
I've got trouble with unwanted programs!

7 replies to this topic

#1 jzz6q1

  • Members
  • 16 posts

Posted 22 November 2004 - 03:31 PM

Hello:

I have Zone Labs software on my work computer which warns me before any new program is installed, but I inadvertently accepted something which I now regret. Since that time, I have had a windows search assistant running, along with salm and WebRebates. I have noticed these things running in task manager and I have killed the processes, but they keep coming back. I see these items in my HiJackThis log file, but wanted to have an experienced person look at this to give me any feedback which they have. The hosts entries in the log are all fine. It also keeps popping up with a message talking about the process C:/windows/system32.AUTOEXEC.NT not being able to run since it is a 16-bit app, and this file does NOT exist on my machine. I think some malware behind the scenes is trying to run this program on my PC. Please assist if you can. Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 3:13:59 PM, on 11/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
c:\em\opt\tivoli\Mobile\mobile.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://infocentre.eds.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.gm.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internetx.eds.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*eds.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O1 - Hosts: 205.191.151.13 rusapa06 # EMEA Development
O1 - Hosts: 205.191.151.17 rusapa04 # EMEA Consolidation
O1 - Hosts: 205.191.151.50 rusapa01 # EMEA Production DB Server
O1 - Hosts: 205.191.151.64 rusapb01 # EMEA Production CI Server
O1 - Hosts: 205.191.151.10 rusapp10 # EMEA Production log. cluster addr. CI
O1 - Hosts: 205.191.151.11 rusapa02 # EMEA Production Server 2
O1 - Hosts: 205.191.151.12 rusapb02 # EMEA Production Server 3
O1 - Hosts: 205.191.151.8 rusapa03 # EMEA Production Server 4
O1 - Hosts: 205.191.151.9 rusapb03 # EMEA Production Server 5
O1 - Hosts: 205.191.151.14 rusapb06 # EMEA UAT
O1 - Hosts: 205.191.151.73 rusapb04 # EMEA Migration
O1 - Hosts: 205.191.151.16 rusapb05 # EMEA Special Purpose (E10)
O1 - Hosts: 205.191.151.62 rusapa07 # EMEA Training
O1 - Hosts: 205.191.151.63 rusapa08 # EMEA Application Sandbox (A10)
O1 - Hosts: 207.37.232.193 mdsapsu1 # EMEA DRA
O1 - Hosts: 134.251.179.4 sysapa01 # PP1 Asia/Pacific Production DB
O1 - Hosts: 134.251.179.5 sysapa02 # CP1 Asia/Pacific Consolidation
O1 - Hosts: 134.251.179.4 sysapa01 # PP1 Asia/Pacific Production DB
O1 - Hosts: 134.251.148.11 sysapb01 # TP1 Asia/Pacific Training
O1 - Hosts: 134.251.148.11 sysapb01 # MP1 Asia/Pacific Migration
O1 - Hosts: 204.104.247.196 plsappl1 # Latin America Prod failover
O1 - Hosts: 206.122.126.197 plsapa40 # Latin America Migration/Consolidation
O1 - Hosts: 206.122.126.216 plsapb60 # Latin America Training
O1 - Hosts: 204.104.247.203 plsappg1 # US Time Recording Production
O1 - Hosts: 204.104.247.243 plsapps1 # e.FW SEM Production failover
O1 - Hosts: 204.104.247.242 plsappw2 # e.FW BW Production failover
O1 - Hosts: 204.104.247.244 plsappr1 # e.FW ERD Production failover
O1 - Hosts: 130.175.217.56 ahsapb40 # e.FW BW Training
O1 - Hosts: 130.175.217.54 ahsapb30 # e.FW BW QA
O1 - Hosts: 130.175.217.50 ahsapb10 # e.FW ERD QA
O1 - Hosts: 130.175.217.212 aps25 aps25.ahipc.eds.com
O1 - Hosts: 130.175.217.214 aps26 aps26.ahipc.eds.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Tivoli_Check] C:\WINDOWS\COE\Tivoli\Tiv_Run.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_Em\HwInv2K.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.w2jzz6q101] "C:\em\opt\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\em\opt\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [EDS_Asset_Data_Collector] c:\em\opt\tivoli\lcf\isolated\scanner_check.vbs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mobile] "c:\em\opt\tivoli\Mobile\epspawn.exe" -w "c:\em\opt\tivoli\Mobile" "c:\em\opt\tivoli\Mobile\mobile.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [salm] c:\windows\salm.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowse...5.30/Hiwire.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {48F22476-0F08-43D8-BAA3-83AD77BD2582} (LLInstall Class) - http://llplano.educ.eds.com/learnlinc/download/LL7Inst.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27bd70e5693f66c30319/...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101151839253
O16 - DPF: {6FFBA6B8-E221-453D-940A-2B5A8A9F84B7} (GetID.clsGetID) - http://phonebook.iweb.gm.com/phonebook/GetID.CAB
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://entmetrics.smc.us.eds.com/viewer/ac...tivexviewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lifecare.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {EAF26D6B-B8E6-11D1-9941-444553540001} - http://www.eds.com/emf/scanner.cab


#2 Y kawika

    Anti-Spyware Brigade

  • Members
  • 38 posts
  • Gender:Male
  • Location:Long Island, NY USA

Posted 22 November 2004 - 09:29 PM

Hi there jzz6q1,
Let's start by investigating the Add/Remove Programs application in the Control Panel. Double click it to open it and then look for and uninstall any and all of these entries if present:

Uninstall 180searchassistant
Webrebates
Win AdTools
Search Extender


Rescan with hijackthis, put a check next to these items, close all browser/explorer windows, press 'Fix Checked', then reboot into Safe Mode:
(As the computer is rebooting, tap on the F8 key repeatedly. This will bring up a Boot Menu with several options. Use the arrow keys on your keyboard to highlight Safe Mode and then hit the enter key.)

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [salm] c:\windows\salm.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowse...5.30/Hiwire.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27bd70e5693f66c30319/...ip/RdxIE601.cab

If you set the following 2 entries with Spybot, then keep them. Otherwise they can be fixed as well:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Upon reboot into Safe Mode, make sure that Show hidden files and folders is enabled, then find and delete the following highlighted files and folders:

c:\windows\salm.exe
C:\WINDOWS\wdskctl.exe
C:\Program Files\Web_Rebates
C:\Program Files\Windows AdTools

The following Folder Contents, but not the Folder itself, need to be deleted while in safe mode. Open each of these Folders, then click Edit (at the top), choose Select All, then Delete the highlighted entries.
C:\Windows\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Then empty the Recycle Bin.

Reboot normally, rescan with HijackThis and post a fresh scan log, please. :)Y

#3 jzz6q1
  • Topic Starter

  • Members
  • 16 posts

Posted 23 November 2004 - 12:38 PM

OK. I did as you suggested, plus a little more! I was alert enough to observe that my troubles started at 11:28am on 11/21, so when I was booted in safe mode, I got rid of some other files in C:\windows\Temp and C:\Documents and Settings...

The scan looks much better, but I am still getting a message that pops up 4 times every time I log on. It is a pop-up box labeled "16-bit MS-DOS Subsystem". Inside the box it says the following:

C:\Windows\System32\cmd.exe
C:\Windows\System32\AUTOEXEC.NT The system file is not suitable for running MS-DOS and Microsoft Windows applications.
Choose 'Close' to terminate the application.

I click the "Close" box, and the next one pops up. After doing this 4 times, everything else appears normal now. WHAT IS GOING ON WITH THIS?? This action also started after 11:28am on 11/21/04. I guess I need a little more help.

My updated scan is given below:

Logfile of HijackThis v1.98.2
Scan saved at 12:21:02 PM, on 11/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
c:\em\opt\tivoli\Mobile\mobile.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://infocentre.eds.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.gm.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internetx.eds.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*eds.com;<local>
O1 - Hosts: 205.191.151.13 rusapa06 # EMEA Development
O1 - Hosts: 205.191.151.17 rusapa04 # EMEA Consolidation
O1 - Hosts: 205.191.151.50 rusapa01 # EMEA Production DB Server
O1 - Hosts: 205.191.151.64 rusapb01 # EMEA Production CI Server
O1 - Hosts: 205.191.151.10 rusapp10 # EMEA Production log. cluster addr. CI
O1 - Hosts: 205.191.151.11 rusapa02 # EMEA Production Server 2
O1 - Hosts: 205.191.151.12 rusapb02 # EMEA Production Server 3
O1 - Hosts: 205.191.151.8 rusapa03 # EMEA Production Server 4
O1 - Hosts: 205.191.151.9 rusapb03 # EMEA Production Server 5
O1 - Hosts: 205.191.151.14 rusapb06 # EMEA UAT
O1 - Hosts: 205.191.151.73 rusapb04 # EMEA Migration
O1 - Hosts: 205.191.151.16 rusapb05 # EMEA Special Purpose (E10)
O1 - Hosts: 205.191.151.62 rusapa07 # EMEA Training
O1 - Hosts: 205.191.151.63 rusapa08 # EMEA Application Sandbox (A10)
O1 - Hosts: 207.37.232.193 mdsapsu1 # EMEA DRA
O1 - Hosts: 134.251.179.4 sysapa01 # PP1 Asia/Pacific Production DB
O1 - Hosts: 134.251.179.5 sysapa02 # CP1 Asia/Pacific Consolidation
O1 - Hosts: 134.251.179.4 sysapa01 # PP1 Asia/Pacific Production DB
O1 - Hosts: 134.251.148.11 sysapb01 # TP1 Asia/Pacific Training
O1 - Hosts: 134.251.148.11 sysapb01 # MP1 Asia/Pacific Migration
O1 - Hosts: 204.104.247.196 plsappl1 # Latin America Prod failover
O1 - Hosts: 206.122.126.197 plsapa40 # Latin America Migration/Consolidation
O1 - Hosts: 206.122.126.216 plsapb60 # Latin America Training
O1 - Hosts: 204.104.247.203 plsappg1 # US Time Recording Production
O1 - Hosts: 204.104.247.243 plsapps1 # e.FW SEM Production failover
O1 - Hosts: 204.104.247.242 plsappw2 # e.FW BW Production failover
O1 - Hosts: 204.104.247.244 plsappr1 # e.FW ERD Production failover
O1 - Hosts: 130.175.217.56 ahsapb40 # e.FW BW Training
O1 - Hosts: 130.175.217.54 ahsapb30 # e.FW BW QA
O1 - Hosts: 130.175.217.50 ahsapb10 # e.FW ERD QA
O1 - Hosts: 130.175.217.212 aps25 aps25.ahipc.eds.com
O1 - Hosts: 130.175.217.214 aps26 aps26.ahipc.eds.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Tivoli_Check] C:\WINDOWS\COE\Tivoli\Tiv_Run.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_Em\HwInv2K.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.w2jzz6q101] "C:\em\opt\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\em\opt\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [EDS_Asset_Data_Collector] c:\em\opt\tivoli\lcf\isolated\scanner_check.vbs
O4 - HKLM\..\Run: [Mobile] "c:\em\opt\tivoli\Mobile\epspawn.exe" -w "c:\em\opt\tivoli\Mobile" "c:\em\opt\tivoli\Mobile\mobile.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {48F22476-0F08-43D8-BAA3-83AD77BD2582} (LLInstall Class) - http://llplano.educ.eds.com/learnlinc/download/LL7Inst.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101151839253
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://entmetrics.smc.us.eds.com/viewer/ac...tivexviewer.cab
O16 - DPF: {EAF26D6B-B8E6-11D1-9941-444553540001} - http://www.eds.com/emf/scanner.cab
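To make the check in the two posts above mechanical (parse the helper's fix list, diff the old and new HijackThis logs, and confirm every "Fix Checked" item really disappeared), here is an added Python example; it is not HijackThis code and not part of this thread, and its "look twice" rules of thumb are assumptions of the example rather than anything the helper stated.

```python
"""Parse HijackThis 1.98 log entries, diff two scans, and verify a fix list.
Handles the O2, O4 (Run key), O8, O9 and O16 line shapes seen in this
thread; the "look twice" rules of thumb are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

CLSID = r"\{[0-9A-Fa-f-]+\}"
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$"),
    "O8": re.compile(r"^O8 - Extra context menu item: (?P<name>.*?) - (?P<path>.+)$"),
    "O9": re.compile(rf"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.+)$"),
    "O16": re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<path>.+)$"),
}


@dataclass(frozen=True)
class Entry:
    kind: str        # O2, O4, O8, O9 or O16
    name: str        # BHO/Run/menu/class name, "(no name)" when absent
    path: str        # file path or download URL
    clsid: str = ""


def parse_log(text: str) -> List[Entry]:
    """Return the recognised entries of a log, in file order."""
    found = []
    for raw in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(raw.strip())
            if m:
                g = m.groupdict()
                found.append(Entry(kind, g.get("name") or "(no name)",
                                   g["path"].strip(), g.get("clsid") or ""))
                break
    return found


def diff_logs(before: str, after: str):
    """(removed, added) entries between two scans, in log order."""
    b, a = parse_log(before), parse_log(after)
    return [e for e in b if e not in a], [e for e in a if e not in b]


def still_present(after: str, fix_list: str) -> List[Entry]:
    """Fix-list entries that survive in the new scan: fixes that did not stick."""
    a = parse_log(after)
    return [e for e in parse_log(fix_list) if e in a]


def look_twice(e: Entry) -> Optional[str]:
    """Assumed rule of thumb: an autorun/BHO binary dropped straight into
    C:\\WINDOWS, or an ActiveX control fetched from a bare IP address, as
    several fix-list items in this thread are. Catches some, not all."""
    if e.kind in ("O2", "O4") and re.fullmatch(r"c:\\windows\\[^\\]+", e.path, re.I):
        return "binary sits directly in the Windows folder"
    if e.kind == "O16":
        host = urlparse(e.path).hostname or ""
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            return "ActiveX control downloaded from a bare IP address"
    return None


# Constructed sample: ten lines copied from the first log in this thread.
BEFORE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [salm] c:\windows\salm.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27bd70e5693f66c30319/...ip/RdxIE601.cab
O16 - DPF: {EAF26D6B-B8E6-11D1-9941-444553540001} - http://www.eds.com/emf/scanner.cab
"""
# The helper's fix list is BEFORE minus the three legitimate entries; the
# constructed "after" scan is what remains once every fix has stuck.
KEEP = ("SDHelper", "ctfmon", "scanner.cab")
FIX_LIST = "\n".join(l for l in BEFORE.splitlines() if not any(k in l for k in KEEP))
AFTER = "\n".join(l for l in BEFORE.splitlines() if any(k in l for k in KEEP))


def main() -> None:
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"{len(removed)} removed, {len(added)} added; "
          f"{len(still_present(AFTER, FIX_LIST))} fix-list items still present")
    for e in parse_log(BEFORE):
        why = look_twice(e)
        if why:
            print(f"look twice [{e.kind}] {e.name}: {why}")


if __name__ == "__main__":
    main()
```

Feed it the real before/after logs from a thread like this one and a non-empty `still_present()` result is the cue to ask for another pass in Safe Mode.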

#4 Y kawika

    Anti-Spyware Brigade

  • Members
  • 38 posts
  • Gender:Male
  • Location:Long Island, NY USA

Posted 23 November 2004 - 07:42 PM

You cleaned up real nicely! :thumbsup:

As for the AUTOEXEC.NT error, this has been occurring either from corruption of the file or its removal. Fortunately, greysts has put together a fix that restores the originals and removes the error.

Download the self-extracting zip file for your specific version of XP and double click it. It will automatically extract the files to the System32 folder. Reboot after completion.

Autoexec.nt, config.nt and command.com Fix

Post back with an update, and another HijackThis log just to double check after the change, if you don't mind. Thanks :)Y

#5 jzz6q1
  • Topic Starter

  • Members
  • 16 posts

Posted 24 November 2004 - 04:46 PM

The link you directed me to worked fine. I downloaded the files and extracted them as recommended, and my system is now working properly!!

Here is the final HJT log, which I will keep on hand in case I get infected again. This will help me know what to do to eradicate the nasties! Thanks for your help!

Logfile of HijackThis v1.98.2
Scan saved at 4:42:56 PM, on 11/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\RCSERV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\System32\ctfmon.exe
c:\em\opt\tivoli\Mobile\mobile.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://infocentre.eds.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.gm.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internetx.eds.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*eds.com;<local>
O1 - Hosts: 205.191.151.13 rusapa06 # EMEA Development
O1 - Hosts: 205.191.151.17 rusapa04 # EMEA Consolidation
O1 - Hosts: 205.191.151.50 rusapa01 # EMEA Production DB Server
O1 - Hosts: 205.191.151.64 rusapb01 # EMEA Production CI Server
O1 - Hosts: 205.191.151.10 rusapp10 # EMEA Production log. cluster addr. CI
O1 - Hosts: 205.191.151.11 rusapa02 # EMEA Production Server 2
O1 - Hosts: 205.191.151.12 rusapb02 # EMEA Production Server 3
O1 - Hosts: 205.191.151.8 rusapa03 # EMEA Production Server 4
O1 - Hosts: 205.191.151.9 rusapb03 # EMEA Production Server 5
O1 - Hosts: 205.191.151.14 rusapb06 # EMEA UAT
O1 - Hosts: 205.191.151.73 rusapb04 # EMEA Migration
O1 - Hosts: 205.191.151.16 rusapb05 # EMEA Special Purpose (E10)
O1 - Hosts: 205.191.151.62 rusapa07 # EMEA Training
O1 - Hosts: 205.191.151.63 rusapa08 # EMEA Application Sandbox (A10)
O1 - Hosts: 207.37.232.193 mdsapsu1 # EMEA DRA
O1 - Hosts: 134.251.179.4 sysapa01 # PP1 Asia/Pacific Production DB
O1 - Hosts: 134.251.179.5 sysapa02 # CP1 Asia/Pacific Consolidation
O1 - Hosts: 134.251.179.4 sysapa01 # PP1 Asia/Pacific Production DB
O1 - Hosts: 134.251.148.11 sysapb01 # TP1 Asia/Pacific Training
O1 - Hosts: 134.251.148.11 sysapb01 # MP1 Asia/Pacific Migration
O1 - Hosts: 204.104.247.196 plsappl1 # Latin America Prod failover
O1 - Hosts: 206.122.126.197 plsapa40 # Latin America Migration/Consolidation
O1 - Hosts: 206.122.126.216 plsapb60 # Latin America Training
O1 - Hosts: 204.104.247.203 plsappg1 # US Time Recording Production
O1 - Hosts: 204.104.247.243 plsapps1 # e.FW SEM Production failover
O1 - Hosts: 204.104.247.242 plsappw2 # e.FW BW Production failover
O1 - Hosts: 204.104.247.244 plsappr1 # e.FW ERD Production failover
O1 - Hosts: 130.175.217.56 ahsapb40 # e.FW BW Training
O1 - Hosts: 130.175.217.54 ahsapb30 # e.FW BW QA
O1 - Hosts: 130.175.217.50 ahsapb10 # e.FW ERD QA
O1 - Hosts: 130.175.217.212 aps25 aps25.ahipc.eds.com
O1 - Hosts: 130.175.217.214 aps26 aps26.ahipc.eds.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Tivoli_Check] C:\WINDOWS\COE\Tivoli\Tiv_Run.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_Em\HwInv2K.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.w2jzz6q101] "C:\em\opt\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\em\opt\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [EDS_Asset_Data_Collector] c:\em\opt\tivoli\lcf\isolated\scanner_check.vbs
O4 - HKLM\..\Run: [Mobile] "c:\em\opt\tivoli\Mobile\epspawn.exe" -w "c:\em\opt\tivoli\Mobile" "c:\em\opt\tivoli\Mobile\mobile.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {48F22476-0F08-43D8-BAA3-83AD77BD2582} (LLInstall Class) - http://llplano.educ.eds.com/learnlinc/download/LL7Inst.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101151839253
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://entmetrics.smc.us.eds.com/viewer/ac...tivexviewer.cab
O16 - DPF: {EAF26D6B-B8E6-11D1-9941-444553540001} - http://www.eds.com/emf/scanner.cab

#6 Y kawika

    Anti-Spyware Brigade

  • Members
  • 38 posts
  • Gender:Male
  • Location:Long Island, NY USA

Posted 24 November 2004 - 07:46 PM

Looks good jzz6q1 :flowers: What I suspect is that the malware took out your AutoexecNT file as a means to cripple your anti-virus program, since most do their initial scan in the lower 16 bit mode at start up. This of course would call up the multiple errors. I will follow through with this investigation as I have been seeing this behavior more frequently.

Be sure to stay on top of all your updates. The malware is getting meaner and prevention and detection are key to their demise! :thumbsup:

Just a little reading and some free utilities that I like and trust:

How did I get infected in the first place?

Adaware SE
Spybot Search & Destroy
Spyware Blaster
Win Patrol
Clean Up

Thanks for choosing Bleeping Computer to help you resolve the problem! :)Y

#7 jzz6q1
  • Topic Starter

  • Members
  • 16 posts

Posted 29 November 2004 - 12:24 PM

Hi again! After reading your last post, I was wondering if you would like to investigate this malware a bit more closely, in a quarantined environment.

I got infected when I did a Google search for "You'll never walk alone". The link that caused the infection was http://www.~oldielyrics.com/lyrics/elvis_p...walk_alone.html

I was helping a friend get rid of the malware on his computer a month or two ago (see how the generous help you folks provide spurs others to pass along the favor?) and his machine brought up some horrendously pornographic websites when we tried to eradicate the virus!! It was positively disgusting the lengths that some of these jerks go to thwart people from getting rid of their stuff.

I appreciated your assistance greatly in resolving my problem! Thanks!

Edited by groovicus, 29 November 2004 - 08:00 PM.


#8 Y kawika

    Anti-Spyware Brigade

  • Members
  • 38 posts
  • Gender:Male
  • Location:Long Island, NY USA

Posted 29 November 2004 - 08:32 PM

Thanks jzz6q1, we had the link broken just to be safe, but will investigate.

I'm happy to hear that you are helping and spreading the word to others about this malware. The more that know, the better the fight! Be well my friend. :)Y
