

Help For Hijack


#1 KvR


Posted 23 May 2006 - 11:45 AM

Our IE6 is hijacked. But where?

Logfile of HijackThis v1.99.1
Scan saved at 18:35:32, on 23.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\wsaccsmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\OfficeScan NT\pccntmon.exe
C:\WINDOWS\system32\iprntctl.exe
C:\Programme\Hardcopy\hardcopy.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\PatchLink\Update Agent\pddm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Novell\ZENworks\NalWin.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\Novell\ZENworks\NalAgent.exe
C:\Programme\Cisco Systems\CSAgent\bin\okclient.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Vokomail\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.stuttgart-airport.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.stuttgart-airport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.stuttgart-airport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von Flughafen Stuttgart GmbH
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fsg62:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.airport-stuttgart.de;*.stuttgart-airport.com;10.*.*.*;192.168.*.*;172.16.*.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38B1AD7E-3150-4AC4-95A7-40DC63E05151} - C:\WINDOWS\system32\kbdcan32.dll
O2 - BHO: SecureLogin IESSO Browser Helper Object - {7DE7B623-A17E-4A0B-94BA-D1B3BA646792} - C:\Programme\Novell\SecureLogin\iesso.dll
O2 - BHO: (no name) - {801BF87E-A000-11D3-81FE-00902741DE09} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [Hardcopy] C:\Programme\Hardcopy\hardcopy.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Programme\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PDDM] C:\Programme\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Flash Toggler.lnk = C:\Programme\Flash Toggler\ft.exe
O4 - Startup: Outlook.lnk = C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Application Window.lnk = C:\Programme\Novell\ZENworks\NalWin.exe
O4 - Global Startup: Cisco Security Agent.lnk = C:\Programme\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: klickTel - Schnellstarter - 32-Bit.lnk = APPS\WINDOWS\KlickTel_neu\kstart32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Programme\Novell\ZENworks\AxNalServer.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.stuttgart-airport.com/
O15 - Trusted Zone: http://as400d.airport-stuttgart.de
O15 - Trusted Zone: http://*.fsg66
O15 - Trusted Zone: *.oracle.com
O15 - Trusted Zone: http://as400d.airport-stuttgart.de (HKLM)
O15 - Trusted Zone: http://*.fsg66 (HKLM)
O15 - Trusted Zone: *.oracle.com (HKLM)
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fsg.airport-stuttgart.de
O17 - HKLM\Software\..\Telephony: DomainName = fsg.airport-stuttgart.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F828D9C-F5E8-4D1A-A6B8-BED25DCD326E}: Domain = fsg.airport-stuttgart.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{B68899A1-9C7F-43FF-8BF7-A7357C7AD1A9}: Domain = fsg.airport-stuttgart.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1FECB56-6EFE-46E5-841B-4AE10E17A35B}: Domain = fsg.airport-stuttgart.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fsg.airport-stuttgart.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fsg.airport-stuttgart.de,airport-stuttgart.de
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F828D9C-F5E8-4D1A-A6B8-BED25DCD326E}: Domain = fsg.airport-stuttgart.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fsg.airport-stuttgart.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = fsg.airport-stuttgart.de,airport-stuttgart.de
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F828D9C-F5E8-4D1A-A6B8-BED25DCD326E}: Domain = fsg.airport-stuttgart.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fsg.airport-stuttgart.de,airport-stuttgart.de
O20 - AppInit_DLLs: csauser.dll AMInit.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O20 - Winlogon Notify: wsacclcm - C:\WINDOWS\SYSTEM32\SWEvent.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Programme\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Programme\Cisco Systems\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DeskFlash Kernel Service Instant (DfKrnlInstant) - Unknown owner - C:\DOKUME~1\Compunet\LOKALE~1\Temp\DfKrnl.exe (file missing)
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Programme\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell Secure Workstation Service (Novell Secure Workstation) - Unknown owner - C:\WINDOWS\system32\wsaccsvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: PatchLink Update - Novell, Inc. - C:\Programme\PatchLink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: Novell ZENworks-Fernverwaltungsagent (Remote Management Agent) - Novell, Inc. - C:\Programme\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Arbeitsstations-Manager (ZFDWM) - Novell, Inc. - C:\Programme\Novell\ZENworks\wm.exe
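As an added example (not part of the original post or of HijackThis itself), a small Python triage script over a few lines copied from the log above: it parses HijackThis entries into (code, body) records and flags the properties a reviewer typically checks first. The line sample and the heuristics are mine; a flag is a prompt to look closer, not a verdict on the entry.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38B1AD7E-3150-4AC4-95A7-40DC63E05151} - C:\WINDOWS\system32\kbdcan32.dll
O2 - BHO: (no name) - {801BF87E-A000-11D3-81FE-00902741DE09} - (no file)
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O23 - Service: DeskFlash Kernel Service Instant (DfKrnlInstant) - Unknown owner - C:\DOKUME~1\Compunet\LOKALE~1\Temp\DfKrnl.exe (file missing)
O20 - AppInit_DLLs: csauser.dll AMInit.dll
"""

# A HijackThis entry starts with its section code (R0, R1, O2, O4, ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (code, body) records, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Return (code, body, reasons) for entries worth a second look.

    Heuristics only: an unnamed BHO, a referenced file that is gone, a binary
    under a Temp directory, a service with no identified owner, and any
    AppInit_DLLs entry (those DLLs load into every process that loads user32.dll).
    """
    flagged = []
    for code, body in entries:
        reasons = []
        if code == "O2" and "(no name)" in body:
            reasons.append("unnamed BHO")
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("referenced file missing")
        if re.search(r"\\Temp\\", body, re.IGNORECASE):
            reasons.append("runs from a Temp directory")
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown owner")
        if code == "O20" and body.startswith("AppInit_DLLs"):
            reasons.append("AppInit_DLLs entry")
        if reasons:
            flagged.append((code, body, reasons))
    return flagged
```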


#2 Grinler

Lawrence Abrams (Admin)

Posted 29 May 2006 - 02:18 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log
