
Work Computer infected


5 replies to this topic

#1 Katz170 (State of Confusion; Full Member, 24 posts)

Posted 30 July 2004 - 10:45 AM

Hey guys,

My work computer does NOT have any protection on it from anything, and I've had to clean it up the best I could. The person who used this computer before me must've gone to every website in the world because I have Bargain Buddy, Comet Cursor and all sorts of nasties on here. I'm probably not even supposed to fix it but the IT department is incompetent.

The biggest problem I'm having is I'm getting error messages when I first start up the computer in the morning regarding DLL files and not being able to locate certain things. Can you guys please help?!? :D

HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 8:36:16 AM, on 07/30/2004
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\DMI\bin\delldmi.exe
C:\WINNT40\System32\nddeagnt.exe
C:\LDCLIENT\SOFTMON.EXE
C:\WINNT40\Explorer.exe
C:\WINNT40\System32\SysTray.Exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT40\System32\loadwc.exe
C:\WINNT40\System32\SxgTkBar.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\DMI\bin\nodemngr.exe
C:\WINNT40\System32\MsgSys.EXE
C:\WINNT40\System32\MAPISP32.EXE
C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin
C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE
C:\WINNT40\System32\ddhelp.exe
C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin
C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin
C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin
C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myworkpath.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bscintranet1.bsca.eds.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://myworkpath.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS/BSC
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe,C:\LDCLIENT\SOFTMON.EXE
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelAPMClient] C:\LDClient\amclient.exe /apm /s /ro /bw=WAN
O4 - HKLM\..\Run: [LDIScn32] C:\LDClient\LDISCN32.EXE /NTT=BSCEDHC01SA11:5007 /S="BSCEDHC01SA11" /I=HTTP://BSCEDHC01SA11/ldlogon/ldappl3.ldz /NOUI /W=60
O4 - HKLM\..\Run: [TCSClient] C:\LDClient\amclient.exe /tcs /s
O4 - HKLM\..\Run: [RegtoReg] C:\LDClient\RegtoReg.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT40\wupdt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: CSWCFG.lnk = C:\Windows\getname.bat
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=Http://myworkpath.com
O15 - Trusted Zone: http://*.wellpoint.com
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://aristotle2/cb...ull/awswaxf.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://ftp.autodesk.com/pub/whip/english/whip.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bsca.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bsca.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bsca.eds.com eds.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bsca.eds.com eds.com


Thank you!!

#2 NonSuch (Spyware Eradicator!; Trusted Advisor, 1,369 posts)

Posted 02 August 2004 - 09:11 PM

Hello,

Your copy of HijackThis is outdated and it's in a temporary directory. Please create a new folder on the C: drive and name it C:\HJT or something similar. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select "New" then "Folder" and name it HJT. Next, click here to download the latest version of HijackThis, v1.98. Download it directly into the new folder. Delete your old copy of HijackThis.

NOTE: Please print a copy of these instructions because you will be working in Safe Mode and/or with all windows closed except HijackThis.

Please run HijackThis in Safe Mode....

Reboot into safe mode, this way:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the "Show Hidden Files and Folders" option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.”

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)

O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - (no file)

O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT40\wupdt.exe

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O13 - WWW. Prefix: http://


If this O15 item is an entry you deliberately set, then leave it; otherwise fix it with HijackThis....

O15 - Trusted Zone: http://*.wellpoint.com

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab


Now, search for, and delete if found, (some files may not be present after previous steps) the following:

C:\WINNT40\wupdt.exe < file

C:\Program Files\BullsEye Network\ < folder

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Empty your Recycle Bin.

Reboot into normal mode.

Proceed to the Windows Update site (see link below) download and install ALL critical updates.

Reboot when finished.

If you are not running version 1.3 of Spybot S & D, click here to download Spybot Search & Destroy v1.3 - install, update, reboot into Safe Mode, scan and fix all RED items it finds. Reboot into normal mode when done.

Perform a customized Ad-aware scan in Safe Mode........

If you do not have the latest version of Ad-aware, version 6, Build 6.181, click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then boot into Safe Mode, start the program, and click the gear wheel at the top and check these options to configure Ad-aware for a customized scan:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot into normal mode when finished.

Next, perform online virus and Trojan scans, using the links in my signature below. Allow the programs to delete all that they may find. Reboot after each scan.

Scan with HijackThis and post a fresh log into this same thread.
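A way to automate the comparison NonSuch is doing by eye, as an added example that is not from this thread or from HijackThis itself: it parses lines in the HijackThis log format and flags O2 BHOs whose file is missing, O4 Run entries absent from a known-good baseline, and O16 DPF entries that pull an ActiveX control from a bare IP address. The sample log lines, the baseline and the vendor URL are constructed for this example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in HijackThis's line format, modelled on the log above.
SAMPLE_LOG = r"""
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT40\wupdt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://vendor.example/swflash.cab
"""

# Constructed baseline: Run commands (lower-cased) taken from a clean log of the
# same build, i.e. what the poster's IT department should be able to provide.
RUN_BASELINE = {
    r"c:\progra~1\symant~1\symant~1\vptray.exe",
    r"systray.exe",
}

ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")   # e.g. "O4 - HKLM\..\Run: [...]"
RUN = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")     # "[name] command"


def is_ip_host(url):
    """True when the URL's host is a literal IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text, run_baseline):
    """Return (section, reason, line) for every entry that deserves a look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # process list, header lines, blanks
        sec, rest = m.group("sec"), m.group("rest")
        if sec == "O2" and rest.endswith("(no file)"):
            findings.append((sec, "BHO CLSID registered but its file is missing", line))
        elif sec == "O4" and (r := RUN.search(rest)):
            if r.group("cmd").strip().lower() not in run_baseline:
                findings.append((sec, "autostart not in known-good baseline", line))
        elif sec == "O16" and is_ip_host(rest.rsplit(" - ", 1)[-1]):
            findings.append((sec, "ActiveX control downloaded from a raw IP", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG, RUN_BASELINE):
        print(f"{sec}: {reason}\n    {line}")
```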

#3 Katz170 (State of Confusion; Full Member, 24 posts)

Posted 02 August 2004 - 09:58 PM

Thank you for all the good advice; it's not looking pretty.

Unfortunately I can only do so much because it's my work computer - and I'm not logged in as the Administrator. For example, I tried downloading Spybot and it would not let me open the Zip file. *headdesk*

Are any of those nasty things on the computer really malicious?

I tried talking to the IT department about it, but supposedly we're upgrading to Windows XP soon. So, is this computer ok until October? Or is it going to crash and burn on me soon?

#4 NonSuch (Spyware Eradicator!; Trusted Advisor, 1,369 posts)

Posted 02 August 2004 - 10:25 PM

Hello,

I was concerned you might have a problem, considering it's a work computer. Sometimes IT departments are incredibly lax and sometimes they're overly strict.... sometimes they're just plain stupid. :p

Were you able to use HijackThis to fix the selected entries? If you were able to do that, and then delete the file and folder I listed, you might be able to hang in there. You need to do at least that much.

The folder you were supposed to delete is the one responsible for Bargain Buddy. The file, on the other hand, is likely to be associated with a virus. Here's the information on it.....

http://www.liutiliti...slibrary/wupdt/

and here.....

http://uk.trendmicro...=TROJ_IMISERV.C

Best of luck to you.

#5 Katz170 (State of Confusion; Full Member, 24 posts)

Posted 04 August 2004 - 06:44 PM

I tried to do what I could - I couldn't:

A) Start the computer in Safe Mode
B) Update Windows
C) Run Spybot

because I wasn't logged in as an Admin.
But I did everything else; this is my new HijackThis log - does it look better? I deleted those BHO files but they came back.

Logfile of HijackThis v1.98.1
Scan saved at 10:20:00 AM, on 08/04/2004
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\DMI\bin\delldmi.exe
C:\WINNT40\System32\nddeagnt.exe
C:\LDCLIENT\SOFTMON.EXE
C:\WINNT40\Explorer.exe
C:\WINNT40\System32\SysTray.Exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT40\System32\loadwc.exe
C:\WINNT40\System32\SxgTkBar.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\DMI\bin\nodemngr.exe
C:\WINNT40\System32\MsgSys.EXE
C:\WINNT40\System32\MAPISP32.EXE
C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin
C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin
C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin
C:\PROGRAM FILES\WALLDATA\System\Wddsppag.bin
C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE
C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE
C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\winword.exe
C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE
H:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bscintranet1.bsca.eds.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myworkpath.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://myworkpath.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS/BSC
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe,C:\LDCLIENT\SOFTMON.EXE
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelAPMClient] C:\LDClient\amclient.exe /apm /s /ro /bw=WAN
O4 - HKLM\..\Run: [LDIScn32] C:\LDClient\LDISCN32.EXE /NTT=BSCEDHC01SA11:5007 /S="BSCEDHC01SA11" /I=HTTP://BSCEDHC01SA11/ldlogon/ldappl3.ldz /NOUI /W=60
O4 - HKLM\..\Run: [TCSClient] C:\LDClient\amclient.exe /tcs /s
O4 - HKLM\..\Run: [RegtoReg] C:\LDClient\RegtoReg.EXE
O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: CSWCFG.lnk = C:\Windows\getname.bat
O14 - IERESET.INF: START_PAGE_URL=Http://myworkpath.com
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://aristotle2/cb...ull/awswaxf.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://ftp.autodesk.com/pub/whip/english/whip.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bsca.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bsca.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bsca.eds.com eds.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bsca.eds.com eds.com


What is that HouseCall Control file? Can I get rid of that?

Thanks again! :lol:

#6 NonSuch (Spyware Eradicator!; Trusted Advisor, 1,369 posts)

Posted 04 August 2004 - 08:07 PM

Hi,

You're welcome. Your log looks much better.

Those dead O2 BHO entries are from Comet Cursor. Have you uninstalled Comet Cursor in Add/Remove Programs? (If you're able to do that.) If not, and if you can, then do so. Since the files are missing, they shouldn't be a problem; however, something is calling them up.

You can get rid of the O16 entry for HouseCall Control; however, it's just the ActiveX control for Trend Micro's HouseCall, the online virus scanner, so it's not a bad file.

I think you'll be okay to hang in there now until the new OS is installed in October.
