Hacked Computer At Work

Vile_DR · May 4, 2005

Thanks for everyone who takes a look at this...and especially for the ones who know what they are looking at...

Logfile of HijackThis v1.99.1

Scan saved at 2:44:29 PM, on 5/4/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

C:\WINNT\System32\gearsec.exe

C:\Program Files\CA\eTrust Antivirus\InoRpc.exe

C:\Program Files\CA\eTrust Antivirus\InoRT.exe

C:\Program Files\CA\eTrust Antivirus\InoTask.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\hkcmd.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\CA\ETRUST~1\realmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\Plaxo\2.1.0.80\InstallStub.exe

C:\WINNT\DvzCommon\DvzMsgr.exe

C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe

C:\Program Files\LimeWire\LimeWire 4.2.5\LimeWire.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\mboree\Desktop\spyware tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\2.1.0.80\InstallStub.exe -a

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe

O4 - Global Startup: Kodak Picture Easy 3.1 Batch Transfer.lnk = C:\Program Files\Kodak\Picture Easy Software\Program\PezDownload.exe

O4 - Global Startup: LimeWire 4.2.5.lnk = C:\Program Files\LimeWire\LimeWire 4.2.5\LimeWire.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: DigiChat Applet - http://host.digichat.com//DigiChat/DigiClasses/Client_IE.cab

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab

O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB

O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB

O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Dwf Viewer Control) - http://www.autodesk.com/global/expressview...ViewerSetup.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = flightstarjax.com

O17 - HKLM\Software\..\Telephony: DomainName = flightstarjax.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{08682F6A-A7A5-486E-8ED5-BC66ECD2E1AC}: NameServer = 192.168.100.20

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = flightstarjax.com

O17 - HKLM\System\CS1\Services\Tcpip\..\{08682F6A-A7A5-486E-8ED5-BC66ECD2E1AC}: NameServer = 192.168.100.20

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = flightstarjax.com

O17 - HKLM\System\CS2\Services\Tcpip\..\{08682F6A-A7A5-486E-8ED5-BC66ECD2E1AC}: NameServer = 192.168.100.20

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll

O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE

O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe

O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe

O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\System32\gearsec.exe

O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe

O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe

O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

insipid · May 5, 2005

Vile_DR, at first inspection, I don't see anything wrong with your log. Are you involved in a business relating to aircraft? Please describe your problem in as much detail as you can so as to help me help you :)l.

Vile_DR · May 5, 2005

the company i work for is a Aircraft Repair Company. The computer i ran Hijack on is one of the directors of Maintence. He is one of the big guys in the company. His IE browser is really acting weird. I ran the anti's yesterday to clean it and removed serveral different items. Here is what the browser still looks like though

Button, Icons, LINKS, and Pictures are about 35% bigger than they normally should be when the TEXT SIZE (under View) is at smallest. When at medium, a single avatar sized picture will take up the whole browser window. The typed text on a web page that isn't a hyperlink or clickable item, is the correct size.

I am not sure what the problem is exactly. This might be a windows support forum concern now, but i need to have the log checked. And maybe you can help with this one. The system tray icons are so small i can't mouse over them to find out what they are. This all started about 2 months ago when he learned about Limewire at home and wanted to download it here at work without my knowing.

I may have him switch browsers for the time being until we can function with the IE. I use FF everywhere and might suite him better, but for the M$ sharepoint web hosting we use, it doesn't agree with FF, so he needs IE...

Thanks for you Help Inispid

insipid · May 5, 2005

If the problem is with Internet Explorer itself, this article describes how to repair or reinstall it http://support.microsoft.com/default.aspx?kbid=318378.

It could be malware, however, that HijackThis isn't seeing. We can try some other detection tools to get a closer look.

Please download the free MWAV antivirus tool from here:

ftp://ftp.microworldsystems.com/download/tools/mwav.exe

Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window.

Also download SilentRunners from here:

http://www.silentrunners.org/Silent%20Runners.vbs

Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

On a side note, I've been recommending removing Limewire and installing a 'clean' P2P application(as an optional fix) for some time. In the past, Limewire was bundled with malware. The newest version is supposed to be clean, but I don't know what the next update will contain. It's your bosses choice, clean alternatives can be found here http://www.spywareinfo.com/articles/p2p

Please post a fresh HijackThis log, as well as the results mentioned above.

Vile_DR · May 5, 2005

File C:\Documents and Settings\mboree\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{A0FF62EF-9DDB-4AB5-895A-7038BF04C854}\RP475\A0056177.dll infected by "not-a-virus:AdWare.Comet.a" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{A0FF62EF-9DDB-4AB5-895A-7038BF04C854}\RP475\A0056240.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{A0FF62EF-9DDB-4AB5-895A-7038BF04C854}\RP475\A0056249.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{A0FF62EF-9DDB-4AB5-895A-7038BF04C854}\RP475\A0056259.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{A0FF62EF-9DDB-4AB5-895A-7038BF04C854}\RP475\A0056262.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

That is from the MircoWorld Anti Virus

This is the silent runners script log:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"PlaxoUpdate" = "C:\WINNT\Plaxo\2.1.0.80\InstallStub.exe -a" ["Plaxo"]

"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"IgfxTray" = "C:\WINNT\system32\igfxtray.exe" ["Intel Corporation"]

"HotKeysCmds" = "C:\WINNT\system32\hkcmd.exe" ["Intel Corporation"]

"AdaptecDirectCD" = ""c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]

"Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" ["Computer Associates International, Inc."]

"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"mmtask" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" ["TODO: <Company name>"]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\gnotify.exe" ["Google Inc."]

"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

ANd here is the hIjack Log: