Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
1 reply to this topic

#1 merritt


  • Members
  • 42 posts
  • Gender:Male
  • Local time:06:29 AM

Posted 10 December 2004 - 10:41 PM

I have run adaware, but something is still taking over my browser. It changes my start page, creates popups, etc.


Logfile of HijackThis v1.98.2
Scan saved at 10:39:15 PM, on 12/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\OfficeScan NT\Pccntmon.exe
C:\Program Files\OfficeScan NT\RAUAgent.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\jmerritt\My Documents\Personal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wjbhc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wjbhc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wjbhc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wjbhc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wjbhc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wjbhc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boehringer Ingelheim
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bi-proxy.am.boehringer.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ridapp04;*.bic;148.188.*;148.189.*;wwwdcm*;nycppgbt1.pfizer.com;*.am.boehringer.com;*.eu.boehringer.com;*.ap.boehringer.com;192.168.113.*;Spex.pfizer.com;spiriva.pfizer.com;bi-changepoint*;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A52C7D9D-ECE6-E7DB-4A98-9F196536545A} - C:\WINDOWS\sysdc.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\OfficeScan NT\RAUAgent.exe
O4 - HKLM\..\Run: [ntdn32.exe] C:\WINDOWS\system32\ntdn32.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [iPass] C:\Program Files\iPass\iPassConnect Corporate\SrvHelp.exe
O4 - Startup: Siebel Autosync.lnk = C:\Sea752\client\BIN\autosync.exe
O4 - Startup: Siebel QuickStart.lnk = C:\Sea752\client\BIN\siebel.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://sales-inet.rid.us.bic
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://rdgms04/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://rdgms04/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://rdgms04/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://rdgms04/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - http://localhost/16161/applets/SiebelOptionPack.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = am.boehringer.com
O17 - HKLM\Software\..\Telephony: DomainName = am.boehringer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = am.boehringer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.boehringer.com,eu.boehringer.com,ap.boehringer.com,boehringer.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.boehringer.com,eu.boehringer.com,ap.boehringer.com,boehringer.com

BC AdBot (Login to Remove)



#2 raw


    Bleeping Hacker

  • Members
  • 2,577 posts
  • Gender:Male
  • Location:Texas
  • Local time:06:29 AM

Posted 11 December 2004 - 02:32 AM

The first thing I need you to do is download the file from here:


Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post.


 rawcreations.net          @raw_creations

Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users