Green Links And 1111 Folder Again..



#1 Jetman36

Posted 26 October 2005 - 03:25 PM

Can't get rid of this for the life of me...

Logfile of HijackThis v1.99.0
Scan saved at 4:05:19 PM, on 10/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\UMCSTUB.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\Unicenter Asset Management\Agents\umclogin.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CA\SharedComponents\CAM\bin\caftf.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\KMcevoy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search400.techtarget.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search400.techtarget.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://corporate.intranet/corporate/phoned...701895397693087
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Estee Lauder Companies, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = us-gm-isa:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = corporate.intranet;corporate.intranet.us.estee.com;*.corporate.intranet;msgsvr.elcompanies.com;intlmktg.elcompanies.com;infolink.elcompanies.com;suppliernet.elcompanies.com;ptm.elcompanies.com;mrpapprovals.elcompanies.com;192.6.*.*;rp-*;10.*.*.*;www.gratisawards.com;*.estee.com;*.*.estee.com;jda_*;cpms.elcompanies.com;owa.elcompanies.com;suppliernet.train.elcompanies.com;www.cosmeticscompanystore.com;kana;us-rp-*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsq6B9.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [CA-AMAgent] C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125603554912
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125603491883
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://powertechgroup.webex.com/client/v_m...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = am.elcompanies.net
O17 - HKLM\Software\..\Telephony: DomainName = am.elcompanies.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BD0A7BE-0FD0-4BB6-9730-982BFFCFCA56}: Domain = us.estee.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = am.elcompanies.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BD0A7BE-0FD0-4BB6-9730-982BFFCFCA56}: Domain = us.estee.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = am.elcompanies.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{5BD0A7BE-0FD0-4BB6-9730-982BFFCFCA56}: Domain = us.estee.com
O23 - Service: Altiris Client Service - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Asset Management Agent - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Unicenter Message Queuing Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: Client Access Express Remote Command - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DM Primer - Computer Associates - C:\Program Files\CA\SharedComponents\DesktopCommonServices\DMPrimer\dmprimer.exe
O23 - Service: GTask - Unknown - C:\WINDOWS\system32\elcishd\GTask\srvany.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Unicenter Remote Control Host - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Remote Control\rcHost.exe
O23 - Service: Unicenter Software Delivery - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: Webroot CommAgent Service - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Overlay Components - Unknown - C:\WINDOWS\negrazw.exe (file missing)


Thanks...

#2 ddeerrff (Malware Response Team, retired)

Posted 28 October 2005 - 11:35 PM

Hello Jetman36 and welcome to BleepingComputer.

You are currently running an older version of HijackThis. Please click on the following link and download the most current version: HijackThis_sfx.exe

Delete your current HijackThis.exe file and double-click on the file you just downloaded and then click on the Unzip button to install the newer version. It will be installed to the C:\Program Files\HijackThis\ directory by default.



You have two anti-malware applications running that may interfere with the fix. Please disable them for the duration.

Before starting any cleaning steps, please disable the Microsoft Anti-Spyware real-time protection:
- Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
- Click on "Security Agents Status".
- Click on "Disable real-time protection".

Next, open Microsoft Anti-Spyware.
- Click on the Options menu, then Settings.
- Select "Real Time Protection" from the left column.
- Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
- Click the Save button.
Finally, right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.

You can reenable it once your system is clean.


Disable SpySweeper for the duration of this fix:
- Open it, click Options (over to the left), then Program Options, and uncheck "Load at Windows startup".
- Over to the left click "Shields" and uncheck all there.
- Uncheck "Home page shield".
- Uncheck "Automatically restore default without notification".
Reverse the process after you're given the all clear.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsq6B9.dll
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.



Pacimedia can also install a rootkit that we cannot see in a HJT log. Just to be sure, let's run the removal tool.


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

How are things running now?
Derfram
~~~~~~
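The reply above picks two lines out of the log by eye: an O2 BHO with no real name whose DLL has a random-looking filename in system32, and an O16 ActiveX download that has no class name and serves an .exe. The script below is an added example (not part of the thread and not a HijackThis feature) that parses log lines in the same format and applies those two checks, plus one extra heuristic of my own for O23 services whose binary is missing; the sample lines are copied from the log in this thread, and the regular expressions are assumptions, not HJT rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample: five entries in the same format as the thread's HJT log.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\\WINDOWS\\system32\\nsq6B9.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O23 - Service: Windows Overlay Components - Unknown - C:\\WINDOWS\\negrazw.exe (file missing)
"""
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                  # "O2 - rest", "R1 - rest"
BHO_RE = re.compile(r"^BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")  # BHO: name - {CLSID} - path
RANDOM_DLL_RE = re.compile(r"^[a-z]{2,4}[0-9A-Fa-f]{2,4}\.dll$")  # heuristic: e.g. nsq6B9.dll

def parse_hjt(text):
    """Return (section, body) for every 'Rn - ...' / 'On - ...' entry line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def triage(entries):
    """Return (section, reason, body) for entries worth a manual look.
    Rules 1-2 mirror the reply in the thread; rule 3 (O23) is an added heuristic."""
    flagged = []
    for section, body in entries:
        if section == "O2":
            m = BHO_RE.match(body)
            if m:
                path = m.group(2)
                fname = path.rsplit("\\", 1)[-1]
                if "\\system32\\" in path.lower() and RANDOM_DLL_RE.match(fname):
                    flagged.append((section, "BHO with random-looking dll in system32", body))
        elif section == "O16":
            head, url = body.rsplit(" - ", 1)
            has_name = "(" in head   # known-good DPF entries usually carry a class name
            is_exe = urlparse(url).path.lower().endswith(".exe")
            if is_exe or not has_name:
                flagged.append((section, "ActiveX download without class name or serving an .exe", body))
        elif section == "O23" and body.endswith("(file missing)"):
            flagged.append((section, "service points at a missing binary", body))
    return flagged

if __name__ == "__main__":
    for sec, why, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sec}] {why}: {body}")
```

Running it flags exactly the O2 and O16 lines the helper told the poster to fix, plus the O23 entry for review; everything else in the sample passes.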

#3 ddeerrff (Malware Response Team, retired)

Posted 14 November 2005 - 04:43 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~
