MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: CBIT solutions Trust Certificate + popups
November 14, 2019, 07:01:13 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
November 14, 2019, 07:01:13 AM

Login with username, password and session length
 Featured Sites:
News
New  New Poll on our main page!
"My experience with Vista..."
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: CBIT solutions Trust Certificate + popups  (Read 3910 times)
jloudon
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« on: February 10, 2005, 11:03:10 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:Windows 2000 SP4 + latest critical patches
Problem Application Name & Version:CBIT solutions Trust certificate + popups together
Problem Hardware Make & Model:Compaq Proliant ML370 server
Error Messages: CBIT solutions Trust cerificate pops up and then various webpage search results and an offering to download Xringtones.exe



Hi,

I onder if anyone can help. We are having problems with 2 of our servers. They both keep getting horrible popups asking to Trust material from CBIT solutions and then various web search results pages appear followed by a mobile phone ringtone webpage asking to download Xringtone.exe. This happens about 3 times repeatedly. I have run the MS Antispyware program and it detects Real VNC (which we use) and also SearchMiracle.EliteBar. I have deleted this threat using the s/w but it just returns. I have now downloaded and run HiJackThis and followed some similar threads on what to do with the results, but the dreaded stuff still exists. Clearly I have missed something. Can someone please check my log and advise what i have mised or need to do differently? Below is the log:-

Logfile of HijackThis v1.99.0
Scan saved at 10:46:15, on 10/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\Program Files\NavNT\defwatch.exe
c:\program files\fourth shift\managed\fourthshift.remotingservice.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\locksrvr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\WINNT\svchst.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\backupexec.FRUTAROMUK\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.frutarom.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://nnn.nnn.nnn.nnn/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nnn.nnn.nnn.nnn
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Norton Personal Firewall] npfw32.exe
O4 - HKLM\..\Run: [SheduIer] C:\WINNT\svchst.exe /i
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteapw32.exe
O4 - HKLM\..\RunServices: [Norton Personal Firewall] npfw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://fourthshift.webex.com/client/v_mywebex/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.frutarom.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE8CA41-6A98-4AFE-B08E-DE89BA26FC98}: NameServer = nnn.nnn.nnn.nnn,nnn.nnn.nnn.nnn.nnn
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.frutarom.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.frutarom.com
O23 - Service: Backup Exec Remote Agent for Windows Servers - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Compaq NIC Agents - Compaq Computer Corp. - C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Remote Monitor Service - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Version Control Agent - Hewlett-Packard Company - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Compaq Web Agent - HP Corporation - C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ExecView Communication Module (ECM) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: FINFP (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
O23 - Service: FINMR (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
O23 - Service: Fourth Shift Remoting Service - SoftBrands Manufacturing, Inc. - c:\program files\fourth shift\managed\fourthshift.remotingservice.exe
O23 - Service: Fourth Shift Lockserver - SoftBrands Manufacturing, Inc. - C:\WINNT\locksrvr.exe
O23 - Service: MAINFP (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
O23 - Service: MAINMR (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

Many thnks,

John Loudon
« Last Edit: February 11, 2005, 11:50:11 AM by jloudon » Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #1 on: February 11, 2005, 04:59:26 AM »

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

locksrvr.exe << DO YOU KNOW WHAT THIS IS? I COULD NOT FIND ANY INFO ON IT AT ALL
svchst.exe
eliteapw32.exe


Close all other open Windows and have HiJackThis Fix:




O4 - HKLM\..\Run: [SheduIer] C:\WINNT\svchst.exe /i

O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteapw32.exe




Go to Control Panel / Add/Remove Programs and remove the
 following if they are there:


EliteBar


Now delete these Folders or Files that are Highlighted: (You may need enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINNT\locksrvr.exe <<ONLY IF YOU DON"T KNOW WHAT IT IS
C:\WINNT\svchst.exe
C:\winnt\system32\eliteapw32.exe


Now, empty all your TEMP Folders / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.



Before opening your browser goto START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct,if not ,type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
jloudon
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #2 on: February 11, 2005, 08:56:47 AM »

Hi Cactus,

Thanks for the reply. Yes, I know what Locksvr.exe is. It is part of our MRP system which runs on this SQL server. I have followed your instructions and posted a fresh HijackThis logfile below.

Thanks,

John

Logfile of HijackThis v1.99.0
Scan saved at 08:52:51, on 11/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\Program Files\NavNT\defwatch.exe
c:\program files\fourth shift\managed\fourthshift.remotingservice.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\locksrvr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\backupexec.FRUTAROMUK\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frutarom.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.frutarom.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://nnn.nnn.nnn.nnn/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nnn.nnn.nnn.nnn
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Norton Personal Firewall] npfw32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteapw32.exe
O4 - HKLM\..\RunServices: [Norton Personal Firewall] npfw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://fourthshift.webex.com/client/v_mywebex/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.frutarom.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE8CA41-6A98-4AFE-B08E-DE89BA26FC98}: NameServer = nnn.nnn.nnn.nnn
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.frutarom.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.frutarom.com
O23 - Service: Backup Exec Remote Agent for Windows Servers - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Compaq NIC Agents - Compaq Computer Corp. - C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Remote Monitor Service - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Version Control Agent - Hewlett-Packard Company - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Compaq Web Agent - HP Corporation - C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ExecView Communication Module (ECM) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: FINFP (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
O23 - Service: FINMR (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
O23 - Service: Fourth Shift Remoting Service - SoftBrands Manufacturing, Inc. - c:\program files\fourth shift\managed\fourthshift.remotingservice.exe
O23 - Service: Fourth Shift Lockserver - SoftBrands Manufacturing, Inc. - C:\WINNT\locksrvr.exe
O23 - Service: MAINFP (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
O23 - Service: MAINMR (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

« Last Edit: February 11, 2005, 11:52:42 AM by jloudon » Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #3 on: February 11, 2005, 03:40:57 PM »


Download the program Killbox. Unzip it to it's own folder.
Run the program.
In the bottom right hand corner you will see a drop-down box labelled (System Process.)
Drop that down, and select the active process that is likely to be your main infection reloader.
In your case, that will be: eliteapw32.exe
Once you have selected that file name, click the yellow triangle with the ! inside it to end that process.

Next, at the top of the window, use the folder icon to browse to: C:\windows\system32\eliteapw32.exe
Press the red X button to delete that file.


Do this in regular mode first. If it does not work, try it in Safe Mode, except that the exe will probably not be running as a system process in safe mode, so all you will need to do is delete them.


Now re-run HJT and have it FIX this line:

O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteapw32.exe

Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.


Before opening your browser goto START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct,if not ,type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
jloudon
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #4 on: February 11, 2005, 04:08:28 PM »

Hi cactus,

Thanks for the info. I have done as suggested and posted another log file. Does all seem OK now?

Thanks for your help,

John Loudon

Logfile of HijackThis v1.99.0
Scan saved at 16:04:19, on 11/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\Program Files\NavNT\defwatch.exe
c:\program files\fourth shift\managed\fourthshift.remotingservice.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\locksrvr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\backupexec.FRUTAROMUK\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frutarom.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.frutarom.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://nnn.nnn.nnn.nnn/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nnn.nnn.nnn
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Norton Personal Firewall] npfw32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteapw32.exe
O4 - HKLM\..\RunServices: [Norton Personal Firewall] npfw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://fourthshift.webex.com/client/v_mywebex/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.frutarom.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE8CA41-6A98-4AFE-B08E-DE89BA26FC98}: NameServer = nnn.nnn.nnn.nnn
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.frutarom.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.frutarom.com
O23 - Service: Backup Exec Remote Agent for Windows Servers - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Compaq NIC Agents - Compaq Computer Corp. - C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Remote Monitor Service - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Version Control Agent - Hewlett-Packard Company - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Compaq Web Agent - HP Corporation - C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents - Compaq Computer Corp. - C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ExecView Communication Module (ECM) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: FINFP (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
O23 - Service: FINMR (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlFin730.exe
O23 - Service: Fourth Shift Remoting Service - SoftBrands Manufacturing, Inc. - c:\program files\fourth shift\managed\fourthshift.remotingservice.exe
O23 - Service: Fourth Shift Lockserver - SoftBrands Manufacturing, Inc. - C:\WINNT\locksrvr.exe
O23 - Service: MAINFP (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
O23 - Service: MAINMR (Fourth Shift SQL Service) - SoftBrands Manufacturing, Inc. - C:\Program Files\Fourth Shift\SqlMss\FSSqlMfg730.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

Logged

 
jloudon
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #5 on: February 11, 2005, 04:11:05 PM »

Hi Cactus,

I just noticed that the line

O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteapw32.exe

still exists in the log file. When I ran killbox.exe, it was not listed in the drop down for services and the file doesnt exist on the server either. Now I'm confused?

Regards,

John
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #6 on: February 11, 2005, 04:17:06 PM »

Can you find and DELETE that file in SAFE MODE?
C:\winnt\system32\eliteapw32.exe

Run HJT in SAFE MODE and see if you can DELETE this line:

O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteapw32.exe

Cactus


Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
jloudon
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #7 on: February 11, 2005, 04:33:05 PM »

Hi Cactus,

It appears to let me delete it and now doesnt appear in the log file. I will keep my eye on that one and see what happens. The file definitely isnt there.

Thanks for your help.

Regards,

John
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #8 on: February 11, 2005, 04:50:15 PM »

Great.. Grin .. post back if it shows up again .. Wink

cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page September 21, 2019, 05:38:31 AM