Messages - secinv

1
Tech Clinic / More problems with Popups
« on: March 17, 2005, 05:15:45 AM »
Many thanks for your help.

Yes, there are limitations on the PC to restrict Administrator rights, so this is correct.

I have carried out the actions you suggested; here's the new Hijack log which, hopefully, should now be clean. Thanks again.


Logfile of HijackThis v1.99.1
Scan saved at 10:02:40, on 17/03/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ionusb.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\ati2evxx.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\nddeagnt.exe
C:\Program Files\Softex\apm\bin\pwrstart.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\Softex\apm\bin\system32\pwrlnch.exe
c:\winnt\system32\srvany.exe
C:\WINNT\System32\snmp.exe
c:\winnt\system32\SUSS.EXE
C:\WINNT\system32\timeserv.exe
C:\WINNT\System32\WBEM\winmgmt.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tapisrv.exe
C:\Program Files\Softex\apm\bin\system32\ServApp.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\rasman.exe
C:\WINNT\Explorer.EXE
c:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\atiptaxx.exe
c:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
c:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\essapm.exe
c:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
c:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Softex\apm\bin\Power.exe
C:\WINNT\system32\UsbTray.exe
C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\explorer.exe
C:\TEMP\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ngtuk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ngtnet/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://135.23.210.36:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ngtuk.co.uk;*.ion.nationalgrid.com;*.ngc.co.uk;*.wok.ngc.intranet;*.ngtsourcing.com;*.na.ngrid.net;*.prod.ntt1.lattice-group.com;<local>
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: LLIEHlprObj Class - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5 Pro\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [power] C:\Program Files\Softex\apm\bin\power.exe
O4 - HKLM\..\Run: [essapm] essapm.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [NGTUser] C:\WINNT\System32\Utils\NGTUser1.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - Startup: BGTSaver.cmd
O4 - Startup: Livelink Explorer Synchronizer.lnk = C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: proxy.lnk = C:\WINNT\REGEDIT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: USB Status Utility.lnk = system32\UsbTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://tbpn03/ase510.cab
O16 - DPF: {1BD06D58-7D84-11D3-A300-0000F6B406EE} (EVCInstall.UCInstall) - http://eveproduction/ev2k/Download/EVCInstall.CAB
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-Net Client for MSIE) - http://wokhop03/trackdoc/trkpm660ie.cab
O16 - DPF: {4E5B94C7-CA22-11D5-ADEA-0000F6B4D93A} (EVCInstallSup.clsInstallSup) - http://eveproduction/ev2k/Download/EVCInstallSup.CAB
O16 - DPF: {52E05B40-455A-4D4E-8A58-37D1EC54BD4C} (EVCLoadCases.ucLoadCases) - http://eveproduction/ev2k/Download/EVCLoadCases.CAB
O16 - DPF: {58BB24AE-F403-4B09-8850-F80925FDC254} (EVCInstallNGT.UCInstallNGT) - http://eveproduction/ev2k/Download/EVCInstallNGT.CAB
O16 - DPF: {7D45226B-2A76-417D-8AA2-D2FC5358EDF1} (EVCTaskViewer.ucTaskViewer) - http://eveproduction/ev2k/Download/EVCTaskViewer.CAB
O16 - DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} (PVCS VM I-NET Client for MSIE) - http://wokhop03/vminet_images/vmi660ie.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ngc.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ngc.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ngc.co.uk desktop.transco.bgplc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ngc.co.uk desktop.transco.bgplc.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - c:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: IONUSB (ionusb) - Inside Out Networks - C:\WINNT\system32\ionusb.exe
O23 - Service: McShield - Unknown owner - c:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: OracleOra8ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: setprfdc - Unknown owner - c:\winnt\system32\srvany.exe

2
Tech Clinic / More problems with Popups
« on: March 16, 2005, 05:31:00 AM »
I've produced a smaller version of the HiJack log, as the previous one looked a bit too big:

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 10:20:12, on 16/03/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ionusb.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\ati2evxx.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\Softex\apm\bin\pwrstart.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\Softex\apm\bin\system32\pwrlnch.exe
c:\winnt\system32\srvany.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\System32\snmp.exe
c:\winnt\system32\SUSS.EXE
C:\WINNT\system32\timeserv.exe
C:\WINNT\System32\WBEM\winmgmt.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tapisrv.exe
C:\Program Files\Softex\apm\bin\system32\ServApp.exe
C:\WINNT\system32\rasman.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\Explorer.EXE
c:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\SysTray.Exe
c:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\atiptaxx.exe
c:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\essapm.exe
c:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Softex\apm\bin\Power.exe
C:\WINNT\Services32.exe
C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINNT\explorer.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\SNDVOL32.EXE
C:\WINNT\explorer.exe
C:\TEMP\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ngtuk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ngtnet/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://135.23.210.36:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ngtuk.co.uk;*.ion.nationalgrid.com;*.ngc.co.uk;*.wok.ngc.intranet;*.ngtsourcing.com;*.na.ngrid.net;*.prod.ntt1.lattice-group.com;<local>
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: LLIEHlprObj Class - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5 Pro\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [power] C:\Program Files\Softex\apm\bin\power.exe
O4 - HKLM\..\Run: [essapm] essapm.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [NGTUser] C:\WINNT\System32\Utils\NGTUser1.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [System32] C:\WINNT\Services32.exe NORMAL
O4 - Startup: BGTSaver.cmd
O4 - Startup: Livelink Explorer Synchronizer.lnk = C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: proxy.lnk = C:\WINNT\REGEDIT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: USB Status Utility.lnk = system32\UsbTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://tbpn03/ase510.cab
O16 - DPF: {1BD06D58-7D84-11D3-A300-0000F6B406EE} (EVCInstall.UCInstall) - http://eveproduction/ev2k/Download/EVCInstall.CAB
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-Net Client for MSIE) - http://wokhop03/trackdoc/trkpm660ie.cab
O16 - DPF: {4E5B94C7-CA22-11D5-ADEA-0000F6B4D93A} (EVCInstallSup.clsInstallSup) - http://eveproduction/ev2k/Download/EVCInstallSup.CAB
O16 - DPF: {52E05B40-455A-4D4E-8A58-37D1EC54BD4C} (EVCLoadCases.ucLoadCases) - http://eveproduction/ev2k/Download/EVCLoadCases.CAB
O16 - DPF: {58BB24AE-F403-4B09-8850-F80925FDC254} (EVCInstallNGT.UCInstallNGT) - http://eveproduction/ev2k/Download/EVCInstallNGT.CAB
O16 - DPF: {7D45226B-2A76-417D-8AA2-D2FC5358EDF1} (EVCTaskViewer.ucTaskViewer) - http://eveproduction/ev2k/Download/EVCTaskViewer.CAB
O16 - DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} (PVCS VM I-NET Client for MSIE) - http://wokhop03/vminet_images/vmi660ie.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ngc.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ngc.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ngc.co.uk desktop.transco.bgplc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ngc.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ngc.co.uk desktop.transco.bgplc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ngc.co.uk desktop.transco.bgplc.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - c:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: IONUSB (ionusb) - Inside Out Networks - C:\WINNT\system32\ionusb.exe
O23 - Service: McShield - Unknown owner - c:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: OracleOra8ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: setprfdc - Unknown owner - c:\winnt\system32\srvany.exe

3
Tech Clinic / More problems with Popups
« on: March 15, 2005, 11:51:37 AM »
We're having problems with a Windows NT machine that is getting unwanted (and sometimes obscene) popups.

Here's the Hijack Log.

Logfile of HijackThis v1.99.1
Scan saved at 16:34:20, on 15/03/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\ati2evxx.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\Softex\apm\bin\pwrstart.exe
C:\WINNT\system32\RpcSs.exe
C:\Program Files\Softex\apm\bin\system32\pwrlnch.exe
c:\winnt\system32\srvany.exe
C:\WINNT\System32\snmp.exe
c:\winnt\system32\SUSS.EXE
C:\WINNT\system32\timeserv.exe
C:\WINNT\System32\WBEM\winmgmt.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Softex\apm\bin\system32\ServApp.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\system32\rasman.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\essapm.exe
C:\Program Files\Softex\apm\bin\Power.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\Services32.exe
C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\ddhelp.exe
C:\WINNT\explorer.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\explorer.exe
C:\PROGRA~1\MICROS~1\OFFICE\WINWORD.EXE
c:\Program Files\Network Associates\VirusScan\avsynmgr.exe
c:\Program Files\Network Associates\VirusScan\VsStat.exe
c:\Program Files\Network Associates\VirusScan\Vshwin32.exe
c:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
c:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Microsoft Office\Office\1033\msohelp.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\WINNT\system32\ionusb.exe
C:\WINNT\System32\UsbTray.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ngtuk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ngtnet/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://135.23.210.36:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ngtuk.co.uk;*.ion.nationalgrid.com;*.ngc.co.uk;*.wok.ngc.intranet;*.ngtsourcing.com;*.na.ngrid.net;*.prod.ntt1.lattice-group.com;<local>
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: LLIEHlprObj Class - {F757FBBF-10E5-4DDA-BBEA-2357E54BEA2B} - C:\Program Files\Open Text\Livelink Explorer\LLBHO3.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5 Pro\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [power] C:\Program Files\Softex\apm\bin\power.exe
O4 - HKLM\..\Run: [essapm] essapm.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [NGTUser] C:\WINNT\System32\Utils\NGTUser1.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [System32] C:\WINNT\Services32.exe NORMAL
O4 - Startup: BGTSaver.cmd
O4 - Startup: Livelink Explorer Synchronizer.lnk = C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: proxy.lnk = C:\WINNT\REGEDIT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: USB Status Utility.lnk = system32\UsbTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: ASE Web Enablement - http://tbpn03/ase510.cab
O16 - DPF: {1BD06D58-7D84-11D3-A300-0000F6B406EE} (EVCInstall.UCInstall) - http://eveproduction/ev2k/Download/EVCInstall.CAB
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-Net Client for MSIE) - http://wokhop03/trackdoc/trkpm660ie.cab
O16 - DPF: {4E5B94C7-CA22-11D5-ADEA-0000F6B4D93A} (EVCInstallSup.clsInstallSup) - http://eveproduction/ev2k/Download/EVCInstallSup.CAB
O16 - DPF: {52E05B40-455A-4D4E-8A58-37D1EC54BD4C} (EVCLoadCases.ucLoadCases) - http://eveproduction/ev2k/Download/EVCLoadCases.CAB
O16 - DPF: {58BB24AE-F403-4B09-8850-F80925FDC254} (EVCInstallNGT.UCInstallNGT) - http://eveproduction/ev2k/Download/EVCInstallNGT.CAB
O16 - DPF: {7D45226B-2A76-417D-8AA2-D2FC5358EDF1} (EVCTaskViewer.ucTaskViewer) - http://eveproduction/ev2k/Download/EVCTaskViewer.CAB
O16 - DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} (PVCS VM I-NET Client for MSIE) - http://wokhop03/vminet_images/vmi660ie.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ngc.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ngc.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ngc.co.uk desktop.transco.bgplc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ngc.co.uk desktop.transco.bgplc.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - c:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: IONUSB (ionusb) - Inside Out Networks - C:\WINNT\system32\ionusb.exe
O23 - Service: McShield - Unknown owner - c:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: OracleOra8ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: setprfdc - Unknown owner - c:\winnt\system32\srvany.exe

Many thanks, in advance.