sp.dll problem

Post by paulfegan » February 4th, 2005, 1:00 pm

Hi Chris,
Posted as recommended by Tony. HijackThis keeps closing on the scan when I try to get rid of an infection, sp.dll. Any ideas?


Process list saved on 16:55:21, on 04/02/2005
Platform: WinNT 5.00.2195 SP4

[full path to filename] [file version] [company name]
C:\WINNT\System32\smss.exe 5.0.2195.6601 Microsoft Corporation
C:\WINNT\system32\winlogon.exe 5.0.2195.6898 Microsoft Corporation
C:\WINNT\system32\services.exe 5.0.2195.6700 Microsoft Corporation
C:\WINNT\system32\lsass.exe 5.0.2195.6902 Microsoft Corporation
C:\WINNT\system32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\WINNT\System32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\WINNT\system32\spoolsv.exe 5.0.2195.6659 Microsoft Corporation
C:\WINNT\System32\Ati2evxx.exe 4.18.1.4018
C:\Centenn.ial\Audit\CAgent32.exe 4.52.0.0 Centennial Software Limited
C:\Centenn.ial\Audit\xferwan.exe 4.52.0.0 Centennial Software Limited
C:\SQLLIB\bin\db2sec.exe 7.1.0.55 International Business Machines Corporation
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe 8.1.0.825 Symantec Corporation
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe 7.1.0.0 Hummingbird Ltd.
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe 7.1.0.0 Hummingbird Ltd.
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe 7.1.0.0 Hummingbird Ltd.
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe 7.0.9064.9150 Microsoft Corporation
C:\Lotus\Notes\ntmulti.exe 6.5.20.4139 IBM Corp
C:\Program Files\JavaSoft\JRE\1.3.1_01\bin\javaw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe 8.1.0.825 Symantec Corporation
C:\WINNT\system32\regsvc.exe 5.0.2195.6701 Microsoft Corporation
C:\WINNT\system32\MSTask.exe 4.71.2195.6704 Microsoft Corporation
C:\SQLLIB\bin\VWD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe 1.50.1085.100 Microsoft Corporation
C:\WINNT\System32\mspmspsv.exe 7.1.0.3055 Microsoft Corporation
C:\WINNT\system32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\SQLLIB\bin\IWH2SERV.EXE
C:\WINNT\Explorer.EXE 5.0.3700.6690 Microsoft Corporation
C:\WINNT\system32\pctspk.exe 1.0.0.1
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe 6.0.20.0 Synaptics, Inc.
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 6.0.20.0 Synaptics, Inc.
C:\WINNT\system32\PRPCUI.exe 2.1.0.0 Intel Corporation
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe 5.3.0.107 Roxio
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe 5.3.0.107 Roxio
C:\Program Files\QuickTime\qttask.exe 6.4.0.29 Apple Computer, Inc.
C:\Program Files\Internet Explorer\IEXPLORE.EXE 5.0.2920.0 Microsoft Corporation
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe 8.1.0.825 Symantec Corporation
C:\WINNT\system32\ctfmon.exe 5.1.2409.7 Microsoft Corporation
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe 1.3.0.12 Safer Networking Limited
C:\IBM\IMNNQ\HTTPDL.exe
C:\IBM\IMNNQ\imnsvdem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE 5.0.2920.0 Microsoft Corporation
C:\PROGRA~1\WinZip8\winzip32.exe 13.0.0.0 WinZip Computing, Inc.
C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\IBProcMan.exe 1.1.0.1 Soeperman Enterprises Ltd.
paulfegan
Active Member
 
Posts: 8
Joined: February 4th, 2005, 12:54 pm

Post by paulfegan » February 4th, 2005, 1:06 pm

Logfile of HijackThis v1.98.2
Scan saved at 17:10:14, on 04/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\SQLLIB\bin\db2sec.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\JavaSoft\JRE\1.3.1_01\bin\javaw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\SQLLIB\bin\VWD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\SQLLIB\bin\IWH2SERV.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\IBM\IMNNQ\HTTPDL.exe
C:\IBM\IMNNQ\imnsvdem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\IBProcMan.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\nNOTESMM.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\PROGRA~1\WinZip8\winzip32.exe
C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xansanet.xansa.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xansa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://settings.xansa.com/def55.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-cache.xansa.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;10.*.*.*;interact*;xansanet.*;*.xansa.*;*.figroup.co.uk;*.xansarecruitment.*;*.methodabc.com;192.168.*.*;*.lscdev.local;<local>
O1 - Hosts: 172.18.72.152 zmjuxy.mypc
O1 - Hosts: 172.18.71.149 rtw_ifx_01
O1 - Hosts: 172.18.71.150 rtwifx02
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C6222DD6-7AE4-47B4-948A-9233EE27DD6E} - C:\WINNT\system32\aejf.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [kix32msi] msiexec /fo c:\i386\installs\003005\003005.msi /q
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Start HTML Search Server.lnk = C:\SQLLIB\bin\db2nq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xansanet.xansa.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xone.xansa.com
O18 - Filter: text/html - {A8ED1417-F64E-41E5-AD9C-9E9931F179D8} - C:\WINNT\system32\aejf.dll
O18 - Filter: text/plain - {A8ED1417-F64E-41E5-AD9C-9E9931F179D8} - C:\WINNT\system32\aejf.dll

Post by ChrisRLG » February 4th, 2005, 4:49 pm

OK

You have one of the currently hardest infections to remove. Mostly hard because we need to run other programs to get information before we can kill it.

So I need you to do the following:

Download Service Filter from here:
http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip
Extract it to its own folder.
We will use this later in this process.

Download rkfiles - put the two files in their own folder - the folder can be on the desktop if required.
http://skads.org/special/rkfiles.zip

Double-click rkfiles.bat. It will take some time to run and will create a log file at c:\log.txt - copy the contents of that file into a reply here.
It will take a LONG time to run.

Find ServiceFilter that you downloaded earlier.
Click on ServiceFilter.vbs.
A text file called POST_THIS will be in the same folder.
Please use Edit>Select all then Edit>Copy to obtain the contents.
Save it in Notepad or WordPad for posting later.

Post the contents of those two files here please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by paulfegan » February 7th, 2005, 5:24 am

Chris,

Here's log.txt output

C:\Data\downloads\spybot\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

and here's the POST_THIS.txt

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195 Service Pack 4
Feb 7, 2005 09:27:19


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Ati HotKey Poller
Display Name: Ati HotKey Poller
Start Mode: Auto
Start Name: LocalSystem
Description: Ati HotKey ...
Service Type: Own Process
Path: c:\winnt\system32\ati2evxx.exe
State: Running
Process ID: 592
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: CentennialClientAgent
Display Name: CentennialClientAgent
Start Mode: Auto
Start Name: LocalSystem
Description: CentennialClientAgent...
Service Type: Own Process
Path: "c:\centenn.ial\audit\cagent32.exe"
State: Running
Process ID: 688
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: CentennialIPTransferAgent
Display Name: CentennialIPTransferAgent
Start Mode: Auto
Start Name: LocalSystem
Description: CentennialIPTransferAgent...
Service Type: Own Process
Path: "c:\centenn.ial\audit\xferwan.exe"
State: Running
Process ID: 732
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 4
Service Name: DB2
Display Name: DB2 - DB2
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 - ...
Service Type: Own Process
Path: c:\sqllib\bin\db2syscs.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 5
Service Name: DB2ControlCenterServer
Display Name: DB2 JDBC Applet Server - Control Center
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 JDBC Applet Server - Control ...
Service Type: Own Process
Path: c:\sqllib\bin\db2ccs.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 6
Service Name: DB2CTLSV
Display Name: DB2 - DB2CTLSV
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 - ...
Service Type: Own Process
Path: c:\sqllib\bin\db2syscs.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 7
Service Name: DB2DAS00
Display Name: DB2 - DB2DAS00
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 - ...
Service Type: Own Process
Path: c:\sqllib\bin\db2syscs.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 8
Service Name: DB2GOVERNOR
Display Name: DB2 Governor
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 ...
Service Type: Own Process
Path: c:\sqllib\bin\db2govds.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 9
Service Name: DB2JDS
Display Name: DB2 JDBC Applet Server
Start Mode: Manual
Start Name: LocalSystem
Description: DB2 JDBC Applet ...
Service Type: Own Process
Path: c:\sqllib\bin\db2jds.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 10
Service Name: DB2LICD
Display Name: DB2 License Server
Start Mode: Manual
Start Name: LocalSystem
Description: DB2 License ...
Service Type: Own Process
Path: c:\sqllib\bin\db2licd.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 11
Service Name: DB2NTSECSERVER
Display Name: DB2 Security Server
Start Mode: Manual
Start Name: LocalSystem
Description: DB2 Security ...
Service Type: Own Process
Path: c:\sqllib\bin\db2sec.exe
State: Running
Process ID: 748
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #12
Service Name: DefWatch
Display Name: DefWatch
Start Mode: Auto
Start Name: LocalSystem
Description: DefWatch...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\defwatch.exe
State: Running
Process ID: 764
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 13
Service Name: Jconfigd
Display Name: Hummingbird Jconfig Daemon
Start Mode: Auto
Start Name: LocalSystem
Description: Hummingbird Jconfig ...
Service Type: Own Process
Path: c:\winnt\system32\hummingbird\connectivity\7.10\jconfig\jconfigdnt.exe
State: Running
Process ID: 820
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 14
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Machine Debug ...
Service Type: Own Process
Path: "c:\program files\common files\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 844
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 15
Service Name: Multi-user Cleanup Service
Display Name: Multi-user Cleanup Service
Start Mode: Auto
Start Name: LocalSystem
Description: Multi-user Cleanup ...
Service Type: Own Process
Path: c:\lotus\notes\ntmulti.exe
State: Running
Process ID: 872
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #16
Service Name: Norton AntiVirus Server
Display Name: Symantec AntiVirus Client
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec AntiVirus ...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\rtvscan.exe
State: Running
Process ID: 920
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 17
Service Name: Oracleorahome811Agent
Display Name: Oracleorahome811Agent
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811Agent...
Service Type: Own Process
Path: c:\oracle81\bin\dbsnmp.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 18
Service Name: Oracleorahome811ClientCache
Display Name: Oracleorahome811ClientCache
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811ClientCache...
Service Type: Own Process
Path: c:\oracle81\bin\onrsd.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 19
Service Name: Oracleorahome811CMAdmin
Display Name: Oracleorahome811CMAdmin
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811CMAdmin...
Service Type: Own Process
Path: c:\oracle81\bin\cmadmin.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 20
Service Name: Oracleorahome811CMan
Display Name: Oracleorahome811CMan
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811CMan...
Service Type: Own Process
Path: c:\oracle81\bin\cmgw.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 21
Service Name: Oracleorahome811DataGatherer
Display Name: Oracleorahome811DataGatherer
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811DataGatherer...
Service Type: Own Process
Path: c:\oracle81\bin\vppdc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 22
Service Name: Oracleorahome811HTTPServer
Display Name: Oracleorahome811HTTPServer
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811HTTPServer...
Service Type: Own Process
Path: c:\oracle81\apache\apache\apache.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 23
Service Name: Oracleorahome811ManagementServer
Display Name: Oracleorahome811ManagementServer
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811ManagementServer...
Service Type: Own Process
Path: c:\oracle81\bin\omsntsrv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 24
Service Name: Oracleorahome811PagingServer
Display Name: Oracleorahome811PagingServer
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811PagingServer...
Service Type: Own Process
Path: c:\oracle81/bin/pagntsrv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 25
Service Name: Oracleorahome811TNSListener
Display Name: Oracleorahome811TNSListener
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811TNSListener...
Service Type: Own Process
Path: c:\oracle81\bin\tnslsnr
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 26
Service Name: OracleServiceZMJUXY
Display Name: OracleServiceZMJUXY
Start Mode: Manual
Start Name: LocalSystem
Description: OracleServiceZMJUXY...
Service Type: Own Process
Path: c:\oracle81\bin\oracle.exe zmjuxy
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 27
Service Name: OracleSNMPPeerEncapsulator
Display Name: OracleSNMPPeerEncapsulator
Start Mode: Manual
Start Name: LocalSystem
Description: OracleSNMPPeerEncapsulator...
Service Type: Own Process
Path: c:\oracle81\bin\encsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 28
Service Name: OracleSNMPPeerMasterAgent
Display Name: OracleSNMPPeerMasterAgent
Start Mode: Manual
Start Name: LocalSystem
Description: OracleSNMPPeerMasterAgent...
Service Type: Own Process
Path: c:\oracle81\bin\agntsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 29
Service Name: RP32Service
Display Name: Remotely Possible/32
Start Mode: Manual
Start Name: LocalSystem
Description: Remotely ...
Service Type: Own Process
Path: c:\program files\avalan\remotely possible\rp32serv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 30
Service Name: vwd
Display Name: Warehouse agent daemon
Start Mode: Auto
Start Name: LocalSystem
Description: Warehouse agent ...
Service Type: Own Process
Path: "c:\sqllib\bin\vwd.exe"
State: Running
Process ID: 1040
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 31
Service Name: vwkernel
Display Name: Warehouse server
Start Mode: Auto
Start Name: LocalSystem
Description: Warehouse ...
Service Type: Own Process
Path: "c:\sqllib\bin\iwh2serv.exe"
State: Running
Process ID: 1176
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 32
Service Name: vwlogger
Display Name: Warehouse logger
Start Mode: Auto
Start Name: LocalSystem
Description: Warehouse ...
Service Type: Own Process
Path: "c:\sqllib\bin\iwh2log.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1067
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 90 Win32 services on this machine.
32 were unrecognized.

Script Execution Time: 3.136719 seconds.

Post by ChrisRLG » February 7th, 2005, 5:35 am

Those look good - I will post a fix for you during my lunch time.

Post by paulfegan » February 7th, 2005, 6:05 am

Thanks Chris

Post by ChrisRLG » February 7th, 2005, 9:10 am

Hi there,

Please download About:Buster from here: http://downloads.malwareremoval.com/AboutBuster.zip. Once it is downloaded extract it to c:\aboutbuster.
We will use that program later in this process.

Next download CWShredder, install. If you already have CWShredder, please delete it and download the latest version.
We will use that program later in this process.

====================

Please set your system to show all files; see here for how to do this if you're unsure.

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C6222DD6-7AE4-47B4-948A-9233EE27DD6E} - C:\WINNT\system32\aejf.dll
O18 - Filter: text/html - {A8ED1417-F64E-41E5-AD9C-9E9931F179D8} - C:\WINNT\system32\aejf.dll
O18 - Filter: text/plain - {A8ED1417-F64E-41E5-AD9C-9E9931F179D8} - C:\WINNT\system32\aejf.dll


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINNT\system32\aejf.dll
C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\ (all contents, except any dated today)


Exit Explorer, reboot back to safe mode.

Then run CWShredder first, hit 'fix' as opposed to 'scan only'. Let it delete all it finds.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. (It does take a long time to run.)

Reboot as normal afterwards.

Now do a new HijackThis log and post that with the About:Buster log and a new ServiceFilter log for me to see.
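The entries Chris ticks for "Fix checked" above share two traits: IE search/home settings either reset to about:blank or served from a res:// URL inside a DLL, and O18 MIME filters for text/html and text/plain whose DLL is also loaded by a nameless O2 BHO. As an added example (not a tool from this thread or from MalwareRemoval.com), the Python script below applies those checks to a HijackThis log; the sample input is constructed from the log posted above, and the correlation step is why Spybot's SDHelper, also listed as a "(no name)" BHO, is not flagged.

```python
"""Flag the CoolWebSearch about:blank / sp.dll indicators in a HijackThis log.

Added example, not a MalwareRemoval.com tool. SAMPLE_LOG is constructed from the
HijackThis log posted in this thread; the heuristics are the editor's, not HijackThis's.
"""
import re
from collections import defaultdict

# Line shapes of the three HijackThis sections this hijack lives in.
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O18_LINE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# A res:// URL serves an HTML page straight out of a DLL's resource section.
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

# IE settings the hijacker blanks so that its own page is shown instead.
IE_KEYS = {"Start Page", "Search Bar", "Search Page", "SearchAssistant", "HomeOldSP"}
# MIME types it registers a filter for, so it can rewrite everything IE renders.
HIJACKED_MIME = {"text/html", "text/plain"}

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xansanet.xansa.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C6222DD6-7AE4-47B4-948A-9233EE27DD6E} - C:\WINNT\system32\aejf.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O18 - Filter: text/html - {A8ED1417-F64E-41E5-AD9C-9E9931F179D8} - C:\WINNT\system32\aejf.dll
O18 - Filter: text/plain - {A8ED1417-F64E-41E5-AD9C-9E9931F179D8} - C:\WINNT\system32\aejf.dll
"""


def analyze(log_text):
    """Return (line, reason, dll_path_or_None) for each suspicious HijackThis entry."""
    findings = []
    sections_by_dll = defaultdict(set)  # lowercased DLL path -> section codes naming it
    nameless_bho = {}                   # lowercased DLL path -> its O2 line, held back

    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            key, value = m.group(3).strip(), m.group(4).strip()
            if key in IE_KEYS and value.lower() == "about:blank":
                findings.append((line, "IE %s reset to about:blank" % key, None))
            res = RES_DLL.match(value)
            if res:
                dll = res.group(1).lower()
                sections_by_dll[dll].add("R")
                findings.append((line, "IE %s served from a DLL resource" % key, dll))
            continue
        m = O18_LINE.match(line)
        if m and m.group(1).lower() in HIJACKED_MIME:
            dll = m.group(3).strip().lower()
            sections_by_dll[dll].add("O18")
            findings.append((line, "MIME filter on %s can rewrite page content" % m.group(1), dll))
            continue
        m = O2_LINE.match(line)
        if m and m.group(1).strip() == "(no name)":
            # A nameless BHO on its own proves nothing (Spybot's SDHelper shows the
            # same way); it is reported only if its DLL also backs a hijacked filter.
            nameless_bho[m.group(3).strip().lower()] = line

    for dll, line in nameless_bho.items():
        if "O18" in sections_by_dll.get(dll, ()):
            findings.append((line, "nameless BHO loads the DLL behind the hijacked filters", dll))
    return findings


def suspect_files(findings):
    """Distinct DLL paths named in the findings: the files to look for in Safe Mode."""
    return sorted({dll for _line, _reason, dll in findings if dll})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for line, reason, _dll in results:
        print("FLAG: %s\n      %s" % (line, reason))
    print("\nFiles to locate in Safe Mode:")
    for path in suspect_files(results):
        print("  " + path)
```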

Post by paulfegan » February 8th, 2005, 11:37 am

Logfile of HijackThis v1.98.2
Scan saved at 15:37:53, on 08/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\SQLLIB\bin\db2sec.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\JavaSoft\JRE\1.3.1_01\bin\javaw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\SQLLIB\bin\VWD.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\SQLLIB\bin\IWH2SERV.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\IBM\IMNNQ\HTTPDL.exe
C:\IBM\IMNNQ\imnsvdem.exe
C:\Data\downloads\spybot\New Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xansa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://settings.xansa.com/def55.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-cache.xansa.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;10.*.*.*;interact*;xansanet.*;*.xansa.*;*.figroup.co.uk;*.xansarecruitment.*;*.methodabc.com;192.168.*.*;*.lscdev.local;<local>
O1 - Hosts: 172.18.72.152 zmjuxy.mypc
O1 - Hosts: 172.18.71.149 rtw_ifx_01
O1 - Hosts: 172.18.71.150 rtwifx02
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [kix32msi] msiexec /fo c:\i386\installs\003005\003005.msi /q
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Start HTML Search Server.lnk = C:\SQLLIB\bin\db2nq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xansanet.xansa.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xone.xansa.com
Scanned at: 15:30:32 on: 08/02/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195 Service Pack 4
Feb 8, 2005 15:41:29


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Ati HotKey Poller
Display Name: Ati HotKey Poller
Start Mode: Auto
Start Name: LocalSystem
Description: Ati HotKey ...
Service Type: Own Process
Path: c:\winnt\system32\ati2evxx.exe
State: Running
Process ID: 564
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: CentennialClientAgent
Display Name: CentennialClientAgent
Start Mode: Auto
Start Name: LocalSystem
Description: CentennialClientAgent...
Service Type: Own Process
Path: "c:\centenn.ial\audit\cagent32.exe"
State: Running
Process ID: 612
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: CentennialIPTransferAgent
Display Name: CentennialIPTransferAgent
Start Mode: Auto
Start Name: LocalSystem
Description: CentennialIPTransferAgent...
Service Type: Own Process
Path: "c:\centenn.ial\audit\xferwan.exe"
State: Running
Process ID: 624
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 4
Service Name: CWShredder Service
Display Name: CWShredder Service
Start Mode: Auto
Start Name: LocalSystem
Description: CWShredder ...
Service Type: Own Process
Path: c:\data\downloads\spybot\new stuff\cwshredder.exe service
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 5
Service Name: DB2
Display Name: DB2 - DB2
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 - ...
Service Type: Own Process
Path: c:\sqllib\bin\db2syscs.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 6
Service Name: DB2ControlCenterServer
Display Name: DB2 JDBC Applet Server - Control Center
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 JDBC Applet Server - Control ...
Service Type: Own Process
Path: c:\sqllib\bin\db2ccs.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 7
Service Name: DB2CTLSV
Display Name: DB2 - DB2CTLSV
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 - ...
Service Type: Own Process
Path: c:\sqllib\bin\db2syscs.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 8
Service Name: DB2DAS00
Display Name: DB2 - DB2DAS00
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 - ...
Service Type: Own Process
Path: c:\sqllib\bin\db2syscs.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 9
Service Name: DB2GOVERNOR
Display Name: DB2 Governor
Start Mode: Manual
Start Name: xone\zmjuxy
Description: DB2 ...
Service Type: Own Process
Path: c:\sqllib\bin\db2govds.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 10
Service Name: DB2JDS
Display Name: DB2 JDBC Applet Server
Start Mode: Manual
Start Name: LocalSystem
Description: DB2 JDBC Applet ...
Service Type: Own Process
Path: c:\sqllib\bin\db2jds.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 11
Service Name: DB2LICD
Display Name: DB2 License Server
Start Mode: Manual
Start Name: LocalSystem
Description: DB2 License ...
Service Type: Own Process
Path: c:\sqllib\bin\db2licd.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 12
Service Name: DB2NTSECSERVER
Display Name: DB2 Security Server
Start Mode: Manual
Start Name: LocalSystem
Description: DB2 Security ...
Service Type: Own Process
Path: c:\sqllib\bin\db2sec.exe
State: Running
Process ID: 652
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #13
Service Name: DefWatch
Display Name: DefWatch
Start Mode: Auto
Start Name: LocalSystem
Description: DefWatch...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\defwatch.exe
State: Running
Process ID: 664
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 14
Service Name: Jconfigd
Display Name: Hummingbird Jconfig Daemon
Start Mode: Auto
Start Name: LocalSystem
Description: Hummingbird Jconfig ...
Service Type: Own Process
Path: c:\winnt\system32\hummingbird\connectivity\7.10\jconfig\jconfigdnt.exe
State: Running
Process ID: 708
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 15
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Machine Debug ...
Service Type: Own Process
Path: "c:\program files\common files\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 744
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 16
Service Name: Multi-user Cleanup Service
Display Name: Multi-user Cleanup Service
Start Mode: Auto
Start Name: LocalSystem
Description: Multi-user Cleanup ...
Service Type: Own Process
Path: c:\lotus\notes\ntmulti.exe
State: Running
Process ID: 776
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #17
Service Name: Norton AntiVirus Server
Display Name: Symantec AntiVirus Client
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec AntiVirus ...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\rtvscan.exe
State: Running
Process ID: 848
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 18
Service Name: Oracleorahome811Agent
Display Name: Oracleorahome811Agent
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811Agent...
Service Type: Own Process
Path: c:\oracle81\bin\dbsnmp.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 19
Service Name: Oracleorahome811ClientCache
Display Name: Oracleorahome811ClientCache
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811ClientCache...
Service Type: Own Process
Path: c:\oracle81\bin\onrsd.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 20
Service Name: Oracleorahome811CMAdmin
Display Name: Oracleorahome811CMAdmin
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811CMAdmin...
Service Type: Own Process
Path: c:\oracle81\bin\cmadmin.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 21
Service Name: Oracleorahome811CMan
Display Name: Oracleorahome811CMan
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811CMan...
Service Type: Own Process
Path: c:\oracle81\bin\cmgw.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 22
Service Name: Oracleorahome811DataGatherer
Display Name: Oracleorahome811DataGatherer
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811DataGatherer...
Service Type: Own Process
Path: c:\oracle81\bin\vppdc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 23
Service Name: Oracleorahome811HTTPServer
Display Name: Oracleorahome811HTTPServer
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811HTTPServer...
Service Type: Own Process
Path: c:\oracle81\apache\apache\apache.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 24
Service Name: Oracleorahome811ManagementServer
Display Name: Oracleorahome811ManagementServer
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811ManagementServer...
Service Type: Own Process
Path: c:\oracle81\bin\omsntsrv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 25
Service Name: Oracleorahome811PagingServer
Display Name: Oracleorahome811PagingServer
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811PagingServer...
Service Type: Own Process
Path: c:\oracle81/bin/pagntsrv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 26
Service Name: Oracleorahome811TNSListener
Display Name: Oracleorahome811TNSListener
Start Mode: Manual
Start Name: LocalSystem
Description: Oracleorahome811TNSListener...
Service Type: Own Process
Path: c:\oracle81\bin\tnslsnr
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 27
Service Name: OracleServiceZMJUXY
Display Name: OracleServiceZMJUXY
Start Mode: Manual
Start Name: LocalSystem
Description: OracleServiceZMJUXY...
Service Type: Own Process
Path: c:\oracle81\bin\oracle.exe zmjuxy
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 28
Service Name: OracleSNMPPeerEncapsulator
Display Name: OracleSNMPPeerEncapsulator
Start Mode: Manual
Start Name: LocalSystem
Description: OracleSNMPPeerEncapsulator...
Service Type: Own Process
Path: c:\oracle81\bin\encsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 29
Service Name: OracleSNMPPeerMasterAgent
Display Name: OracleSNMPPeerMasterAgent
Start Mode: Manual
Start Name: LocalSystem
Description: OracleSNMPPeerMasterAgent...
Service Type: Own Process
Path: c:\oracle81\bin\agntsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 30
Service Name: RP32Service
Display Name: Remotely Possible/32
Start Mode: Manual
Start Name: LocalSystem
Description: Remotely ...
Service Type: Own Process
Path: c:\program files\avalan\remotely possible\rp32serv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 31
Service Name: vwd
Display Name: Warehouse agent daemon
Start Mode: Auto
Start Name: LocalSystem
Description: Warehouse agent ...
Service Type: Own Process
Path: "c:\sqllib\bin\vwd.exe"
State: Running
Process ID: 952
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 32
Service Name: vwkernel
Display Name: Warehouse server
Start Mode: Auto
Start Name: LocalSystem
Description: Warehouse ...
Service Type: Own Process
Path: "c:\sqllib\bin\iwh2serv.exe"
State: Running
Process ID: 1140
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 33
Service Name: vwlogger
Display Name: Warehouse logger
Start Mode: Auto
Start Name: LocalSystem
Description: Warehouse ...
Service Type: Own Process
Path: "c:\sqllib\bin\iwh2log.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1067
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 91 Win32 services on this machine.
33 were unrecognized.

Script Execution Time: 1.574219 seconds.
paulfegan
Active Member
 
Posts: 8
Joined: February 4th, 2005, 12:54 pm

Unread postby ChrisRLG » February 8th, 2005, 11:47 am

Fix these with HJT as before - ensure ALL windows are closed except for HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

then reboot to safe mode and delete this file

C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll

- you could clear all the temp folders while you are doing that.

Post back with a new HJT log please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
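Added example, not code from the thread or from the HijackThis project: a small Python checker that flags, in a HijackThis log, the R0/R1 entries of the kind ChrisRLG lists above (a search page served from a DLL inside a Temp directory, and search keys reset to about:blank), extracts the DLL path the res:// URL points at, and compares a before and after log to confirm the fix held. The sample lines are constructed from the logs in this thread; the set of value names treated as hijack indicators is an assumption drawn from the entries flagged here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines, modelled on the logs posted in this thread.
HJT_BEFORE = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll/sp.html",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xansa",
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
]
HJT_AFTER = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xansanet.xansa.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xansa",
]

# HijackThis R0/R1 lines have the shape "R1 - <hive>\<key>,<value name> = <data>".
_R_LINE = re.compile(r"^(R[01]) - (?P<key>[^=]+?) = (?P<data>.*)$")
# res:// URLs name a module (here a DLL path) and, after the first "/", a resource inside it.
_RES_URL = re.compile(r"^res://(?P<module>[^/]+)(?:/(?P<resource>.*))?$", re.IGNORECASE)
# Value names the hijack in this thread reset to about:blank (assumption based on the
# entries flagged above). A user-chosen about:blank Start Page is deliberately not matched.
_SEARCH_KEYS = ("Search Bar", "Search Page", "SearchAssistant", "HomeOldSP")


@dataclass
class Finding:
    line: str
    reason: str
    module_path: Optional[str] = None  # DLL the res:// page is served from, if any


def _in_temp_dir(path: str) -> bool:
    """True when some directory component of the path is named 'temp'."""
    parts = path.replace("/", "\\").lower().split("\\")
    return "temp" in parts[:-1]


def scan_hjt_lines(lines: List[str]) -> List[Finding]:
    """Flag R0/R1 entries matching the about:blank / Temp-DLL search page pattern."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = _R_LINE.match(line)
        if not m:
            continue
        key, data = m.group("key"), m.group("data").strip()
        value_name = key.rsplit(",", 1)[-1]
        res = _RES_URL.match(data)
        if res and _in_temp_dir(res.group("module")):
            findings.append(Finding(line, "search page served from a DLL in a Temp directory",
                                    res.group("module")))
        elif data.lower() == "about:blank" and value_name in _SEARCH_KEYS:
            findings.append(Finding(line, f"{value_name} reset to about:blank"))
    return findings


def files_to_remove(findings: List[Finding]) -> List[str]:
    """DLL paths referenced by flagged res:// entries (the file to delete in safe mode)."""
    return sorted({f.module_path for f in findings if f.module_path})


def compare_logs(before: List[str], after: List[str]) -> Tuple[List[str], List[str]]:
    """Return (fixed, remaining): flagged lines that disappeared vs. survived the fix."""
    after_set = {l.strip() for l in after}
    flagged = [f.line for f in scan_hjt_lines(before)]
    fixed = [l for l in flagged if l not in after_set]
    remaining = [f.line for f in scan_hjt_lines(after)]
    return fixed, remaining


if __name__ == "__main__":
    hits = scan_hjt_lines(HJT_BEFORE)
    for h in hits:
        print(f"{h.reason}: {h.line}")
    print("delete in safe mode:", files_to_remove(hits))
    print("after fix, remaining:", compare_logs(HJT_BEFORE, HJT_AFTER)[1])
```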

Unread postby paulfegan » February 8th, 2005, 11:57 am

Logfile of HijackThis v1.98.2
Scan saved at 15:37:53, on 08/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\SQLLIB\bin\db2sec.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\JavaSoft\JRE\1.3.1_01\bin\javaw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\SQLLIB\bin\VWD.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\SQLLIB\bin\IWH2SERV.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\IBM\IMNNQ\HTTPDL.exe
C:\IBM\IMNNQ\imnsvdem.exe
C:\Data\downloads\spybot\New Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xansa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://settings.xansa.com/def55.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-cache.xansa.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;10.*.*.*;interact*;xansanet.*;*.xansa.*;*.figroup.co.uk;*.xansarecruitment.*;*.methodabc.com;192.168.*.*;*.lscdev.local;<local>
O1 - Hosts: 172.18.72.152 zmjuxy.mypc
O1 - Hosts: 172.18.71.149 rtw_ifx_01
O1 - Hosts: 172.18.71.150 rtwifx02
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [kix32msi] msiexec /fo c:\i386\installs\003005\003005.msi /q
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Start HTML Search Server.lnk = C:\SQLLIB\bin\db2nq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xansanet.xansa.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xone.xansa.com
paulfegan
Active Member
 
Posts: 8
Joined: February 4th, 2005, 12:54 pm

Unread postby ChrisRLG » February 8th, 2005, 12:07 pm

Hmmmm

Fix again - safe mode

Ensure teatimer is not running.

Then see if you can produce a 1.99.0 version log for me please - that may show other things.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby paulfegan » February 8th, 2005, 12:25 pm

Chris,

It all looks ok now. This is the last invocation of HijackThis. By the way, 1.99 won't run on my PC; I don't know whether this is a 2000 issue or just my company's build of 2000.

Logfile of HijackThis v1.98.2
Scan saved at 16:23:58, on 08/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\SQLLIB\bin\db2sec.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\JavaSoft\JRE\1.3.1_01\bin\javaw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\SQLLIB\bin\VWD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\SQLLIB\bin\IWH2SERV.EXE
C:\WINNT\System32\msiexec.exe
C:\WINNT\Installer\MSI3.tmp
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\IBM\IMNNQ\HTTPDL.exe
C:\IBM\IMNNQ\imnsvdem.exe
C:\Data\downloads\spybot\New Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xansanet.xansa.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xansa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://settings.xansa.com/def55.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-cache.xansa.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;10.*.*.*;interact*;xansanet.*;*.xansa.*;*.figroup.co.uk;*.xansarecruitment.*;*.methodabc.com;192.168.*.*;*.lscdev.local;<local>
O1 - Hosts: 172.18.72.152 zmjuxy.mypc
O1 - Hosts: 172.18.71.149 rtw_ifx_01
O1 - Hosts: 172.18.71.150 rtwifx02
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [kix32msi] msiexec /fo c:\i386\installs\003005\003005.msi /q
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Start HTML Search Server.lnk = C:\SQLLIB\bin\db2nq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xansanet.xansa.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xone.xansa.com
paulfegan
Active Member
 
Posts: 8
Joined: February 4th, 2005, 12:54 pm

Unread postby ChrisRLG » February 8th, 2005, 12:28 pm

That looks better - do a few reboots - opening IE and closing it.

Then post another log.

Can't see why v1.99.0 will not run - PM me your email address - I will send a copy of 1.99.1 beta over - don't give it to anyone else - but it does have some bug fixes that solve issues with 1.99.0.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » February 9th, 2005, 9:12 am

Paul provided this by PM.

Chris,

That version works.

Here's the output
Logfile of HijackThis v1.99.1 (BETA)
Scan saved at 08:20:28, on 09/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\SQLLIB\bin\db2sec.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\JavaSoft\JRE\1.3.1_01\bin\javaw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\SQLLIB\bin\VWD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\SQLLIB\bin\IWH2SERV.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\IBM\IMNNQ\HTTPDL.exe
C:\IBM\IMNNQ\imnsvdem.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\nNOTESMM.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip8\winzip32.exe
C:\DOCUME~1\zmjuxy\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xansanet.xansa.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Xansa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://settings.xansa.com/def55.ins
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-cache.xansa.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;10.*.*.*;interact*;xansanet.*;*.xansa.*;*.figroup.co.uk;*.xansarecruitment.*;*.methodabc.com;192.168.*.*;*.lscdev.local;<local>
O1 - Hosts: 172.18.72.152 zmjuxy.mypc
O1 - Hosts: 172.18.71.149 rtw_ifx_01
O1 - Hosts: 172.18.71.150 rtwifx02
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [kix32msi] msiexec /fo c:\i386\installs\003005\003005.msi /q
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Start HTML Search Server.lnk = C:\SQLLIB\bin\db2nq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xansanet.xansa.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xone.xansa.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xone.xansa.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wzcnotif - C:\WINNT\SYSTEM32\wzcdlg.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Data\downloads\spybot\New Stuff\CWShredder.exe
O23 - Service: DB2 - DB2 (DB2) - International Business Machines Corporation - C:\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2 JDBC Applet Server - Control Center (DB2ControlCenterServer) - Unknown owner - C:\SQLLIB\bin\db2ccs.exe
O23 - Service: DB2 - DB2CTLSV (DB2CTLSV) - International Business Machines Corporation - C:\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2 - DB2DAS00 (DB2DAS00) - International Business Machines Corporation - C:\SQLLIB\bin\db2syscs.exe
O23 - Service: DB2 Governor (DB2GOVERNOR) - International Business Machines Corporation - C:\SQLLIB\bin\db2govds.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 License Server (DB2LICD) - International Business Machines Corporation - C:\SQLLIB\bin\db2licd.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\SQLLIB\bin\db2sec.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Oracleorahome811Agent - Oracle Corporation - c:\oracle81\bin\dbsnmp.exe
O23 - Service: Oracleorahome811ClientCache - Unknown owner - c:\oracle81\BIN\ONRSD.EXE
O23 - Service: Oracleorahome811CMAdmin - Unknown owner - c:\oracle81\BIN\CMADMIN.EXE
O23 - Service: Oracleorahome811CMan - Unknown owner - c:\oracle81\BIN\CMGW.EXE
O23 - Service: Oracleorahome811DataGatherer - Oracle Corporation - c:\oracle81\bin\vppdc.exe
O23 - Service: Oracleorahome811HTTPServer - Unknown owner - c:\oracle81\Apache\Apache\Apache.exe
O23 - Service: Oracleorahome811ManagementServer - Unknown owner - C:\Oracle81\bin\OMSNTsrv.exe
O23 - Service: Oracleorahome811PagingServer - Unknown owner - c:\oracle81/bin/pagntsrv.exe
O23 - Service: Oracleorahome811TNSListener - Unknown owner - c:\oracle81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceZMJUXY - Oracle Corporation - c:\oracle81\bin\ORACLE.EXE
O23 - Service: OracleSNMPPeerEncapsulator - Unknown owner - c:\oracle81\BIN\ENCSVC.EXE
O23 - Service: OracleSNMPPeerMasterAgent - Unknown owner - c:\oracle81\BIN\AGNTSVC.EXE
O23 - Service: Remotely Possible/32 (RP32Service) - Unknown owner - C:\Program Files\Avalan\Remotely Possible\rp32serv.exe
O23 - Service: Warehouse agent daemon (vwd) - Unknown owner - C:\SQLLIB\bin\VWD.EXE
O23 - Service: Warehouse server (vwkernel) - Unknown owner - C:\SQLLIB\bin\IWH2SERV.EXE
O23 - Service: Warehouse logger (vwlogger) - Unknown owner - C:\SQLLIB\bin\IWH2LOG.EXE
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

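As an added example, not part of this thread and not HijackThis code, here is a small Python triage pass over the keyed lines of a log like the one above. It parses the R/F/O entries and attaches the reason an analyst would look twice at each one: hosts-file overrides, Run entries that name a bare executable, Winlogon Notify DLLs, services whose binary carries no publisher, ActiveX downloads, and values HijackThis truncated with " ... ". The sample lines are excerpted from the v1.99.1 log above plus one constructed Run entry pointing into a Temp directory so that check has something to catch. Flagged lines are prompts for a human review, not verdicts: the igfxcui and vwkernel entries are listed only because the log itself cannot confirm their origin.

```python
"""Triage pass over HijackThis-style keyed log lines (added example)."""
import re
from dataclasses import dataclass

# A keyed line is a section tag (R0-R3, F0-F3, O1-O24), " - ", then the body.
LINE_RE = re.compile(r"^(?P<section>[RF][0-3]|O\d{1,2}) - (?P<body>.*)$")

# Directories a Run entry or service binary should rarely launch from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\")


@dataclass
class Finding:
    section: str
    body: str
    reasons: list


def parse_hjt(text):
    """Return (section, body) pairs for keyed lines. The header and the
    'Running processes' block carry no tag and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def o4_executable(body):
    """Pull the launched executable out of an O4 body: either
    'HKLM\\..\\Run: [Name] command args' or 'Global Startup: X.lnk = target'.
    Unquoted paths containing spaces are only checked for a path separator."""
    if "] " in body:
        cmd = body.partition("] ")[2].strip()
    elif " = " in body:
        cmd = body.partition(" = ")[2].strip()
    else:
        return None
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Apply per-section analyst heuristics and return the entries that
    deserve a human look, each with the reason(s) attached."""
    findings = []
    for section, body in parse_hjt(text):
        reasons = []
        lower = body.lower()
        if section == "O1":
            reasons.append("hosts-file override: confirm it is an intended internal name, not a redirect")
        elif section == "O4":
            exe = o4_executable(body)
            if exe is not None and "\\" not in exe:
                reasons.append("bare executable name: resolved via the PATH search order, so verify which file actually loads")
        elif section == "O16":
            reasons.append("ActiveX control installed from the web: verify the CLSID and download URL")
        elif section == "O20":
            reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at logon: verify the DLL's publisher")
        elif section == "O23" and "unknown owner" in lower:
            reasons.append("service binary has no publisher in its version info: verify the file on disk")
        if any(d in lower for d in SUSPICIOUS_DIRS):
            reasons.append("launches from a temp directory")
        if " ... " in body:
            reasons.append("HijackThis truncated this value: obtain the full string before judging it")
        if reasons:
            findings.append(Finding(section, body, reasons))
    return findings


# Lines excerpted from the v1.99.1 log in this thread, plus one constructed
# O4 entry (the 'updater' line) so the temp-directory check has a hit.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1 (BETA)
Running processes:
C:\WINNT\System32\smss.exe

O1 - Hosts: 172.18.72.152 zmjuxy.mypc
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Warehouse server (vwkernel) - Unknown owner - C:\SQLLIB\bin\IWH2SERV.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.body}")
        for r in f.reasons:
            print(f"    -> {r}")
```

Feed a whole saved log to `triage()` and the untagged header and process list fall away on their own; the point of the per-section reasons is that a reviewer sees why an entry was pulled out, rather than a bare list of suspects.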
Unread postby ChrisRLG » February 9th, 2005, 9:18 am

Notes to others who may read this topic.

This machine is on a works network with IT dept constraints on updates etc - SO they can't update IE from v5.0 etc.

==================================

Mike

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to enable and re-enable system restore here:
    Managing Windows Millennium System Restore
    or
    Windows XP System Restore Guide
    Re-enable system restore with the instructions from the tutorial above.
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use Anti-Virus Software - It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
    Computer Safety On line - Anti-Virus
  4. Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For an article on firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with anti-virus software. A tutorial on installing and using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with anti-virus software. A tutorial on installing and using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

May your God go with you.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
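The Internet-zone changes in step 2 above can be verified afterwards without clicking through the dialog again. The following Python check is added here and is not part of the post: it parses a regedit / `reg export` file of the Internet zone key (`Zones\3` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`) and compares the six action values against the settings listed in steps 2.4.1 to 2.4.6, using the value names Microsoft documents for that key (1001, 1004, 1201, 1800, 1804, 1607) and its encoding (0 = Enable, 1 = Prompt, 3 = Disable). The embedded export is constructed, not taken from the thread, and deliberately leaves three settings at Enable so the report has something to show.

```python
"""Check Internet-zone ActiveX/frame settings from a .reg export (added example)."""
import re

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action identifiers documented by Microsoft for the Internet zone (Zones\3),
# paired with the setting the post asks for. Encoding: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialise and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_dwords(text, key):
    """Return {value_name: int} for the DWORD values stored under `key` in a
    regedit / 'reg export' file. Other keys and non-DWORD values are ignored."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            continue
        vm = DWORD_RE.match(line)
        if vm and current is not None and current.lower() == key.lower():
            values[vm.group("name")] = int(vm.group("hex"), 16)
    return values


def describe(level):
    """Human-readable form of a stored level; None means the value was absent."""
    return LEVEL.get(level, "missing" if level is None else f"unknown({level})")


def audit_internet_zone(values):
    """Compare parsed values with RECOMMENDED. Returns (id, label, current,
    wanted) for every setting that differs; a value absent from the export is
    reported as 'missing' rather than assumed safe."""
    deviations = []
    for name, (label, want) in RECOMMENDED.items():
        have = values.get(name)
        if have != want:
            deviations.append((name, label, describe(have), LEVEL[want]))
    return deviations


# Constructed export (not from the thread) with three settings left at Enable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1004"=dword:00000003
"""

if __name__ == "__main__":
    for ident, label, have, want in audit_internet_zone(parse_reg_dwords(SAMPLE_REG, ZONE3_KEY)):
        print(f"{ident} {label}: is {have}, should be {want}")
```

On a real machine, export the key with regedit (File > Export) and read the file with `encoding="utf-16"`, since the Version 5.00 format is written as Unicode text; the zone 4 block in the sample is there to show that values under a different key are not mixed into the result.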