Jump to content


Photo

Work Laptop Hijacked!


  • This topic is locked This topic is locked
5 replies to this topic

#1 tmorris10

tmorris10

    Member

  • New Member
  • Pip
  • 3 posts

Posted 18 May 2004 - 08:51 AM

Looks like I have some Spyware. Here is my log file from HijackThis. Can someone suggest items to be removed. Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 9:13:49 AM, on 5/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Marimba\CASTAN~1\Tuner.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\Marimba\CASTAN~1\lib\jre\bin\jre.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\HPJETDSC.EXE
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\SMARTDISK\FLASHPATH\SDSTAT.exe
C:\Program Files\GetRight\getright.exe
C:\Palm\HOTSYNC.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\nwrdaemn.EXE
C:\Lotus\Notes\nupdate.EXE
C:\Lotus\Notes\nhldaemn.EXE
C:\Lotus\Notes\nWEB.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\MsiExec.exe
C:\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eweb.verizon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50003
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Program Files\Netscape\Users\home\prefs.js)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SMARTDISK\FLASHPATH\SDSTAT.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eweb.verizon.com/
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplacetri...tus.com/qp2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://flttmail01.tm....com/iNotes.cab
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abet...20/payload2.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwir...5.19/Hiwire.cab
O16 - DPF: {2DFA3F5C-C7D8-44C2-A420-EC11E00C3F28} (DLXControl Class) - http://itrdoc.verizo...isplayListX.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abet...39120/flash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://139.49.193.19...ls/iftwclix.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - http://flttmail01.tm.../dolcontrol.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8083.3210300926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webe...bex/ieatgpc.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://136.151.234.2...tivexviewer.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com

#2 Quinstar

Quinstar

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 249 posts

Posted 18 May 2004 - 09:14 AM

Hi and welcome...


To start, just download this: CWShredder
Do not run it yet...
Save it to your desktop...

Download this too: http://www.downloads...g/VX2Finder.exe and run it

1-Click "Click To find Find VX2.Abetterinternet"

2-Delete all files found
You will get a message about "cannot delete this one" matching the same name in the Guardian Key.

3-Click "Open regedit" will take you right to the Guardian Key(no need to search for it)

4-Hilite "Guardian", RightClick and choose Security/permissions, you'll get another window with 'advanced'...
DE-select (uncheck) the lower box with "inheritable permissions"
Hit 'ok' and 'remove' on the following security prompts.

Restart computer.

5-On restart use VX2Finder again, select + delete the last file, click "User Agent$" will remove that entry from the registry.

6-Click "Open regedit" again, this time restoring the checkmark in "inheritable permissions"

7-Click "Guardian.reg" in VX2Finder Deletes the Guardian Key.

8-Use Find again should produce a clean log of blank values.

9-Click "Restore Policy" to restore the Debug policy altered in the look2Me installation.(requires reboot to apply, but not immediatley neccessary)


Now run the CWShredder you downloaded to your desktop

Reboot...

After the fresh reboot, only open HiJackthis, tick the next entries and only hit fix when I say so:

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe

O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abet...20/payload2.cab

O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abet...39120/flash.cab


After these you can also add the next entries, they are not bad, but removing them will free-up resources and will shorten boot-up time...
Doing this will not harm your programs, and you can always start them manually using start>Programs... But the choice is up to you...

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Now hit fix...

Reboot and delete the next folder:
C:\Program Files\Common files\updater\

And delete the next file:
C:\WINNT\Belt.exe


Now post me a fresh HiJackThisLog...


Good Luck...
To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be

#3 tmorris10

tmorris10

    Member

  • New Member
  • Pip
  • 3 posts

Posted 19 May 2004 - 11:56 AM

Thanks for your quick reply!

Followed directions...However, when I executed the "Click To find Find VX2.Abetterinternet", nothing came up. Here is the log:

Log for VX2.BetterInternet File Finder

Files Found---

Guardian Key--- is called:

User Agent String---
Q312461


I went ahead and continued with your suggested HJT fixes. Looks like it is working better..

Here is the current HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 12:45:08 PM, on 5/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Marimba\CASTAN~1\Tuner.exe
C:\Marimba\CASTAN~1\lib\jre\bin\jre.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\HPJETDSC.EXE
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\SMARTDISK\FLASHPATH\SDSTAT.exe
C:\Program Files\GetRight\getright.exe
C:\Palm\HOTSYNC.EXE
C:\WINNT\system32\svchost.exe
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eweb.verizon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50003
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Program Files\Netscape\Users\home\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SMARTDISK\FLASHPATH\SDSTAT.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eweb.verizon.com/
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplacetri...tus.com/qp2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://flttmail01.tm....com/iNotes.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwir...5.19/Hiwire.cab
O16 - DPF: {2DFA3F5C-C7D8-44C2-A420-EC11E00C3F28} (DLXControl Class) - http://itrdoc.verizo...isplayListX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://139.49.193.19...ls/iftwclix.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - http://flttmail01.tm.../dolcontrol.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8083.3210300926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webe...bex/ieatgpc.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://136.151.234.2...tivexviewer.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eweb.verizon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50003
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Program Files\Netscape\Users\home\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SMARTDISK\FLASHPATH\SDSTAT.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eweb.verizon.com/
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplacetri...tus.com/qp2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://flttmail01.tm....com/iNotes.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwir...5.19/Hiwire.cab
O16 - DPF: {2DFA3F5C-C7D8-44C2-A420-EC11E00C3F28} (DLXControl Class) - http://itrdoc.verizo...isplayListX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://139.49.193.19...ls/iftwclix.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - http://flttmail01.tm.../dolcontrol.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8083.3210300926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webe...bex/ieatgpc.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://136.151.234.2...tivexviewer.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com

#4 Quinstar

Quinstar

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 249 posts

Posted 19 May 2004 - 12:25 PM

Well, if it didn't find anything then the infection is gone...
Yet there were 3 lines indicating it.. Oh well...
If it's working fine it's ok for me.. :)

yet a little cleaning...
Close all programs, open HiJackThis and fix these entries:

O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwir...5.19/Hiwire.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

Edit: Add this one too
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu



Reboot and post a fresh log once more...


Greetz...

Edited by Quinstar, 19 May 2004 - 12:57 PM.

To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be

#5 tmorris10

tmorris10

    Member

  • New Member
  • Pip
  • 3 posts

Posted 19 May 2004 - 04:03 PM

Thanks again! Issues seem to be resolved. Here is current HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 5:01:49 PM, on 5/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Marimba\CASTAN~1\Tuner.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\Marimba\CASTAN~1\lib\jre\bin\jre.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\HPJETDSC.EXE
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\SMARTDISK\FLASHPATH\SDSTAT.exe
C:\Program Files\GetRight\getright.exe
C:\Palm\HOTSYNC.EXE
C:\Hijack\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eweb.verizon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.ver...gi-bin/getproxy
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50003
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Program Files\Netscape\Users\home\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SMARTDISK\FLASHPATH\SDSTAT.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eweb.verizon.com/
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplacetri...tus.com/qp2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://flttmail01.tm....com/iNotes.cab
O16 - DPF: {2DFA3F5C-C7D8-44C2-A420-EC11E00C3F28} (DLXControl Class) - http://itrdoc.verizo...isplayListX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://139.49.193.19...ls/iftwclix.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - http://flttmail01.tm.../dolcontrol.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8083.3210300926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://verizon.webe...bex/ieatgpc.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://136.151.234.2...tivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us1.ent.verizon.com

#6 Quinstar

Quinstar

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 249 posts

Posted 19 May 2004 - 04:07 PM

Yup...

Looks very clean to me... :D


Read this:

Protection after fix... These are recommandations...
download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies...
http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all...
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates...

And also see:
So how did I get infected in the first place?



Happy surfing...
To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button