Need Help Eliminating A Hi Jacking


7 replies to this topic

#1 Tank_D (Members, 4 posts)

Posted 26 March 2007 - 08:29 AM

Hi,

There's something wrong, I just can't tell what it is. My computer is making the clicking sound as if I were browsing the internet. It's the sound you hear when you click a link. It also makes the sound when popups are blocked. I've done all the preliminary scans and stuff, but no luck in clearing this problem. Posting my HJT log in hopes of some help. Thanks a lot.

Tank

Logfile of HijackThis v1.99.1
Scan saved at 9:24:30 AM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\slClient.exe
C:\Program Files\CA\eTrustITM\eaps.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccnfagent.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\Unicenter DSM\Bin\rcHost.exe
C:\Program Files\CA\SharedComponents\DTS\bin\tngdta.exe
C:\Program Files\CA\Unicenter DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfftplugin.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\CA\Unicenter DSM\Bin\sxplog32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.atlanta.local/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41412EA4-0F96-4CC2-99A0-50CB500352EA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\Unicenter DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.maximus.com/qp2.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://atlopen.atlantaga.gov/CACHE/webvpn/...ries/stcweb.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://beta.update.microsoft.com/microsoft...b?1174702795671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlanta.local
O17 - HKLM\Software\..\Telephony: DomainName = atlanta.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlanta.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = atlanta.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: CAF - C:\Program Files\CA\Unicenter DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\Unicenter DSM\Bin\rcLoginExt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: CA Unicenter DSM r11 Common Application Framework. (caf) - Unknown owner - C:\Program Files\CA\Unicenter DSM\Bin\caf.exe" service (file missing)
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


#2 random/random (Malware Response Team, 2,704 posts)

Posted 31 March 2007 - 05:25 PM

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Post back with the smitfraudfix log and a new HijackThis log

#3 Tank_D (Topic Starter, Members, 4 posts)

Posted 31 March 2007 - 10:07 PM

Hi and thanks for the help. Here are the logs you requested.

SmitFraudFix v2.162

Scan done at 22:56:15.29, Sat 03/31/2007
Run from C:\Documents and Settings\mtanks\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slClient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\eTrustITM\eaps.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CA\Unicenter DSM\Bin\sxplog32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccnfagent.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\Unicenter DSM\Bin\rcHost.exe
C:\Program Files\CA\SharedComponents\DTS\bin\tngdta.exe
C:\Program Files\CA\Unicenter DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfftplugin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\mtanks


C:\Documents and Settings\mtanks\Application Data


Start Menu


C:\DOCUME~1\mtanks\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows Media Player\\zysosalihd.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32



DNS

Description: Dell Wireless 1370 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 68.87.68.162
DNS Server Search Order: 68.87.74.162

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F4C3C3FB-8654-46B7-92B7-37715236E414}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F4C3C3FB-8654-46B7-92B7-37715236E414}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\..\{573E7A45-C4AF-4EF9-AEE3-BAADCCD5B764}: DhcpNameServer=10.18.100.199 10.11.2.199
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F4C3C3FB-8654-46B7-92B7-37715236E414}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.18.100.199 10.11.2.199


Scanning wininet.dll infection


End

and....

Logfile of HijackThis v1.99.1
Scan saved at 11:02:29 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slClient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\eTrustITM\eaps.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CA\Unicenter DSM\Bin\sxplog32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe
C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
C:\Program Files\CA\Unicenter DSM\Bin\caf.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfsmsmd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccnfagent.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfnotsrvd.exe
C:\Program Files\CA\Unicenter DSM\Bin\ccsmagtd.exe
C:\Program Files\CA\Unicenter DSM\Bin\rcHost.exe
C:\Program Files\CA\SharedComponents\DTS\bin\tngdta.exe
C:\Program Files\CA\Unicenter DSM\PMAgent\capmuamagt.exe
C:\Program Files\CA\Unicenter DSM\Bin\cfftplugin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.atlanta.local/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41412EA4-0F96-4CC2-99A0-50CB500352EA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [DsmSxplog] "C:\Program Files\CA\Unicenter DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program Files\CA\Unicenter DSM\Bin\cfSysTray.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.maximus.com/qp2.cab
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://atlopen.atlantaga.gov/CACHE/webvpn/...ries/stcweb.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://beta.update.microsoft.com/microsoft...b?1174702795671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlanta.local
O17 - HKLM\Software\..\Telephony: DomainName = atlanta.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlanta.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = atlanta.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: CAF - C:\Program Files\CA\Unicenter DSM\Bin\cfwlogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: rcHostExt - C:\Program Files\CA\Unicenter DSM\Bin\rcLoginExt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program Files\CA\SharedComponents\CAM\bin\cam.exe
O23 - Service: CA Unicenter DSM r11 Common Application Framework. (caf) - Unknown owner - C:\Program Files\CA\Unicenter DSM\Bin\caf.exe" service (file missing)
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#4 random/random (Malware Response Team, 2,704 posts)

Posted 01 April 2007 - 04:50 AM

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there (except for "My current home page").

Delete this file:

C:\Program Files\Windows Media Player\zysosalihd.html

Let me know if this solves your problem
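
The check the helper did by eye above (read the "Desktop Components" section of the SmitfraudFix log in #3, pick out the Active Desktop component that is not the built-in About:Home entry, then remove that registry key and the file it points at) written out as a script. This is an added example, not code from the thread, from SmitfraudFix or from HijackThis. The rapport.txt excerpt inside it is a constructed sample modelled on the log posted in #3; the parser reads the same .reg-style dump from a real rapport.txt. Function and class names (parse_desktop_components, triage, remediation) are the example's own.

```python
r"""Added example (not from the thread or SmitfraudFix): triage the
"Desktop Components" section of a SmitfraudFix rapport.txt.

Active Desktop renders whatever HTML an entry under
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\<n> points
at, so a rogue local .html registered there gets loaded at every logon
without needing a Run key, a BHO or a service, which is why the HJT
logs in this thread look clean.  The only entry Windows creates itself
is the About:Home "My Current Home Page" one; anything else is reviewed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the rapport.txt posted in reply #3.
SAMPLE_RAPPORT = r"""Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows Media Player\\zysosalihd.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
"""

SECTION_HEADER = "Desktop Components"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# A drive-letter path, optionally wrapped in a file:// URL.
LOCAL_FILE_RE = re.compile(r"^(?:file:///?)?[a-z]:[\\/]", re.IGNORECASE)


@dataclass
class DesktopComponent:
    key: str
    values: dict = field(default_factory=dict)

    def get(self, name: str) -> str:
        return self.values.get(name, "")


@dataclass
class Finding:
    component: DesktopComponent
    reasons: list


def _unescape_reg(value: str) -> str:
    """.reg export syntax doubles backslashes and escapes double quotes."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def parse_desktop_components(report: str) -> list:
    """Return the [key] blocks listed under the 'Desktop Components' header."""
    lines = report.splitlines()
    starts = [i for i, line in enumerate(lines) if line.strip() == SECTION_HEADER]
    if not starts:
        return []
    components, current = [], None
    for raw in lines[starts[0] + 1:]:
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = DesktopComponent(key=key.group(1))
            components.append(current)
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            current.values[val.group(1)] = _unescape_reg(val.group(2))
            continue
        break  # any other non-blank line is the next section's header
    return components


def triage(components: list) -> list:
    """Flag every component except Windows' own About:Home entry."""
    findings = []
    for comp in components:
        src, sub = comp.get("Source"), comp.get("SubscribedURL")
        if src.lower() == "about:home" and sub.lower() == "about:home":
            continue  # the built-in "My Current Home Page" component
        reasons = []
        if LOCAL_FILE_RE.match(src):
            reasons.append("Source is a local file: " + src)
        elif src:
            reasons.append("Source is not About:Home: " + src)
        else:
            reasons.append("Source is empty")
        if not comp.get("FriendlyName"):
            reasons.append("FriendlyName is blank")
        findings.append(Finding(comp, reasons))
    return findings


def remediation(finding: Finding) -> dict:
    """The key to delete, and the file it points at when that is local."""
    src = finding.component.get("Source")
    short_key = finding.component.key.replace("HKEY_CURRENT_USER", "HKCU", 1)
    plan = {
        "registry_key": finding.component.key,
        "reg_command": 'reg delete "%s" /f' % short_key,
        "file_to_delete": None,
    }
    if LOCAL_FILE_RE.match(src):
        plan["file_to_delete"] = re.sub(r"^file:///?", "", src, flags=re.IGNORECASE)
    return plan


if __name__ == "__main__":
    for f in triage(parse_desktop_components(SAMPLE_RAPPORT)):
        print(f.component.key)
        for r in f.reasons:
            print("  -", r)
        print("  fix:", remediation(f))
```

On the real log, call parse_desktop_components on the contents of C:\rapport.txt. The reg delete line in the output is the command-line equivalent of unchecking and deleting the entry on the Web tab as described in #4; either way, removing the registry entry alone leaves the HTML file on disk, which is why the helper also had the file deleted.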

#5 Tank_D (Topic Starter, Members, 4 posts)

Posted 01 April 2007 - 06:56 AM

OK. The entry you named was the only one there. I did as you instructed and it seems to have fixed the problem. I restarted this machine as it usually starts browsing as soon as I log in. This time nothing. I browsed through a couple of sites and nothing so far.

I don't know if there's a time limit on keeping topics open, but I'd like to post again later today to let you know if the problem comes back up. In any case, thanks ever so much for your assistance. I'm a little amazed that it was something that seemed so simple. I've fought adware/spyware in the past and this is the first time I've come across a threat using those settings. If this is it, I'm happy, as I usually don't waste the time trying to fight and just wipe a drive and go.

Tank

#6 random/random (Malware Response Team, 2,704 posts)

Posted 01 April 2007 - 08:02 AM

I think the malware is gone, but there are some updates you need to do.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Acrobat reader is outdated, uninstall the one you have installed and install the latest one from here:

http://www.adobe.com/products/acrobat/readstep2.html

As for a time limit, I'll leave this topic open for a week, but you can have it reopened by sending a PM to a moderator

#7 Tank_D (Topic Starter, Members, 4 posts)

Posted 02 April 2007 - 10:43 AM

Thanks for the tips. I have loaded the new Java version, but I am using Adobe Pro 6 and I have downloaded all the available updates for it. Do I still need to load the newer version of the reader? Will a newer reader conflict with Adobe Pro 6?

Oh, and no sign of the malware =^)

Edited by Tank_D, 02 April 2007 - 10:45 AM.


#8 random/random (Malware Response Team, 2,704 posts)

Posted 02 April 2007 - 11:01 AM

Quoting Tank_D: "Will a newer reader conflict with Adobe Pro 6?"

I don't know; the security risk is only if you open unknown PDF files.



