Have I cleaned up everything after hijack

Status
Not open for further replies.
Thanks - scans are in process on the affected machine - will post the HijackThis log when complete.
 
HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 10:41:57 PM, on 3/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CA\Common\Alert\ALERT.EXE
C:\Program Files\Cisco VPN\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\CA\eTrust Antivirus\InoRpc.exe
C:\CA\eTrust Antivirus\InoRT.exe
C:\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\UMCSTUB.EXE
C:\CA\ETRUST~1\realmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\cisco vpn\vpngui.exe
C:\Program Files\Cisco VPN\ipseclog.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mobile.gdls.com:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CA-AMAgent] \\gdllsdvthshc083\amagents$\amagent.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: General Dynamics Land Systems VPN Client.lnk = C:\Program Files\cisco vpn\vpngui.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Hummingbird Business Intelligence - http://biweb/ADYCodebase/hclbimwe.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://imeeting.gdls.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://is002011.gdls.com/qp2.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099510061448
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://ebusiness.gdls.com:8390/jinitiator/oajinit.exe
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oasss02h.gdls.com:7778/jinitiator/jinit.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{961E20D2-AB39-4613-8FF7-01F344052AB0}: Domain = ls.gdls.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE5A5ABD-8BF6-4364-A0B0-AA9AE9359F02}: Domain = ls.gdls.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\CA\Common\Alert\ALERT.EXE
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: ApplicationVantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
 
My initial tests looked good. I will look at it more in depth today. Can you tell me what that uvap9zts was? I kind of thought that was one of the issues. I did remove WeatherBug, although I have had it on my PC for quite some time without any issues.
 
bebe,

The uvap9zts is called a BHO (Browser Helper Object). Sometimes they are good and sometimes they are bad :beard:


The system could have gotten infected in a few ways; hard to tell exactly.

Run your system for a while and see if you are having any issues.

Thanks,
rstones12
 
So far so good - :D - Thanks so much for the help. Can you tell me how I should have my ActiveX controls set to help prevent unwanted downloads?
 
Remove entries at your own risk


O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - This entry is possibly nasty. Should be fixed.
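As an added example (not code from this thread or from HijackThis), a small Python check that parses O2 (BHO) and O16 (DPF) entries from a log like the one above and flags download locations outside an allowlist, which reproduces the analyzer's finding for the {B4831DED-...} entry. The sample entries are copied from the log; the trusted-domain list is an assumption for the demo.

```python
import re
from urllib.parse import urlparse
# Constructed sample input: entries copied from the log posted in this thread,
# rejoined onto single lines where the forum software had wrapped them.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://is002011.gdls.com/qp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099510061448
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
"""
# Assumption for the demo: domains this machine is expected to fetch ActiveX controls from.
TRUSTED_DOMAINS = ("microsoft.com", "gdls.com", "pandasoftware.com")
ENTRY_RE = re.compile(r"^(O2|O16) - (?:BHO|DPF): (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Split one O2 (BHO) or O16 (DPF) line into its parts; None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    head, _, location = m.group("body").rpartition(" - ")  # location follows the last ' - '
    clsid = CLSID_RE.search(head)
    name = CLSID_RE.sub("", head).replace(" - ", " ").strip(" ()")
    return {"section": m.group(1), "name": name or None, "location": location,
            "clsid": clsid.group(0).upper() if clsid else None}

def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True when host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def assess(log_text, trusted=TRUSTED_DOMAINS):
    """Return (clsid or name, reasons) for each entry that deserves a manual look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if not e:
            continue
        reasons = []
        # O16 locations are URLs; O2 locations are local DLL paths with no host to judge.
        host = urlparse(e["location"]).hostname if "://" in e["location"] else None
        if host and not is_trusted(host.lower(), trusted):
            reasons.append(f"downloaded from a host outside the allowlist: {host}")
        if e["name"] is None:
            reasons.append("no friendly name registered for the CLSID")
        if e["location"].lower().endswith(".exe"):
            reasons.append("DPF location is a bare .exe rather than a .cab package")
        if reasons:
            findings.append((e["clsid"] or e["name"], "; ".join(reasons)))
    return findings
```

The heuristics only prioritise entries for review; a hit still needs a human to check the control's publisher and purpose before fixing it.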
 