Re: [PCWorks] How do I get this out of my system tray?

  • From: "Clint Hamilton-PCWorks Admin" <PCWorks@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "PCWorks@xxxxxxxxxxxxx" <pcworks@xxxxxxxxxxxxx>
  • Date: Tue, 19 Aug 2008 08:11:11 -0500

Ok, so I've gone over the rest of the log.  After you've fixed
your Trojan problem, you can look into these.  Regarding the
following areas listed in the log:

CDANTSRV.EXE:
That does not need to be running.  Any associated Service for
it can be set to disabled, and unchecked in Msconfig.

nvsvc32.exe:
That might not need to be running.  Any associated Service for
it can be set to disabled, and unchecked in Msconfig.  The
video card will still function the same, so you can try to
unload/disable it.

sqlwriter.exe:
That might not need to be running.  Any associated Service for
it can be set to disabled (or maybe set to Manual if you need
to use it), and unchecked in Msconfig, IF it's not used for
some kind of backup program for your HD, like HD imaging, etc.

OtService.exe:
That should not need to be running all the time.  Any
associated Service for it can be set to Manual, and unchecked
in Msconfig.  You should only need that running when you scan
something.  So if you scan, you'll probably have to manually
start the Service.  If you rarely scan, that would be a good
thing to do.

StatusClient.exe:
This has been known to suck up a lot of CPU resources and
memory.  It's from HP; experiment to see if it must be running
for the HP device to work.  My guess is it does not, and it's
only for something like ink or toner status maybe (if it's a
printer).  If so, then you can execute it when you want to
check ink/toner levels.

ctfmon.exe:
This can probably be shut down.
http://support.microsoft.com/kb/282599
http://www.howtogeek.com/howto/windows-vista/what-is-ctfmonexe-and-why-is-it-running/

wweb32.exe:
That might not need to be running.  Any associated Service for
it can be set to disabled (or maybe set to Manual if you need
to use it), and unchecked in Msconfig.  This is for a
thesaurus/dictionary, so it may or may not need to be running
for the thesaurus/dictionary to work.

All the rest you can click to add to the ignore list.

You need to look these up; these were the only ones I was not
familiar with:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - Default URLSearchHook is missing

I've seen R3, but can't remember what to do about it (if
anything).
-Clint


----- Original Message ----- 
From: "Clint Hamilton-PCWorks Admin"


Here's another part of the Trojan:

O2 - BHO: (no name) - {300CF5C9-F02D-4CB8-ABED-9C229DA56825} - C:\Program Files\Applications\iebt.dll

O3 - Toolbar: Internet Service - {254B87BB-510D-41FA-A887-52C5FA9BE585} - C:\Program Files\Applications\iebr.dll

O22 - SharedTaskScheduler: causes - {0fe36c74-667b-454b-828e-75e4e72cbef8} - C:\WINDOWS\system32\euwoeu.dll

O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe

I don't see how you missed that last one; according to that it
should be listed in the StartUp tab in MSCONFIG.

After you've done the research I mentioned below on how to
remove the Trojan, then let HJT remove those.
-Clint


----- Original Message ----- 
From: "Clint Hamilton-PCWorks Admin"

SB is free; that's their only version.  So can you get updates
for Sygate?

This is probably your problem: iebtm.exe & iebtmm.exe; these
are backdoor Trojans.
http://www.fileresearchcenter.com/I/IEBTM.EXE-13001.html
http://www.bleepingcomputer.com/startups/iebtm.exe-23379.html
http://www.greatis.com/appdata/d/i/iebtmm.exe.htm
Do a search on them for more info and how to remove it.
Obviously AVG missed it and I would use another AV program.

I wanted to post that now ASAP, I'll go over the rest next.
-Clint

God Bless
Clint Hamilton, Owner
http://www.OrpheusComputing.com
http://www.ComputersCustomBuilt.com


----- Original Message ----- 
From: "LarryB"

I may be going off the air as I am getting many warnings.
I will have to bring my computer from home to continue all I
can.

I am using the free version of SB and Sygate.

I am also using FF and did what you said in blocking through
Adblock in FF.

I have tried to run a virus scan but it takes hours. (using
AVG)

I'll download spyware blaster now also and run it.



I have run HijackThis and here is the printout.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:40 AM, on 8/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\Program Files\Applications\iebtm.exe
C:\Program Files\Applications\iebtmm.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {300CF5C9-F02D-4CB8-ABED-9C229DA56825} - C:\Program Files\Applications\iebt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: PrintMe - {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} - C:\Program Files\EFI\PrintMeToolbar\htpmcap.dll
O2 - BHO: SpyWarningBHO Class - {F58FF278-2198-403b-9170-C95022A194C6} - C:\Program Files\ASpyC\SpyWarning.dll (file missing)
O3 - Toolbar: PrintMe - {97387E2B-B2FA-4E4A-A607-F3B5C134F71C} - C:\Program Files\EFI\PrintMeToolbar\htpmcap.dll
O3 - Toolbar: Internet Service - {254B87BB-510D-41FA-A887-52C5FA9BE585} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerfiles.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerfiles.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {4798E9EE-4524-4149-A852-2021309A579D} (WebCamX Control) - http://74.239.177.61/WebCamX.cab
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O16 - DPF: {4BF2E7B7-69F4-4178-B669-257C7C8A4072} (WebCamX Control) - http://74.239.177.61/WebCamX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121684550851
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201700846590
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.broderbund.com/IFW/Cabs/isetup.cab
O16 - DPF: {9107A82A-248A-49E5-A7D2-4E12EAAD4DC2} (WebCamX Control) - http://69.15.111.218/WebCamX.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95A161E7-F130-4BB6-A4A1-4241FD68B9ED} (WebCamX Control) - http://74.239.177.61/WebCamX.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.277069091796875&file=stamps.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: causes - {0fe36c74-667b-454b-828e-75e4e72cbef8} - C:\WINDOWS\system32\euwoeu.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Logitech, Inc. - (no file)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

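The thread above works the HijackThis log by hand: Clint spots the unnamed BHO, then finds the toolbar, the SharedTaskScheduler entry and the Policies\Explorer\Run item that belong to the same infection. The script below is an added example, not part of the thread, of HijackThis or of any product named in it; it automates that triage over a handful of lines copied from the posted log (rejoined onto single lines). The flag names, the choice of which sections to treat as always-review, and the directory-correlation step are this example's own assumptions, not HijackThis conventions.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for the PCWorks thread; it is not HijackThis code and not
anyone's posted script. SAMPLE_LOG holds lines copied from the log in the
thread. Flag names and heuristics are this example's own choices.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {300CF5C9-F02D-4CB8-ABED-9C229DA56825} - C:\Program Files\Applications\iebt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Internet Service - {254B87BB-510D-41FA-A887-52C5FA9BE585} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O16 - DPF: {4798E9EE-4524-4149-A852-2021309A579D} (WebCamX Control) - http://74.239.177.61/WebCamX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O22 - SharedTaskScheduler: causes - {0fe36c74-667b-454b-828e-75e4e72cbef8} - C:\WINDOWS\system32\euwoeu.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in a loadable extension; non-greedy so a path
# such as "C:\...\Spybot - Search & Destroy\SDHelper.dll" survives the " - " separators.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab|sys)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
RAW_IPV4_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


@dataclass
class Entry:
    section: str
    body: str
    path: str | None = None          # local file the entry loads, if any
    url: str | None = None           # remote object (O16 DPF), if any
    flags: list[str] = field(default_factory=list)

    @property
    def directory(self) -> str | None:
        return str(PureWindowsPath(self.path).parent).lower() if self.path else None


def parse(log: str) -> list[Entry]:
    entries: list[Entry] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # header, process list and blank lines
        e = Entry(m["section"], m["body"])
        if (p := PATH_RE.search(e.body)):
            e.path = p.group(0)
        if (u := URL_RE.search(e.body)):
            e.url = u.group(0)
        entries.append(e)
    return entries


def flag_entries(entries: list[Entry]) -> None:
    """Per-line checks that need no knowledge of the other entries."""
    for e in entries:
        if e.section == "O4" and "policies\\explorer\\run" in e.body.lower():
            # Policy autostart key; legitimate installers almost never use it.
            e.flags.append("policy-run-key")
        if e.section in ("O2", "O3") and "(no name)" in e.body:
            e.flags.append("unnamed-browser-extension")
        if e.section == "O22":
            # Very few legitimate SharedTaskScheduler components exist.
            e.flags.append("sharedtaskscheduler")
        if e.section == "O16" and e.url and RAW_IPV4_URL_RE.match(e.url):
            e.flags.append("dpf-from-raw-ip")


def correlate_directories(entries: list[Entry]) -> None:
    """Second pass: files living beside a flagged file are suspect too.

    Windows system directories are skipped, since everything lives in system32.
    """
    by_dir: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        if e.directory and not e.directory.endswith(("\\system32", "\\windows")):
            by_dir[e.directory].append(e)
    for d, group in by_dir.items():
        if any(e.flags for e in group):
            for e in group:
                if not e.flags:
                    e.flags.append(f"shares-directory-with-flagged:{d}")


def triage(log: str) -> dict[str, list[str]]:
    """Map each flagged entry's file (or URL) to the reasons it was flagged."""
    entries = parse(log)
    flag_entries(entries)
    correlate_directories(entries)
    return {e.path or e.url or e.body: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_LOG).items():
        print(f"{target}\n    {', '.join(reasons)}")
```

Run it and the five hits are the same ones the thread arrives at by hand: iebt.dll (unnamed BHO), iebtm.exe (Policies\Explorer\Run, a policy key rather than one of the ordinary Run keys), euwoeu.dll (SharedTaskScheduler) and the WebCamX control fetched from a raw IP, plus iebr.dll, which carries a name and would pass the per-line checks but is caught because it sits in the same directory as the unnamed BHO. The R1 and R3 lines Clint was unsure about stay silent: as far as I know, `ProxyOverride = localhost;<local>` is only the proxy bypass list for local addresses, and a missing default URLSearchHook is a common benign HijackThis finding rather than evidence of infection.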
