.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\Program Files\RemoteAdministrator\radmin.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.21 : Ignored.
C:\WINNT\system32\2236_28.dll -> Trojan.Agent.pk : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).

::Report end

Panda

Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\LWS\My Documents\??sks\??sks\!update-4175.0000
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\unzipped\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20060728-162711.backup
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20060728-162712.backup
Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20060728-170842.backup
Potentially unwanted tool:Application/Processor Not disinfected G:\(E) Removable Disk\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Smit

SmitFraudFix v2.76

Scan done at 22:31:20.35, Mon 07/31/2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\LWS\Application Data

C:\Documents and Settings\LWS\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LWS\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

and Hijack

ogfile of HijackThis v1.99.1
Scan saved at 10:33:23 PM, on 7/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\winzip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.twoplustwo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.78.41.120:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.taps;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\winzip\WZQKPICK.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F97B83-2FE0-4BAD-835B-9DFAD9C2C25D}: NameServer = 110.98.40.30,110.92.12.129,10.64.8.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1615399-1895-4765-8558-94C104E998DC}: NameServer = 110.98.40.30,110.92.12.129,10.64.8.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3012093-3B71-4370-B3ED-51A01AC2D1BC}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

Thanks again u guys do great work

Ried · 07-31-2006, 09:11 PM

Hi scalelar,

Thank you.

We're almost through here. Another nasty has now shown it's face--let's see if it will go quietly.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

********************************************

Reboot into Safe Mode.

-----------------------------------

Open HijackThis>Config>Misc Tools

Select 'Delete A File on Reboot...'
Copy/paste the following into the 'file name' field:

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

Do not reboot yet!

-----------------------------------

Run a scan with HijackThis. Check the following entry:

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Delete the following Folder

C:\Documents and Settings\LWS\My Documents\ ??sks\??sks\!update-4175.0000 <-- The ?? can be any character. Make sure you're in the location as listed above and if you're not sure you have the correct folder, go ahead and open the folder--it will contain another folder within it ( ??asks ) and the file !!update-4175.0000

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Run another scan with HijackThis and post the log here.

How is your system behaving now?

scalelar · 08-01-2006, 04:32 PM

Thanks again
The system is performing much better.Still a little long on bootup but I think thats normal.
Here is the last log

Logfile of HijackThis v1.99.1
Scan saved at 6:32:10 PM, on 8/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\winzip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.twoplustwo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 110.78.41.120:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.taps;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\winzip\WZQKPICK.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F97B83-2FE0-4BAD-835B-9DFAD9C2C25D}: NameServer = 110.98.40.30,110.92.12.129,110.64.8.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1615399-1895-4765-8558-94C104E998DC}: NameServer = 110.98.40.30,110.92.12.129,110.64.8.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3012093-3B71-4370-B3ED-51A01AC2D1BC}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

Thanks again

Ried · 08-01-2006, 07:33 PM

Hi scalelar,

Now that the file has been eliminated, the entry should go quietly.

From Normal Mode:

Close any open browsers. Run a scan with HijackThis. 'Check' the following entry:

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)

Click 'Fix Checked' and close HijackThis.

------------------------------

I'd like to do one more online scan as a second opinion:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

scalelar · 08-02-2006, 07:43 AM

Ried
My daughter got online thinking the problem was fixed(I wasn't here).
kaspersky found alot of entries
Wednesday, August 02, 2006 12:28:39 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 2/08/2006
Kaspersky Anti-Virus database records: 211498

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\

Scan Statistics
Total number of scanned objects 23400
Number of viruses found 12
Number of infected objects 40
Number of suspicious objects 0
Duration of the scan process 00:37:04

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03580000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03580001.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04F40000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05540000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05C40000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06200000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640000.VBN Infected: Backdoor.Win32.Agent.adr skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640001.VBN Infected: Backdoor.Win32.Agent.adr skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640002.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640003.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640004.VBN Infected: Trojan-Downloader.Win32.Tibs.gc skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640005.VBN Infected: Trojan-Downloader.Win32.Tibs.gc skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06740000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06A40000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06A80000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E00000.VBN/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E00000.VBN NSIS: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E00000.VBN CryptZ: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07100000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07100001.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07200000.VBN Infected: Trojan.Win32.ExitWin.z skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07240000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\073C0000.VBN Infected: Trojan-Proxy.Win32.Agent.df skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\077C0000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08600000.VBN Infected: Trojan-Downloader.Win32.Small.bsq skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08680000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\086C0000.VBN Infected: Trojan-Downloader.Win32.Tibs.gc skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\086C0001.VBN Infected: Trojan-PSW.Win32.Sinowal.ae skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08700001.VBN Infected: Backdoor.Win32.Agent.adr skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08800000.VBN Infected: Trojan-PSW.Win32.Sinowal.ah skipped

C:\Program Files\RemoteAdministrator\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped

C:\Program Files\RemoteAdministrator\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped

C:\RadminInst\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped

C:\RadminInst\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped

C:\RadminInst\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped

C:\RadminInst\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped

C:\RadminInst\RADMIN21.EXE Gentee: infected - 4 skipped

Scan process completed.

here is the HJ log

Logfile of HijackThis v1.99.1
Scan saved at 9:42:43 AM, on 8/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\winzip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.twoplustwo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.78.41.120:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.taps;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\winzip\WZQKPICK.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F97B83-2FE0-4BAD-835B-9DFAD9C2C25D}: NameServer = 10.78.40.30,10.82.12.129,10.64.8.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1615399-1895-4765-8558-94C104E998DC}: NameServer = 10.78.40.30,10.82.12.129,10.64.8.147
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3012093-3B71-4370-B3ED-51A01AC2D1BC}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing)
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

Ried · 08-02-2006, 08:46 AM

Hi scalelar,

The Kaspersky finds are nothing malicious. Empty your Norton AntiVirus Corporate Edition Quarantine. The other entries are simply noting a non malicious tool.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links.

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected again will reduce dramatically.

scalelar · 08-02-2006, 07:10 PM

Thanks Ried
I'll be sending you guys a check.

07-29-2006, 09:18 PM	#1 (permalink)
scalelar Registered User Join Date: Oct 2005 Posts: 8 OS: XP	Can't get IE to open Don't know what it is but here are the symptoms. IExplorer will not open it says there is an iexplore.exe running as a process. I can't get out to the internet so I can't run any of the online virus programs. Adaware will not run in safe mode but will in normal mode. It found several thing and cleared them off. The VX2cleaner will run in safe mode but found nothing. CWShredder found nothing . Spybot found several things and cleaned them off. Windows 2000 operating system on an old dell lattitude. I have a Symantec virus protection on this system that says scan engine returned error 0x20000058 when I try to do a scan. It has also quarantined a file c886e747,exe 21 times. This file is running as a process. Here is the HiJackThis log Logfile of HijackThis v1.98.2 Scan saved at 11:08:14 PM, on 7/29/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINNT\Explorer.EXE C:\HiJackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.twoplustwo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.78.41.120:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.;.mars;<local> R3 - URLSearchHook: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll O2 - BHO: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe O4 - HKLM\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - HKLM\..\Run: [c886e747.exe] C:\WINNT\system32\c886e747.exe O4 - HKLM\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\testtestt.exe O4 - HKCU\..\Run: [Nxbc] C:\WINNT\??crosoft.NET\m?dtc.exe O4 - HKCU\..\Run: [Wlrs] "C:\WINNT\ECURIT~1\alg.exe" -vt yazr O4 - HKCU\..\Run: [c886e747.exe] C:\Documents and Settings\LWS\Local Settings\Application Data\c886e747.exe O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe" O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\LWS\LOCALS~1\Temp\4F.tmp3072.exe O4 - HKCU\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - HKCU\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE O4 - Global Startup: WinZip Quick Pick.lnk = Internet Apps\WinZip 9.0\WZQKPICK.EXE O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{70F97B83-2FE0-4BAD-835B-9DFAD9C2C25D}: NameServer = 110.98.40.30,110.92.12.129,110.74.8.147 O17 - HKLM\System\CCS\Services\Tcpip\..\{A1615399-1895-4765-8558-94C104E998DC}: NameServer = 110.98.40.30,110.92.12.129,110.74.8.147 O17 - HKLM\System\CCS\Services\Tcpip\..\{E3012093-3B71-4370-B3ED-51A01AC2D1BC}: NameServer = 192.168.1.254 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O20 - AppInit_DLLs: C:\WINNT\system32\dexplore.dll O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file) O21 - SSODL: zrPRxDGgC - {98CCC060-3266-6ACA-09B6-8EC095FC6302} - C:\WINNT\system32\opp.dll (file missing) Any help will be appreciated

07-31-2006, 07:39 AM	#2 (permalink)
scalelar Registered User Join Date: Oct 2005 Posts: 8 OS: XP	bump bump.

07-31-2006, 11:31 AM	#3 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Hello scalelar, Our apologies for the delay. We are a bit short-handed due to summer vacations. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ******************************************************************************************************** Download ewido anti-spyware from HERE and save that file to your desktop. This is a 30 day trial of the program Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete you will need run ewido and update the definition files. On the main screen select the icon "Update" then select the "Update now" link. Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Close ewido anti-spyware, Do Not run a scan just yet, we will shortly. ---------------------- Download and install CleanUp! but do not run it yet. (Not Recommended for XP64). ---------------------- Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop. Do not run it yet. ---------------------- Click Start > Control Panel > Add/Remove Programs In the list of installed software, look for: PuritySCAN By OIN OuterInfo OIN Snowballwars Cowabunga or similar If you find it: Click on it and click Remove. Reboot and delete the folder C:\Program Files\PurityScan and also delete the folders of any of the programs you found in the Add/Remove panel. These would be located in C:\Program Files. if not: Download and run the Oiuninstaller There is a tutorial for the uninstaller available When the uninstaller is done, reboot and delete the folder C:\Program Files\PurityScan (if it's still there) -------------------------------------------------- Click Start->Run - type services.msc** & then click on the OK button Locate the service - zrPRxDGgC* Double-click on it to open the Properties dialog. Under the General tab: Stop the service by using the Stop* button. Change the Startup type to Disabled* & then click on the OK button Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in the zrPRxDGgC* Click OK and allow reboot. Go directly to Safe Mode. ----------------------------------- Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. 5) Login on your usual account. Make sure to close any open browsers. ----------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: BHO Plugin ----------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) R3 - URLSearchHook: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll O2 - BHO: (no name) - {D9093156-A296-F43E-CD4B-F6BAA86641C7} - C:\WINNT\system32\rdtypk.dll O4 - HKLM\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - HKLM\..\Run: [c886e747.exe] C:\WINNT\system32\c886e747.exe O4 - HKLM\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\testtestt.exe O4 - HKCU\..\Run: [Nxbc] C:\WINNT\??crosoft.NET\m?dtc.exe O4 - HKCU\..\Run: [Wlrs] "C:\WINNT\ECURIT~1\alg.exe" -vt yazr O4 - HKCU\..\Run: [c886e747.exe] C:\Documents and Settings\LWS\Local Settings\Application Data\c886e747.exe O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe" O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\LWS\LOCALS~1\Temp\4F.tmp3072.exe O4 - HKCU\..\Run: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O4 - HKCU\..\RunServices: [vlansys] C:\DOCUME~1\LWS\LOCALS~1\Temp\4A.tmp O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file) O21 - SSODL: zrPRxDGgC - {98CCC060-3266-6ACA-09B6-8EC095FC6302} - C:\WINNT\system32\opp.dll (file missing) Click 'Fix Checked' and close HijackThis. ----------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK. ----------------------------------- Delete the following Files and Folder if they still exist. C:\WINNT\system32\ rdtypk.dll C:\WINNT\system32\ c886e747.exe C:\WINNT\system32\ testtestt.exe C:\Documents and Settings\LWS\Local Settings\Application Data\ c886e747.exe C:\Program Files\ BHO Plugin ------------------------------------------------ WARNING Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the "Temporary Files"* and uncheck the box for "Scan drives for file matching" if it's checked. Click OK Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. ------------------------------------------------ IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess: Lauch ewido-anti-spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". ewido will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important). Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan. Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner. ----------------------------------- Reboot into Normal Mode. ----------------------------------- Perform an online scan using Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report ---------------------- Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter" and a text file will appear which lists infected files (if present). Please copy/paste the content of that report into your next reply. IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so! Please include the following in your next reply: Ewido results Panda results SmitfraudFix log New HijackThis log __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

07-31-2006, 08:36 PM	#4 (permalink)
scalelar Registered User Join Date: Oct 2005 Posts: 8 OS: XP	Thanks First and foremost I would like to say thanks. Everything went smooth till I ran ewido it would not scan in safe mode so i rebooted and ran it in normal mode. Here are the logs. Ewido. --------------------------------------------------------- ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 9:45:32 PM 7/31/2006 + Scan result: HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined). C:\Documents and Settings\LWS\My Documents\Τаsks\chkntfs.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined). C:\Program Files\RemoteAdministrator\radmin.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.21 : Ignored. C:\WINNT\system32\2236_28.dll -> Trojan.Agent.pk : Cleaned with backup (quarantined). C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined). ::Report end Panda Incident Status Location Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\LWS\My Documents\??sks\??sks\!update-4175.0000 Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\unzipped\SmitfraudFix\SmitfraudFix\Process.exe Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20060728-162711.backup Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20060728-162712.backup Virus:Trj/Qhost.gen Disinfected C:\WINNT\system32\drivers\etc\hosts.20060728-170842.backup Potentially unwanted tool:Application/Processor Not disinfected G:\(E) Removable Disk\SmitfraudFix.zip[SmitfraudFix/Process.exe] Smit SmitFraudFix v2.76 Scan done at 22:31:20.35, Mon 07/31/2006 Run from C:\unzipped\SmitfraudFix\SmitfraudFix OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\LWS\Application Data C:\Documents and Settings\LWS\Application Data\Install.dat FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LWS\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End and Hijack ogfile of HijackThis v1.99.1 Scan saved at 10:33:23 PM, on 7/31/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\Program Files\Common Files\Rockwell\EventServer.exe C:\WINNT\System32\svchost.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE C:\PROGRA~1\NavNT\rtvscan.exe C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE C:\WINNT\system32\regsvc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe C:\Program Files\Common Files\Rockwell\RsvcHost.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe C:\Program Files\Common Files\Rockwell\RnaDirServer.exe C:\WINNT\Explorer.EXE C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe C:\Program Files\Apoint\Apoint.exe C:\PROGRA~1\NavNT\vptray.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE C:\winzip\WZQKPICK.EXE C:\Program Files\Apoint\Apntex.exe C:\WINNT\system32\wuauclt.exe C:\unzipped\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.twoplustwo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.78.41.120:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.;.taps;<local> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\winzip\WZQKPICK.EXE O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{70F97B83-2FE0-4BAD-835B-9DFAD9C2C25D}: NameServer = 110.98.40.30,110.92.12.129,10.64.8.147 O17 - HKLM\System\CCS\Services\Tcpip\..\{A1615399-1895-4765-8558-94C104E998DC}: NameServer = 110.98.40.30,110.92.12.129,10.64.8.147 O17 - HKLM\System\CCS\Services\Tcpip\..\{E3012093-3B71-4370-B3ED-51A01AC2D1BC}: NameServer = 192.168.1.254 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing) O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe Thanks again u guys do great work

07-31-2006, 09:11 PM	#5 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Hi scalelar, Thank you. We're almost through here. Another nasty has now shown it's face--let's see if it will go quietly. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions. ****************************************** Reboot into Safe Mode. ----------------------------------- Open HijackThis>Config>Misc Tools Select 'Delete A File on Reboot...' Copy/paste the following into the 'file name' field: C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll Do not reboot yet! ----------------------------------- Run a scan with HijackThis. Check the following entry: O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll Click 'Fix Checked' and close HijackThis. ----------------------------------- Delete the following Folder C:\Documents and Settings\LWS\My Documents\ ??sks\??sks\!update-4175.0000** <-- The ?? can be any character. Make sure you're in the location as listed above and if you're not sure you have the correct folder, go ahead and open the folder--it will contain another folder within it ( ??asks ) and the file !!update-4175.0000 ----------------------------------- Reboot into Normal Mode. ----------------------------------- Run another scan with HijackThis and post the log here. How is your system behaving now? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul." Last edited by Ried; 07-31-2006 at 09:12 PM.

08-01-2006, 04:32 PM	#6 (permalink)
scalelar Registered User Join Date: Oct 2005 Posts: 8 OS: XP	Thanks again The system is performing much better.Still a little long on bootup but I think thats normal. Here is the last log Logfile of HijackThis v1.99.1 Scan saved at 6:32:10 PM, on 8/1/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\Program Files\Common Files\Rockwell\EventServer.exe C:\WINNT\System32\svchost.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE C:\PROGRA~1\NavNT\rtvscan.exe C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE C:\WINNT\system32\regsvc.exe C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe C:\WINNT\Explorer.EXE C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe C:\Program Files\Common Files\Rockwell\RsvcHost.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\mspmspsv.exe C:\Program Files\Apoint\Apoint.exe C:\WINNT\system32\svchost.exe C:\PROGRA~1\NavNT\vptray.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE C:\winzip\WZQKPICK.EXE C:\Program Files\Apoint\Apntex.exe C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe C:\Program Files\Common Files\Rockwell\RnaDirServer.exe C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe C:\unzipped\hijackthis\HijackThis.exe C:\WINNT\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.twoplustwo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 110.78.41.120:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.;.taps;<local> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\winzip\WZQKPICK.EXE O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{70F97B83-2FE0-4BAD-835B-9DFAD9C2C25D}: NameServer = 110.98.40.30,110.92.12.129,110.64.8.147 O17 - HKLM\System\CCS\Services\Tcpip\..\{A1615399-1895-4765-8558-94C104E998DC}: NameServer = 110.98.40.30,110.92.12.129,110.64.8.147 O17 - HKLM\System\CCS\Services\Tcpip\..\{E3012093-3B71-4370-B3ED-51A01AC2D1BC}: NameServer = 192.168.1.254 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing) O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing) O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe Thanks again

08-01-2006, 07:33 PM	#7 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Hi scalelar, Now that the file has been eliminated, the entry should go quietly. From Normal Mode: Close any open browsers. Run a scan with HijackThis. 'Check' the following entry: O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing) Click 'Fix Checked' and close HijackThis. ------------------------------ I'd like to do one more online scan as a second opinion: Please perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with a new HijackThis log. * Turn off the real time scanner of any existing antivirus program while performing the online scan __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-02-2006, 07:43 AM	#8 (permalink)
scalelar Registered User Join Date: Oct 2005 Posts: 8 OS: XP	Ried My daughter got online thinking the problem was fixed(I wasn't here). kaspersky found alot of entries Wednesday, August 02, 2006 12:28:39 AM Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195) Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 2/08/2006 Kaspersky Anti-Virus database records: 211498 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target My Computer A:\ C:\ Scan Statistics Total number of scanned objects 23400 Number of viruses found 12 Number of infected objects 40 Number of suspicious objects 0 Duration of the scan process 00:37:04 Infected Object Name Virus Name Last Action C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03580000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03580001.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04F40000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05540000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05C40000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06200000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640000.VBN Infected: Backdoor.Win32.Agent.adr skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640001.VBN Infected: Backdoor.Win32.Agent.adr skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640002.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640003.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640004.VBN Infected: Trojan-Downloader.Win32.Tibs.gc skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640005.VBN Infected: Trojan-Downloader.Win32.Tibs.gc skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06740000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06A40000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06A80000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E00000.VBN/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E00000.VBN NSIS: infected - 1 skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E00000.VBN CryptZ: infected - 1 skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07100000.VBN Infected: Trojan-Downloader.Win32.Delf.ags skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07100001.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07200000.VBN Infected: Trojan.Win32.ExitWin.z skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07240000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\073C0000.VBN Infected: Trojan-Proxy.Win32.Agent.df skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\077C0000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\083C0000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08600000.VBN Infected: Trojan-Downloader.Win32.Small.bsq skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08680000.VBN Infected: Trojan-Downloader.Win32.Obfuscated.n skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\086C0000.VBN Infected: Trojan-Downloader.Win32.Tibs.gc skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\086C0001.VBN Infected: Trojan-PSW.Win32.Sinowal.ae skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08700001.VBN Infected: Backdoor.Win32.Agent.adr skipped C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08800000.VBN Infected: Trojan-PSW.Win32.Sinowal.ah skipped C:\Program Files\RemoteAdministrator\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped C:\Program Files\RemoteAdministrator\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped C:\RadminInst\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped C:\RadminInst\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped C:\RadminInst\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped C:\RadminInst\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped C:\RadminInst\RADMIN21.EXE Gentee: infected - 4 skipped Scan process completed. here is the HJ log Logfile of HijackThis v1.99.1 Scan saved at 9:42:43 AM, on 8/2/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\Program Files\Common Files\Rockwell\EventServer.exe C:\WINNT\System32\svchost.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE C:\PROGRA~1\NavNT\rtvscan.exe C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE C:\WINNT\system32\regsvc.exe C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe C:\Program Files\Common Files\Rockwell\RsvcHost.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe C:\Program Files\Common Files\Rockwell\RnaDirServer.exe C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\wuauclt.exe C:\Program Files\Apoint\Apoint.exe C:\PROGRA~1\NavNT\vptray.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE C:\winzip\WZQKPICK.EXE C:\Program Files\Apoint\Apntex.exe C:\unzipped\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.twoplustwo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.78.41.120:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.;.taps;<local> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\winzip\WZQKPICK.EXE O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{70F97B83-2FE0-4BAD-835B-9DFAD9C2C25D}: NameServer = 10.78.40.30,10.82.12.129,10.64.8.147 O17 - HKLM\System\CCS\Services\Tcpip\..\{A1615399-1895-4765-8558-94C104E998DC}: NameServer = 10.78.40.30,10.82.12.129,10.64.8.147 O17 - HKLM\System\CCS\Services\Tcpip\..\{E3012093-3B71-4370-B3ED-51A01AC2D1BC}: NameServer = 192.168.1.254 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.na.taps,na.taps,taps O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE O23 - Service: RSLinx Enterprise (RSLinxNG) - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe" /service (file missing) O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

08-02-2006, 08:46 AM	#9 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,798 OS: WinXP and Vista	Hi scalelar, The Kaspersky finds are nothing malicious. Empty your Norton AntiVirus Corporate Edition Quarantine. The other entries are simply noting a non malicious tool. Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links. Reset hidden/system files and folders Windows XP =============== Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View tab. * Deselect the Show hidden files and folders option. * Select the Hide file extensions for known types option. * Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Enable Windows Auto Update Go to Start>Run* - type wuaucpl.cpl Tick on the checkbox - "Keep my computer up to date" Under *Settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point* Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will prevent any reinfection from previous restore points. Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you do not already have them: Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items . Download Spyware Guard to catch and block spyware before it can execute. Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD) From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list, by typing 2 Then return to the main menu. Select option #4 - Add the old porn sites domain, by typing 4 Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles: HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls **Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. Follow this list and your potential for being infected again will reduce dramatically. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-02-2006, 07:10 PM	#10 (permalink)
scalelar Registered User Join Date: Oct 2005 Posts: 8 OS: XP	Thanks Ried I'll be sending you guys a check.