#1
Registered User
Join Date: Jul 2009
Posts: 1
OS: windows xp sp4
Is this a Bagle?
I'm really at a loss. Picked up a nasty one. Here are the symptoms:
Major slowdown
Antivirus is history
Can't install any sort of antivirus
Can't run hijackthis unless the file is renamed
Can't run Combofix at all. It blocks some of the files being written to the drive. And that's if it is renamed. If the file is "Combofix.exe", it says it isn't a valid win32 image.
Can't run safemode
Here is my hijackthis, but I didn't see anything weird here. Any ideas? Thanks

Logfile of HijackThis v1.97.7
Scan saved at 11:47:31 PM, on 7/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\APSSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\WINDOWS\system32\lxducoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\OpenSSH\bin\cygrunsrv.exe
C:\Oracle\Ora92\bin\omtsreco.exe
C:\Program Files\OpenSSH\usr\sbin\sshd.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Passlogix\v-GO SSO\ssoshell.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\suss.exe
C:\Program Files\Nortel\TunnelGuard\CueAgent_srv.exe
C:\Program Files\VattiManhattan\CC CentrePoint Desktop Service\CCCPWindowsService.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\Program Files\Passlogix\v-GO SSO\Helper\Moz\ssomozho.exe
C:\Program Files\Passlogix\v-GO SSO\Helper\Emulator\ssomho.exe
C:\Program Files\Passlogix\v-GO SSO\Helper\IE\ssobho.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\FileNET\IDM\fnsysmgr.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
C:\Program Files\CRN\Common\Bin\CRNWMQH.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe
C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ssontr.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\attask\Clik\Clik.exe
C:\program files\Brownie\BrStsWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\uswdna02\Application Data\Google\Google Talk\googletalk.exe
C:\Program Files\Mindjet\MindManager 7\PDF-XChange\pdfSaver\pdfSaver3.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Nortel\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Program Files\Microsoft HealthVault\Connection Center\ConnectionCenter.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\uswdna02\Local Settings\Temporary Internet Files\Content.IE5\A3MJQLQF\FxBeagle[1].exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\uswdna02\LOCALS~1\Temp\HijackThis1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Zurich Financial Services
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://figproxy.farmersinsurance.com/wpad.pac
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Passlogix\v-GO SSO\ssoshell.exe" /background,"C:\Program Files\Global Graphics\Jaws PDF Creator 5\PDFClient.exe",
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DebugBar BHO - {69FC0024-10EB-480A-BBF2-3BF4E78E17B1} - C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: (no name) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: DebugBar - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [0FileNET System Manager] C:\Program Files\FileNET\IDM\fnsysmgr.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [CMGShieldUI] C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
O4 - HKLM\..\Run: [CRN WMQ Exit Background Process] C:\Program Files\CRN\Common\Bin\CRNWMQH.exe
O4 - HKLM\..\Run: [FIG_SiebelSyncMonitor.exe] C:\Program Files\CRN\Siebel\bin\FIG_SiebelSyncMonitor.exe
O4 - HKLM\..\Run: [FNLocalDB] cmd /c del "C:\Program Files\FileNet\IDM\LocalDB\fnlocaldb.fnldb"
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LDTray] C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [lxdnamon] "C:\Program Files\Lexmark 2600 Series\lxdnamon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Prism] C:\WINDOWS\system32\ssontr.exe
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CRN9.30.03] C:\Program Files\CRN\Setup\crn_v9.30.03_production.exe /s
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [click] "C:\Program Files\attask\Clik\Clik.exe"
O4 - HKLM\..\Run: [brownie] "C:\program files\Brownie\BrStsWnd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [googletalk] C:\Documents and Settings\uswdna02\Application Data\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Mindjet\MindManager 7\PDF-XChange\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MeetingLauncher] "C:\Program Files\Meeting Center\Modules\Launcher\mcLauncher.exe"
O4 - HKCU\..\RunOnce: [BrStsWnd.exe] C:\Program Files\Brownie\BrStsWnd.exe WindowsStartUpModel
O4 - Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Microsoft HealthVault Connection Center.lnk = C:\Program Files\Microsoft HealthVault\Connection Center\ConnectionCenter.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: Proventia Desktop Agent.lnk = C:\Program Files\ISS\Proventia Desktop\blackice.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote (HKLM)
O9 - Extra 'Tools' menuitem: S&end to OneNote (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Send to Mindjet MindManager (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: *.CC-FARMERS.COM
O15 - Trusted Zone: http://*.helppointinfo
O16 - DPF: MCInstallCAB - https://content101.mc.iconf.net/gcc_.../mcInstall.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://helppointinfo/actx/scriptx/ScriptX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1229556231234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1229556220250
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=26688
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qas.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.zurich.corp
O17 - HKLM\Software\..\Telephony: DomainName = amer.zurich.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.zurich.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.zurich.corp,farmersinsurance.com,farmers.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amer.zurich.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amer.zurich.corp,farmersinsurance.com,farmers.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.zurich.corp,farmersinsurance.com,farmers.com
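A triage pass over a few of the entries from the log above, added here as an illustration and not part of the thread or of HijackThis itself: it pulls out the items a helper would want a second look at (an executable running from the IE cache, the O6 policy restrictions, the unmatched Winsock LSP) and separately the entries that mark this as a domain-joined, managed machine. The rules are my own heuristics and the sample lines are a constructed subset of the log.

```python
import re

# Constructed sample: entries copied from the HijackThis log in post #1, trimmed to
# the lines the triage rules below look at.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\uswdna02\Local Settings\Temporary Internet Files\Content.IE5\A3MJQLQF\FxBeagle[1].exe
C:\DOCUME~1\uswdna02\LOCALS~1\Temp\HijackThis1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Zurich Financial Services
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.zurich.corp
"""

ITEM_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# An executable launched from the browser cache or %TEMP% is rarely legitimate.
TEMP_DIR_RE = re.compile(r"\\(Temporary Internet Files|Temp)\\", re.IGNORECASE)
# O17 entries carry the DNS domain/search list; a corporate domain here is the
# kind of evidence the moderator's reply points to.
DOMAIN_RE = re.compile(r"(Domain|SearchList) = (?P<value>\S+)")


def triage(log_text):
    """Return (suspicious, managed): findings to review, and signs of a managed PC."""
    suspicious, managed = [], []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        m = ITEM_RE.match(line)
        if m is None:
            # The user's own renamed HijackThis in %TEMP% is caught here too: the
            # rule selects paths for a human look, it does not call them malware.
            if in_processes and TEMP_DIR_RE.search(line):
                suspicious.append(("temp-dir process", line.rsplit("\\", 1)[-1]))
            continue
        in_processes = False
        kind, body = m.group("kind"), m.group("body")
        if kind == "O6":
            suspicious.append(("IE policy restriction", body))
        elif kind == "O10":
            suspicious.append(("unknown Winsock LSP", body.split(": ", 1)[-1]))
        elif kind == "O17" and DOMAIN_RE.search(body):
            managed.append(("domain", DOMAIN_RE.search(body).group("value")))
        elif kind == "R1" and "provided by" in body:
            managed.append(("branded IE", body.split("provided by ", 1)[-1]))
    return suspicious, managed
```

Calling triage(SAMPLE_LOG) returns the FxBeagle[1].exe cache-directory process, the O6 and O10 items as suspicious, and the branded IE title plus amer.zurich.corp as signs of a managed machine.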
#2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,456
OS: XP SP3
Re: Is this a Bagle?
Hello and welcome to TSF.
Some entries in the log indicate that this is a company computer. In which case, it would be best that you resolve the issue with your IT department as there may be certain restrictions/alterations placed in by the Company's IT Department, and we would not like to interfere with the company protocols. We cannot anticipate how our removal tools may interact with these alterations or restrictions. The information in any of the logs we require will be visible to the public and this may be a matter of concern to you, and to your company. Also, more than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable. To prevent any possible loss or corruption of company information, it's in your best interest to inform your company's IT department or your supervisor.

Hence, our Forum Rule: NETWORK RESTRICTIONS
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006