Router issues, possible virus, Win2K

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

clanning

Thread Starter
Joined
Jan 16, 2004
Messages
17
I posted under web connectivity - but it's old, not solved, and the problem looks more and more like virus/spyware than connectivity/hardware...

(See June 7 thread, "Browser issues: "Page cannot be displayed" requires multiple refreshes")

I use both Internet Explorer and Firefox. Every time I click on links, favourite, or when I start the browser and load my home page, I get the IE "Page cannot be displayed" error. However, when I click Refresh, the page will suddenly load just fine. Usually I have to click Refresh once then I'm OK within a domain.

I have same problem with BOTH IE ("The page cannot be displayed") and Firefox (URL "could not be found, Please check the name and try again"). Happens using Router (D-Link DI-524, 4 months old -- it was working fine until this problem started 2 days ago).

I have 2 computers running on the router. BOTH exhibited the problem!

Problem started, then I removed router (and thus the second computer) from the equation. Problem went away, then connection became slow/problematic. 1 hour with Sympatico tech support lost then brought back my WAN without the router. The original problem (having to refresh each new page) is still there with the router back in the loop -- 2nd computer (#2) also exhibiting the same problem again.

OS: Win 2000 Pro (both computers).
ISP: Bell Sympatico (Canada)
Hardware: SpeedStream DSL modem, D-Link DI-524 Wireless router (rev C).
Hijack This log for machine #1 follows at bottom (run after Panda ActiveScan log).

Strange thing happened - got following warnings from anti virus on computer #1. (Didn't receive emails at those times, and I wasn't visiting nasty sites.)

2005/07/09 10:11:41.390 File infection: C:\WINDOWS\iwnujdss2.exe is Win32.Slinbot.AGE worm. Deleted
2005/07/09 10:12:45.937 File infection: C:\WINDOWS\system32\wnplayer.exe is Win32.Slinbot.AFR worm. Deleted
2005/07/09 16:23:08.468 File infection: C:\WINDOWS\system32\wnplayer.exe is Win32.Slinbot.AFR worm. Deleted

I JUST (2 seconds ago, 2X) got 3 warnings from av software!

2005/07/09 10:11:41.390 File infection: C:\WINDOWS\iwnujdss2.exe is Win32.Slinbot.AGE worm. Deleted
2005/07/09 10:12:45.937 File infection: C:\WINDOWS\system32\wnplayer.exe is Win32.Slinbot.AFR worm. Deleted
2005/07/09 16:23:08.468 File infection: C:\WINDOWS\system32\wnplayer.exe is Win32.Slinbot.AFR worm. Deleted
2005/07/11 08:22:50.078 File infection: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IRKXYEOW\fuzion2k5[1].exe is Win32.Startpage.QQ trojan. Deleted
2005/07/11 08:22:50.328 File infection: C:\fuzion2k5.exe is Win32.Startpage.QQ trojan. Deleted
2005/07/11 08:22:50.343 File infection: C:\fuzion2k5.exe is Win32.Startpage.QQ trojan.
2005/07/11 08:22:50.359 File infection: C:\fuzion2k5.exe is Win32.Startpage.QQ trojan.
2005/07/11 08:22:50.375 File infection: C:\fuzion2k5.exe is Win32.Startpage.QQ trojan.
2005/07/11 08:24:24.250 File infection: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9G49D2OK\fuzion2k5[1].exe is Win32.Startpage.QQ trojan. Deleted
2005/07/11 08:24:24.468 File infection: C:\fuzion2k5.exe is Win32.Startpage.QQ trojan. Deleted
2005/07/11 08:24:24.468 File infection: C:\fuzion2k5.exe is Win32.Startpage.QQ trojan.
2005/07/11 08:24:24.484 File infection: C:\fuzion2k5.exe is Win32.Startpage.QQ trojan.
2005/07/11 08:24:24.500 File infection: C:\fuzion2k5.exe is Win32.Startpage.QQ trojan.


(For BOTH computers) subsequent Webroot Spy Sweeper scans are clean, and CA eTrust system scan is also clean.

Oddly enough I just ran Panda Software (http://www.pandasoftware.com/activescan/) on #1 yesterday and it reported several infections. (I don't know if "No Disinfected" means can't clean or not a threat.) #2 also gave me a minor infection, which it cleaned.

Here's the log for that:

START OF PANDA ACTIVESCAN LOG:
Computer #1, Scanned 10 July/05, approx 18:00

Incident Status Location

Adware:Adware/Gator No disinfected C:\WINDOWS\gator*.log

Adware:Adware/MyWebSearch No disinfected Windows Registry

Adware:Adware/Coupons No disinfected C:\My Download

Files\hijackthis\backup-20040119-225323-937.dll

Adware:Adware/FunWeb No disinfected C:\My Download

Files\hijackthis\backup-20050709-102259-935.inf

Adware:Adware/Gator No disinfected C:\Program Files\Common

Files\flocfdut\dtcrrscp\aqeqmsro.exe
Adware:Adware/Gator No disinfected C:\Program Files\Common

Files\flocfdut\fsqrafmlaq\nfebmtefu.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log

Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller.log

Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\missyou.exe[tetris.exe]

Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\missyou.exe[parady.exe]

Adware:Adware/Coupons No disinfected C:\_RESTORE\ARCHIVE\FS631.CAB[A0026154.CPY]

Virus:W32/Sobig.E Disinfected Personal Folders\Administration\Headwaters

work-related\Re: Application\your_details.zi[details.pif]

END OF PANDA ACTIVESCAN LOG

Start of HJT Log, computer #1 (should I post computer #2 as well??):

Logfile of HijackThis v1.97.7
Scan saved at 8:26:12 AM, on 11/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
C:\PROGRA~1\Bell\ACCESS~1\app\TangoManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\hrnsvc32.exe
C:\ia32asdf.exe
C:\My Download Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = Quicken\billmind.exe
O4 - Global Startup: HPAiODevice.lnk = Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSxdm477YYCA
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\Installers\AuthorwareWebPlayer\awswax.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.1859722222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2ECDA29-08FE-4B7B-A0C4-FDB6069F515B}: NameServer = 207.164.234.44 206.47.244.57
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,199
Hi and welcome to TSG,

We are sorry that your thread got overlooked.

If you still require assistance, please post a new Hijack This log in this thread and I'd be happy to help.

:)
 

clanning

Thread Starter
Joined
Jan 16, 2004
Messages
17
Hi again -- been away (PEI) for 10 days -- just home 30 minutes ago.

Thanks for your reply. I appreciate any useful advice or qualified opinions -- and I have always found both here!

Well, Bell seems to be up and running without any difficulty now. I have run extensive sweeps and so maybe this cleared it as well.

Anyhow, were's my latest Hijack This log. Let me know if I should be concerned about anything (if anything jumps out at you).

___

Logfile of HijackThis v1.97.7
Scan saved at 11:55:36 PM, on 24/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Download Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = Quicken\billmind.exe
O4 - Global Startup: HPAiODevice.lnk = Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSxdm477YYCA
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\Installers\AuthorwareWebPlayer\awswax.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.1859722222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,199
That is an older version of Hijack This. Please get the new one and post a new log. You can get it here:

HijackThis
 

clanning

Thread Starter
Joined
Jan 16, 2004
Messages
17
Strange -- clicked your link to download the file "hijackthis_sfx.exe" and almost simultaneously received this warning from my eTrust EZ Antivirus Realtime scanner:

2005/07/25 20:59:07.625 File infection: C:\ia32asdf.exe is Win32.Secdrop.HX trojan. Deleted
2005/07/25 20:59:07.734 File infection: C:\ia32asdf.exe is Win32.Secdrop.HX trojan.

Anyhow, here's the updated log:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:46 PM, on 25/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\BRQIKMON.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\clanning\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup

Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma

Loader.exe
O4 - Global Startup: Billminder.lnk = Quicken\billmind.exe
O4 - Global Startup: HPAiODevice.lnk = Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSxdm477YYCA
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program

files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -

http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) -

file://D:\Installers\AuthorwareWebPlayer\awswax.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) -

http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -

http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -

http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust

EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. -

C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy

Sweeper\WRSSSDK.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access

Manager\app\TangoService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program

Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
 

clanning

Thread Starter
Joined
Jan 16, 2004
Messages
17
Housecall results:

Virus Scan 0 virus cleaned, 1 virus deleted


Results:
We have detected 1 infected file(s) with 1 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 1 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\Backups from Old Drive D\temp\x.exe JOKE_SMALL Deletion successful




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 0 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 3 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 3 spyware(s) passed, 0 spyware(s) no action available
- 0 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
COOKIE_45 Cookie Pass
COOKIE_1738 Cookie Pass
COOKIE_2060 Cookie Pass




Microsoft Vulnerability Check 1 vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 1 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Important A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. MS05-004

Panda Activescan running now, I'll post in the morning.

Thanks!

Chuck L
 

clanning

Thread Starter
Joined
Jan 16, 2004
Messages
17
I let Pandascan run last night but my computer lost connectivity (!) -- I couldn't get to my detailed results and I have to re-run this morning.

Got another virus warning last evening as well:

2005/07/25 21:52:31.765 File infection: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\GOQZU2XR\uo[1].exe is Win32.Secdrop.HX trojan. Deleted
2005/07/25 21:52:32.875 File infection: C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IRKXYEOW\uo[1].exe is Win32.Secdrop.HX trojan. Deleted

I am running Pandascan now -- but I'm off to the office. I'll post results log tonight.

Thanks, Cookie!

Chuck
 

clanning

Thread Starter
Joined
Jan 16, 2004
Messages
17
Finally...

Here's the Activescan report:

______START_______

Incident Status Location

Adware:adware/mywebsearch No disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:Adware/Coupons No disinfected C:\My Download Files\hijackthis\backup-20040119-225323-937.dll
Adware:Adware/FunWeb No disinfected C:\My Download Files\hijackthis\backup-20050709-102259-935.inf
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\flocfdut\dtcrrscp\aqeqmsro.exe
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\flocfdut\fsqrafmlaq\nfebmtefu.exe
Adware:Adware/Coupons No disinfected C:\_RESTORE\ARCHIVE\FS631.CAB[A0026154.CPY]

______END_______


The original problem cropped-up briefly yesterday but seems OK today. Very strange -- I am inclined to blame Sympatico just because I'm running out of ideas.

Are there any measures I can take to see if I am unwittingly spamming (i.e., I've become a zombie) or have become a server (a friend of mine has had people living in his computer several times now)? If you can throw me a good thread on these basic measures it would certainly help me.

Thanks, Cookie.

Chuck
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,199
here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.

Click here for info on how to boot to safe mode if you don't already know how.


Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


Restart your computer into safe mode now. Perform the following steps in safe mode:


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • NOTE: During some scans with Ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If Ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


Start CCleaner and click Run Cleaner


Go to Control Panel - Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Restart back into Windows normally now and post a new HijackThis log and the log from Ewido please.
 

clanning

Thread Starter
Joined
Jan 16, 2004
Messages
17
Hi Cookie:

HijackThis and Ewido reports:


Logfile of HijackThis v1.99.1
Scan saved at 10:53:25 PM, on 27/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup

Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ

Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat

5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = Quicken\billmind.exe
O4 - Global Startup: HPAiODevice.lnk = Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSxdm477YYCA
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program

files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -

http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) -

file://D:\Installers\AuthorwareWebPlayer\awswax.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) -

http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -

http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -

http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ

Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. -

C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security

suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program

Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access

Manager\app\TangoService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. -

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:24:30 PM, 27/07/2005
+ Report-Checksum: 986E7727

+ Scan result:

:mozilla.16:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.46:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.50:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.78:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.84:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.85:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.94:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.95:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.97:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.117:C:\Documents and Settings\clanning\Application Data\Mozilla\Firefox\Profiles\3f585axi.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\[email protected][1].txt -> Spyware.Cookie.Track-star : Cleaned with backup
C:\Documents and Settings\kheney\Cookies\[email protected][1].txt -> Spyware.Cookie.Track-star : Cleaned with backup
C:\Documents and Settings\mike\Cookies\[email protected][1].txt -> Spyware.Cookie.Track-star : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\[email protected][1].txt -> Spyware.Cookie.Track-star : Cleaned with backup
C:\My Download Files\hijackthis\backup-20040119-225323-937.dll -> Spyware.Coupon : Cleaned with backup
C:\Program Files\Common Files\flocfdut\dtcrrscp\aqeqmsro.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\flocfdut\fsqrafmlaq\nfebmtefu.exe -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup


::Report End


Thanks

Chuck
 

clanning

Thread Starter
Joined
Jan 16, 2004
Messages
17
Hi Cookie:

Usually running fine now (although the problem recurred briefly this week) -- Bell? Me? I don't know anymore...

I have checked and "fixed" the 2 items you indicated, although I scanned again right away and the R0 item is still there (the 08 mywebsearch item was gone). I fixed it again, but it is still there.

Here's the log (below).

Have you seen any items that look like actual infection of some sort?

Thanks again for your help!

Chuck



-----------

Logfile of HijackThis v1.99.1
Scan saved at 8:28:51 AM, on 30/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = Quicken\billmind.exe
O4 - Global Startup: HPAiODevice.lnk = Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\Installers\AuthorwareWebPlayer\awswax.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,199
Rescan in safe mode and have HijackThis fix this one:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

Reboot and post another log.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top