
Frustrating Cleanup of Win2k Machine. HJT log included

Discussion in 'Malware and Virus Removal Archive' started by Scott Smith, 2005/10/27.

  1. 2005/10/27
    Scott Smith

    I have gone as far as I can go and keep my sanity with this one.

    Things I have done so far:

    Removed the drive and scanned with Trend Micro PC Cillin Internet Security 2005 in a healthy machine.

    Ran Ad-Aware with current defs
    Ran Spybot S&D with current defs
    Ran Ewido with current defs

    See HJT log below

    Logfile of HijackThis v1.99.1
    Scan saved at 7:42:07 AM, on 10/27/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    C:\WINNT\netvw32.exe
    C:\WINNT\system32\netut32.exe
    C:\WINNT\system32\mshta.exe
    C:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\sceqf.dll/sp.html#94115
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sceqf.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\sceqf.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\sceqf.dll/sp.html#94115
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sceqf.dll/sp.html#94115
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\sceqf.dll/sp.html#94115
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\sceqf.dll/sp.html#94115
    R3 - Default URLSearchHook is missing
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Class - {DE0AF230-FA5B-FBEB-0A68-99EDB4CBB61D} - C:\WINNT\system32\javacu.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe "
    O4 - HKLM\..\Run: [netut32.exe] C:\WINNT\system32\netut32.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: Network Security Service ( 11Fßä#·ºÃ„Ö`I) - Unknown owner - C:\WINNT\netvw32.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    All of the R1s, R0, and R3s will be back as soon as I run a new HJT scan, without even opening IE or connecting the machine to the network.
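As an added example (not part of the thread, and not a HijackThis feature), a small Python triage over the HJT log format shown above: it flags R0/R1 values that resolve into a local res:// DLL, a BHO with a placeholder name, a service listed with no publisher, and Run entries launching from the Windows directory, and counts how many hijacked values point at the same DLL. The sample lines are constructed from the posted log; the "autostart from Windows dir" item is a review prompt, not a verdict.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\sceqf.dll/sp.html#94115
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\sceqf.dll/sp.html#94115
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {DE0AF230-FA5B-FBEB-0A68-99EDB4CBB61D} - C:\WINNT\system32\javacu.dll
O4 - HKLM\..\Run: [netut32.exe] C:\WINNT\system32\netut32.exe
O23 - Service: Network Security Service (svc) - Unknown owner - C:\WINNT\netvw32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.+)$")
RES_RE = re.compile(r"=\s*res://(?P<dll>[^/]+)/", re.IGNORECASE)  # IE page set to a local DLL resource
WINDIR_RE = re.compile(r"^[a-z]:\\win(nt|dows)\\(system32\\)?[^\\]+$")  # file directly in %WINDIR% or system32
GENERIC_BHO_NAMES = {"class", "(no name)"}  # placeholder names HJT prints when a BHO has no proper name

def triage(log_text):
    """Return (findings, hijack_dlls): suspicious (kind, reason, path) tuples and DLL -> hijacked-value count."""
    findings, hijack_dlls = [], {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        kind, body = m.group("kind"), m.group("body")
        if kind.startswith("R"):  # R0/R1/R3: IE start page, search page, URLSearchHook
            r = RES_RE.search(body)
            if r:
                dll = r.group("dll").lower()
                hijack_dlls[dll] = hijack_dlls.get(dll, 0) + 1
                findings.append((kind, "search/start page redirected into local DLL", dll))
            elif "is missing" in body:
                findings.append((kind, "default hook missing (often removed by the hijacker)", ""))
        elif kind == "O2":  # "BHO: <name> - {CLSID} - <path>"
            name, _clsid, path = (p.strip() for p in body.split(" - ", 2))
            if name.split(": ", 1)[-1].lower() in GENERIC_BHO_NAMES:
                findings.append((kind, "BHO with placeholder name", path.lower()))
        elif kind == "O4":  # "<hive>\..\Run: [<value>] <command>"
            path = body.split("] ", 1)[-1].strip().strip('"').lower()
            if WINDIR_RE.match(path):
                findings.append((kind, "autostart from Windows dir: verify the file", path))
        elif kind == "O23":  # "Service: <name> (<short>) - <publisher> - <path>"
            *_, owner, path = (p.strip() for p in body.rsplit(" - ", 2))
            if owner.lower() == "unknown owner":
                findings.append((kind, "service with no publisher", path.lower()))
    return findings, hijack_dlls

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```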
     
  2. 2005/10/27
    Newt

    Looks like a cool web search thingy. CWShredder & About Buster are usually needed in addition to the other goodies you've used. Even then, this thing morphs so quickly that it almost needs someone who is on the anti-virus forums daily to be sure what is needed. Dave (noahdfear) is about the only one we have these days who stays really up to date.

    Not sure it will help but a run with RootKitRevealer from www.sysinternals.com might point out some rogue entries that are doing a good job of hiding themselves from your cleaning efforts.
     
    Newt,
    #2
