Topic: Hijackthis log - please help

ErikOzz
Hijackthis log - please help
« on: February 28, 2005, 02:35:29 PM »
Please help. My friend's browser has been hijacked, and he can't get rid of the problem (appears to be "BetterInternet"?). He ran AdAware, SpyBot, and CWShredder, but they could not fix the problem. Now, he can't even open his Internet Explorer, so I am trying to help him out.
 
Here's his Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:24 PM, on 2/28/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\ePOAgent\naPrdMgr.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.na.nykline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-boi:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.nykline.com;10.*;*.yti.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\System32\rsyncmon.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {6048EF3A-79A9-4685-952A-14F64999D3A2} - C:\WINNT\System32\smsnv.dll
O2 - BHO: SDWin32 Class - {754B68EE-1FF6-42FE-869F-50988B810AA7} - C:\WINNT\System32\fmujr.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdt.exe
O4 - HKLM\..\Run: [smsnvc] C:\WINNT\System32\smsnvc.exe
O4 - HKLM\..\Run: [version] C:\WINNT\System32\Cgpqyq.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Oqohun.exe
O4 - HKLM\..\Run: [zrwxfa4g] C:\Program Files\zrwxfa4g\zrwxfa4g.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [fmujrc] C:\WINNT\System32\fmujrc.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [RSync] C:\WINNT\System32\netsync.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [prutqct] C:\WINNT\System32\prutqct.exe
O4 - Global Startup: Start NYK Systems.lnk = C:\Program Files\E!PC\Sessions\StartNYKSystems.elf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {093501ce-d290-11d3-a3d6-00c04fa32518} -
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe


Will someone please help us identify the culprits?

Thank you VERY MUCH in advance. :)

guestolo
Hijackthis log - please help
« Reply #1 on: February 28, 2005, 02:55:46 PM »
Let's try some cleanup and then we'll manually tackle your log

First off
I see SpywareStormer in your log
I advise that if you didn't pay for it to remove it
It's on the bogus list, take a look
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Once it's uninstalled
Restart your computer
Let me know if you have removed it

Back in Windows
Go back to Add/Remove Programs
Remove if found

WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer
Elitebar or similar
180 Search Assistant or similar
(You must be connected to the internet. Just keep pressing the uninstall button when it prompts).

Don't reboot until all have been Removed if found, not even if you're prompted
Once the last is Removed

Restart your computer

Come back here and post a fresh hijackthis log

Are your versions of Spybot and Ad-Aware the latest?
Spybot 1.3>>with all updates
Ad-Aware SE 1.05>>all updates?

Could you also download and save to desktop
VX2 finder.exe
Open it and
"Click to Find VX2.BetterInternet"
Wait for it to finish scanning and then Make a log and post it back too

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


ErikOzz
Hijackthis log - please help
« Reply #2 on: February 28, 2005, 03:32:22 PM »
guestolo -

We've uninstalled SpywareStormer, along with all of the search bars.

Here's a new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:22:27 PM, on 2/28/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\RightFax\faxctrl.exe
C:\ePOAgent\UpdaterUI.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.na.nykline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-boi:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.nykline.com;10.*;*.yti.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\System32\rsyncmon.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {6048EF3A-79A9-4685-952A-14F64999D3A2} - C:\WINNT\System32\smsnv.dll
O2 - BHO: SDWin32 Class - {754B68EE-1FF6-42FE-869F-50988B810AA7} - C:\WINNT\System32\fmujr.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [smsnvc] C:\WINNT\System32\smsnvc.exe
O4 - HKLM\..\Run: [zrwxfa4g] C:\Program Files\zrwxfa4g\zrwxfa4g.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [fmujrc] C:\WINNT\System32\fmujrc.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [RSync] C:\WINNT\System32\netsync.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\System32\prutqct.exe
O4 - Global Startup: Start NYK Systems.lnk = C:\Program Files\E!PC\Sessions\StartNYKSystems.elf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {093501ce-d290-11d3-a3d6-00c04fa32518} -
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Also, we ran "VX2 Finder", and here's the log:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
sclgntfy
SensLogn


Guardian Key--- is called:

User Agent String---
Q312461

What's next?

guestolo
Hijackthis log - please help
« Reply #3 on: February 28, 2005, 03:37:26 PM »
Can you do me a favor before we do some manual cleaning
Open Spybot and click on HELP>>ABOUT
let me know Spybot Version and Latest detection date

Open Ad-Aware and click on DETAILS>>in Initialization status
Let me know Reference Number and Internal build
« Last Edit: February 28, 2005, 03:37:45 PM by guestolo »



ErikOzz
Hijackthis log - please help
« Reply #4 on: February 28, 2005, 03:53:33 PM »
SpyBot Version 1.3
No detection updates installed.

AdAware
Reference number: SE1R28 16.02.2005
Internal build: 33

guestolo
Hijackthis log - please help
« Reply #5 on: February 28, 2005, 04:19:49 PM »
Ok Erik, let's try some cleanup

Print this out or save to a Notepad file on the desktop

Also know how to start into safe mode, as this will be needed shortly; I've supplied a link below if you're unsure

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.


Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll

O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\System32\rsyncmon.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll

O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {6048EF3A-79A9-4685-952A-14F64999D3A2} - C:\WINNT\System32\smsnv.dll
O2 - BHO: SDWin32 Class - {754B68EE-1FF6-42FE-869F-50988B810AA7} - C:\WINNT\System32\fmujr.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [smsnvc] C:\WINNT\System32\smsnvc.exe
O4 - HKLM\..\Run: [zrwxfa4g] C:\Program Files\zrwxfa4g\zrwxfa4g.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [fmujrc] C:\WINNT\System32\fmujrc.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [RSync] C:\WINNT\System32\netsync.exe
O4 - HKCU\..\Run: [prutqct] C:\WINNT\System32\prutqct.exe

O16 - DPF: {093501ce-d290-11d3-a3d6-00c04fa32518} -

O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer into SAFE MODE by tapping the F8 key as the system is booting up or follow the link

Find and delete these files or folders if they exist

C:\WINNT\BTGrab.dll <--file
C:\WINNT\Helper101.dll
C:\WINNT\farmmext.exe
C:\WINNT\System32\rsyncmon.dll
C:\WINNT\System32\AUNBHO.dll
C:\WINNT\System32\smsnv.dll
C:\WINNT\System32\fmujr.dll
C:\WINNT\System32\fmujrc.exe
C:\WINNT\System32\smsnvc.exe
C:\WINNT\System32\netsync.exe
C:\WINNT\System32\prutqct.exe

C:\Program Files\zrwxfa4g <--this folder
C:\Program Files\VBOUNCER <--folder
C:\Documents and Settings\All Users\Application Data\msw <--folder
C:\Program Files\Spyware Stormer <--folder

Stay in Safe mode
Do a Disk Cleanup
START>>RUN>>type in
cleanmgr
Ensure Temp and Temp internet files are checked

Return to Normal mode

Spybot doesn't seem to be updating
Can you open Spybot and Search for updates and Download all updates
Check for Problems>>Fix everything in RED

Restart your computer to finish the cleaning process
If it still doesn't seem to be updating
I see you're running through a Proxy server, check the settings in Spybot

you will have to know your proxy setting
Which can be found thru
Control Panel>>Internet options>>Connections tab>>Under your connection type
Click Settings

Those you will have to add into Spybot
Open Spybot>>Click on Mode>>Advanced>>Ok the prompt
Click Settings>>Settings again in the column
On the right hand side scroll down to WEB UPDATE and check Use Proxy to Connect to Update Server
Fill in the required fields

Let me know if it will now update



ErikOzz
Hijackthis log - please help
« Reply #6 on: February 28, 2005, 05:34:37 PM »
Was able to receive SpyBot update after adjusting the settings; program found and fixed 7 additional items after the update.

Here's the latest Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:18 PM, on 2/28/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\RightFax\faxctrl.exe
C:\ePOAgent\UpdaterUI.exe
C:\Program Files\E!PC\EXTRA.EXE
C:\Program Files\E!PC\EXTRA.EXE
C:\Program Files\E!PC\EXTRA.EXE
C:\Program Files\E!PC\EXTRA.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\nhldaemn.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.na.nykline.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-boi:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.nykline.com;10.*;*.yti.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - Global Startup: Start NYK Systems.lnk = C:\Program Files\E!PC\Sessions\StartNYKSystems.elf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\ePOAgent\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINNT\system32\smlogsvc.exe (file missing)

How does it look?
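The thread above works by eye: a helper reads one scan, posts a "put a check next to these entries" list (Reply #5), and then compares the next scan (this reply) against the earlier one (Reply #2) to see what is gone. The same comparison can be done mechanically. The following Python script is an added example written for this thread; it is not HijackThis's own code and not something anyone in the thread posted. It assumes, from the logs shown above, that every registry, BHO, Run and service entry starts with an `R`/`O` section code followed by ` - `, and it uses a handful of lines copied from the Reply #2 and Reply #6 scans and the Reply #5 fix list as its sample input.

```python
"""Compare two HijackThis scans and check a "fix checked" list against the later one.

Added example for this thread; it is not HijackThis's own code. The entry
format it assumes (a section code such as R0, R1, O2, O4, O23, then " - ",
then the entry body) is taken from the logs posted above, and the sample
lines below are copied from those logs.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Assumed from the posted logs: every registry/BHO/Run/service line starts
# with an R or O section code. Header lines and the process list do not.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# HijackThis marks an entry whose referenced file is absent with one of these.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


class Entry(NamedTuple):
    code: str  # section code, e.g. "O2"
    body: str  # everything after "O2 - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/O entries of a log, ignoring headers and running processes."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body").strip()))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries that disappeared between two scans, and entries that appeared."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def unresolved(fix_list: str, after: str) -> list[Entry]:
    """Entries from a 'fix checked' list that are still present in a later scan."""
    return sorted(set(parse_hjt(fix_list)) & set(parse_hjt(after)))


def flag_orphans(text: str) -> list[Entry]:
    """Entries that still point at a file the scanner could not find."""
    return [e for e in parse_hjt(text) if e.body.endswith(ORPHAN_MARKERS)]


# Sample input: a few lines copied from the scan posted in Reply #2.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.na.nykline.com/
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [fmujrc] C:\WINNT\System32\fmujrc.exe
"""

# Sample input: a few lines copied from the scan posted in Reply #6.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.na.nykline.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINNT\system32\smlogsvc.exe (file missing)
"""

# A subset of the entries the helper asked to tick and "Fix checked" in Reply #5.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [fmujrc] C:\WINNT\System32\fmujrc.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(removed)} entries gone, {len(added)} new")
    for e in added:
        print("  NEW   ", e.code, "-", e.body)
    print("fix-list entries still present:", len(unresolved(FIX_LIST, AFTER_LOG)))
    for e in flag_orphans(AFTER_LOG):
        print("  ORPHAN", e.code, "-", e.body)
```

Two things the script surfaces that a quick read can miss: entries that are new rather than merely surviving (here the `O23` SysmonLog service, which was not in the earlier scan), and entries that still point at a file the scanner could not find. The orphan check only says the registry entry references something that is no longer on disk; it is a prompt to look at the entry, not a verdict on it.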

guestolo
Hijackthis log - please help
« Reply #7 on: February 28, 2005, 05:57:14 PM »
That looks better
How's everything running?
Make sure you clean out those temp folders

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

You're a bit behind on Windows Updates, this is important in keeping the system secure too
Service Pack 4 for Windows 2000 has been out for some time
You should visit Windows updates and get all latest Critical Updates and service packs
Restart when prompted and revisit Windows Updates until you get all latest Critical updates
Don't get the Recommended updates unless there's something wanted....

NOTE: I've only seen this in one other log
O4 - Global Startup: Start NYK Systems.lnk = C:\Program Files\E!PC\Sessions\StartNYKSystems.elf
and this in your running processes
C:\Program Files\E!PC\EXTRA.EXE

Combine that with the Proxy server, can I assume that this is something to do with work?
I just want to make sure it's all ok :D



ErikOzz
Hijackthis log - please help
« Reply #8 on: February 28, 2005, 06:17:01 PM »
The system's back up to speed, and Explorer is functioning normally again.

Downloading Service Pack 4 for Windows 2000 now....

We'll be sure to download SpywareBlaster to prevent future attacks.

You're right about "C:\Program Files\E!PC\EXTRA.EXE": it boots our internal systems upon startup, so it's legit.

That should do it.  
My SINCEREST thanks for all of your help with this problem!
:D

Take care!

guestolo
Hijackthis log - please help
« Reply #9 on: February 28, 2005, 06:31:58 PM »
Sounds good, I'll lock this topic as your problems appear to be resolved
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread

Stay safe, oh, and don't forget to go back and rehide hidden files and folders
Don't want them wondering what all those transparent icons are about :D
