system hangs, error loading hrcopul.dll, downloader.Agent.uj, HJT log

neelapalas · Jan 26, 2007

My system is infected with some virus which i am not able to get rid off. Please help me get rid of these virus.

Symptoms and observations:
- system hangs in 5-15 minutes. Acts as if it has its own brain.
- task manager shows 100% cpu usage in no time
- system makes beeping sound
- at start up i get "Error loading: C:/documents and settings/..../local settings/application data/hrcopul.dll" The specified module couldn't be found.
- Downloader.Agent.uj shows up no matter how many times i delete it in Anti spyware programs. Downloader.Agent.uj shows up in AVG Anti-spyware 7.x (latest version)
- at the system startup it directly starts without giving me an option to select 'Start using windows 2000 professional'. I am not sure if i am supposed to be concerned about this. However if i use F8 at system start up i get those options which would ask you if i need to start in safe mode, etc..

Threats that show up in AVG Anti-spyware program:
- Downloader.Agent.uj
- Downloader.small.buy
- Downloader.Tibs.jy
I also noticed Trojon, and some other worms before. I am not able to run my AVG Anti-spyware program long enough to get these worms show again.

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:41 AM, on 1/26/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\ccsrvc.exe
C:\Program Files\myCompanyName VPN Client\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\atiptaxx.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Verizon\SMARTB~1\SBHookSvc.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\aexruncontrol.exe
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXInvSoln.exe
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\aexauditpls.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ptbjdsg.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINNT\system32\nweipeg.dll (file missing)
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINNT\system32\BHOManager.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\kernels1118.exe
O4 - HKLM\..\Run: [hrcopul.dll] C:\WINNT\system32\rundll32.exe "C:\Documents and Settings\neelaps\Local Settings\Application Data\hrcopul.dll",vuljcec
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\Windows\xpupdate.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: myCompanyName VPN Client.lnk = C:\Program Files\myCompanyName VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165665269086
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{102240BD-2E4C-40AF-8F9C-6F40B2A8A34D}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{34B23320-7ECC-4B92-BC29-E83DF4DCE302}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{53D5B2E0-24B5-4F65-8102-CC7A91348871}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{C64E0CB7-AC74-4554-9606-35EB651BC984}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.110 85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\..\{102240BD-2E4C-40AF-8F9C-6F40B2A8A34D}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.110 85.255.112.151
O17 - HKLM\System\CS2\Services\Tcpip\..\{102240BD-2E4C-40AF-8F9C-6F40B2A8A34D}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.110 85.255.112.151
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINNT\system32\Hkjbmmmd.dll (file missing)
O21 - SSODL: wvLxmaatL - {50C836A0-FA62-9C0A-766A-0F4071FA1E22} - C:\WINNT\system32\cdab.dll (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e te-110-12-0000273 (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\myCompanyName VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FLEXlm Service 1 - Globetrotter Software Inc - C:\Program Files\ESRI\License\Lmgrd.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\Verizon\SMARTB~1\SBHookSvc.exe
O23 - Service: Technesis Services - Technesis - C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\atuvkvm.exe (file missing)
O23 - Service: SMS Remote Control Agent (Wuser32) - Unknown owner - C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe (file missing)

Anti-virus software programs that i have on my system
- AVG Anti-spyware 7.x version
- HijackThis
- Spybot
- CCleaner
- CwShredder
- Ad-Adware SE Personal
- Hoster
- KillBox (i haven't used this yet)
- Norton Anti-virus

AVG Anti-spyware program never runs completely without hanging up inbetween especially when i run a 'Complete system scan'.

I followed the scanning steps that were outlined at :http://www.techsupportforum.com/sec...lease-read-before-posting-hijackthis-log.html

Thanks in advance

tetonbob · Jan 28, 2007

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

That's quite a collection of nasties you have on your system. Let's see what we can do about cleaning it up.

This is but Round 1 of what could be several posts. Please see this thread through to completion.

From some of your comments, there may be more than malware related issues on this system, but we'll do our best to help.

---------------------------------------------------------------------------------------------

Download combofix.exe to your desktop.

* IMPORTANT !!! Place it on your Desktop.

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\combofix.exe" /v ldcore rpcc

When finished, it shall produce a log for you. Post that log in your next reply. It will be located at C:\ComboFix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

R3 - URLSearchHook: (no name) - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ptbjdsg.exe
O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINNT\system32\nweipeg.dll (file missing)
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\kernels1118.exe
O4 - HKLM\..\Run: [hrcopul.dll] C:\WINNT\system32\rundll32.exe "C:\Documents and Settings\neelaps\Local Settings\Application Data\hrcopul.dll",vuljcec
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\Windows\xpupdate.exe
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{102240BD-2E4C-40AF-8F9C-6F40B2A8A34D}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{34B23320-7ECC-4B92-BC29-E83DF4DCE302}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{53D5B2E0-24B5-4F65-8102-CC7A91348871}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{C64E0CB7-AC74-4554-9606-35EB651BC984}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.110 85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\..\{102240BD-2E4C-40AF-8F9C-6F40B2A8A34D}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.110 85.255.112.151
O17 - HKLM\System\CS2\Services\Tcpip\..\{102240BD-2E4C-40AF-8F9C-6F40B2A8A34D}: NameServer = 85.255.115.110,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.110 85.255.112.151
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - (no file)
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINNT\system32\Hkjbmmmd.dll (file missing)
O21 - SSODL: wvLxmaatL - {50C836A0-FA62-9C0A-766A-0F4071FA1E22} - C:\WINNT\system32\cdab.dll (file missing)

Click FIX CHECKED. Close HijackThis.

In your next reply., please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ).

**If you receive an error message while trying to run FixWareout, copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder, and run FixWareout again.
----------------------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following if they exist:

C:\WINNT\sysupd.exe
C:\Documents and Settings\neelaps\Local Settings\Application Data\hrcopul.dll
C:\Windows\xpupdate.exe
C:\WINNT\atuvkvm.exe
C:\WINNT\system32\svchosts.exe<<<NOTE!!! the exact spelling of this file. This is NOT the legit Microsoft file, C:\WINNT\system32\svchost.exe

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

Create an uninstall list:

With HiJackThis still open

Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"
Copy and past the List from the notepad file into your post

---------------------------------------------------------------------------------------------

Return with results from:

FixWareout (C:\FixWareout\report.txt)
ComboFix (C:\ComboFix.txt)
HijackThis
Uninstall list

Is myCompanyName.com your chosen domain?

neelapalas · Jan 28, 2007

Hello Sir,

I did exactly the way you instructed and here are the results.

Return with results from:

FixWareout (C:\FixWareout\report.txt)

Fixwareout
Last edited 1/27/2007
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINNT\system32\dmsho.exe will be moved to C:\WINNT\temp\dmsho.ren at reboot.
C:\WINNT\system32\csnvu.exe will be moved to C:\WINNT\temp\csnvu.ren at reboot.
»»»»» System restarted
...
Reg Entries that were deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}DD968A1ECD81-92C9-50E4-1B75-5C83060A{"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}5E9B1BC344A5-EFBA-B904-AAC6-292228C6{"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}5F51C330222C-943B-4B04-07C8-27B6262D{"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "ntdll.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "ohsmd"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "yqdm"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "dpid"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "pid"
...
Random Runs removed from HKLM
"dmsho.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
C:\WINNT\system32\{6C822292-6CAA-409B-ABFE-5A443CB1B9E5}.exe Deleted

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"AtiPTA"="atiptaxx.exe"
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"SysUpd"="C:\\WINNT\\sysupd.exe"
"AClntUsr"="C:\\Altiris\\AClient\\AClntUsr.EXE"
"LTWinModem1"="ltmsg.exe 9"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_09\\bin\\jusched.exe"
"Netscape"="C:\\Program Files\\Common Files\\ISPCOMP\\InstallService.exe"
"NetscapeClient"=""
"VerizonServicepoint.exe"="C:\\Program Files\\Verizon\\Servicepoint\\VerizonServicepoint.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\Verizon\\SMARTB~1\\MotiveSB.exe"
"hrcopul.dll"="C:\\WINNT\\system32\\rundll32.exe \"C:\\Documents and Settings\\neelaps\\Local Settings\\Application Data\\hrcopul.dll\",vuljcec"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"PrinterSpool"=""
"SysOps"=""

ComboFix (C:\ComboFix.txt)

"neelaps" - Sun 01/28/2007 16:54:29 Service Pack 4
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\neelaps\desktop"
Command switches used :: /v ldcore rpcc

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *

07-01-11 20:45 152 mjjik.dll.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\rpcc.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\dlh9jkd1q8.exe
C:\DOCUME~1\neelaps\Application Data\Install.dat
C:\Program Files\INSTALL.LOG
C:\WINNT\system32\unsvchosts.lzma
C:\INSTALL.LOG
C:\WINNT\emdat.tm
C:\WINNT\emdat.tmp
C:\DOCUME~1\DEFAUL~1\Application Data\NetMon
C:\Program Files\Common Files\{30C83~1
C:\Program Files\Common Files\{50C83~2
C:\Program Files\Common Files\{50C83~1
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\InetGet2
C:\Program Files\Inetget2
C:\Program Files\Internet Optimizer
C:\Program Files\network monitor
C:\Program Files\Network Monitor
C:\Program Files\PSDream
C:\Program Files\psdream
C:\WINNT\system32\rpcc.dll

((((((((((((((((((((((((((((((( Files Created from 2006-12-28 to 2007-01-28 ))))))))))))))))))))))))))))))))))

2007-01-28 17:03 <DIR> d-------- C:\WINNT\erdnt
2007-01-22 17:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-22 17:36 <DIR> d-------- C:\DOCUME~1\neelaps\Application Data\Lavasoft
2007-01-21 14:17 <DIR> d-------- C:\Program Files\HijackThis
2007-01-18 18:07 <DIR> d-------- C:\Program Files\CCleaner
2007-01-16 21:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-14 11:19 <DIR> d-------- C:\WINNT\system32\Windows Media
2007-01-14 11:15 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2007-01-14 11:15 <DIR> d-------- C:\WINNT\msiinst.tmp
2007-01-11 21:01 <DIR> d-------- C:\Program Files\Ultimate Cleaner
2007-01-11 20:40 <DIR> d-------- C:\Program Files\Ultimate Defender
2007-01-11 20:40 <DIR> d-------- C:\Program Files\softwa~1
2007-01-08 19:32 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-01-08 19:32 <DIR> d-------- C:\Program Files\Grisoft
2007-01-03 22:03 54,432 --a------ C:\WINNT\system32\game0.exe.exe
2006-12-29 17:38 54,423 --a------ C:\WINNT\system32\messenger.lib.exe
2006-12-28 17:46 <DIR> d--hs---- C:\WINNT\RGVicmEgRGVybWFu

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-22 20:28 -------- d--h----- C:\Program Files\bho plugin
2007-01-22 17:53 -------- d-------- C:\Program Files\mozilla firefox
2007-01-22 17:36 -------- d-------- C:\Documents and Settings\neelaps\Application Data\lavasoft
2007-01-12 07:05 -------- d-------- C:\Program Files\quicktime
2007-01-11 21:03 -------- d-------- C:\Program Files\navnt
2007-01-07 20:54 -------- d--h----- C:\Program Files\installshield installation information
2007-01-03 22:07 7952 --a------ C:\WINNT\system32\svchost.exe
2006-12-27 09:34 -------- d-a-s---- C:\Program Files\newdotnet
2006-12-27 09:34 -------- d-------- C:\Program Files\windows nt
2006-12-09 06:55 -------- d-ah----- C:\Program Files\windowsupdate
2006-12-07 20:02 2174976 --a------ C:\WINNT\system32\wmvcore.dll
2006-12-05 19:08 -------- d-------- C:\Program Files\verizon
2006-12-02 16:52 -------- d-------- C:\Documents and Settings\neelaps\Application Data\yahoo!
2006-12-01 19:15 -------- d-------- C:\Program Files\yahoo!
2006-11-29 18:30 -------- d-------- C:\Documents and Settings\neelaps\Application Data\motive
2006-11-06 12:47 596480 --a------ C:\WINNT\system32\inetcomm.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"PrinterSpool"=""
"SysOps"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"AtiPTA"="atiptaxx.exe"
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"SysUpd"="C:\\WINNT\\sysupd.exe"
"AClntUsr"="C:\\Altiris\\AClient\\AClntUsr.EXE"
"LTWinModem1"="ltmsg.exe 9"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_09\\bin\\jusched.exe"
"Netscape"="C:\\Program Files\\Common Files\\ISPCOMP\\InstallService.exe"
"NetscapeClient"=""
"VerizonServicepoint.exe"="C:\\Program Files\\Verizon\\Servicepoint\\VerizonServicepoint.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\Verizon\\SMARTB~1\\MotiveSB.exe"
"hrcopul.dll"="C:\\WINNT\\system32\\rundll32.exe \"C:\\Documents and Settings\\neelaps\\Local Settings\\Application Data\\hrcopul.dll\",vuljcec"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="c:\winnt\system32\ldcore.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Internet Explorer"="{F28A40D7-AD0E-034A-C651-5F0ED76232E6}"
"wvLxmaatL"="{50C836A0-FA62-9C0A-766A-0F4071FA1E22}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN

Completion time: Sun 2007-01-28 17:09:40

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 5:52:50 PM, on 1/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\ccsrvc.exe
C:\Program Files\myCompanyName VPN Client\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\atiptaxx.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Verizon\SMARTB~1\SBHookSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINNT\system32\BHOManager.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: myCompanyName VPN Client.lnk = C:\Program Files\myCompanyName VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165665269086
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\myCompanyName VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FLEXlm Service 1 - Globetrotter Software Inc - C:\Program Files\ESRI\License\Lmgrd.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\Verizon\SMARTB~1\SBHookSvc.exe
O23 - Service: Technesis Services - Technesis - C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\atuvkvm.exe (file missing)
O23 - Service: SMS Remote Control Agent (Wuser32) - Unknown owner - C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe (file missing)

Uninstall list

Ad-Aware SE Personal
AdLib Publisher
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Illustrator 10.0.3
Adobe SVG Viewer 3.0
Altiris Application Metering Agent
Altiris Carbon Copy Agent 6.0
Altiris Patch Management Agent
Altiris Software Delivery Solution Agent
ArcGIS ArcObjects Developer Kit
ArcGIS ArcObjects Developer Kit
ArcGIS Desktop
ATI Display Driver
AVG Anti-Spyware 7.5
CCleaner (remove only)
HijackThis 1.99.1
Intel(R) PRO Ethernet Adapter and Software
InterVideo WinDVD
iPassConnect
Java 2 Runtime Environment, SE v1.4.2_09
Java 2 SDK, SE v1.4.2_09
Java Web Start
LiveUpdate 1.7 (Symantec Corporation)
Lucent Win Modem
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office 2000 SR-1 Professional
Microsoft Project 2000 SR-1
Microsoft Visual Basic .NET Standard - English
Mozilla Firefox (2.0)
MPL for Windows 4.2
MPL OptiMax 2000
MSN Messenger 7.0
MSN Toolbar
Netscape Internet Service
QuickTime
RealPlayer
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Sentinel System Driver
Spybot - Search & Destroy 1.4
Symantec AntiVirus Client
Technesis Workstation Application
Update Rollup 1 for Windows 2000 SP4
Verizon Broadband Toolbar
Verizon Online Help and Support
Verizon Servicepoint 1.3.21
VPN Client
WebEx
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB887797
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix (SP5) Q818043
Windows Installer 3.1 (KB893803)
Windows Media Player 7.1
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
WinRunner
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
ZipItFast Pro 3.0 - A Free, Fast All in One Archive Utility!

Is myCompanyName.com your chosen domain? NO
i replaced my real company name to say 'myCompanyName'. This is only change that i did to log that was posted earlier.

Observations:
In last 30 minutes my system didn't freeze and CPU usage is in single digit :smile: i can see the progress :smile:

Waiting for your further instructions.
I really appreciate your help.

tetonbob · Jan 29, 2007

Good job. Now that your system performance has improved, we can use other tools.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

---------------------------------------------------------------------------------------------------

I see you have AVG Anti-Spyware already. Please update it's definitions, and run a scan where I have placed it in this fix.

Run AVG Anti-Spyware

From the main screen, click on update, then click the Start
update button.
After the update finishes (the status bar at the bottom will display "Update
successful")
select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Exit AVG Anti-Spyware. DO NOT scan yet.

---------------------------------------------------------------------------------------------

Please download Brute Force Uninstaller to your desktop.

Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

---------------------------------------------------------------------------------------------

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"
exit

Double click FixServices.bat. A window will open and close. This is normal.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Then, please go to Start > My Computer and navigate to the C:\BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe
Beside the scriptline to execute field click the folder icon

and select alcanshorty.bfu by double clicking on it.
Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following if they exist:

C:\WINNT\system32\game0.exe.exe
C:\WINNT\system32\messenger.lib.exe
C:\WINNT\RGVicmEgRGVybWFu

---------------------------------------------------------------------------------------------

I see you have CCleaner installed. Run it's Cleaner now.

Open the program and Click on Options, then Advanced
Uncheck 'Only delete files in Windows Temp folders older than 48 hours'
Now click on the Cleaner button
Click on Run Cleaner
Once thats done it will clean out the TEMP folder.

Close the program.

Run AVG Anti-Spyware with it's updated definitions

...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.

After the install is complete, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
- [*]Downloaded Applets
  [*]Downloaded Applications
  [*]Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on

located at the bottom of the page.
A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on

then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

AVG Anti-Spyware
Panda
HJT

neelapalas · Jan 29, 2007

below are the log files after running through the instructed steps.

Please return with logs from:

AVG Anti-Spyware

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:10:41 PM 1/28/2007

+ Scan result:

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050623.007\0000NAV~.TMP -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\newdotnet6_38.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\readme.html -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\uninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Windows NT\mezope.dll.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\Documents and Settings\neelaps\2file.tmp -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Program Files\Windows NT\mezope.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\Documents and Settings\neelaps\3file.tmp -> Downloader.Tibs.jy : Cleaned with backup (quarantined).
C:\Program Files\iPass\iPassConnect\idialer.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Program Files\BHO Plugin\uninstall.exe -> Hijacker.Small.ja : Cleaned with backup (quarantined).

::Report end

Panda

Incident Status Location

Adware:adware/showbehind Not disinfected c:\winnt\sbnet
Adware:adware/popper Not disinfected Windows Registry
Adware:adware/adrotator Not disinfected Windows Registry
Dialer:dialer.yy Not disinfected HKEY_CURRENT_USER\CLSID\{23273a1c-c870-43c4-a3e3-67dc98630ac6}

HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:35:38 PM, on 1/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\ccsrvc.exe
C:\Program Files\myCompanyName VPN Client\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\atiptaxx.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Verizon\SMARTB~1\SBHookSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINNT\system32\BHOManager.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: myCompanyName VPN Client.lnk = C:\Program Files\myCompanyName VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165665269086
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\myCompanyName VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FLEXlm Service 1 - Globetrotter Software Inc - C:\Program Files\ESRI\License\Lmgrd.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\Verizon\SMARTB~1\SBHookSvc.exe
O23 - Service: Technesis Services - Technesis - C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\atuvkvm.exe (file missing)
O23 - Service: SMS Remote Control Agent (Wuser32) - Unknown owner - C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe (file missing)

Awaiting further instructions.. Thanks

tetonbob · Jan 29, 2007

Good work, we seem to be making progress.

Please tell me the contents of these folders:

c:\winnt\sbnet
C:\Program Files\Windows NT

Delete this folder if present:

C:\Program Files\NewDotNet

This next item appears to have been incorrectly removed. iPassConnect is likely used by your company.

Open AVG Anti-Spyware
Click Infections at the top of the window.
Click on the Quarantine tab
Look for the following item(s):
C:\Program Files\iPass\iPassConnect\idialer.exe
When ONLY that item is highlighted, click Restore
A small window will open up asking you to confirm. Click Yes.

Close AVG Anti-Spyware.

---------------------------------------------------------------------------------------------

The malware service we're trying to remove seems resistant. Did you have any trouble performing the batch file instructions?

Let's do it this way.....

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Windows Overlay Components>
Double-click on it to open the Properties dialog.
- Under the General tab, note down the name of "Service name". We shall need it later.
- Stop the service by using the Stop button.
- Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in "Service name" & then click on the OK button

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

REGEDIT4

[-HKEY_CURRENT_USER\CLSID\{23273a1c-c870-43c4-a3e3-67dc98630ac6}]

Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Restart your system.

---------------------------------------------------------------------------------------------

Download SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan using Internet Explorer at http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
    [*]Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save Report As button.
Select txt file from the dropdown menu, to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Please download this tool > http://www.kztechs.com/sreng/sreng2.zip

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Dont post it. You may have to rename SREngLOG.log to SREngLOG.txt to upload it.

---------------------------------------------------------------------------------------------

How's your system behaving?

neelapalas · Jan 30, 2007

contents of these folders:

c:\winnt\sbnet
removead.bat

C:\Program Files\Windows NT
This has 2 folders (Accessories and Pinball), and 3 files (dialer.exe, HTRN_JIS.DLL, hypertrm.exe)

Delete this folder if present:

C:\Program Files\NewDotNet
I didn’t find this folder.

Did you have any trouble performing the batch file instructions?
No. I didn’t notice anything that didn’t go well.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 29, 2007 9:34:31 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/01/2007
Kaspersky Anti-Virus database records: 263134
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 61653
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 03:01:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2cbd45082103eb305c5fa766a4e07947_fb1c96b7-0b86-4c11-be36-83feced2ed22 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5c95ac0ae2abc2d1fafe7161dc16c7e4_fb1c96b7-0b86-4c11-be36-83feced2ed22 Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\neelaps\Application Data\Verizon\VSP\client_gateway.log Object is locked skipped
C:\Documents and Settings\neelaps\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\neelaps\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\neelaps\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\neelaps\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\neelaps\Local Settings\History\History.IE5\MSHist012007012920070130\index.dat Object is locked skipped
C:\Documents and Settings\neelaps\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\neelaps\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\neelaps\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Altiris\AClient\AClient.log Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\PackageDownload\pkgdlvlk.tmp Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\pkgdlvlk.tmp Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Tasks\AeXTaskSchedulerLock\taskSchedulerLock.tmp Object is locked skipped
C:\Program Files\Verizon\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\SmartBridge.log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_260.dat Object is locked skipped
C:\WINNT\Temp\tn21.tmp Object is locked skipped
C:\WINNT\Temp\tn8.tmp Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

SREngLOG.txt file attached.

How's system behaving?

-I noticed that the CPU usage fluctuates between 3% and 100%.
-Kaspersky online scan took 3 hours to complete. While it ran the cpu usage was consistently 100%.
-since last 20 minutes the cpu usage was consistently in single digit.
-System is not freezing anymore :smile:

Waiting for further instructions.

neelapalas · Jan 30, 2007

CPU Usage fluctuates between 3% to 100% at start up.

tetonbob · Jan 30, 2007

neelapalas said:
CPU Usage fluctuates between 3% to 100% at start up.

It's more than likely svchost.exe eating CPU time while all services load. That's not unusual for CPU to spike at boot time. As long as it settles down after all services are loaded, it's not a cause for concern.

This is a system running Windows 2000. Is it a bit older? Perhaps lower on RAM and CPU speed than many new programs require?

--------------------------------------

Delete the following:

c:\winnt\sbnet

---------------------------------------------------------------------------------------------

AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable it's real time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so:

Open AVG Anti-Spyware.

On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.

Hope that helps.

There's no more malware showing in those logs. I'd like to see one last HijackThis log, please.

neelapalas · Jan 30, 2007

Thank you so much for helping me with my system problem.

Is it a bit older? not really old.
Perhaps lower on RAM and CPU speed than many new programs require?
My system has 27 GB space.
768 mb RAM
CPU Speed - 1200 MHz
all these might be low compared to the now getting new systems.

Logfile of HijackThis v1.99.1
Scan saved at 5:25:59 PM, on 1/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\ccsrvc.exe
C:\Program Files\myCompanyName VPN Client\cvpnd.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\ISPCOMP\InstallService.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Verizon\SMARTB~1\SBHookSvc.exe
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\aexruncontrol.exe
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\AeXInvSoln.exe
C:\Program Files\Altiris\Altiris Agent\Software Delivery\{01B54EB5-3679-4C73-9E10-E169D5A5EC59}\cache\aexauditpls.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINNT\system32\BHOManager.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: myCompanyName VPN Client.lnk = C:\Program Files\myCompanyName VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165665269086
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = myCompanyName.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = myCompanyName.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\myCompanyName VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FLEXlm Service 1 - Globetrotter Software Inc - C:\Program Files\ESRI\License\Lmgrd.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\Verizon\SMARTB~1\SBHookSvc.exe
O23 - Service: Technesis Services - Technesis - C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
O23 - Service: SMS Remote Control Agent (Wuser32) - Unknown owner - C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe (file missing)

tetonbob · Jan 31, 2007

System specs seem adequate. You might want to consider changing some startup items, such as your Messenger programs.

These are Optional, to see if you can speed up your startup. The decision is up to you:

Fix these with HijackThis. This only prevents their startup with Windows load. You can still access these programs from Start>Programs

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE <<<known resource hog

Other than that, your logs appear clean.

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
MVPS HOST FILE[/COLOR]
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online antivirus scanners:

Anti-Spyware Tutorial

Here are two very good free Antivirus products which are available:
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

neelapalas · Jan 31, 2007

Hi,

I just ran AVG Anti-Spyware to see if it would detect any more virus and it detected the following cookies and a dialer:

TrackingCookie.Atdmt
TrackingCookie.Com
TrackingCookie.Hitslink
TrackingCookie.2o7
TrackingCookie.Zedo
Heuristic.Win32.Dialer

AVG Anti-Spyware report

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:54:13 PM 1/30/2007

+ Scan result:

C:\Program Files\iPass\iPassConnect\idialer.exe -> Heuristic.Win32.Dialer : Cleaned.
C:\Documents and Settings\neelaps\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\neelaps\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\neelaps\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\neelaps\Cookies\[email protected][1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\neelaps\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned.

::Report end

i applied action to these cookies. Hopefully these are not so bad cookies.

I will follow your instructions in making my system safe. Thanks again.

tetonbob · Jan 31, 2007

That dialer is the same one I think is legit, and needed for your work environment. We restored it earlier.

If this is a work machine, ask someone in IT if iPassConnect is a required program for you.

Cookies will always be found.

All seems normal from here.

Safe Surfing to you! :wave:

system hangs, error loading hrcopul.dll, downloader.Agent.uj, HJT log

neelapalas

Registered

tetonbob

TSF Security Manager, Emeritus

neelapalas

Registered

tetonbob

TSF Security Manager, Emeritus

neelapalas

Registered

tetonbob

TSF Security Manager, Emeritus

neelapalas

Registered

Attachments

neelapalas

Registered

tetonbob

TSF Security Manager, Emeritus

neelapalas

Registered

tetonbob

TSF Security Manager, Emeritus

neelapalas

Registered

tetonbob

TSF Security Manager, Emeritus