HiJackThis Log request

**Guest6183** · 08-16-2004, 09:10 AM

Hoping someone can review this log and make some recommendations. Home page resets to www.dorkodrom.com and Win Min errors when trying to close windows. Thanks for any help!!!

Logfile of HijackThis v1.98.2
Scan saved at 8:01:36 AM, on 8/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Udeliver\CASTAN~1\Tuner.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpyRemover\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [Mufix] C:\INFOCN32\ACCMGR32\mufix.exe
O4 - HKLM\..\Run: [DIRECT!] C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\2\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlgn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgb.ops.placeware.com/etc/...uicksilver.cab
O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - http://www107.placeware.com/etc/stat...ailObjects.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwbg.ops.placeware.com/etc/...uicksilver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com

greyknight17 · 08-16-2004, 11:03 AM

Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Desktop or Temp folder. This is required because HijackThis will create backups.

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

Make sure to close any open browsers you have. Check and fix the following in HijackThis (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTr ay.exe
O4 - Global Startup: winlgn.exe
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgb.ops.placeware.com/etc...quicksilver.cab
O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - http://www107.placeware.com/etc/sta...MailObjects.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwbg.ops.placeware.com/etc...quicksilver.cab

Suspicious. Right click on the following file and choose Properties. Then go to the Version tab to see what company it’s from. Post that information back:

C:\INFOCN32\ACCMGR32\mufix.exe

Reboot into Safe Mode (hit F8 key until menu shows up). Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\PROGRA~1\COMMON~1\XCPCSync\

Reboot into Normal Mode.

Please download Adaware and install it. Make sure to check for any updates before running it. Also make sure to customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

After that’s done, restart and post a new HijackThis log file so we can make sure it’s clean.

To help prevent future spyware installations/infections, please read my anti-spyware section and use the tools provided.

**Guest6183** · 08-16-2004, 03:29 PM

Greyknight17,

Thanks for your help. The problem is resolved. I am attaching a new HiJackThat log for your final review. I also checked the file below and it appears to be a legitimate file from Attachmate (used for terminal emulation).
C:\INFOCN32\ACCMGR32\mufix.exe

Logfile of HijackThis v1.98.2
Scan saved at 2:08:35 PM, on 8/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\Udeliver\CASTAN~1\Tuner.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpyRemover\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [Mufix] C:\INFOCN32\ACCMGR32\mufix.exe
O4 - HKLM\..\Run: [DIRECT!] C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\2\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.uis.unisys.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com

KRS · 08-18-2004, 06:48 AM

run adaware & spybot
run antivirus

if not helping
reboot and run falutsafe mode (F8)
run antivirus
run adaware & spybot

08-16-2004, 09:10 AM	#1 (permalink)
Guest6183 I helped the forums. Join Date: Aug 2004 Posts: 8 OS: 2000	HiJackThis Log request Hoping someone can review this log and make some recommendations. Home page resets to www.dorkodrom.com and Win Min errors when trying to close windows. Thanks for any help!!! Logfile of HijackThis v1.98.2 Scan saved at 8:01:36 AM, on 8/16/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\System32\SCardSvr.exe C:\WINNT\System32\Ati2evxx.exe C:\Program Files\Sygate\SSA\smc.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\basfipm.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\PROGRA~1\Udeliver\CASTAN~1\Tuner.exe C:\WINNT\System32\wltrysvc.exe C:\WINNT\System32\bcmwltry.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINNT\system32\PRPCUI.exe C:\WINNT\System32\DSentry.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINNT\system32\internat.exe C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\SpyRemover\TeaTimer.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe C:\Program Files\Palm\HOTSYNC.EXE C:\temp\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui O4 - HKLM\..\Run: [Mufix] C:\INFOCN32\ACCMGR32\mufix.exe O4 - HKLM\..\Run: [DIRECT!] C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKCU\..\Run: [Internat.exe] internat.exe O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\2\E_SRCV03.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: winlgn.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgb.ops.placeware.com/etc/...uicksilver.cab O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - http://www107.placeware.com/etc/stat...ailObjects.cab O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwbg.ops.placeware.com/etc/...uicksilver.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.uis.unisys.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.uis.unisys.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.uis.unisys.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.uis.unisys.com O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com

08-16-2004, 11:03 AM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Desktop or Temp folder. This is required because HijackThis will create backups. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe Make sure to close any open browsers you have. Check and fix the following in HijackThis (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dorkodrom.com/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dorkodrom.com/index.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dorkodrom.com/index.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dorkodrom.com/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dorkodrom.com/index.htm O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTr ay.exe O4 - Global Startup: winlgn.exe O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgb.ops.placeware.com/etc...quicksilver.cab O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - http://www107.placeware.com/etc/sta...MailObjects.cab O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://scpwbg.ops.placeware.com/etc...quicksilver.cab Suspicious. Right click on the following file and choose Properties. Then go to the Version tab to see what company it’s from. Post that information back: C:\INFOCN32\ACCMGR32\mufix.exe Reboot into Safe Mode (hit F8 key until menu shows up). Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe C:\PROGRA~1\COMMON~1\XCPCSync\ Reboot into Normal Mode. Please download Adaware and install it. Make sure to check for any updates before running it. Also make sure to customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds. After that’s done, restart and post a new HijackThis log file so we can make sure it’s clean. To help prevent future spyware installations/infections, please read my anti-spyware section and use the tools provided. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

08-16-2004, 03:29 PM	#3 (permalink)
Guest6183 I helped the forums. Join Date: Aug 2004 Posts: 8 OS: 2000	Problem resolved... HiJackThis log attached Greyknight17, Thanks for your help. The problem is resolved. I am attaching a new HiJackThat log for your final review. I also checked the file below and it appears to be a legitimate file from Attachmate (used for terminal emulation). C:\INFOCN32\ACCMGR32\mufix.exe Logfile of HijackThis v1.98.2 Scan saved at 2:08:35 PM, on 8/16/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\System32\SCardSvr.exe C:\WINNT\System32\Ati2evxx.exe C:\Program Files\Sygate\SSA\smc.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\basfipm.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\PROGRA~1\Udeliver\CASTAN~1\Tuner.exe C:\WINNT\System32\wltrysvc.exe C:\WINNT\System32\bcmwltry.exe C:\WINNT\system32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\Program Files\Apoint\Apoint.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Apoint\Apntex.exe C:\WINNT\system32\PRPCUI.exe C:\WINNT\System32\DSentry.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINNT\system32\internat.exe C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\SpyRemover\TeaTimer.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Palm\HOTSYNC.EXE C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui O4 - HKLM\..\Run: [Mufix] C:\INFOCN32\ACCMGR32\mufix.exe O4 - HKLM\..\Run: [DIRECT!] C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKCU\..\Run: [Internat.exe] internat.exe O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\2\E_SRCV03.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.uis.unisys.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.uis.unisys.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.uis.unisys.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.uis.unisys.com O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = na.uis.unisys.com,ea.unisys.com,bb.unisys.com

08-18-2004, 06:48 AM	#4 (permalink)
KRS Registered User Join Date: Aug 2004 Location: sweden Posts: 9 OS: win2kpro	run adaware & spybot run antivirus if not helping reboot and run falutsafe mode (F8) run antivirus run adaware & spybot