Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT - Spats


  • Please log in to reply
7 replies to this topic

#1 spats

spats

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 05 April 2005 - 08:54 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:41:52 PM, on 4/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\SYSMGT\TNGAMr\AGENTS\UAMrStub.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\system32\nutsrv4.exe
C:\Program Files\Rational\ProjectConsole\bin\CollectorService.exe
C:\Program Files\Rational\ProjectConsole\bin\ReportServer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN 3000 Client\ANetIKE.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\ltmsg.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\SYSMGT\TNGAMr\AGENTS\umcliwnt.exe
C:\SYSMGT\TNGAMr\AGENTS\runedmr.exe
C:\SYSMGT\TNGAMr\AGENTS\edmr.exe
C:\SYSMGT\TNGAMr\AGENTS\CSC_SE~1.EXE
C:\CSCProjs\tools\Hijack\HijackThis.exe
C:\WINNT\Temp\MBSAFI~1\mbsacli.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jlyle1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jlyle1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5015BF0B-2C8F-403D-B302-308A100841A4} - C:\WINNT\system32\gjfe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tb Startup] C:\Program Files\Rational\ProjectConsole\Wizards\tb_Startup.exe StartUp
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AMOClient] "C:\sysmgt\tngam\agents\umclogin.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\jlyle1\LOCALS~1\Temp\se.dll,DllInstall
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O15 - Trusted Zone: *.csc.com (HKLM)
O16 - DPF: Sametime Meeting Room Client ST31 - http://amer-st01.amer.csc.com/sametime/stm...gRoomClient.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://help.amer.csc.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01112800-3E00-11D2-8470-0060089874ED} (Support.com Probe Class) - http://help.amer.csc.com/sdccommon/download/tgctlpr.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://collaborate.consult.csc.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://amer-ml18.amer.csc.com/iNotes.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16a36a9a4e44d2...ip/RdxIE601.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://www.webex.com/client/webex/atbootie.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - https://amer-st10.amer.csc.com/sametime/stm...STJNILoader.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://amer-st01.amer.csc.com/sametime/stm...STJNILoader.cab
O16 - DPF: {A00D615E-B878-4DCF-8B9A-C1AD302D4C4D} ({A00D615E-B878-4DCF-8B9A-C1AD302D4C4D}) - http://www.assetmetrix.com/epulse/assetMetrix.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://emory.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O18 - Filter: text/html - {2774ACD8-6D87-43B1-BC21-03D4B3B60B17} - C:\WINNT\system32\gjfe.dll
O18 - Filter: text/plain - {2774ACD8-6D87-43B1-BC21-03D4B3B60B17} - C:\WINNT\system32\gjfe.dll
O23 - Service: Asset Management Remote Agent (AMrAgent) - Unknown owner - C:\SYSMGT\TNGAMr\AGENTS\UAMrStub.exe
O23 - Service: ANetIKE - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN 3000 Client\ANetIKE.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINNT\system32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\RapApp.exe
O23 - Service: Rational ProjectConsole Collection Server (RationalProjectConsoleCollectionServer) - Unknown owner - C:\Program Files\Rational\ProjectConsole\bin\CollectorService.exe" (file missing)
O23 - Service: Rational ProjectConsole Report Server (RationalProjectConsoleReportServer) - Unknown owner - C:\Program Files\Rational\ProjectConsole\bin\ReportServer.exe" (file missing)
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe

BC AdBot (Login to Remove)

 


#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 06 April 2005 - 11:22 AM

Hi spats,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

#3 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 06 April 2005 - 11:30 AM

Please download this file:

SpSeHjfix
  • Extract the file on your desktop.
  • Run SpSeHjfix112.exe.
  • Click Start disinfection
  • Reboot your system.
You will find on your desktop a log: SPSeHjFix.log.
  • Post the SPSeHjFix log and a new HJT log please
Didom

#4 spats

spats
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 07 April 2005 - 02:18 PM

Wow: I think that did it. A thousand thank-yous.

It popped up a response box saying it couldn't start se.dll on startup, and then it re-launched SpSeHjfix112.exe, so I wasn't sure it took. Then IE.exe wouldn't start, until I opened an existing html file and reset the Home url. But now it seems to work fine.

do I need to worry about those 'error while deleting' messages?

SpSeHjfix112 log:



(4/7/05 2:51:27 PM) SPSeHjFix started v1.1.2
(4/7/05 2:51:27 PM) OS: Win2000 Service Pack 4 (5.0.2195)
(4/7/05 2:51:27 PM) Language: english
(4/7/05 2:51:27 PM) Win-Path: C:\WINNT
(4/7/05 2:51:27 PM) System-Path: C:\WINNT\system32
(4/7/05 2:51:27 PM) Temp-Path: C:\DOCUME~1\jlyle1\LOCALS~1\Temp\
(4/7/05 2:51:41 PM) Disinfection started
(4/7/05 2:51:41 PM) Bad-Dll(IEP): c:\docume~1\jlyle1\locals~1\temp\se.dll
(4/7/05 2:51:41 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\system32\gjfe.dll
(4/7/05 2:51:41 PM) Searchassistant Uninstaller - Keys Deleted
(4/7/05 2:51:41 PM) UBF: 6 - UBB: 2 - UBR: 13
(4/7/05 2:51:41 PM) FilterKey: HKCR\text/html (deleted)
(4/7/05 2:51:41 PM) FilterKey: HKCR\CLSID\{473580C8-89E3-4787-87F0-6CBAC0DE6DDD} (deleted)
(4/7/05 2:51:41 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(4/7/05 2:51:41 PM) FilterKey: HKCR\text/plain (deleted)
(4/7/05 2:51:42 PM) FilterKey: HKCR\CLSID\{473580C8-89E3-4787-87F0-6CBAC0DE6DDD} (error while deleting)
(4/7/05 2:51:42 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(4/7/05 2:51:42 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5015BF0B-2C8F-403D-B302-308A100841A4} (deleted)
(4/7/05 2:51:42 PM) BHO-Key: HKCR\CLSID\{5015BF0B-2C8F-403D-B302-308A100841A4} (deleted)
(4/7/05 2:51:42 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\jlyle1\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(4/7/05 2:51:42 PM) UBF: 4 - UBB: 1 - UBR: 12
(4/7/05 2:51:42 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\jlyle1\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\jlyle1\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(4/7/05 2:51:42 PM) Stealth-String not found
(4/7/05 2:51:42 PM) File added to delete: c:\winnt\system32\gjfe.dll
(4/7/05 2:51:42 PM) File added to delete: c:\docume~1\jlyle1\locals~1\temp\se.dll
(4/7/05 2:51:42 PM) Reboot


(4/7/05 2:54:55 PM) SPSeHjFix started v1.1.2
(4/7/05 2:54:55 PM) OS: Win2000 Service Pack 4 (5.0.2195)
(4/7/05 2:54:55 PM) Language: english
(4/7/05 2:54:55 PM) Win-Path: C:\WINNT
(4/7/05 2:54:55 PM) System-Path: C:\WINNT\system32
(4/7/05 2:54:55 PM) Temp-Path: C:\DOCUME~1\jlyle1\LOCALS~1\Temp\

#5 spats

spats
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 07 April 2005 - 02:20 PM

forgot: hjt log

Logfile of HijackThis v1.99.1
Scan saved at 3:04:16 PM, on 4/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\SYSMGT\TNGAMr\AGENTS\UAMrStub.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\system32\nutsrv4.exe
C:\Program Files\Rational\ProjectConsole\bin\CollectorService.exe
C:\Program Files\Rational\ProjectConsole\bin\ReportServer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN 3000 Client\ANetIKE.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\ltmsg.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\CSCProjs\tools\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tb Startup] C:\Program Files\Rational\ProjectConsole\Wizards\tb_Startup.exe StartUp
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AMOClient] "C:\sysmgt\tngam\agents\umclogin.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\jlyle1\LOCALS~1\Temp\se.dll,DllInstall
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O15 - Trusted Zone: *.csc.com (HKLM)
O16 - DPF: Sametime Meeting Room Client ST31 - http://amer-st01.amer.csc.com/sametime/stm...gRoomClient.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://help.amer.csc.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01112800-3E00-11D2-8470-0060089874ED} (Support.com Probe Class) - http://help.amer.csc.com/sdccommon/download/tgctlpr.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://collaborate.consult.csc.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://amer-ml18.amer.csc.com/iNotes.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16a36a9a4e44d2...ip/RdxIE601.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://www.webex.com/client/webex/atbootie.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - https://amer-st10.amer.csc.com/sametime/stm...STJNILoader.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://amer-st01.amer.csc.com/sametime/stm...STJNILoader.cab
O16 - DPF: {A00D615E-B878-4DCF-8B9A-C1AD302D4C4D} ({A00D615E-B878-4DCF-8B9A-C1AD302D4C4D}) - http://www.assetmetrix.com/epulse/assetMetrix.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://emory.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O23 - Service: Asset Management Remote Agent (AMrAgent) - Unknown owner - C:\SYSMGT\TNGAMr\AGENTS\UAMrStub.exe
O23 - Service: ANetIKE - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN 3000 Client\ANetIKE.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINNT\system32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\RapApp.exe
O23 - Service: Rational ProjectConsole Collection Server (RationalProjectConsoleCollectionServer) - Unknown owner - C:\Program Files\Rational\ProjectConsole\bin\CollectorService.exe" (file missing)
O23 - Service: Rational ProjectConsole Report Server (RationalProjectConsoleReportServer) - Unknown owner - C:\Program Files\Rational\ProjectConsole\bin\ReportServer.exe" (file missing)
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe

#6 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 09 April 2005 - 01:32 AM

Scan again with HijackThis and check the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\jlyle1\LOCALS~1\Temp\se.dll,DllInstall
O15 - Trusted Zone: *.csc.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16a36a9a4e44d2...ip/RdxIE601.cab

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Please scan this file with Jotti's online scan:
C:\SYSMGT\TNGAMr\AGENTS\UAMrStub.exe

Jotti Scan:
http://virusscan.jotti.org/

Reboot your computer and post a new log + Jotti's scan results,
didom

#7 spats

spats
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 10 April 2005 - 08:53 PM

OK--I left the trusted zone line in because that's my employer--if that's a mistake, my bad & I'll redo.

Jotti:

File: UAMrStub.exe
Status: OK
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 9:44:49 PM, on 4/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\SYSMGT\TNGAMr\AGENTS\UAMrStub.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\system32\nutsrv4.exe
C:\Program Files\Rational\ProjectConsole\bin\CollectorService.exe
C:\Program Files\Rational\ProjectConsole\bin\ReportServer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN 3000 Client\ANetIKE.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\ltmsg.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ISS BlackICE Firewall\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\2142_Fiberlink\gui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\CSCProjs\tools\Hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tb Startup] C:\Program Files\Rational\ProjectConsole\Wizards\tb_Startup.exe StartUp
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\Program Files\Rational\Rational Test\nutcroot\bin\ncoeenv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AMOClient] "C:\sysmgt\tngam\agents\umclogin.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O15 - Trusted Zone: *.csc.com (HKLM)
O16 - DPF: Sametime Meeting Room Client ST31 - http://amer-st01.amer.csc.com/sametime/stm...gRoomClient.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://help.amer.csc.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01112800-3E00-11D2-8470-0060089874ED} (Support.com Probe Class) - http://help.amer.csc.com/sdccommon/download/tgctlpr.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://collaborate.consult.csc.com/qp2.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://amer-ml18.amer.csc.com/iNotes.cab
O16 - DPF: {6BD4FB43-470E-11D2-B99D-00104B02C956} (AtDownloadIE Class) - http://www.webex.com/client/webex/atbootie.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - https://amer-st10.amer.csc.com/sametime/stm...STJNILoader.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://amer-st01.amer.csc.com/sametime/stm...STJNILoader.cab
O16 - DPF: {A00D615E-B878-4DCF-8B9A-C1AD302D4C4D} ({A00D615E-B878-4DCF-8B9A-C1AD302D4C4D}) - http://www.assetmetrix.com/epulse/assetMetrix.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://emory.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61C21987-5FF7-4A9D-8DC2-B19DB291BF0B}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Asset Management Remote Agent (AMrAgent) - Unknown owner - C:\SYSMGT\TNGAMr\AGENTS\UAMrStub.exe
O23 - Service: ANetIKE - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN 3000 Client\ANetIKE.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Rational ClearQuest Mail Service (MailService) - Unknown owner - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINNT\system32\nutsrv4.exe
O23 - Service: ProxyServer Service (ProxyServerService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpxsr.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS BlackICE Firewall\BlackICE\RapApp.exe
O23 - Service: Rational ProjectConsole Collection Server (RationalProjectConsoleCollectionServer) - Unknown owner - C:\Program Files\Rational\ProjectConsole\bin\CollectorService.exe" (file missing)
O23 - Service: Rational ProjectConsole Report Server (RationalProjectConsoleReportServer) - Unknown owner - C:\Program Files\Rational\ProjectConsole\bin\ReportServer.exe" (file missing)
O23 - Service: Rational Test Agent Service (RationalTestAgentService) - Rational Software - C:\Program Files\Rational\Rational Test\rtpsvc.exe

#8 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 11 April 2005 - 11:51 AM

This log is clean!

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts.

Please post back if you are still having any problems....




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users