Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


..Popups, WinFixer, spyware, etc..

  • Please log in to reply
1 reply to this topic

#1 indolence


  • Members
  • 22 posts
  • Local time:03:06 AM

Posted 16 September 2005 - 11:50 PM

The computer that has the problem currently has some major popup issues and the program "WinFixer 2005" tries to install.. heres the log


Logfile of HijackThis v1.99.1
Scan saved at 9:37:53 PM, on 09/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\win32app\VPN Client\cvpnd.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe
C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe
C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\WINNT\Downloaded Program Files\UWFX5NetInstaller.exe
C:\win32app\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\Profiles\dnuestro\Desktop\Neils stuff\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50212
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50212
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50212
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=mediator:80;http=mediator:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\LDCLIENT\SOFTMON.EXE
O1 - Hosts: crestgw1 # SWIFTAlliance Server
O1 - Hosts: crestgw3 # SWIFTAlliance Server
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\win32app\adobe\reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelAPMClient] C:\LDClient\amclient.exe /apm /s
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ve] cmd /c start /min cscript c:\drv\install\ve.vbs
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINNT\Downloaded Program Files\UWFX5NetInstaller.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [AIM] C:\Win32app\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\LDClient\AMCLIENT.EXE
O4 - Startup: Desktop Manager.lnk = C:\Win32app\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: Download Mgr.lnk = C:\WINNT\Blp.exe
O4 - Global Startup: Inventory Scan.LNK = C:\LDClient\LDISCN32.EXE
O4 - Global Startup: Task Completion.LNK = C:\LDClient\AMCLIENT.EXE
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\win32app\MSOffice\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\win32app\Netscape\COMMUN~1\AOL\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.entrust.com
O15 - Trusted Zone: *.ld-core01
O15 - Trusted Zone: *.ldswdist
O15 - Trusted Zone: *.sjcnai
O15 - Trusted Zone: http://*.tech-cbs
O15 - Trusted Zone: *.entrust.com (HKLM)
O15 - Trusted Zone: *.ld-core01 (HKLM)
O15 - Trusted Zone: *.ldswdist (HKLM)
O15 - Trusted Zone: *.sjcnai (HKLM)
O15 - Trusted Zone: http://*.tech-cbs (HKLM)
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50212/QDow_AS2.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\iXlmgdev.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINNT\system32\o4lule391h.dll (file missing)
O20 - Winlogon Notify: Telephony - C:\WINNT\system32\ouuninst.dll (file missing)
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk® Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Hewlett Packard - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\win32app\VPN Client\cvpnd.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett Packard - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Intel® 82865G Graphics Controller Power Management (ialmpa) - Intel Corporation - C:\WINNT\System32\pmsvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\LDCLIENT\LOCALSCH.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\LDCLIENT\QIPCLNT.EXE
O23 - Service: Intel Targeted Multicast - LANDesk Software Ltd. - C:\LDClient\tmcsvc.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Network Associates Management Agent - Network Associates, Inc. - C:\WINNT\System32\NTME\METHWNT.EXE
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Intel Remote Control Service (Wuser32) - LANDesk Software Ltd. - C:\LDClient\wuser32.exe

BC AdBot (Login to Remove)


#2 viccy


    Malware Exterminator

  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas
  • Local time:02:06 AM

Posted 20 September 2005 - 01:13 PM

Welcome to the forum.

You have several different infections going on, so it will take more than one post to get your log cleaned up.

Step 1
*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES
Download and unzip http://metallica.geekstogo.com/MADEbyOSC.zip
Run the file by doubleclicking metallica.bat
and post the log.

Do not reboot untill someone has looked at your log and given you the next step.
If you have to reboot repeat this part when you are back online.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users