
Need help with coworkers HJT log



#1 Doinshots

Posted 20 September 2004 - 10:48 AM

Since you folks helped me so well this weekend, I am back asking for more help :thumbsup:

Logfile of HijackThis v1.98.2
Scan saved at 9:47:17 AM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\WINDOWS\System32\drivers\trcboot.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\NavNT\DefWatch.exe
c:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\NavNT\rtvscan.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
c:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
c:\Program Files\Novell\ZENworks\wm.exe
C:\XPAPPS\PCOMM\PCS_AGNT.EXE
c:\WINDOWS\System32\drivers\ldlcserv.exe
C:\XPAPPS\PCOMM\tpattmgr.exe
c:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\documents and settings\i03303c\local settings\temp\Ss4.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\qistiwi.exe
C:\documents and settings\i03303c\local settings\temp\Ss4.exe
C:\documents and settings\i03303c\local settings\temp\gu.exe
C:\WINDOWS\System32\cmpbk328.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
Y:\clntrust.exe
C:\WINDOWS\System32\pcupsa.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\HLWAPIS.exe
C:\Documents and Settings\i03303c\Desktop\HJT\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.fyiblue.com/side.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.fyiblue.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.fyiblue.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://home.fyiblue.com/_config/xpupdate.ins
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IAdvertisementBHO Class - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\i03303c\Local Settings\Temp\eL.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] c:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [Ss4.exe] C:\documents and settings\i03303c\local settings\temp\Ss4.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [sylxdoij] C:\WINDOWS\System32\qistiwi.exe
O4 - HKLM\..\Run: [Ss4] C:\documents and settings\i03303c\local settings\temp\Ss4.exe
O4 - HKLM\..\Run: [gu.exe] C:\documents and settings\i03303c\local settings\temp\gu.exe
O4 - HKLM\..\Run: [10d496352462] C:\WINDOWS\System32\cmpbk328.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [pcupsa] C:\WINDOWS\System32\pcupsa.exe
O4 - HKLM\..\Run: [HLWAPIS] C:\WINDOWS\System32\HLWAPIS.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - c:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.fyiblue.com
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab


#2 Grinler (Lawrence Abrams, Admin)

Posted 20 September 2004 - 08:18 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.fyiblue.com/side.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.fyiblue.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.fyiblue.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://home.fyiblue.com/_config/xpupdate.ins
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: IAdvertisementBHO Class - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\i03303c\Local Settings\Temp\eL.dll
O4 - HKLM\..\Run: [Ss4.exe] C:\documents and settings\i03303c\local settings\temp\Ss4.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [sylxdoij] C:\WINDOWS\System32\qistiwi.exe
O4 - HKLM\..\Run: [Ss4] C:\documents and settings\i03303c\local settings\temp\Ss4.exe
O4 - HKLM\..\Run: [gu.exe] C:\documents and settings\i03303c\local settings\temp\gu.exe
O4 - HKLM\..\Run: [10d496352462] C:\WINDOWS\System32\cmpbk328.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [pcupsa] C:\WINDOWS\System32\pcupsa.exe
O4 - HKLM\..\Run: [HLWAPIS] C:\WINDOWS\System32\HLWAPIS.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://home.fyiblue.com
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab

Reboot your computer into Safe Mode.

Then delete these files or directories (do not be concerned if they do not exist):

C:\WINDOWS\mxTarget.dll
C:\WINDOWS\System32\mskhhe.dll
C:\WINDOWS\System32\msjfbl.dll
C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
C:\Documents and Settings\i03303c\Local Settings\Temp\eL.dll
C:\documents and settings\i03303c\local settings\temp\Ss4.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\qistiwi.exe
C:\documents and settings\i03303c\local settings\temp\Ss4.exe
C:\documents and settings\i03303c\local settings\temp\gu.exe
C:\WINDOWS\System32\cmpbk328.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System32\pcupsa.exe
C:\WINDOWS\System32\HLWAPIS.exe
C:\PROGRAM FILES\CLOCKSYNC\

Reboot your computer to go back to normal mode and post a new log.
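As an added example (it is not code from HijackThis, BleepingComputer or either poster), the script below parses a subset of the log from the first post and applies a handful of rules of the kind a responder works through before producing a fix list like the one in the reply above: executables launched from the user's Temp directory, hosts-file entries that point a name at a non-loopback address, a proxy auto-config URL, BHOs whose DLL is missing or lives outside Program Files, hex-looking Run value names, and IE defaults or ActiveX downloads from hosts outside an allowlist. The allowlist, the severity labels and the rule set are assumptions, and the rules deliberately say nothing about the System32 executables such as qistiwi.exe or pcupsa.exe, which need per-file research rather than a pattern match. The sample lines are copied from the post, with the fused hosts line split back into the two O1 entries HijackThis writes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis 1.98.2 log from the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.fyiblue.com/side.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://home.fyiblue.com/_config/xpupdate.ins
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IAdvertisementBHO Class - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\i03303c\Local Settings\Temp\eL.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Ss4.exe] C:\documents and settings\i03303c\local settings\temp\Ss4.exe
O4 - HKLM\..\Run: [sylxdoij] C:\WINDOWS\System32\qistiwi.exe
O4 - HKLM\..\Run: [10d496352462] C:\WINDOWS\System32\cmpbk328.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O14 - IERESET.INF: START_PAGE_URL=http://home.fyiblue.com
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
"""

# Assumptions: hosts a corporate IE build may legitimately point at, and the
# only addresses a hosts-file entry should normally carry.
TRUSTED_WEB_HOSTS = {"www.microsoft.com", "www.msn.com", "windowsupdate.microsoft.com"}
LOOPBACK_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

TEMP_RE = re.compile(r"\\local settings\\temp\\", re.I)                 # user Temp dir
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll)\b", re.I)  # file directly in C:\WINDOWS
PROGFILES_RE = re.compile(r"^[a-z]:\\(program files|progra~\d)\\", re.I)
HEXNAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.I)                         # e.g. [10d496352462]
URL_RE = re.compile(r"https?://\S+")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-F-]+\}) - (.*)$", re.I)
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")           # HKLM\..\Run: [name] cmd


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str       # the HijackThis line exactly as logged
    reason: str


def untrusted_url(text: str) -> bool:
    """True when the first URL in text points at a host outside the allowlist."""
    m = URL_RE.search(text)
    if not m:
        return False
    host = urlparse(m.group(0)).hostname
    return host is not None and host.lower() not in TRUSTED_WEB_HOSTS


def check(line: str) -> Optional[Finding]:
    """Apply the rules to one log line; None means the rules have nothing to say."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line)
    if not m:
        return None
    kind, body = m.groups()
    hit = lambda sev, why: Finding(sev, line, why)
    if kind in ("R0", "R1"):
        if ",AutoConfigURL = " in body:
            return hit("high", "proxy auto-config script set: browser traffic can be silently redirected")
        if untrusted_url(body):
            return hit("medium", "IE start/search page points at an untrusted host")
    elif kind == "O1":
        ip = body.split()[1]                     # body is "Hosts: <ip> <name>"
        if ip not in LOOPBACK_IPS:
            return hit("high", "hosts file redirects a name to a non-loopback address")
    elif kind == "O2":
        b = BHO_RE.match(body)
        if b:
            path = b.group(3)
            if "(file missing)" in path:
                return hit("high", "BHO registered but its DLL is missing")
            if TEMP_RE.search(path):
                return hit("high", "BHO loaded from the user's Temp directory")
            if not PROGFILES_RE.match(path):
                return hit("medium", "BHO loaded from outside Program Files")
    elif kind == "O4":
        r = RUN_RE.match(body)
        if r:
            name, cmd = r.group(3), r.group(4)
            if TEMP_RE.search(cmd):
                return hit("high", "autorun executable in the user's Temp directory")
            if WINROOT_RE.match(cmd):
                return hit("medium", "autorun executable placed directly in the Windows root")
            if HEXNAME_RE.match(name):
                return hit("medium", "autorun value name is a random-looking hex string")
    elif kind == "O6":
        return hit("medium", "IE restriction policy under HKCU; confirm it is not a domain policy")
    elif kind in ("O14", "O16") and untrusted_url(body):
        what = "IERESET.INF default overridden" if kind == "O14" else "ActiveX control downloaded"
        return hit("medium", f"{what} from an untrusted host")
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (check(l) for l in log_text.splitlines()) if f]


def fix_list(findings: List[Finding]) -> List[str]:
    """Lines a responder would tick in HijackThis, highest severity first, log order within."""
    order = {"high": 0, "medium": 1}
    return [f.line for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample above the rules flag six high-severity lines (the AutoConfigURL, both hosts entries, the missing rundll16.dll, the Temp-resident eL.dll and Ss4.exe) and seven medium ones, and leave the Acrobat and Spybot BHOs and the Intel and Novell tray programs alone. What they cannot do is decide about qistiwi.exe, cmpbk328.exe or the other System32 entries on name alone, which is exactly the part of the reply above that required a human.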



