Hi all, I had the topsecurity.net spyware on my computer and tried cleaning it with ewido. After rebooting my computer the "explorer.exe" process, ie.. the windows shell, keeps restarting itself every 2-3 seconds. Unless someone here can help me try to get rid of any spyware remnants I'm afraid this laptop will have to be reinstalled from the ground up At the moment I'm surviving by killing the explorer.exe process, which stops it from respawning, and running all my applications directly from the task manager. Below is my HijackThis log. Thanks for any help. Logfile of HijackThis v1.99.1 Scan saved at 5:12:51 PM, on 24/06/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\VRCCfgService.exe C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\ESOE\ELogSrv.exe C:\Program Files\ESOE\ESrv.exe C:\WINNT\system32\hidserv.exe c:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe C:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe C:\PROGRA~1\NETMAN~1\APPS\NFS\wlpd.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINNT\system32\PROT_SRV.EXE C:\WINNT\system32\pagents.exe C:\WINNT\system32\PSTARTSR.EXE c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe C:\WINNT\system32\MSTask.exe c:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe C:\WINNT\system32\FLRSERV.EXE C:\WINNT\system32\stisvc.exe C:\WINNT\system32\svchost.exe C:\Program Files\ESOE\EDMS\ECIS.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\WINNT\AGRSMMSG.exe C:\WINNT\system32\PRPCUI.exe C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Pointsec\P95tray.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\WINNT\system32\taskmgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\ESOE\ELaunch.exe c:\Program Files\Hewlett-Packard\eWorkplace\eWLaunch.exe F:\temp\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.ericsson.se/page/hub_inside/index.jsp R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [SynTPEnh] C:\PROGRA~1\SYNAPT~1\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [SynTPLpr] C:\PROGRA~1\SYNAPT~1\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [NetManageImport] "C:\PROGRA~1\NETMAN~1\setup\nmcpdata.exe" I O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 C:\Progra~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\progra~1\NETMAN~1\common\nmconfig.dll,StoreCleanup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SmcService] C:\progra~1\sygate\ssa\smc.exe -startgui O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe O4 - Global Startup: eWorkplace Control Center.lnk = C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe O4 - Global Startup: VN User Update.lnk = C:\Documents and Settings\anzaesoe\Application Data\NetManage\Data\VN User Update.exe O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O16 - DPF: Documentum Content Transfer 5.2.5 SP - https://eridoc.ericsson.se/eridoc/wdk/contentXfer/ContentXfer.cab O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javaconnect/JavaConnect.cab O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBroadCastClient/STBroadCastClient.cab O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDirectoryApplet/STDirectoryApplet.cab O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmeetingroomclient/STMeetingRoomClient.cab O16 - DPF: {1BD86198-EEBA-42AF-B89B-4050DEB5C47A} - http://eaubrnt061.epa.ericsson.se/ecc_install/default.cab O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javaconnect/STUrlConLoader.cab O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javaconnect/STAutoAwayLoader.cab O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMeetingRoomClient/STJNILoader.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eapac.ericsson.se O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eapac.ericsson.se O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eapac.ericsson.se O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\system32\btxppanel.dll O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O20 - Winlogon Notify: cfgmngr32 - C:\WINNT\g278772623.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - E:\Program Files\Visual Studio\Common7\Packages\Debugger\dbgproxy.exe (file missing) O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: NetManage NFS Client (InterDrive) Helper (InterDrive) - NetManage, Inc. - C:\WINNT\System32\idr3hlpr.exe O23 - Service: eWorkplace Inventory (Inventory) - Hewlett-Packard Sverige AB - c:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe O23 - Service: eWorkplace Log (LogSvc) - TODO: <Company name> - C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe O23 - Service: NetManage LPD Service (LPD Server) - NetManage, Inc. - C:\PROGRA~1\NETMAN~1\APPS\NFS\wlpd.exe O23 - Service: NetManage FTP Server - NetManage, Inc. - C:\Program Files\NETMAN~1\apps\ftpd\ftpd.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe O23 - Service: eWorkplace Scheduler (Scheduler) - Hewlett-Packard Sverige AB - c:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe O23 - Service: Shared Folders Server (SFOLDER) - NetManage. - C:\WINNT\system32\FLRSERV.EXE O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\progra~1\sygate\ssa\smc.exe O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
And here is also my SmitFraud log: SmitFraudFix v2.62 Scan done at 17:21:30.35, Sat 24/06/2006 Run from F:\temp\SmitfraudFix OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\eeaklan\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\eeaklan\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater" [HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32] @="C:\WINNT\g278772623.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32] @="C:\WINNT\g278772623.dll" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End
ok... fixed. Had to remove a piece of spyware using the MoveOnBoot utility. After that... no more explorer restarts.
