
Author Topic: Hijack this log  (Read 2960 times)


J_K_M_A_N

Hijack this log
« on: March 23, 2006, 12:17:40 pm »
Can someone tell me a good place to post a hijack this log and get some help? One of our work computers is not working correctly. When you try to install anything in IE it says the signature is from unknown publisher and just a bunch of crap like that.

Any help would be appreciated. Thanks.

J_K_M_A_N

Monkey

Re: Hijack this log
« Reply #1 on: March 23, 2006, 12:30:33 pm »
put a MS dos boot dick in the floppy drive

boot from floppy

then at the A:\ prompt type Format c:/u

then install windows

problem will go away

RxBrad

Re: Hijack this log
« Reply #2 on: March 23, 2006, 12:44:04 pm »
Quote
put a MS dos boot dick in the floppy drive

Last time I tried that, I had to go to the hospital...

mccoy178

Re: Hijack this log
« Reply #3 on: March 23, 2006, 12:49:31 pm »
A Google search will bring somewhere up in a jiffy. That's what I've done in the past.

ChadTower

Re: Hijack this log
« Reply #4 on: March 23, 2006, 01:02:11 pm »

And stop installing stolen software without scanning it first.

TMS

Re: Hijack this log
« Reply #5 on: March 23, 2006, 01:06:54 pm »
I can take a look at it for you if you like

CCM

Re: Hijack this log
« Reply #6 on: March 23, 2006, 02:02:37 pm »

J_K_M_A_N

Re: Hijack this log
« Reply #7 on: March 23, 2006, 02:04:52 pm »
Logfile of HijackThis v1.99.1
Scan saved at 11:13:28 AM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eCopy Desktop Printer Service] C:\PROGRA~1\eCopy\Desktop\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [eCopy Desktop Inbox Monitor] C:\PROGRA~1\eCopy\Desktop\Bin\INBOXM~1.EXE -run
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe" /h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120766657924
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133195691350
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bennerotte.com
O17 - HKLM\Software\..\Telephony: DomainName = bennerotte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bennerotte.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bennerotte.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


thanks

ChadTower

Re: Hijack this log
« Reply #8 on: March 23, 2006, 02:15:08 pm »

AutoSizer?

J_K_M_A_N

Re: Hijack this log
« Reply #9 on: March 23, 2006, 02:27:16 pm »
Maximizes windows for me. I use it for IE. It isn't that.

J_K_M_A_N

PCtech

Re: Hijack this log
« Reply #10 on: March 23, 2006, 02:53:48 pm »
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe?... SAV didn't find anything?

You've got Symantec AntiVirus/Norton AntiVirus... have you done a recent scan? Are the virus defs up to date?

Just out of curiosity, what kind of things are you trying to install in IE?

Have you adjusted the security options in IE recently? Have you tried since the problem?

Have you tried cleaning everything in IE (clear history, delete temporary internet files, empty content, etc.)?

I might be able to help, but need some more info.
Example of what NOT to say at BYOAC
"a working adult playing a video game - pathetic" - freddykruger666

ha-Y-n

Re: Hijack this log
« Reply #11 on: March 23, 2006, 03:11:09 pm »
The log looks pretty clean to me. Have you tried scanning for spyware and adware yet? I pasted the links to Ad-Aware SE and Spybot S&D below: download, install, update, and run them if you haven't already.

Ad-Aware
http://www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html

Spybot
http://www.majorgeeks.com/SpyBot-Search_&_Destroy_d2471.html

Run hijack again and you can get rid of these:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


And clean everything in IE like PCTech mentioned above.  Run Disk Cleanup too.

Post your log back after the spyware scan


« Last Edit: March 23, 2006, 03:17:32 pm by bRapozo »

J_K_M_A_N

Re: Hijack this log
« Reply #12 on: March 23, 2006, 05:08:57 pm »
We have a corporate edition of Symantec AntiVirus on all of our systems. I use VNC 4 to get in from home sometimes. I have run Ad-Aware and Spybot. Both latest versions and up to date. Ad-Aware found a couple of bad things and supposedly cleaned them out.

I have tried to run system restore and it won't restore ANY restore points going all the way back to December.

I have also deleted all files and cookies and actually, when I would try to click 'delete offline content' and click ok it would close IE. Then I figured out that if I opened IE RIGHT AWAY when I booted, I was able to delete offline content.

I think something is loading a little late. So if I open IE as soon as possible, I have the google toolbar. If I then close IE and reopen, it is gone again.

I have tried to run housecall and panda scan but housecall doesn't find anything and panda won't load. I will try to run disk cleanup tomorrow.

I also cannot get to Windows Update. It says there is an error with the site whenever I go to it. I can go to it from ANY other computer in our office and it works fine. I also tried to install the Microsoft AntiSpyware beta and it wouldn't download. Also, it would say the signature was from an unknown publisher like everything else I try to install.

I REALLY don't want, nor do I have time, to reinstall everything. It doesn't have a lot of network activity and most everything else SEEMS to work fine. So I don't know if it is only an IE thing or what.

Thanks for the help so far. If anyone has any other ideas, please let me know.

J_K_M_A_N

P.S.
    The part that really sucks is that we are doing inventory now and I am the office geek as well as the warehouse manager so I don't have time to do both right now! THIS SUCKS!

ha-Y-n

Re: Hijack this log
« Reply #13 on: March 23, 2006, 05:52:12 pm »
Maybe IE got messed up by one of the spyware you found earlier; try this:

http://www.theeldergeek.com/repair_ie6.htm


J_K_M_A_N

Re: Hijack this log
« Reply #14 on: March 23, 2006, 06:07:31 pm »
Quote
Maybe IE got messed up by one of the spyware you found earlier; try this:

http://www.theeldergeek.com/repair_ie6.htm



cool, I will try that...thanks.

J_K_M_A_N

TMS

Re: Hijack this log
« Reply #15 on: March 23, 2006, 07:54:30 pm »
The only thing that pops out right away as suspect is
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
and
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bennerotte.com
O17 - HKLM\Software\..\Telephony: DomainName = bennerotte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bennerotte.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bennerotte.com

Is bennerotte.com a VPN or something for you?

You can also check the following folder: C:\Windows (or WINNT)\system32\drivers\etc
There should be a file called "hosts". Unless you have added anything under the entry that says "localhost 127.0.0.1", it should be blank underneath that line.

Lastly, you can go right into your registry to find the garbage. The keys you are looking for are

HKEY Local Machine\software\microsoft\windows\current version\run
and
HKEY Current User\software\microsoft\windows\current version\run

If you want, you can post a screen shot of those keys and I can see if there is anything suspect.
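The checks the replies in this thread walk through by hand (entries whose file is missing, the unnamed BHO, the duplicated Run entry, the O17 domain settings, and a hosts file that should hold nothing but the localhost line) can be scripted. The Python below is an added example, not the original poster's code and not part of HijackThis; the log lines it runs over are a constructed subset of the log posted earlier in the thread, the hosts-file content is constructed, and the function names and the "expected domain" parameter are my own.

```python
"""Triage a HijackThis-style log and a Windows hosts file.

Added example for this thread; it is not the original poster's code and not
part of HijackThis. The checks mirror what the replies point at: entries
whose file is missing, unnamed BHOs, a missing URLSearchHook, duplicated Run
entries, O17 domain settings that differ from the expected corporate domain,
and hosts-file lines beyond the localhost mapping.
"""
import re
from collections import Counter

# Constructed sample: a subset of the log lines posted earlier in the thread.
SAMPLE_LOG_LINES = [
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)",
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe",
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe",
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bennerotte.com",
    r"O17 - HKLM\Software\..\Telephony: DomainName = bennerotte.com",
    r'O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)',
]

# Constructed hosts file: the stock localhost line plus one extra mapping of
# the kind that would explain "Windows Update says the site has an error".
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com
"""

# A HijackThis entry is "<letter><number> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(lines):
    """Split log lines into (kind, body) tuples; non-entry lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage_log(lines, expected_domain=None):
    """Return (kind, body, reason) for every entry worth a second look."""
    entries = parse_entries(lines)
    run_counts = Counter(body for kind, body in entries if kind == "O4")
    reported_dups = set()
    findings = []
    for kind, body in entries:
        lower = body.lower()
        if "(no file)" in lower or "(file missing)" in lower:
            findings.append((kind, body, "referenced file does not exist"))
        elif kind == "O2" and "(no name)" in lower:
            findings.append((kind, body, "unnamed BHO"))
        elif kind == "R3" and "is missing" in lower:
            findings.append((kind, body, "default URLSearchHook missing"))
        elif kind == "O4" and run_counts[body] > 1 and body not in reported_dups:
            reported_dups.add(body)
            findings.append((kind, body, "duplicate Run entry"))
        elif kind == "O17" and expected_domain:
            # Body ends in "Domain = <value>"; compare against the known domain.
            m = re.search(r"=\s*(\S+)\s*$", body)
            if m and m.group(1).lower() != expected_domain.lower():
                findings.append((kind, body, "domain differs from expected"))
    return findings


def suspicious_hosts_lines(hosts_text):
    """Return active hosts lines other than the loopback-to-localhost mapping."""
    suspicious = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if (len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1")
                and all(h.lower() == "localhost" for h in parts[1:])):
            continue
        suspicious.append(line)
    return suspicious


if __name__ == "__main__":
    for kind, body, reason in triage_log(SAMPLE_LOG_LINES, "bennerotte.com"):
        print(f"{kind}: {reason}\n    {body}")
    for line in suspicious_hosts_lines(SAMPLE_HOSTS):
        print("hosts: unexpected mapping:", line)
```

Run against the sample, `triage_log` flags the four entries the thread singled out (R3, the unnamed O2, the duplicated HotKeysCmds O4, and the O23 with the missing file) and leaves the O17 lines alone because they match the expected domain; pass a different domain and the O17 entries are reported too. The hosts check deliberately ignores comments and the `::1 localhost` form so that a stock file produces no output.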

J_K_M_A_N

Re: Hijack this log
« Reply #16 on: March 23, 2006, 08:26:15 pm »
Quote
The only thing that pops out right away as suspect is
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

I didn't like that one either.

Quote
and
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bennerotte.com
O17 - HKLM\Software\..\Telephony: DomainName = bennerotte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bennerotte.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bennerotte.com

Is bennerotte.com a VPN or something for you?

That is the name of our domain. We run Windows Server 2003.

Quote
You can also check the following folder: C:\Windows (or WINNT)\system32\drivers\etc
There should be a file called "hosts". Unless you have added anything under the entry that says "localhost 127.0.0.1", it should be blank underneath that line.

Lastly, you can go right into your registry to find the garbage. The keys you are looking for are

HKEY Local Machine\software\microsoft\windows\current version\run
and
HKEY Current User\software\microsoft\windows\current version\run

If you want, you can post a screen shot of those keys and I can see if there is anything suspect.


I have a program that shows all the startup things and I don't see anything weird. I am wondering if some settings got changed in IE and I am hoping I can just change them back. I will try to find out more tomorrow. Thanks for all the help.

J_K_M_A_N

ha-Y-n

Re: Hijack this log
« Reply #17 on: March 28, 2006, 04:59:05 am »
so did you fix your prob?

J_K_M_A_N

Re: Hijack this log
« Reply #18 on: March 28, 2006, 09:55:10 am »
Yes. We had a virus. I had a file called taskdir.exe in the %sysdir% and a few other things. I believe it is all cleared up now.

What was kinda weird was that a girl here had the exact same virus at her house at the same time. It looked like it was a fairly new virus. I believe the date on one of the sites I saw was 2/6/2006 or somewhere around there. She ended up having a few virii actually. I think we are all clean now so....

Thanks for all the help guys.

J_K_M_A_N

PCtech

Re: Hijack this log
« Reply #19 on: March 28, 2006, 02:53:04 pm »
What virus was it? Did Symantec AntiVirus find it for you, or another program? I'm just curious because my company runs Symantec, and if that isn't catching it, it would be cool to know.

Thanks, glad your problem is fixed.

J_K_M_A_N

Re: Hijack this log
« Reply #20 on: March 28, 2006, 04:42:04 pm »
http://securityresponse.symantec.com/avcenter/venc/data/trojan.abwiz.f.html

I believe that was the one. It is pretty new so I could see why Symantec didn't catch on right away. I downloaded the removal tool and it found nothing so I believe I found it all.

J_K_M_A_N

ha-Y-n

Re: Hijack this log
« Reply #21 on: March 28, 2006, 05:57:53 pm »
Glad you got that cleaned out.