Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

winantivirus2006 Can someone check my Hijackthis log?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

winantivirus2006 Can someone check my Hijackthis log?

Unread postby gwl2tech » June 23rd, 2006, 10:42 pm

I have run several antivirus programs and Adaware. Can someone help?

Logfile of HijackThis v1.99.1
Scan saved at 9:38:36 PM, on 6/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\xpoint\agent\xicon.exe
C:\PROGRA~1\xpoint\pe\PCRECSA.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec AntiVirus\VPC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\astanley\Desktop\New Folder\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Xicon] C:\PROGRA~1\xpoint\agent\xicon.exe
O4 - HKLM\..\Run: [PCRecSA] C:\PROGRA~1\xpoint\pe\PCRECSA.EXE -noshow
O4 - HKLM\..\Run: [smbdpmi] C:\PROGRA~1\UMS\utils\smbdpmi.exe
O4 - HKLM\..\Run: [dllInit ibmasstw.dll] "C:\Program Files\UMS\utils\DLLINIT.EXE" ibmasstw.dll
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [\\dfield_qc001\EPSON Stylus CX5400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P34 "\\dfield_qc001\EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [\\Dfield_plt001\EPSON Stylus CX5400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P35 "\\Dfield_plt001\EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [\\dfield_qc001\EPSON Stylus Shaun's Office] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P42 "\\dfield_qc001\EPSON Stylus Shaun's Office" /O6 "USB001" /M "Stylus CX5400"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINNT\system32\jkhhf.dll,CreateProtectProc
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.31.42/display/PopupSh.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlas.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = atlas.com
O20 - AppInit_DLLs: C:\WINNT\system32\win_04.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\lotus\notes\ntmulti.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\xpoint\pe\pcradmin.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINNT\SYSTEM32\PLSRemote.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Director Support Program (TWGIPC) - IBM Corporation - C:\PROGRA~1\UMS\Director\bin\twgipcsv.exe
O23 - Service: Director Remote Control Service (TWGRCAGT) - Unknown owner - C:\PROGRA~1\UMS\Director\bin\TWGRMTWC.exe
O23 - Service: UMS HTTPServ (UMSHTTPD) - Unknown owner - C:\PROGRA~1\UMS\httpd.exe
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\xpoint\agent\Xpagent.exe
gwl2tech
Active Member
 
Posts: 5
Joined: June 23rd, 2006, 10:36 pm
Advertisement
Register to Remove

Unread postby random/random » June 24th, 2006, 3:03 am

Welcome to the MalwareRemoval forums. I am random/random and will be helping you with your malware issues

As I am an undergraduate all my posts will be checked by an expert, and this may cause a slight delay

I would ask that you continue to respond to this thread until I give you the All Clean
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Malware

Unread postby gwl2tech » June 24th, 2006, 3:23 am

Any help would be greatly appreciated!
gwl2tech
Active Member
 
Posts: 5
Joined: June 23rd, 2006, 10:36 pm

Unread postby random/random » June 25th, 2006, 5:40 am

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Unread postby gwl2tech » June 26th, 2006, 1:26 pm

Vundofix.exe will not reopen as a task. Should i run it regular. I have tried several times and waited. The program never reopens. What next?
gwl2tech
Active Member
 
Posts: 5
Joined: June 23rd, 2006, 10:36 pm

Unread postby random/random » June 26th, 2006, 2:02 pm

Please rename Hijackthis.exe to spyware.exe and post a new hijackthis log
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Unread postby gwl2tech » June 26th, 2006, 3:15 pm

Logfile of HijackThis v1.99.1
Scan saved at 2:18:55 PM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\xpoint\agent\xicon.exe
C:\PROGRA~1\xpoint\pe\PCRECSA.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\spyware.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Xicon] C:\PROGRA~1\xpoint\agent\xicon.exe
O4 - HKLM\..\Run: [PCRecSA] C:\PROGRA~1\xpoint\pe\PCRECSA.EXE -noshow
O4 - HKLM\..\Run: [smbdpmi] C:\PROGRA~1\UMS\utils\smbdpmi.exe
O4 - HKLM\..\Run: [dllInit ibmasstw.dll] "C:\Program Files\UMS\utils\DLLINIT.EXE" ibmasstw.dll
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [\\dfield_qc001\EPSON Stylus CX5400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P34 "\\dfield_qc001\EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [\\Dfield_plt001\EPSON Stylus CX5400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P35 "\\Dfield_plt001\EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [\\dfield_qc001\EPSON Stylus Shaun's Office] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P42 "\\dfield_qc001\EPSON Stylus Shaun's Office" /O6 "USB001" /M "Stylus CX5400"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINNT\system32\jkhhf.dll,CreateProtectProc
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.31.42/display/PopupSh.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlas.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = atlas.com
O20 - AppInit_DLLs: C:\WINNT\system32\win_04.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\lotus\notes\ntmulti.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\xpoint\pe\pcradmin.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINNT\SYSTEM32\PLSRemote.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Director Support Program (TWGIPC) - IBM Corporation - C:\PROGRA~1\UMS\Director\bin\twgipcsv.exe
O23 - Service: Director Remote Control Service (TWGRCAGT) - Unknown owner - C:\PROGRA~1\UMS\Director\bin\TWGRMTWC.exe
O23 - Service: UMS HTTPServ (UMSHTTPD) - Unknown owner - C:\PROGRA~1\UMS\httpd.exe
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\xpoint\agent\Xpagent.exe
gwl2tech
Active Member
 
Posts: 5
Joined: June 23rd, 2006, 10:36 pm

Unread postby random/random » June 26th, 2006, 3:46 pm

Download VirtumundoBeGone by secured2k
http://secured2k.home.comcast.net/tools ... BeGone.exe
Save the file to your desktop
Close all running programs (including your Internet Browser)
Double-click VirtumundoBeGone.exe on the desktop
Read the introductory information, and then click Continue
Click Start
When asked if you want to continue, click Yes to run the fix
Click "Save Log"


Note: It is normal for the the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal windows desktop.

The log created by VirtumundoBeGone called VBG.TXT will be on located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and "copy/paste" a new HijackThis log file along with the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Unread postby gwl2tech » June 26th, 2006, 5:24 pm

Logfile of HijackThis v1.99.1
Scan saved at 4:26:24 PM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\xpoint\agent\xicon.exe
C:\PROGRA~1\xpoint\pe\PCRECSA.EXE
C:\Program Files\UMS\utils\DLLINIT.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\spyware.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Xicon] C:\PROGRA~1\xpoint\agent\xicon.exe
O4 - HKLM\..\Run: [PCRecSA] C:\PROGRA~1\xpoint\pe\PCRECSA.EXE -noshow
O4 - HKLM\..\Run: [smbdpmi] C:\PROGRA~1\UMS\utils\smbdpmi.exe
O4 - HKLM\..\Run: [dllInit ibmasstw.dll] "C:\Program Files\UMS\utils\DLLINIT.EXE" ibmasstw.dll
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [\\dfield_qc001\EPSON Stylus CX5400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P34 "\\dfield_qc001\EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [\\Dfield_plt001\EPSON Stylus CX5400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P35 "\\Dfield_plt001\EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [\\dfield_qc001\EPSON Stylus Shaun's Office] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P42 "\\dfield_qc001\EPSON Stylus Shaun's Office" /O6 "USB001" /M "Stylus CX5400"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINNT\system32\jkhhf.dll,CreateProtectProc
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.31.42/display/PopupSh.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlas.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlas.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = atlas.com
O20 - AppInit_DLLs: C:\WINNT\system32\win_04.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINNT\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\lotus\notes\ntmulti.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\xpoint\pe\pcradmin.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINNT\SYSTEM32\PLSRemote.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Director Support Program (TWGIPC) - IBM Corporation - C:\PROGRA~1\UMS\Director\bin\twgipcsv.exe
O23 - Service: Director Remote Control Service (TWGRCAGT) - Unknown owner - C:\PROGRA~1\UMS\Director\bin\TWGRMTWC.exe
O23 - Service: UMS HTTPServ (UMSHTTPD) - Unknown owner - C:\PROGRA~1\UMS\httpd.exe
O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\xpoint\agent\Xpagent.exe





[06/26/2006, 16:23:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\jgarrett\Desktop\VirtumundoBeGone.exe" )
[06/26/2006, 16:23:30] - Detected System Information:
[06/26/2006, 16:23:30] - Windows Version: 5.0.2195, Service Pack 4
[06/26/2006, 16:23:30] - Current Username: jgarrett (Admin)
[06/26/2006, 16:23:30] - Windows is in NORMAL mode.
[06/26/2006, 16:23:30] - Searching for Browser Helper Objects:
[06/26/2006, 16:23:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/26/2006, 16:23:30] - Finished Searching Browser Helper Objects
[06/26/2006, 16:23:30] - Finishing up...
[06/26/2006, 16:23:30] - Nothing found! Exiting...
gwl2tech
Active Member
 
Posts: 5
Joined: June 23rd, 2006, 10:36 pm

Unread postby random/random » June 27th, 2006, 11:47 am

Open up Hijackthis
Click on do as system scan only
Place a checkmark next to these lines(if still present)

O4 - HKCU\..\Run: [cmds] rundll32.exe C:\WINNT\system32\jkhhf.dll,CreateProtectProc
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.31.42/display/PopupSh.ocx
O20 - AppInit_DLLs: C:\WINNT\system32\win_04.dll

Then close all windows except Hijackthis and click Fix Checked

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINNT\system32\jkhhf.dll into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

You will get a prompt that asks you this:
All files will be deleted on reboot

Click yes to that

You will then get this prompt:
files will be removed on reboot. Do you want to reboot now?

CLICK NO

Then, repeat the process..
enter C:\WINNT\system32\win_04.dll into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

You will get a prompt that asks you this:
All files will be deleted on reboot

Click yes to that

You will then get this prompt:
files will be removed on reboot. Do you want to reboot now?

Click Yes

Run Panda's ActiveScan from here and perform a full system scan.

1. Once you are on the Panda site click the
Scan your PC
button
2. A new window will open...click the big
Check Now
button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
10. Click on
Local Disks
to start the scan
11. Post Panda scan results in your next reply

Post back with the panda scan results and a new Hijackthis log
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm

Unread postby 'KotaGuy » July 4th, 2006, 2:46 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 294 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware