Something decided to extract on my work computer today. Things like websearch and Pacisoft and lots of popups. I ran Ad-Aware, then HJT, then KRC HJT analyzer. Thanks for your help. The log is below:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at
http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.98.2
Scan saved at 2

03 PM, on 4/19/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\system32\vyac\citgfoou.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\WINNT\system32\rhgypu\emvcojr.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
c:\winnt\system32\ruremq.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\WINNT\system32\wintask.exe
C:\winnt\system32\uonglf.exe
C:\WINNT\system32\uermh\twkcc.exe
C:\WINNT\system32\uojgauq\euvgen.exe
C:\WINNT\system32\wblejrc\muphfglh.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\winnt\system32\packager.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINNT\system32\drwtsn32.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mygene.ne.ge.com/portal/mypag....asp?UserID=2&
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Energy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http-proxy.geps.ge.com:80;https=http-proxy.geps.ge.com:80;ftp=http-proxy.geps.ge.com:80;gopher=http-proxy.geps.ge.com:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [RUNCIS] C:\Program Files\1E\CIS\\RUNCIS.EXE
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [Asset Insight SUM] C:\INSIGHT\TOOLS\AISOFTMN.EXE -B
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu
O4 - HKLM\..\Run: [jpegav] C:\WINNT\Driver Cache\jpegav.exe
O4 - HKLM\..\Run: [dlls] C:\WINNT\Speech\dlls.exe
O4 - HKLM\..\Run: [cmdutil] C:\WINNT\Cursors\cmdutil.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MGA_CD_Install] E:\mgasetup.exe /No_Welcome /Lang:English
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitefyy32.exe
O4 - HKLM\..\Run: [uonglf] c:\winnt\system32\uonglf.exe
O4 - HKLM\..\Run: [twkcc] C:\WINNT\system32\uermh\twkcc.exe
O4 - HKLM\..\Run: [citgfoou] C:\WINNT\system32\vyac\citgfoou.exe
O4 - HKLM\..\Run: [emvcojr] C:\WINNT\system32\rhgypu\emvcojr.exe
O4 - HKLM\..\Run: [euvgen] C:\WINNT\system32\uojgauq\euvgen.exe
O4 - HKLM\..\Run: [muphfglh] C:\WINNT\system32\wblejrc\muphfglh.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [gynbbsd] c:\winnt\system32\ruremq.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_01) - http://thor.ne.ge.com:7001/ematrix/a...1_01-win-i.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ne.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ne.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ne.ge.com
End of KRC HijackThis Analyzer Log.
====================================================================