[SoDakota]

I have a corporate laptop computer (no admin privileges) with Symantec firewall and virus cleaning software. Just got back from using the laptop in Korea. Seemed to have picked up some sort of virus or malware. Every time I open IE, I get the above page which tries to go to a spyware vendor (I think). I'm running Windows 2000. I just downloaded HJT software today, so I'm no expert at how to use it. My log looks like:
(apologies if I pasted this into the forum improperly)
Where do I go from here??

Logfile of HijackThis v1.99.1
Scan saved at 12:10:39 PM, on 1/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\hijackThis\Analyze.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://urswest4/west4.asp?office=Denver
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://urswest4/west4.asp?office=Denver
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://urswest4/west4.asp?office=Denver
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\system32\advpack.dll,DelNodeRunDLL32 "C:\WINNT\TEMP\IXP000.TMP\"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: User.lnk = C:\Program Files\Deltek\Time Collection\User\EtUsr32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm300YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .OPT: C:\Program Files\Optika\Acorde\NPOptk32.dll
O14 - IERESET.INF: START_PAGE_URL=http://urswest4/west4.asp?office=Denver
O16 - DPF: JavaConnect - file://C:\Documents and Settings\helpdsk0\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST31 - file://C:\Documents and Settings\helpdsk0\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST31 - file://C:\Documents and Settings\helpdsk0\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST31 - file://C:\Documents and Settings\helpdsk0\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail113a.urscorp.com/iNotes6W.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {4F86057E-27D3-4263-BB44-93A2FFFC6B11} (ActiveXKT1 Control) - http://wfs3.kthard.com/imexsdoc/update/activex/ActiveXKT1.CAB
O16 - DPF: {719433EA-60DE-45A8-8255-115826F16D5B} (STConnectivityAgent Control) - file://C:\Documents and Settings\helpdsk0\Local Settings\Temp\SISD\InstallSTConnAgent.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - file://C:\Documents and Settings\helpdsk0\Local Settings\Temp\SISD\STJNILoader.cab
O16 - DPF: {7758D9E1-B6E9-451A-A1DE-621F81940FB9} (Pspwctl Control) - http://mail106.urscorp.com/domcfg.nsf/pspwctl.cab
O16 - DPF: {94749501-9436-4A64-9367-34A904AEB1EE} (KTHARDX UpDown Control) - http://wfs3.kthard.com/imexsdoc/update/activex/KTHARDtx.cab
O16 - DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} (JDEWebRTFEditU Control) - https://e1.urscorp.com/jde/axctls/jdewebctlsU.cab
O16 - DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} (JDEExcelAutoU Control) - https://e1.urscorp.com/jde/axctls/jdeex****U.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = urs-denver.colorado.urscorp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{69F2F06A-98E0-4F8B-BE4D-97D113A325DB}: Domain = urs-denver
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = urs-denver.colorado.urscorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = urs-denver,urscorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = urs-denver.colorado.urscorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = urs-denver,urscorp.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = urs-denver,urscorp.com
O20 - AppInit_DLLs: AMINIT.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINNT\system32\schdsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

 

[Linkmaster]

Hi SoDakota, Welcome to TSF !!
I recommend you Subscribe to this thread (if you have not already done so) so you are notified of any replies via email
To do this :
Click Thread Tools, then click Subscribe to this Thread
Make sure it is set to Instant Notification by email, then click Subscribe

You may wish to print out a copy of these instructions to follow while you complete this procedure

Go to Start, Control Panel, Add/Remove Programs and Uninstall the following : (if present)

MyWebSearch

Do Not reboot if it asks

When finished uninstalling close Control Panel

I need you to download some programs to aide in our fix :Do Not Run Them Yet

Download SmitfraudFix© by S!Ri to your Desktop.

Download ATF (Atribune Temp File) Cleaner© by Atribune

Download and Install AVG Anti-Spyware© by Grisoft

Launch AVG Anti-Spyware, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update AVG Anti-Spyware to the latest definition files.
On the main screen select the icon Update then select the Update now link
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Close AVG Anti-Spyware

Reboot to Safe mode
Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Double-click smitfraudfix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you
You will be prompted : Registry cleaning - Do you want to clean the registry ? answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll
Answer Yes to the question Replace infected file ? by typing Y and hit Enter.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed
A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually
Reboot back into Safe mode

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program

Run AVG Anti-Spyware
Click on Scanner at top
Click on Settings
Once in the Settings screen click on Recommended actions and then select Quarantine
Under Reports, Select Automatically generate report after every scan
Un-Select Only if threats were found
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time
Once the scan is complete do the following :
If you have any infections you will prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Now close AVG Anti-Spyware

Reboot into Normal Mode

Please run Panda's ActiveScan and perform a full system scan.
Once you are on the Panda site click the Scan your PC button (be sure to disable your popup blocker first )
A new window will open...click the big Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
Click on Local Disks to start the scan
Click on see report Then click Save report

Post a fresh HijackThis log, the contents of the rapport.txt file, the AVG Anti-Spyware log, and the Panda ActiveScan log here
(You may need to use several replies as the logs may be cut off)

Thank you !

 

[SoDakota]

Linkmaster:
1) WebSearch was not present in my program files.
2) I downloaded each of the programs SmitFraud, ATF, and AVG to my desktop as instructed.
3) When I double-clicked on AVG to run it, I got a message "Need full local admin rights in order to install or upgrade AVG. " I'm hoping to avoid my IT department because it will take a week to get here - any other options?

sodakota

 

[SoDakota]

Problem may be solved. Here's what I did. I tried to reboot in Safe mode, but Windows would not accept my username and password in that mode?? Not sure why. I rebooted to Normal Mode and ran smitfraudfix.exe and then ATF Cleaner. As I noted, I could not launch AVG without Admin privileges. However, I just opened IE and I did not get the 'res:C:\\WINNT\system32\shdoclc.dll/navcancl anymore. I have not tried to run Panda ActiveScan yet. The Rapport.txt is as follows:
SmitFraudFix v2.132

Scan done at s068ntapp1, Wed 01/17/2007
Run from C:\Documents and Settings\clweber0\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Video ActiveX Object\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

 

[Linkmaster]

If you don't have Admin rights that limits us!

Post me a fresh HijackThis log and try the Panda Scan and post that log as well !
Thanks