Katz170

Work Computer infected

6 posts in this topic

Hey guys,

 

My work computer does NOT have any protection on it from anything, and I've had to clean it up the best I could. The person who used this computer before me must've gone to every website in the world because I have Bargain Buddy, Comet Cursor and all sorts of nasties on here. I'm probably not even supposed to fix it but the IT department is incompetent.

 

The biggest problem I'm having is I'm getting error messages when I first start up the computer in the morning regarding DLL files and not being able to locate certain things. Can you guys please help?!? :D

 

Hijack This Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:36:16 AM, on 07/30/2004

Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\DMI\bin\delldmi.exe

C:\WINNT40\System32\nddeagnt.exe

C:\LDCLIENT\SOFTMON.EXE

C:\WINNT40\Explorer.exe

C:\WINNT40\System32\SysTray.Exe

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\WINNT40\System32\loadwc.exe

C:\WINNT40\System32\SxgTkBar.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\DMI\bin\nic.exe

C:\DMI\bin\coo.exe

C:\DMI\bin\dnar.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\DMI\bin\nodemngr.exe

C:\WINNT40\System32\MsgSys.EXE

C:\WINNT40\System32\MAPISP32.EXE

C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin

C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE

C:\WINNT40\System32\ddhelp.exe

C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin

C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin

C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin

C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE

C:\PROGRA~1\WinZip\winzip32.exe

C:\TEMP\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myworkpath.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bscintranet1.bsca.eds.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://myworkpath.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS/BSC

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe,C:\LDCLIENT\SOFTMON.EXE

O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)

O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - (no file)

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [browserWebCheck] loadwc.exe

O4 - HKLM\..\Run: [sxgTkBar] SxgTkBar.exe

O4 - HKLM\..\Run: [schedulingAgent] mstinit.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [intelAPMClient] C:\LDClient\amclient.exe /apm /s /ro /bw=WAN

O4 - HKLM\..\Run: [LDIScn32] C:\LDClient\LDISCN32.EXE /NTT=BSCEDHC01SA11:5007 /S="BSCEDHC01SA11" /I=HTTP://BSCEDHC01SA11/ldlogon/ldappl3.ldz /NOUI /W=60

O4 - HKLM\..\Run: [TCSClient] C:\LDClient\amclient.exe /tcs /s

O4 - HKLM\..\Run: [RegtoReg] C:\LDClient\RegtoReg.EXE

O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT40\wupdt.exe

O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: CSWCFG.lnk = C:\Windows\getname.bat

O13 - WWW. Prefix: http://

O14 - IERESET.INF: START_PAGE_URL=Http://myworkpath.com

O15 - Trusted Zone: http://*.wellpoint.com

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://aristotle2/cbtweb/players/authorware/full/awswaxf.cab

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://ftp.autodesk.com/pub/whip/english/whip.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bsca.eds.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bsca.eds.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bsca.eds.com eds.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bsca.eds.com eds.com

 

 

Thank you!!


Hello,

 

Your copy of HijackThis is outdated and it's in a temporary directory. Please create a new folder on the C: drive and name it C:\HJT or something similar. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select "New" then "Folder" and name it HJT. Next, click here to download the latest version of HijackThis, v1.98. Download it directly into the new folder. Delete your old copy of HijackThis.

 

NOTE: Please print a copy of these instructions because you will be working in Safe Mode and/or with all windows closed except HijackThis.

 

Please run HijackThis in Safe Mode....

 

Reboot into safe mode, this way:

Restart the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safe Mode and press the <Enter> key.

 

Also, enable the “Show Hidden Files and Folders” option:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.”

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

 

O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)

 

O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - (no file)

 

O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT40\wupdt.exe

 

O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

 

O13 - WWW. Prefix: http://

 

If this O15 item is an entry you deliberately set, then leave it; otherwise fix it with HijackThis....

 

O15 - Trusted Zone: http://*.wellpoint.com

 

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

 

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

 

C:\WINNT40\wupdt.exe < file

 

C:\Program Files\BullsEye Network\ < folder

 

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

 

C:\WINDOWS\Temp\

 

C:\Temp\

 

C:\Documents and Settings\username\Local Settings\Temp\

 

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

 

Empty your Recycle Bin.

 

Reboot into normal mode.

 

Proceed to the Windows Update site (see link below) download and install ALL critical updates.

 

Reboot when finished.

 

If you are not running version 1.3 of Spybot S & D, click here to download Spybot Search & Destroy v1.3 - install, update, reboot into Safe Mode, scan and fix all RED items it finds. Reboot into normal mode when done.

 

Perform a customized Ad-aware scan in Safe Mode........

 

If you do not have the latest version of Ad-aware, version 6, Build 6.181, click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then boot into Safe Mode, start the program, and click the gear wheel at the top and check these options to configure Ad-aware for a customized scan:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot into normal mode when finished.

 

Next, perform online virus and Trojan scans, using the links in my signature below. Allow the programs to delete all that they may find. Reboot after each scan.

 

Scan with HijackThis and post a fresh log into this same thread.


Thank you for all the good advice, it's not looking pretty.

 

Unfortunately I can only do so much because it's my work computer - and I'm not logged in as the Administrator. For example, I tried downloading Spybot and it would not let me open the Zip file. *headdesk*

 

Are any of those nasty things on the computer real malicious?

 

I tried talking to the IT department about it, but supposedly we're upgrading to Windows XP soon. So, is this computer ok until October? Or is it going to crash and burn on me soon?


Hello,

 

I was concerned you might have a problem, considering it's a work computer. Sometimes IT departments are incredibly lax and sometimes they're overly strict.... sometimes they're just plain stupid. :p

 

Were you able to use HijackThis to fix the selected entries? If you were able to do that, and then delete the file and folder I listed, you might be able to hang in there. You need to do at least that much.

 

The folder you were supposed to delete is the one responsible for Bargain Buddy. The file, on the other hand, is likely to be associated with a virus. Here's the information on it.....

 

http://www.liutilities.com/products/wintas...slibrary/wupdt/

 

and here.....

 

http://uk.trendmicro-europe.com/enterprise...=TROJ_IMISERV.C

 

Best of luck to you.


I tried to do what I could - I couldn't:

 

A) Start the computer in Safe Mode

B) Update Windows

C) Run Spybot

 

because I wasn't logged in as an Admin.

But I did everything else, this is my new Hijack This log - does it look better? I deleted those BHO files but they came back.

 

Logfile of HijackThis v1.98.1

Scan saved at 10:20:00 AM, on 08/04/2004

Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\DMI\bin\delldmi.exe

C:\WINNT40\System32\nddeagnt.exe

C:\LDCLIENT\SOFTMON.EXE

C:\WINNT40\Explorer.exe

C:\WINNT40\System32\SysTray.Exe

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\WINNT40\System32\loadwc.exe

C:\WINNT40\System32\SxgTkBar.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\DMI\bin\nic.exe

C:\DMI\bin\coo.exe

C:\DMI\bin\dnar.exe

C:\DMI\bin\nodemngr.exe

C:\WINNT40\System32\MsgSys.EXE

C:\WINNT40\System32\MAPISP32.EXE

C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin

C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin

C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin

C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin

C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE

C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE

C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE

C:\Program Files\Microsoft Office\Office\winword.exe

C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE

H:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bscintranet1.bsca.eds.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myworkpath.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://myworkpath.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS/BSC

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe,C:\LDCLIENT\SOFTMON.EXE

O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)

O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - (no file)

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [browserWebCheck] loadwc.exe

O4 - HKLM\..\Run: [sxgTkBar] SxgTkBar.exe

O4 - HKLM\..\Run: [schedulingAgent] mstinit.exe /logon

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [intelAPMClient] C:\LDClient\amclient.exe /apm /s /ro /bw=WAN

O4 - HKLM\..\Run: [LDIScn32] C:\LDClient\LDISCN32.EXE /NTT=BSCEDHC01SA11:5007 /S="BSCEDHC01SA11" /I=HTTP://BSCEDHC01SA11/ldlogon/ldappl3.ldz /NOUI /W=60

O4 - HKLM\..\Run: [TCSClient] C:\LDClient\amclient.exe /tcs /s

O4 - HKLM\..\Run: [RegtoReg] C:\LDClient\RegtoReg.EXE

O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: CSWCFG.lnk = C:\Windows\getname.bat

O14 - IERESET.INF: START_PAGE_URL=Http://myworkpath.com

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://aristotle2/cbtweb/players/authorware/full/awswaxf.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://ftp.autodesk.com/pub/whip/english/whip.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bsca.eds.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bsca.eds.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bsca.eds.com eds.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bsca.eds.com eds.com

 

 

What is that HouseCall Control file? Can I get rid of that?

 

Thanks again! :lol:


Hi,

 

You're welcome. Your log looks much better.

 

Those dead O2 BHO entries are from Comet Cursor. Have you uninstalled Comet Cursor in Add/Remove Programs? (If you're able to do that). If not, and if you can, then do so. Since the files are missing, they shouldn't be a problem; however, something is calling them up.

 

You can get rid of the O16 entry for HouseCall Control; however, it's just the ActiveX control for Trend Micro's House Call, the online virus scanner, so it's not a bad file.

 

I think you'll be okay to hang in there now until the new OS is installed in October.

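The before/after comparison carried out by eye in this thread can be scripted. The following is an added example, not part of any post above: it diffs two HijackThis scans against a fix list, using abridged excerpts of the logs and the fix list posted in the thread. The names `parse_entries` and `review` are hypothetical.

```python
import re

# HijackThis entry lines have the form "<section> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

def parse_entries(log_text):
    """Return the set of entry lines in a log; header and process lines are skipped."""
    entries = set()
    for raw in log_text.splitlines():
        line = " ".join(raw.split())      # trim and collapse whitespace
        m = ENTRY.match(line)
        if m:
            entries.add(line)
    return entries

def review(before, after, fix_list):
    """Compare two scans against the entries that were supposed to be fixed."""
    old, new, wanted = (parse_entries(t) for t in (before, after, fix_list))
    return {
        "fixed":      sorted(e for e in wanted if e in old and e not in new),
        "persisting": sorted(e for e in wanted if e in new),
        "new":        sorted(e for e in new if e not in old),
    }

# Abridged excerpts of the two scans posted in the thread.
SCAN_1 = r"""Logfile of HijackThis v1.97.7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT40\wupdt.exe
O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O13 - WWW. Prefix: http://
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
"""
SCAN_2 = r"""Logfile of HijackThis v1.98.1
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
"""
# Entries the helper's reply said to check and fix (O15 left out: it was conditional).
FIX_LIST = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT40\wupdt.exe
O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O13 - WWW. Prefix: http://
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
"""

if __name__ == "__main__":
    for status, lines in review(SCAN_1, SCAN_2, FIX_LIST).items():
        for line in lines:
            print(f"{status:<10} {line}")
```

On these excerpts the two O2 BHO entries show up as persisting and the HouseCall O16 entry as new, matching what the last two posts discuss.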