Thread: about:blank Home Page High Jacker
View Single Post
Old 04-13-2005, 08:42 PM   #2 (permalink)
Pancake
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


I have Posted this log for better viewing......


Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:20:33 PM, on 4/13/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
C:\Program Files\AccessManager\Client\AMBroker.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\IP VPN Remote Services\cvpnd.exe
C:\BOSSDE\DEClntNT.EXE
C:\Program Files\3C Software\ImpactECS\Imp3CSvr.exe
C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe
C:\WINNT\System32\RASLOGON.EXE
C:\WINNT\system32\winmn32.exe
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\Program Files\AccessManager\SMOC\spi_da.exe
C:\Program Files\AccessManager\Client\DAPlugin.exe
C:\HighJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gmqyv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fabrics1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = f1aussm001.fabrics1.com:8002
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bp.com;*.fabrics1.com;*.*.bp.com;*.*.*.bp.com;*.amoco.com;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\ACROIE~1.OCX
O2 - BHO: (no name) - {270B9E11-6C0E-5996-097E-0F955B318C70} - C:\WINNT\addcj.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [IBMPMSVC] C:\WINNT\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [iRAS Logon Tool Current User Settings] C:\Program Files\BP\iRAS\ACU.exe
O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe"
O4 - HKLM\..\Run: [RASLogon] %SystemRoot%\System32\RASLOGON.EXE
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\eXpress\NS Client\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [winmn32.exe] C:\WINNT\system32\winmn32.exe
O4 - HKLM\..\RunOnce: [atllb32.exe] C:\WINNT\atllb32.exe
O4 - HKLM\..\RunOnce: [d3eu.exe] C:\WINNT\d3eu.exe
O4 - Global Startup: Cisco Systems IP VPN Remote Services.lnk = C:\Program Files\IP VPN Remote Services\vpngui.exe
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O12 - Plugin for .dmn: C:\PROGRA~1\INTERN~1\PLUGINS\NPDWSS32.DLL
O12 - Plugin for .dmo: C:\PROGRA~1\INTERN~1\PLUGINS\NPDWSS32.DLL
O12 - Plugin for .dmu: C:\PROGRA~1\INTERN~1\PLUGINS\NPDWSS32.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ffbunet.fabrics1.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {10101010-1010-1111-1010-101010101011} - mhtml:C:\\WINX.MHT!http://216.240.137.41/counter/ie.exe
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgc.ops.placeware.com/etc/...uicksilver.cab
O16 - DPF: {6BF35011-3AE5-44D3-A8BB-73ED462A0BC0} (EZUploader Control) - http://www.ezprints.com/software/ezuploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fabrics1.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fabrics1.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = fabrics1.com
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
O23 - Service: Access Manager Configuration Service (AMBroker) - MCI, Inc. - C:\Program Files\AccessManager\Client\AMBroker.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\System32\ccsrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\IP VPN Remote Services\cvpnd.exe
O23 - Service: Visual Insight DA Plugin (DAPlugin) - MCI, Inc. - C:\Program Files\AccessManager\Client\DAPlugin.exe
O23 - Service: BOSS DiagWin Client (DEClntService) - Unknown owner - C:\BOSSDE\DEClntNT.EXE
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Impact Server - 3C Software, Inc. - C:\Program Files\3C Software\ImpactECS\Imp3CSvr.exe
O23 - Service: SP Software Installer - Smartpipes, Inc. - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe
O23 - Service: Visual Insight Dial Analysis (sp_spi_da) - Smartpipes, Inc. - C:\Program Files\AccessManager\SMOC\spi_da.exe


End of KRC HijackThis Analyzer Log.
Last edited by Pancake; 04-13-2005 at 08:44 PM.
Pancake is offline