Build Theme!

What the Tech

Unreplied Topics

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Help Me Remove Porn Popups From My Boss' Computer

Started by DCguy , Jun 01 2004 06:51 AM

This topic is locked

7 replies to this topic

#1 DCguy

New Member

New Member
4 posts

Posted 01 June 2004 - 06:51 AM

My boss has been known to visit some porn sites. Recently the popups (for porn and other stuff) have gotten out of control. I downloaded adaware and spybot, and after running those and uninstalling isearch the problems seem to have gotten worse. The first time I ran hijackthis, there were some obvious things to get rid of, specifically myexex.com stuff. Apparently I didn't get rid of it all though. Here's his log. Any help would be appreciated. Tim

Logfile of HijackThis v1.97.7
Scan saved at 8:46:13 AM, on 6/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\WINDOWS\System32\uxycnb.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\OfficeScan NT\pccntupd.exe
C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\Telemet\orionmgr.exe
C:\DOCUME~1\hhanerfe\LOCALS~1\Temp\gmlj.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\hhanerfe\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [gcshhq] C:\WINDOWS\System32\uxycnb.exe
O4 - HKLM\..\Run: [cfqhohkb] C:\WINDOWS\cfqhohkb.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: POLAR Scheduler.lnk = C:\Program Files\Bear Stearns\RACS\system\RCCron.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\rjffwxow.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7700.4997569444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rockcap.com
O17 - HKLM\Software\..\Telephony: DomainName = rockcap.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rockcap.com

Back to top

Advertisements

Register to Remove

#2 k3dc

Authentic Member

Authentic Member
239 posts

Interests:Musician, Radio Host and Producer<br>Ham Radio Operator, Opera Lover<br>General Curmudgeon and Tightwad<br>Hater of Malware

Posted 02 June 2004 - 06:08 PM

Hi Tim,

There are several hijackers in the log you posted, and it's going to take quite a bit of work to get them all out of there. The first thing that needs to be done however, since there is NO evidence of any firewall or AntiVirus program in use, is to getting some online scans for viruses, worms and trojans. Since this system is more at risk than most, that's the first order of business.

Specifically, the Troj/BDSinit-C trojan is one I'm looking for. Follow these links:

http://www.bitdefend...can/licence.php
http://housecall.trendmicro.com/
http://scan.sygatete...trojanscan.html

The first two are general scans for worms, viruses and trojans of all types, and the third is specifically for trojans. All these scans are FREE.

The sites will download a file to run the scan; let them. Be sure the block to FIX ANYTHING FOUND is checked, and be sure to scan the ENTIRE computer. These scans will remove just about anything they find; if there is something they cannot remove, WRITE DOWN the FULL PATHS AND FILENAMES and post that information with your next log.

Once there scans are done, go to CONTROL PANEL and click on the "Add/Remove Programs" icon. If there are any programs you DO NOT BOTH RECOGNIZE AND WANT, DELETE THEM! (DO NOT delete your Windows and Internet Explorer updates, which are listed with a "Q" and a bunch of numbers.) Then reboot your computer.

Now, download and run Spybot-Search&Destroy and Ad-Aware; they are the standard programs for finding and cleaning crapware off your system, and can also help prevent its downloading and installation in some cases. Here are links to both programs, and instructions for their use.

Get Spybot - Search & Destroy from http://security.kolla.de (This is the NEW Version 1.3)
Get AdAware 6 from http://www.lavasoft....upport/download

Download and install these programs in their own PERMANENT folders if you don't already have them. If you do have them, make sure they are UPDATED AND CONFIGURED AS DESCRIBED.

To run Spybot S&D:

After installing first press "Online", click on "Search for Updates", then select all updates. Beside the download button is a little down-pointed arrow, which gives you a choice of several download sites; select one of the servers listed (the Australian server usually works well). Now, press "Download Updates." If that site doesn't work or you get an error message, try a different server.

When the updates are finished, close your browser and ALL WINDOWS EXCEPT THE ONE SPYBOT IS RUNNING IN, then press 'Check for Problems'; THE SCAN WILL TAKE SEVERAL MINUTES. Have SpyBot remove all it finds THAT ARE MARKED IN RED. When it's finished, reboot your system.

Then, Run ADAWARE:

Before you scan with AdAware, check for updates of the reference file by using the "webupdate" button at the lower right of the panel. The current ref file should read at least 01R312 30.05.2004 or a higher number/later date. Updates for this program come out frequently to keep up with new malware. THIS IS CRITICAL; updating is as important as installing these programs.

Then ........
Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......
click "Use custom scanning options>Customize" and have these options ON: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........
go to settings(the gear icon on top of AdAware)>Tweak>Scanning engine and click "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings. To scan, click NEXT. This scan will also take several minutes.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press "next" and then say yes to the prompt, "do you want to remove all these entries?"

Reboot again and run a fresh HijackThis scan, Post the log as a reply in this thread, and we'll see what needs attention next (there will still be quite a bit to do).

Back to top

#3 DCguy

New Member

New Member
4 posts

Posted 03 June 2004 - 07:47 AM

Thanks a lot for the lengthy reply...I just read this after toying around with my bosses computer for an hour or so. We have pretty extensive firewall and virus software on the servers. I had worried about trojans and viruses in the past and run a free scan on Panda's website as recently as last Friday. I'll run a scan from one of the links that you provided later today.

Anyway, here is the latest log (that I saved). Since saving this, I removed alchem. (I also italicized two things that I couldn't find any information on). Adaware and Spybot both found information for vx2.better.internet...will having those two programs remove it work, or do I need to do a more in depth removal? I also need to rerun adaware making the changes that you highlighted below. Thanks again, Tim

Logfile of HijackThis v1.97.7
Scan saved at 9:00:45 AM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\WINDOWS\System32\uxycnb.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\OfficeScan NT\pccntupd.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\hhanerfe\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [gcshhq] C:\WINDOWS\System32\uxycnb.exe
O4 - HKLM\..\Run: [cfqhohkb] C:\WINDOWS\cfqhohkb.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: POLAR Scheduler.lnk = C:\Program Files\Bear Stearns\RACS\system\RCCron.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7700.4997569444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rockcap.com
O17 - HKLM\Software\..\Telephony: DomainName = rockcap.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rockcap.com

Back to top

#4 k3dc

Authentic Member

Authentic Member
239 posts

Interests:Musician, Radio Host and Producer<br>Ham Radio Operator, Opera Lover<br>General Curmudgeon and Tightwad<br>Hater of Malware

Posted 03 June 2004 - 09:03 AM

Hi Tim, I'll wait for the results of those scans before posting anything further, because things could change quite a bit in that process. And to answer your question, VX2 is NOT fixable with any of the standard tools- it requires special handling. By the way, I assume that machine is running XP Professional? The fix for the VX2 could be different if it's not. Please advise on your next post. Thanks.

Back to top

#5 DCguy

New Member

New Member
4 posts

Posted 07 June 2004 - 02:44 PM

OK - sorry it took so long, I followed your directions...the second virus scan located a virus: troj-agent.cf. I did search for it on google and followed some instructions on how to remove it. It was located in a file located in windows\system32 called dp-him.exe...

Adaware found a ton of stuff which it deleted, and I also made a few other changes (I didn't have access to the internet at the time, but I got rid of stuff that I had seen before), and things seem to be working a lot better. Does this log look clean yet?

Logfile of HijackThis v1.97.7
Scan saved at 4:37:51 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\hhanerfe\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: POLAR Scheduler.lnk = C:\Program Files\Bear Stearns\RACS\system\RCCron.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7700.4997569444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rockcap.com
O17 - HKLM\Software\..\Telephony: DomainName = rockcap.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rockcap.com

Back to top

#6 k3dc

Authentic Member

Authentic Member
239 posts

Interests:Musician, Radio Host and Producer<br>Ham Radio Operator, Opera Lover<br>General Curmudgeon and Tightwad<br>Hater of Malware

Posted 07 June 2004 - 03:18 PM

Hi Tim,

Overall your log doesn't look too bad, but there is STILL that entry that indicates the Troj/BDSinit-C trojan. It's in this line:

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe

Here is a link to Sophos' page about the infection: http://www.sophos.co...ojbdsinitc.html

Since you are evidently experienced and confident about working with the Registry, you may want to do the manual removal. If you are NOT confident with this type of work, let me know and I'll see what we can do to help.

The only other thing I can see that I'm not familiar with is in those O17 lines, but as I suspect "rockcap.com" may be something you are familiar with, I'll just mention that it's something you should remove IF you are NOT familiar with it. If you know what it is, then obviously common sense says "let it alone."

On things like this, we rely on your judgment- we don't know what is wanted and what is not.

Please let me know about these things; I'll help with whatever you need.

Back to top

#7 DCguy

New Member

New Member
4 posts

Posted 08 June 2004 - 10:29 AM

k3dc-
Thanks so much for the help. I really appreciate it. You and the other experts on this board deserve a lot of credit for helping people out.

To give you an update, it looks like you helped me fix the computer completely. The Rockcap stuff I recognize; that's our ISP. I looked more into the F2 entry and it appeared to be a CoolWebSearch (chronicled Here).). I downloaded the CWShredder, and it did the trick.

For satisfaction purposes, here's my bosses final "clean" log, and I told him he better be a lot safer when surfing for porn.

Tim

Logfile of HijackThis v1.97.7
Scan saved at 12:18:33 PM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\OfficeScan NT\ofcdog.exe
C:\OfficeScan NT\pccntupd.exe
C:\Telemet\orionmgr.exe
C:\Program Files\Fidelity Investments\Advisor CHANNEL 6.4\AM64.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\hhanerfe\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: POLAR Scheduler.lnk = C:\Program Files\Bear Stearns\RACS\system\RCCron.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7700.4997569444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rockcap.com
O17 - HKLM\Software\..\Telephony: DomainName = rockcap.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rockcap.com

Back to top

#8 k3dc

Authentic Member

Authentic Member
239 posts

Interests:Musician, Radio Host and Producer<br>Ham Radio Operator, Opera Lover<br>General Curmudgeon and Tightwad<br>Hater of Malware

Posted 08 June 2004 - 12:32 PM

Hi Tim,

That log looks good. CONGRATULATIONS! GOOD WORK! :thumbup:

:thumbup:

Now that it's clean, the trick (a REAL one in this case) will be to keep it that way. There are a couple of things I can suggest that should help improve security; I'll go over them for you (they're painless, I assure you).

First, KEEP YOUR WINDOWS AND BROWSER UPDATED. As new security problems are found, Microsoft issues UPDATES to plug the holes that have been found. The top entry on your START menu should be "Windows Update," so this one is as easy as falling off a log.

Next, I recommend installing SpywareBlaster. It "inoculates" your computer against literally THOUSANDS of known malware items, and it works in such a way that it DOES NOT need to be running (and consuming system resources) to protect you. The program sets a "Kill-Bit" for each malware item it blocks, and then that thing can't download to your computer or run if it's there. I don't know just how it works, but I can assure you IT DOES! Once the protection is set, all you have to do is check for updates about once a week, install them and run SB to set protection against the new items on the list. Once a Kill-Bit is set, you have PERMANENT protecton from that item unless you remove it. Best of all, this is FREEWARE. Follow this link to download it: http://www.javacools...areblaster.html

For a good overview of basic Internet security, here is a good article: http://boards.cexx.o...topic.php?t=957 If I can leave you with one final thought, it's this: Security is NOT a destination, it's an endless journey.

Back to top

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

About What the Tech

Tom (Coyote) Wilson started this site as TomCoyote.org in 2002. Along with SpywareInfo, it was one of the first places to offer online malware removal training in its Classroom. Cluster headaches forced retirement of Tom in 2007, and the site was renamed "What the Tech". Free malware removal help and training has remained a constant.

Follow Us

Facebook Twitter

Help

Community Forum Software by IP.Board
Licensed to: What the Tech

Copyright © 2003- Geeks to Go, Inc. All rights reserved.