A spyware disaster


classicsoftware
06-06-2006, 02:42 PM
Symptoms:

Unable to access Task Manager from the task bar or CTRL+ALT+DEL
Unable to get online via AOL
Multiple command windows pop up with a title of svchost. Anywhere from 2-5 windows at a time
Programs encounter errors and need to be closed


HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 10:35:59 AM, on 6/6/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\wanmpsvc.exe
C:\PROGRA~1\TEXASI~1\WFTPDP~1\WFTPD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\inet20026\winlogon.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\winpatrol.exe
C:\WINNT\system32\0mcamcap.exe
D:\gcasDtServ.exe
C:\WINNT\system32\rpcc.exe
C:\WINNT\inet20026\socks.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\F?nts\spool32.exe
C:\WINNT\system32\vxgame6.exe3072.exe
C:\Program Files\Common Files\AOL\1127840011\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127840011\ee\AOLServiceHost.exe
D:\Program Files\Distillr\AcroTray.exe
C:\Program Files\Common Files\AOL\1127840011\ee\AOLServiceHost.exe
D:\Program Files\SecCopy\SecCopy.exe
E:\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\inet20026\winlogon.exe
O1 - Hosts: 192.1.1.3 nsplus
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\winpatrol.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127840011\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [Second Copy 2000] "D:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Ouwa] C:\WINNT\system32\F?nts\spool32.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINNT\system32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet20026\winlogon.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\America Online 8.0\aoltray.exe
O4 - Global Startup: Command WorkStation 4.lnk = D:\Command WorkStation 4\CWS 4.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.4.2.30/holdem/holdem-ob-assets.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_20.dll
O23 - Service: avast! iAVS4 Control Service - Unknown - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Promise RAID message agent - Unknown - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: WFTPD Pro - Texas Imperial Software - C:\PROGRA~1\TEXASI~1\WFTPDP~1\WFTPD.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

classicsoftware
06-06-2006, 02:44 PM
Ewido found the following:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:01:33 PM, 6/6/2006
+ Report-Checksum: F92F7031

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34} -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaTickets -> Adware.PurityScan : Cleaned with backup
HKU\S-1-5-21-1764432414-1709181013-118909372-500\Software\AHExe -> Adware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1764432414-1709181013-118909372-500\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
[220] C:\WINNT\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
[1612] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Cleaned with backup
[1680] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1704] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1740] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1624] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1712] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1772] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1272] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1820] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1840] C:\WINNT\system32\0mcamcap.exe -> Proxy.Small.bo : Cleaned with backup
[1888] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1896] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[2028] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[2120] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[2172] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[2216] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[2240] C:\WINNT\system32\vxgame6.exe3072.exe -> Downloader.Tiny.cp : Cleaned with backup
[2272] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[2336] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[2344] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[2444] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
[1400] C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Error during cleaning
C:\Documents and Settings\Administrator\Application Data\Microsoft\dcom_20.dll -> Proxy.Xmiler.b : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3605.0000 -> Downloader.PurityScan.ce : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3615.0000 -> Downloader.PurityScan.cb : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3625.0000 -> Downloader.PurityScan.w : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3635.0000 -> Downloader.PurityScan.w : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3665.0000 -> Downloader.PurityScan.cc : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3675.0000 -> Downloader.PurityScan.bj : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3705.0000 -> Downloader.PurityScan.ck : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3755.0000 -> Downloader.PurityScan.cg : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3765.0000 -> Downloader.PurityScan.cg : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3775.0000 -> Downloader.PurityScan.cg : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3805.0000 -> Downloader.PurityScan.cl : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3815.0000 -> Downloader.PurityScan.cl : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3825.0000 -> Downloader.PurityScan.cl : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\WіnSxS\WіnSxS\!update-3835.0000 -> Downloader.PurityScan.cl : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\!update.exe -> Downloader.PurityScan.co : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\13B.tmp -> Dropper.Agent.aqc : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\143.tmp -> Worm.Locksky.as : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\144.tmp -> Dropper.Agent.aqc : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\14D.tmp -> Downloader.Agent.afl : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\2.dlb -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\6.dlb -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\7.dlb -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\qvxt2.game -> Trojan.BKClient : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\qvxt3.game -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\win32.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\inet20026\3.03.00.dll -> Adware.Ihbo : Cleaned with backup
C:\WINNT\inet20026\alg.exe -> Worm.Delf.i : Cleaned with backup
C:\WINNT\inet20026\alg.exe.bak -> Worm.Delf.i : Cleaned with backup
C:\WINNT\inet20026\select.exe -> Proxy.Small.em : Cleaned with backup
C:\WINNT\inet20026\select.exe.bak -> Proxy.Small.em : Cleaned with backup
C:\WINNT\inet20026\services.exe -> Downloader.CWS.s : Cleaned with backup
C:\WINNT\inet20026\socks.exe -> Proxy.Small.bt : Cleaned with backup
C:\WINNT\inet20026\socks.exe.bak -> Proxy.Small.bt : Cleaned with backup
C:\WINNT\inet20026\winlogon.exe -> Downloader.CWS.s : Cleaned with backup
C:\WINNT\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup
C:\WINNT\OEM.exe.bak -> Proxy.Agent.jw : Cleaned with backup
C:\WINNT\system32\0mcamcap.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINNT\system32\comdlg64.dll -> Proxy.Agent.ji : Cleaned with backup
C:\WINNT\system32\dcom_20.dll -> Proxy.Xmiler.b : Cleaned with backup
C:\WINNT\system32\dlh9jkdq2.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\system32\dlh9jkdq6.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\system32\dlh9jkdq7.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\system32\fkco.dll -> Adware.PurityScan : Cleaned with backup
C:\WINNT\system32\ipod.raw.exe -> Proxy.Lager.bh : Cleaned with backup
C:\WINNT\system32\kernels8.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\system32\loader8.exe -> Downloader.Small.cxz : Cleaned with backup
C:\WINNT\system32\loader8.exe3072.exe -> Downloader.Tiny.cp : Cleaned with backup
C:\WINNT\system32\oins.exe -> Downloader.PurityScan.au : Cleaned with backup
C:\WINNT\system32\qvxgamet2.exe -> Trojan.BKClient : Cleaned with backup
C:\WINNT\system32\qvxgamet3.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\system32\rpcc.exe -> Worm.Locksky.as : Cleaned with backup
C:\WINNT\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINNT\system32\sysvx.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\system32\sysvx_.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\system32\taskdir.dll -> Proxy.Lager.aq : Cleaned with backup
C:\WINNT\system32\taskdir.exe -> Proxy.Lager.bh : Cleaned with backup
C:\WINNT\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINNT\system32\vxgame3.exe -> Downloader.CWS.s : Cleaned with backup
C:\WINNT\system32\vxgame4.exe -> Downloader.Small.ctk : Cleaned with backup
C:\WINNT\system32\vxgame6.exe -> Downloader.Small.cxz : Cleaned with backup
C:\WINNT\system32\vxgame6.exe3072.exe -> Downloader.Tiny.cp : Cleaned with backup
C:\WINNT\system32\vxgamet1.exe -> Downloader.Agent.hy : Cleaned with backup
C:\WINNT\system32\vxgamet2.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\system32\vxgamet3.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\sysvx_.exe -> Trojan.Small : Cleaned with backup


::Report End

classicsoftware
06-06-2006, 02:47 PM
New HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 1:38:54 PM, on 6/6/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\wanmpsvc.exe
C:\PROGRA~1\TEXASI~1\WFTPDP~1\WFTPD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\winpatrol.exe
D:\Program Files\SecCopy\SecCopy.exe
C:\WINNT\system32\ctfmon.exe
D:\Program Files\Distillr\AcroTray.exe
C:\Program Files\Common Files\AOL\1127840011\ee\AOLHostManager.exe
D:\Command WorkStation 4\CWS 4.exe
C:\Program Files\Common Files\AOL\1127840011\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1127840011\ee\AOLServiceHost.exe
D:\gcasDtServ.exe
D:\America Online 8.0\aol.exe
D:\America Online 8.0\waol.exe
D:\America Online 8.0\aolwbspd.exe
E:\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O1 - Hosts: 192.1.1.3 nsplus
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\winpatrol.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127840011\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [Second Copy 2000] "D:\Program Files\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = D:\America Online 8.0\aoltray.exe
O4 - Global Startup: Command WorkStation 4.lnk = D:\Command WorkStation 4\CWS 4.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C84F3611-F449-4E71-B8BE-3C4F96581584}: NameServer = 205.188.146.145
O23 - Service: avast! iAVS4 Control Service - Unknown - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Promise RAID message agent - Unknown - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: WFTPD Pro - Texas Imperial Software - C:\PROGRA~1\TEXASI~1\WFTPDP~1\WFTPD.EXE
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

CWSHREDDER: Clean

The pop-up windows have stopped.
AOL is well AOL, but it works.
Still no access to task manager.
Programs encounter errors, just less frequently.

Okay, Budfred, MJC and David Eaton, what next.....????????????
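A triage pass over the two HijackThis logs in this thread, written as an added example (it is not part of the thread and nothing in it is a HijackThis feature). It flags the patterns the logs above show, namely a system binary name such as winlogon.exe running outside system32, an unrenderable "?" in a directory name like F?nts, the double extension in vxgame6.exe3072.exe, the win.ini run= line, the SSODL entry, and rundll32 loading a hex-named module, and it lists which entries disappeared between the first log and the new one. The sample logs are constructed subsets of the posted ones; the heuristics, thresholds and function names are my own assumptions.

```python
"""Triage HijackThis log lines and diff a before/after pair (added example)."""
import re

# Constructed sample: a subset of the first log posted in the thread (before cleaning).
BEFORE_LOG = r"""
Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\inet20026\winlogon.exe
C:\WINNT\system32\F?nts\spool32.exe
C:\WINNT\system32\vxgame6.exe3072.exe
E:\Security\HijackThis.exe

F3 - REG:win.ini: run=C:\WINNT\inet20026\winlogon.exe
O1 - Hosts: 192.1.1.3 nsplus
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKCU\..\Run: [Ouwa] C:\WINNT\system32\F?nts\spool32.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINNT\system32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet20026\winlogon.exe
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_20.dll
"""

# Constructed sample: the matching subset of the "New HijackThis log" (after cleaning).
AFTER_LOG = r"""
Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
E:\Security\HijackThis.exe

O1 - Hosts: 192.1.1.3 nsplus
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{C84F3611-F449-4E71-B8BE-3C4F96581584}: NameServer = 205.188.146.145
"""

# Binaries that only belong in the system directory (assumed list, Windows 2000 / XP era).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "alg.exe"}
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")           # "O4 - ...", "F3 - ..."
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*\.(?:exe|dll)\b', re.IGNORECASE)
ODD_CHAR_RE = re.compile(r"[^\x20-\x7e]|\?")            # non-ASCII or an unrenderable '?'
DOUBLE_EXT_RE = re.compile(r"\.exe.+\.exe$")
RUNDLL_HEX_RE = re.compile(r"rundll32\.exe\s+[0-9A-F]{8,},", re.IGNORECASE)


def flag_path(path):
    """Heuristics that look only at a file path; returns a list of reasons."""
    reasons = []
    directory, _, name = path.rpartition("\\")
    name, directory = name.lower(), directory.lower()
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        reasons.append("system binary name outside system32")
    if ODD_CHAR_RE.search(path):
        # HijackThis prints '?' for a character it cannot render, and '?' is
        # illegal in a Windows file name, so either way the path is suspect.
        reasons.append("homoglyph or unrenderable character in path")
    if DOUBLE_EXT_RE.search(name):
        reasons.append("double extension")
    return reasons


def flag_entry(line):
    """Heuristics for one numbered HijackThis entry (O4, F3, O1, O21, ...)."""
    m = ENTRY_RE.match(line)
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if kind == "F3":
        reasons.append("legacy win.ini run= autostart")
    elif kind == "O1":
        reasons.append("hosts file override, verify the mapping")
    elif kind == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry, loaded by Explorer at logon")
    if RUNDLL_HEX_RE.search(body):
        reasons.append("rundll32 loading a random-named module")
    for path in PATH_RE.findall(body):
        reasons.extend(flag_path(path))
    return reasons


def parse_hjt(text):
    """Split a HijackThis log into its process list and its numbered entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def triage(text):
    """Return {line: [reasons]} for every process or entry that trips a heuristic."""
    processes, entries = parse_hjt(text)
    flagged = {}
    for proc in processes:
        if flag_path(proc):
            flagged[proc] = flag_path(proc)
    for entry in entries:
        if flag_entry(entry):
            flagged[entry] = flag_entry(entry)
    return flagged


def removed_entries(before, after):
    """Entries present in the earlier log but absent from the later one."""
    _, old = parse_hjt(before)
    _, new = parse_hjt(after)
    remaining = set(new)
    return [e for e in old if e not in remaining]


if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG).items():
        print(f"{line}\n    -> {'; '.join(reasons)}")
    print("\nEntries gone in the new log:")
    for line in removed_entries(BEFORE_LOG, AFTER_LOG):
        print("  " + line)
```

The heuristics are deliberately narrow (they do not flag the legitimate D:\ entries such as gcasServ.exe or the Fiery CWS 4.exe), so a clean line in the output is not a clean bill of health; the value is in surfacing the handful of lines worth researching first, and in the diff, which here shows the hosts-file line surviving the cleanup.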

Budfred
06-06-2006, 07:57 PM
I couldn't identify this:

O4 - Global Startup: Command WorkStation 4.lnk = D:\Command WorkStation 4\CWS 4.exe

it looks like you need to find and kill:

C:\WINNT\system32\comdlg64.dll

and you seem to have Avast and Norton running at the same time... Other than those issues, you probably need other scans... Try this:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! It could be that files in use will be moved/deleted during the reboot.
After the reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

classicsoftware
06-06-2006, 09:26 PM
I couldn't identify this:

O4 - Global Startup: Command WorkStation 4.lnk = D:\Command WorkStation 4\CWS 4.exe

it looks like you need to find and kill:

C:\WINNT\system32\comdlg64.dll



The CWS 4.exe is the Xerox Command Work Station that communicates with a huge color copier.

I won't get back there until Thursday & I'll let you know then. Thanks for looking over my shoulder.

PrntRhd
06-06-2006, 11:19 PM
Yep, the Command Work Station goes to a Fiery server on the color copier.
Very familiar with those Linux servers.

classicsoftware
06-08-2006, 12:26 PM
Here is the Dr. Web log:
setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Incurable.Deleted.;
Dc1247.tmp;C:\RECYCLER\S-1-5-21-1764432414-1709181013-118909372-500;BackDoor.Uragan;Deleted.;
Dc1248.tmp;C:\RECYCLER\S-1-5-21-1764432414-1709181013-118909372-500;BackDoor.Uragan;Deleted.;
killer.exe;C:\RECYCLER\S-1-5-21-1764432414-1709181013-118909372-500\Dc1;Trojan.Killer;Deleted.;
killer.exe.bak;C:\RECYCLER\S-1-5-21-1764432414-1709181013-118909372-500\Dc1;Trojan.Killer;Deleted.;
mm5.exe;C:\RECYCLER\S-1-5-21-1764432414-1709181013-118909372-500\Dc1;Trojan.Proxy.951;Deleted.;
mm5.exe.bak;C:\RECYCLER\S-1-5-21-1764432414-1709181013-118909372-500\Dc1;Trojan.Proxy.951;Deleted.;
mm6.exe;C:\RECYCLER\S-1-5-21-1764432414-1709181013-118909372-500\Dc1;Trojan.Spambot;Deleted.;

Everything seems to be functioning OK. I'll double check in a couple of days.

Thanks Bud.