Help ME!


3 replies to this topic

#1 jcu1999

jcu1999

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 18 March 2005 - 12:13 PM

Every two to three minutes IE (6.0) has been hijacked. I'm inundated with popups. Can you help me, please??? Here are the HijackThis logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:37 AM, on 3/18/05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
c:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\SQLLIB\bin\db2jds.exe
C:\Program Files\SQLLIB\bin\db2sec.exe
C:\PROGRA~1\nav\DefWatch.exe
C:\WINNT\System32\daccess.exe
C:\WINNT\system32\enstart.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\WINNT\System32\mnmsrvc.exe
C:\PROGRA~1\nav\Rtvscan.exe
C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\javaw.exe
C:\win32app\nsr\bin\nsrexecd.exe
C:\orant\BIN\TNSLSNR80.EXE
C:\orant\bin\OWASTsvr.exe
C:\win32app\nsr\bin\portmap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
C:\WINNT\system\xvwlshnpxn.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\PROGRA~1\IBM\IMNNQ\HTTPDL.exe
C:\PROGRA~1\IBM\IMNNQ\imnsvdem.exe
C:\Notes\nlnotes.exe
C:\Notes\naldaemn.EXE
C:\Documents and Settings\PCAREY.CVGS\My Documents\toad\toad.exe
C:\WINNT\system32\cidaemon.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\PCAREY~1.CVG\LOCALS~1\Temp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Convergys
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = wms;pdc;pdclive;cinntiis1;synthesys;synweb.convergys.com;*.img.convergys.com;*.p2k.cbis.com;*.oz.convergys.com;metrics;chintiis1;orlntiis1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\LDCLIENT\SOFTMON.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [TaskPlus] C:\Program Files\TaskPlus\taskplus0.exe
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=CDCAW05:5007 /S=CDCAW05 /I=HTTP://CDCAW05/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [sirvmf] c:\winnt\system32\sirvmf.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Start HTML Search Server.lnk = C:\Program Files\SQLLIB\bin\db2nq.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .xs: C:\Program Files\Internet Explorer\PLUGINS\nphclx.dll
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://cinntiis1.cin.dhcp.img.convergys.co...rver/ezinit.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0033.exe
O16 - DPF: {B80F9FCE-DFDD-4A2A-8AA9-E05C6B7D4ED3} (SWToolBar Class) - http://www.smileyworld.com/toolbar/SmileyWorld.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://helpdeskreports.cmg.convergys.com/v...tivexviewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ahdweb.webmeeting.att.com/client/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.convergys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.convergys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.dhcp.img.convergys.com,oz.convergys.com,img.convergys.com,convergys.com,cmg.convergys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.convergys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.dhcp.img.convergys.com,oz.convergys.com,img.convergys.com,convergys.com,cmg.convergys.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.dhcp.img.convergys.com,oz.convergys.com,img.convergys.com,convergys.com,cmg.convergys.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk® Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: IBM CICS Universal Client (CICSClient) - Unknown owner - C:\IBM Connectors\CICS\BIN\CCLSERV.EXE
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: DB2 JDBC Applet Server - Control Center (DB2ControlCenterServer) - Unknown owner - C:\Program Files\SQLLIB\bin\db2ccs.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\nav\DefWatch.exe
O23 - Service: DiskAccess - Unknown owner - C:\WINNT\System32\daccess.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: enstart - Unknown owner - C:\WINNT\system32\enstart.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - Unknown owner - C:\IBM Connectors\CICS\BIN\CTGSERVICE.EXE
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\nav\Rtvscan.exe
O23 - Service: NetWorker Backup and Recover Server (nsrd) - Unknown owner - C:\win32app\nsr\bin\nsrd (file missing)
O23 - Service: NetWorker Remote Exec Service (nsrexecd) - Unknown owner - C:\win32app\nsr\bin\nsrexecd (file missing)
O23 - Service: OracleAgent80 - oracle - C:\orant\agentbin\DBSNMP.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleCMAdminService80 - Unknown owner - C:\orant\BIN\CMADM80.EXE
O23 - Service: OracleCManService80 - Unknown owner - C:\orant\BIN\CMGW80.EXE
O23 - Service: OracleConTextService80 - Oracle Corporation - C:\orant\BIN\CTXSVC80.EXE
O23 - Service: OracleDataGatherer - Unknown owner - C:\orant\bin\vppdc.exe
O23 - Service: OracleExtprocAgent - Unknown owner - C:\orant\BIN\EXTPROCT.EXE
O23 - Service: OracleNamesService80 - Unknown owner - C:\orant\BIN\NAMES80.EXE
O23 - Service: OraclePGMSService - Unknown owner - C:\orant\BIN\PGMS.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleStartORCL - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleTNSListener80 - Unknown owner - C:\orant\BIN\TNSLSNR80.EXE
O23 - Service: OracleWebAssistant - Oracle Corporation - C:\orant\bin\OWASTsvr.exe
O23 - Service: pcAnywhere Install Service - Unknown owner - C:\Program Files\Symantec\pcAnywhere\pca_run.exe (file missing)
O23 - Service: Storage Management Portmapper (portmap) - Unknown owner - C:\win32app\nsr\bin\portmap (file missing)


Thanks,
Pat



#2 IMM

IMM

  • Members
  • 134 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 18 March 2005 - 03:15 PM

Your pc seems to be the 'roadster model' and managed by a company IT guy?
This makes it a bit awkward for this sort of thing as I won't always recognize some oddball software - so watch my back for me.

Get rid of spyware nuker (from Add/Remove programs if possible) - reboot if necessary.

These running processes are either undesirable or highly suspicious (you can double check on the enstart one for me)
C:\WINNT\system32\enstart.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
C:\WINNT\system\xvwlshnpxn.exe


This is the list of bad news startups
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [sirvmf] c:\winnt\system32\sirvmf.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {B80F9FCE-DFDD-4A2A-8AA9-E05C6B7D4ED3} (SWToolBar Class) - http://www.smileyworld.com/toolbar/SmileyWorld.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: enstart - Unknown owner - C:\WINNT\system32\enstart.exe


Empty the TIF (Temporary Internet Files)
To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

Download PocketKillbox from http://www.bleepingcomputer.com/files/spyware/KillBox.zip
Unzip it somewhere to keep - run it - choose Tools > Delete Temp Files and click OK


Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
but hold on to it for a moment rather than run it or update it

The nature of that NavLogon entry makes me think you have a VX2 infection

Let's cut to the chase
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file somewhere and double click the downloaded l2mfix.exe.
Install it to extract the files.
Open the newly added l2mfix folder on your desktop.
Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter.
This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.
Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you post back!
Post a fresh HJT log with the log from l2mfix
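
One way to make the by-eye triage in the reply above repeatable, as an added example that is not part of this thread and not a tool either poster used: a small Python script that parses HijackThis-style lines (running processes, R1, O4, O16, O20) and attaches a reason to each entry a defender would want to look at. The sample input is copied from the logs posted in this thread (lines whose URLs the forum truncated are left out). The trusted-domain list and the Winlogon Notify allow-list are constructed assumptions standing in for whatever the IT group that manages this corporate desktop would actually publish; the "random-looking name" test is a deliberately crude heuristic.

```python
"""Triage of HijackThis-style log lines: added example for this thread, not
HijackThis itself. It turns a few judgements the helper made by eye into
explicit, repeatable checks so a second reader can see why each line is flagged."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input copied from the logs posted in this thread (only complete lines).
SAMPLE_LOG = r"""
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system\xvwlshnpxn.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TaskPlus] C:\Program Files\TaskPlus\taskplus0.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [sirvmf] c:\winnt\system32\sirvmf.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0033.exe
O16 - DPF: {B80F9FCE-DFDD-4A2A-8AA9-E05C6B7D4ED3} (SWToolBar Class) - http://www.smileyworld.com/toolbar/SmileyWorld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ahdweb.webmeeting.att.com/client/webex/ieatgpc.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
"""

# Constructed allow-lists (assumptions): on a managed desktop these come from IT.
TRUSTED_DPF_DOMAINS = ("ibm.com", "att.com", "convergys.com", "yimg.com")
KNOWN_WINLOGON_NOTIFY = {"igfxcui"}

VOWELS = set("aeiouy")
# Optional opening quote, drive letter, directory, then a basename ending in .exe/.dll.
PATH_RE = re.compile(r'^"?([a-z]:\\[^"]*)\\([^\\"]+?\.(?:exe|dll))', re.I)


@dataclass
class Finding:
    line: str
    reason: str


def looks_random(stem: str) -> bool:
    """Crude pronounceability test: six or more letters with fewer than one
    vowel in five is unusual for vendor software (heuristic, so it is noisy)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def check_binary(command: str) -> list[str]:
    """Location and naming checks shared by running processes and O4 items."""
    m = PATH_RE.match(command)
    if not m:                      # bare name such as mobsync.exe: nothing to judge here
        return []
    directory, base = m.group(1).lower(), m.group(2)
    stem = base.rsplit(".", 1)[0]
    reasons = []
    if directory.endswith(("\\winnt\\system", "\\windows\\system")) or "\\temp\\" in directory + "\\":
        reasons.append("binary in legacy 16-bit system directory or a temp directory")
    if directory.endswith(("\\system32", "\\system")) and looks_random(stem):
        reasons.append(f"random-looking name '{base}' in a system directory")
    return reasons


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        reasons: list[str] = []
        if re.match(r"^[a-z]:\\", line, re.I):          # "Running processes" entry
            reasons += check_binary(line)
        elif line.startswith("R1 ") and "ProxyServer" in line:
            proxy = line.split("=", 1)[1].strip()
            if proxy.startswith(("127.", "localhost")):
                reasons.append("IE proxied through the local machine: a resident process sees and can rewrite all browsing")
        elif line.startswith("O4 "):
            command = line.split("]", 1)[1].strip()
            if command.lower().startswith("rundll32 ") and "\\" not in command:
                reasons.append("rundll32 loads a DLL by bare name, resolved through the search path")
            reasons += check_binary(command)
        elif line.startswith("O16 "):
            url = line.rsplit(" - ", 1)[1]
            host = urlparse(url).hostname or ""
            if not trusted_host(host):
                reasons.append(f"ActiveX download from unlisted host {host}")
            if url.lower().endswith(".exe"):
                reasons.append("DPF entry delivers a raw .exe rather than a .cab")
        elif line.startswith("O20 "):
            name = line.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name not in KNOWN_WINLOGON_NOTIFY:
                reasons.append(f"Winlogon Notify package '{name}' not on allow-list: runs inside winlogon.exe at every logon")
        findings.extend(Finding(line, r) for r in reasons)
    return findings


def reasons_for(log: str, needle: str) -> list[str]:
    """All reasons attached to log lines containing `needle` (handy for review)."""
    return [f.reason for f in triage(log) if needle in f.line]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run as a script it prints each flagged line under its reason. Note what the heuristics do not catch: the Spyware Nuker startup sits in Program Files with a pronounceable name and is flagged by nothing here, which is exactly why the helper's knowledge of that product's reputation, not pattern matching, drove the first instruction in the reply. Likewise, a Winlogon Notify entry that fails the allow-list is a "verify with the vendor" item, not a verdict.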

#3 jcu1999

jcu1999
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 18 March 2005 - 05:46 PM

Here is the l2mfix.bat log
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
**********************************************************************************
useragent:
**********************************************************************************
Shell Extension key:
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2CF9-E2C2

Directory of C:\WINNT\System32

01/05/05 03:52p <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 27,168,681,984 bytes free
-------------------------------

and here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:44:11 PM, on 3/18/05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
c:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\SQLLIB\bin\db2jds.exe
C:\Program Files\SQLLIB\bin\db2sec.exe
C:\PROGRA~1\nav\DefWatch.exe
C:\WINNT\System32\daccess.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\WINNT\System32\mnmsrvc.exe
C:\PROGRA~1\nav\Rtvscan.exe
C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\javaw.exe
C:\win32app\nsr\bin\nsrexecd.exe
C:\orant\BIN\TNSLSNR80.EXE
C:\orant\bin\OWASTsvr.exe
C:\win32app\nsr\bin\portmap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\PROGRA~1\IBM\IMNNQ\HTTPDL.exe
C:\PROGRA~1\IBM\IMNNQ\imnsvdem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\TEMP\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Convergys
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = wms;pdc;pdclive;cinntiis1;synthesys;synweb.convergys.com;*.img.convergys.com;*.p2k.cbis.com;*.oz.convergys.com;metrics;chintiis1;orlntiis1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [TaskPlus] C:\Program Files\TaskPlus\taskplus0.exe
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=CDCAW05:5007 /S=CDCAW05 /I=HTTP://CDCAW05/ldlogon/ldappl3.ldz /NOUI
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Start HTML Search Server.lnk = C:\Program Files\SQLLIB\bin\db2nq.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .xs: C:\Program Files\Internet Explorer\PLUGINS\nphclx.dll
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://cinntiis1.cin.dhcp.img.convergys.co...rver/ezinit.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0033.exe
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://helpdeskreports.cmg.convergys.com/v...tivexviewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ahdweb.webmeeting.att.com/client/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.convergys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.convergys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cin.dhcp.img.convergys.com,oz.convergys.com,img.convergys.com,convergys.com,cmg.convergys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.convergys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cin.dhcp.img.convergys.com,oz.convergys.com,img.convergys.com,convergys.com,cmg.convergys.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cin.dhcp.img.convergys.com,oz.convergys.com,img.convergys.com,convergys.com,cmg.convergys.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk® Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: IBM CICS Universal Client (CICSClient) - Unknown owner - C:\IBM Connectors\CICS\BIN\CCLSERV.EXE
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: DB2 JDBC Applet Server - Control Center (DB2ControlCenterServer) - Unknown owner - C:\Program Files\SQLLIB\bin\db2ccs.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\Program Files\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\SQLLIB\bin\db2sec.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\nav\DefWatch.exe
O23 - Service: DiskAccess - Unknown owner - C:\WINNT\System32\daccess.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: IBM CICS Transaction Gateway (IBMCICSTransactionGateway) - Unknown owner - C:\IBM Connectors\CICS\BIN\CTGSERVICE.EXE
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\nav\Rtvscan.exe
O23 - Service: NetWorker Backup and Recover Server (nsrd) - Unknown owner - C:\win32app\nsr\bin\nsrd (file missing)
O23 - Service: NetWorker Remote Exec Service (nsrexecd) - Unknown owner - C:\win32app\nsr\bin\nsrexecd (file missing)
O23 - Service: OracleAgent80 - oracle - C:\orant\agentbin\DBSNMP.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleCMAdminService80 - Unknown owner - C:\orant\BIN\CMADM80.EXE
O23 - Service: OracleCManService80 - Unknown owner - C:\orant\BIN\CMGW80.EXE
O23 - Service: OracleConTextService80 - Oracle Corporation - C:\orant\BIN\CTXSVC80.EXE
O23 - Service: OracleDataGatherer - Unknown owner - C:\orant\bin\vppdc.exe
O23 - Service: OracleExtprocAgent - Unknown owner - C:\orant\BIN\EXTPROCT.EXE
O23 - Service: OracleNamesService80 - Unknown owner - C:\orant\BIN\NAMES80.EXE
O23 - Service: OraclePGMSService - Unknown owner - C:\orant\BIN\PGMS.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\orant\bin\oracle80.exe
O23 - Service: OracleStartORCL - Unknown owner - C:\orant\BIN\strtdb80.exe
O23 - Service: OracleTNSListener80 - Unknown owner - C:\orant\BIN\TNSLSNR80.EXE
O23 - Service: OracleWebAssistant - Oracle Corporation - C:\orant\bin\OWASTsvr.exe
O23 - Service: pcAnywhere Install Service - Unknown owner - C:\Program Files\Symantec\pcAnywhere\pca_run.exe (file missing)
O23 - Service: Storage Management Portmapper (portmap) - Unknown owner - C:\win32app\nsr\bin\portmap (file missing)

Pat

#4 IMM

IMM

  • Members
  • 134 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 18 March 2005 - 06:31 PM

I'm still a bit mystified - but may have a hunch (it's certainly changed) - please do the following 2 items

Download: http://www.bleepingcomputer.com/files/spyware/imm_mh4.zip
Unzip it to a folder (it will make its own subfolder there called imm_mh4)
Double click on the runme.bat in that folder and it should produce a MH4_Look.log file which will open in notepad.
If it fails - re-extract and try again. Post (paste) the MH4_Look.log file to this post.
There will also be a MH4_err.log file produced in that folder. Have a look at it with notepad.
If the MH4_err log contains anything - attach rather than paste it using the browse button in the reply editor
If you can't do that - just post the text bits from the error log which avoid most of the hex numbers in the file
(keep it short :thumbsup: )

Additionally, download this one and post the log it produces
Download http://www.bleepingcomputer.com/files/reglook.php



