Any Hijack This! experts out there

John V

Hello,
I had W32/Randex on my system and (as far as I know) got
rid of it. All AVG scans come up clean. My system is still
acting REAL flaky (freezing, won't search from the IE
address line, won't shut down properly, won't disconnect
modem connections, etc). Could anyone tell me if they see
anything strange on the Hijack This! log?

Thanks in advance,


Logfile of HijackThis v1.97.7
Scan saved at 4:48:45 PM, on 2/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\syscfgx32.exe
C:\WINDOWS\system32\mscv.exe
C:\Program Files\Turbo\arteraui.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\dmsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dmsvc32.exe
C:\Program Files\Turbo\artera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webcoast2coast.net/community
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081;https=localhost:8081
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Com Port Manager] svch0st.exe
O4 - HKLM\..\Run: [syscfgx32] syscfgx32.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] winlogin.exe
O4 - HKLM\..\Run: [Microsoft Mouse Driver Ver 3.0] pointer32.exe
O4 - HKLM\..\Run: [Device Driver Patch] Krnl686.exe
O4 - HKLM\..\Run: [Microsoft Task Messenger Config] mscv.exe
O4 - HKLM\..\Run: [Artera] C:\Program Files\Turbo\arteraui.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows driver update] C:\WINDOWS\system32\dmsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Com Port Manager] svch0st.exe
O4 - HKLM\..\RunServices: [syscfgx32] syscfgx32.exe
O4 - HKLM\..\RunServices: [Microsoft Internet Explorer] winlogin.exe
O4 - HKLM\..\RunServices: [Microsoft Mouse Driver Ver 3.0] pointer32.exe
O4 - HKLM\..\RunServices: [Device Driver Patch] Krnl686.exe
O4 - HKLM\..\RunServices: [Microsoft Task Messenger Config] mscv.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Windows driver update] C:\WINDOWS\system32\dmsvc32.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37960.8734143519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F9FE97-0724-41E5-8B3C-55B104731A58}: NameServer = 216.126.128.40 216.126.136.250
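An added example, not code from the thread or from HijackThis: a small offline triage pass over the O4 and R1 lines of a log like the one above, flagging what an analyst spots by eye (digit-for-letter lookalikes such as svch0st.exe, "Microsoft ..." display names on bare filenames, the same binary under both Run and RunServices, and a ProxyServer looped through localhost). The allow-list of genuine Windows binaries and the rules themselves are this example's assumptions.

```python
# Added example (not part of the original thread): heuristic triage of
# HijackThis O4/R1 lines. The rules here are the example's own, not
# HijackThis logic, and they support an analyst rather than replace a scanner.
import re
from collections import defaultdict

# Assumption: a short allow-list of genuine Windows 2000 binaries that are
# legitimately started from Run keys or appear in this log.
SYSTEM_EXES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
    "systray.exe", "mobsync.exe", "mstask.exe", "regsvc.exe",
}

O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
R1_RE = re.compile(r"^R1 - .*,ProxyServer = (.*)$")
VENDOR_NAME_RE = re.compile(r"(?i)^(microsoft|windows)\b")


def levenshtein(a, b):
    """Plain edit distance; enough for comparing short filename stems."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_name(cmd):
    """Lower-cased basename of the program in a Run value (quoted or bare path)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        head = cmd[1:end] if end > 0 else cmd[1:]
    else:
        head = cmd.split(" ", 1)[0]
    return head.rsplit("\\", 1)[-1].lower()


def lookalike_of(exe):
    """Return the genuine binary `exe` imitates (stem one edit away), else None."""
    if exe in SYSTEM_EXES:
        return None
    stem = exe[:-4] if exe.endswith(".exe") else exe
    for good in sorted(SYSTEM_EXES):
        if levenshtein(stem, good[:-4]) == 1:
            return good
    return None


def triage(log_text):
    """Return a de-duplicated list of (rule, subject, detail) findings."""
    findings, keys_by_exe = [], defaultdict(set)

    def add(rule, subject, detail):
        if all((r, s) != (rule, subject) for r, s, _ in findings):
            findings.append((rule, subject, detail))

    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            _hive, key, name, cmd = m.groups()
            exe = exe_name(cmd)
            keys_by_exe[exe].add(key)
            good = lookalike_of(exe)
            if good:
                add("lookalike", exe, f"one character away from {good}")
            # Path-qualified entries pass this rule: dmsvc32.exe in the log
            # above is not caught here, which is the limit of name heuristics.
            if VENDOR_NAME_RE.match(name) and exe not in SYSTEM_EXES and "\\" not in cmd:
                add("masquerade", exe, f'display name "{name}" on a bare filename')
            continue
        m = R1_RE.match(line.strip())
        if m and re.search(r"(?i)localhost|127\.0\.0\.1", m.group(1)):
            add("proxy", "ProxyServer", m.group(1))

    for exe, keys in keys_by_exe.items():
        if {"Run", "RunServices"} <= keys:
            add("dual-persist", exe, "registered under both Run and RunServices")
    return findings


# Constructed sample: a subset of the O4/R1 lines from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081;https=localhost:8081
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Com Port Manager] svch0st.exe
O4 - HKLM\..\Run: [syscfgx32] syscfgx32.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] winlogin.exe
O4 - HKLM\..\Run: [Microsoft Mouse Driver Ver 3.0] pointer32.exe
O4 - HKLM\..\Run: [Device Driver Patch] Krnl686.exe
O4 - HKLM\..\Run: [Microsoft Task Messenger Config] mscv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows driver update] C:\WINDOWS\system32\dmsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Com Port Manager] svch0st.exe
O4 - HKLM\..\RunServices: [syscfgx32] syscfgx32.exe
O4 - HKLM\..\RunServices: [Microsoft Internet Explorer] winlogin.exe
O4 - HKLM\..\RunServices: [Microsoft Mouse Driver Ver 3.0] pointer32.exe
O4 - HKLM\..\RunServices: [Device Driver Patch] Krnl686.exe
O4 - HKLM\..\RunServices: [Microsoft Task Messenger Config] mscv.exe
O4 - HKCU\..\Run: [Windows driver update] C:\WINDOWS\system32\dmsvc32.exe
"""

if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:12} {subject:14} {detail}")
```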
 
Gerry Voras

Have you made sure that your sigs are up to date? Also, have you run
something like Spybot Search and Destroy or AdAware?

Steve N.

Not an expert, just observant...

Possible suspects I see:

C:\Program Files\Turbo\artera.exe
C:\Program Files\Turbo\arteraui.exe

I've read that some TurboTax versions have some adware crap going on.
Not sure if that's TurboTax but worth a look.


C:\Program Files\Common Files\Real\Update_OB\realsched.exe

RealPlayer has always been a problem in my experience. If you have
WinAmp or the MS MPlayer there is no need for this.


C:\WINDOWS\System32\WBEM\WinMgmt.exe

While WinMgmt.exe is indeed a bona fide MS process I'm not sure it
belongs there, may be a rogue copy. Plus you got two of them going.
There are trojans out there that replace this.

Also check contents of C:\WINNT\System32\Drivers\Etc\Hosts file. If it
ain't:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
Then it may have been hacked.

Steve
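An added example of the hosts-file check Steve describes, not code from the thread: it parses a Windows hosts file offline and reports every mapping other than the stock `127.0.0.1 localhost` line, separating hostnames pointed at loopback (the way a worm cuts off antivirus and update sites) from hostnames redirected elsewhere. The sample file and its hostnames are constructed.

```python
# Added example (not part of the original thread): offline audit of a
# Windows hosts file. Parsing follows the rules in the file's own comment
# block: one entry per line, IP first, then one or more names, '#' starts
# a comment. The stock file has exactly one mapping, 127.0.0.1 localhost.

LOOPBACK = {"127.0.0.1"}
SINKHOLE = LOOPBACK | {"0.0.0.0"}   # addresses that silently swallow traffic


def parse_hosts(text):
    """Return [(ip, [hostname, ...]), ...] for the effective entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing or full-line comments
        fields = line.split()                  # tolerate tabs and runs of spaces
        if len(fields) >= 2:
            entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def audit_hosts(text):
    """Return [(verdict, hostname, ip), ...]; an empty list means the file is stock."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name == "localhost" and ip in LOOPBACK:
                continue                        # the one mapping the stock file has
            verdict = "blackholed" if ip in SINKHOLE else "redirected"
            findings.append((verdict, name, ip))
    return findings


# Constructed sample of a tampered file: the stock comment block plus two
# injected lines. The hostnames are illustrative, not from any real case.
TAMPERED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       update.av-vendor.example   # signature downloads now fail
10.0.0.1        www.shop.example           # silent redirect to another host
"""

STOCK_HOSTS = "# comment only\n\n127.0.0.1\tlocalhost\n"

if __name__ == "__main__":
    for verdict, name, ip in audit_hosts(TAMPERED_HOSTS):
        print(f"{verdict:10} {name} -> {ip}")
```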

John V

Thanks for the input. The Artera is actually my webturbo
system and I know it's clean (I own it:)). I found
another bunch of spybots, remnants of virus files, etc
running RAV antivirus online. After cleaning those up,
problems "appear" to be resolved. I ran spybot s&d and
ad-aware originally but they didn't catch the files that
flagged on RAV.

Thanks for the input

Steve Nielsen

Good. Glad you made progress. What files did RAV find that AVG missed? I
wonder if it would have found infected files if run in Safe Mode. In
some cases with some viruses and worms I've had to run a/v in safe mode
to nail the sleuthy little pests. I've also read things that indicate a
lot more worms and viruses are able to hide from popular a/v products,
if not outright disable them. Booting in Safe Mode seems to get around
that sort of thing.

Steve

Guest

Thanks Steve,
I had the following list that wasn't found in AVG (even in
safe mode):
GT.exe Backdoor:IRC/sdBot
syscfgx32.exe Win32/NetWorm
moo.dat Win32/NetWorm
payload.dat Win32/NetWorm
windl32.dat Backdoor:IRC/sdBot
dmsvc32.exe Win32/NetWorm
intdll32.exe Backdoor:IRC/sdBot
intdll.exe Backdoor:IRC/sdBot
mscv.exe Win32/NetWorm

Once these files were removed along with any registry
entries that reference them my problems seem to have gone
away. RAV online free edition puts things in pretty
generic terms and doesn't give the actual virus names for
what it finds (the sales hook!). Bottom line, AVG and Norton
didn't find these and they didn't get flagged by spybot
s&d or ad-aware.

Thanks again.....

cheers
O4 - HKLM\..\RunServices: [Device Driver Patch]
Krnl686.exe

O4 - HKLM\..\RunServices: [Microsoft Task Messenger
Config] mscv.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Windows driver update]
C:\WINDOWS\system32\dmsvc32.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
(Shockwave ActiveX Control) -

http://download.macromedia.com/pub/shockwave/cabs/director/
sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71}
(RdxIE

Class) - http://software-
dl.real.com/1504d58377b8cfaaa619/netzip/RdxIE601.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57}
(MrSIDI

Control) -
http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F}
(Update

Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl
.CAB?37960.8734143519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swf
lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F9FE97-0724-
41E5-8B3C-55B104731A58}: NameServer = 216.126.128.40
216.126.136.250
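A worked example, added here and not part of the thread or of HijackThis itself: a small Python script that applies the checks Steve suggests above to the posted log and to a hosts file. It flags O4 autostart entries whose filename imitates a core Windows binary (svch0st.exe for svchost.exe, winlogin.exe for winlogon.exe), entries that are a bare filename with no path, entries under the RunServices key (a Win9x/ME key that Windows 2000 does not process), vendor-sounding labels on unrecognised binaries, and a ProxyServer value that points back at localhost; it also lists any active hosts-file line beyond the stock 127.0.0.1 localhost mapping. The log lines are a subset of the ones posted in this thread; the hosts file and its update.example-antivirus.test entry are constructed for the example, and the look-alike threshold and the list of genuine names are my own choices, not anything from HijackThis.

```python
import re
from difflib import SequenceMatcher

# Constructed input: a subset of the R1/O4 lines from the HijackThis log
# posted in this thread, embedded so the script runs offline.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081;https=localhost:8081
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Com Port Manager] svch0st.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] winlogin.exe
O4 - HKLM\..\Run: [Device Driver Patch] Krnl686.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Task Messenger Config] mscv.exe
O4 - HKCU\..\Run: [Windows driver update] C:\WINDOWS\system32\dmsvc32.exe
"""

# Constructed hosts file: trimmed stock header, the default localhost line, and
# one added entry of the kind a hijacker drops to black-hole a vendor's update
# site (placeholder hostname, not something from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       update.example-antivirus.test
"""

# Core Windows binaries that worm and bot droppers name themselves after.
GENUINE_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
                 "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
                 "rundll32.exe"}
# Digit-for-letter swaps used in look-alike names (svch0st, 1sass, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Autostart labels that borrow a vendor name to pass as part of the OS.
VENDOR_LABEL_RE = re.compile(r"^(Microsoft|Windows|Device Driver)\b")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (.*)$")


def lookalike_of(filename):
    """Return the genuine Windows binary that filename imitates, or None."""
    name = filename.lower()
    if name in GENUINE_NAMES:
        return None
    folded = name.translate(HOMOGLYPHS)
    for genuine in GENUINE_NAMES:
        if folded == genuine or SequenceMatcher(None, name, genuine).ratio() >= 0.85:
            return genuine
    return None


def triage_hjt(log_text):
    """Return [(line, [reasons])] for the HijackThis lines worth a second look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        reasons = []
        m = O4_RE.match(line)
        if m:
            _, key, label, command = m.groups()
            if command.startswith('"'):            # quoted path with spaces
                exe = command[1:command.index('"', 1)]
            else:
                exe = command.split()[0]           # drop arguments
            basename = exe.rsplit("\\", 1)[-1]
            known = basename.lower() in GENUINE_NAMES
            genuine = lookalike_of(basename)
            if genuine:
                reasons.append(f"{basename} imitates {genuine}")
            if "\\" not in exe and not known:
                reasons.append("bare filename, no path: find it on disk first")
            if key == "RunServices":
                reasons.append("RunServices is a Win9x/ME key that Windows 2000 "
                               "ignores; NT installers rarely write it")
            if VENDOR_LABEL_RE.match(label) and not known:
                reasons.append(f"vendor-style label {label!r} on an unrecognised binary")
        m = R1_PROXY_RE.match(line)
        if m and ("localhost" in m.group(1) or "127.0.0.1" in m.group(1)):
            reasons.append("IE traffic goes through a proxy on this machine; "
                           "find the listener on that port (netstat -an)")
        if reasons:
            findings.append((line, reasons))
    return findings


def nondefault_hosts_entries(hosts_text):
    """Active hosts lines other than the stock '127.0.0.1 localhost' mapping."""
    extra = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, normalise spacing
        if fields and fields != ["127.0.0.1", "localhost"]:
            extra.append(" ".join(fields))
    return extra


if __name__ == "__main__":
    for line, reasons in triage_hjt(SAMPLE_HJT_LOG):
        print(line, *("\n   - " + r for r in reasons))
    print("hosts entries beyond the default:", nondefault_hosts_entries(SAMPLE_HOSTS))
```

Run against the full posted log, the script singles out exactly the entries John V later found with RAV (svch0st.exe, winlogin.exe, pointer32.exe, Krnl686.exe, mscv.exe, syscfgx32.exe, dmsvc32.exe) plus the localhost proxy, while leaving the NVIDIA, AVG, RealPlayer and FaxTalk entries alone; a heuristic like this only tells you where to look, so confirm each hit by locating the file on disk and checking what it is before deleting anything.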




Steve Nielsen

If you had both NAV and AVG current versions and up to date definitions,
this is not good news.

Steve

Thanks Steve,
I had the following list that wasn't found in AVG (even in
safe mode):
GT.exe Backdoor:IRC/sdBot
syscfgx32.exe Win32/NetWorm
moo.dat Win32/NetWorm
payload.dat Win32/NetWorm
windl32.dat Backdoor:IRC/sdBot
dmsvc32.exe Win32/NetWorm
intdll32.exe Backdoor:IRC/sdBot
intdll.exe Backdoor:IRC/sdBot
mscv.exe Win32/NetWorm

Once these files were removed along with any registry
entries that reference them my problems seem to have gone
away. RAV online free edition puts things in pretty
generic terms and doesn't give the actual virus names for
what it finds (the sales hook!). Bottom line: AVG and Norton
didn't find these and they didn't get flagged by spybot
s&d or ad-aware.

Thanks again.....

cheers
-----Original Message-----
Good. Glad you made progress. What files did RAV find that AVG missed? I
wonder if it would have found infected files if run in Safe Mode. In
some cases with some viruses and worms I've had to run a/v in safe mode
to nail the sleuthy little pests. I've also read things that indicate a
lot more worms and viruses are able to hide from popular a/v products,
if not outright disable them. Booting in Safe Mode seems to get around
that sort of thing.

Steve

John V wrote:

Thanks for the input. The Artera is actually my webturbo
system and I know it's clean (I own it:)). I found
another bunch of spybots, remnants of virus files, etc.
running RAV antivirus online. After cleaning those up,
problems "appear" to be resolved. I ran spybot s&d and
ad-aware originally but they didn't catch the files that
flagged on RAV.

Thanks for the input


-----Original Message-----
Not an expert, just observant...

Possible suspects I see:

C:\Program Files\Turbo\artera.exe
C:\Program Files\Turbo\arteraui.exe

I've read that some TurboTax versions have some adware crap going on.
Not sure if that's TurboTax but worth a look.

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

RealPlayer has always been a problem in my experience. If you have
WinAmp or the MS MPlayer there is no need for this.

C:\WINDOWS\System32\WBEM\WinMgmt.exe

While WinMgmt.exe is indeed a bona fide MS process I'm not sure it
belongs there, may be a rogue copy. Plus you got two of them going.
There are trojans out there that replace this.

Also check contents of C:\WINNT\System32\Drivers\Etc\Hosts file. If it
ain't:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost

Then it may have been hacked.

Steve



ken masterson

Not an expert, just observant...

Possible suspects I see:

C:\Program Files\Turbo\artera.exe
C:\Program Files\Turbo\arteraui.exe

I've read that some TurboTax versions have some adware crap going on.
Not sure if that's TurboTax but worth a look.
TurboTax 2002 came with a copyright protection program called C-dilla. I
believe there's info about it, and how to remove it, on Cnet. Intuit has
stated that there's nothing like this in the 2003 version, but I switched
to TaxBrain just in case.
 
