Re: HijackThisLog Analysis - Optionstradr
Date: Tuesday, 13 July, 2004 11:04 AM
Looks like you have corporate VPN and Novell components installed - it would be a good idea to document your removal process in the event that you need technical support later.
Important: After you have removed those offending keys, copies of the .reg files will be left in the c:\Personal folder. These files would come in handy if you need to reverse the process, so don't delete them immediately.
Remove these search keys:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res:??C:\WINNT\mdjir.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res:??mdjir.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res:??mdjir.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res:??C:\WINNT\mdjir.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res:??mdjir.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res:??C:\WINNT\mdjir.dll/sp.html#96676
Remove these additional browser plug-in keys (O2...O4):
O2 - BHO: (no name) - {2E29D6B0-168E-BD3A-A8C8-11A0B4F9C13E} - C:\WINNT\netqz32.dll
O4 - HKLM\..\Run: [wincc32.exe] C:\WINNT\system32\wincc32.exe
Reboot the computer and put it in safe mode. Then delete (or rename) these files from your C: drive.
C:\WINNT\netqz32.dll
C:\WINNT\mdjir.dll
C:\WINNT\system32\wincc32.exe
Original log but with private information removed.
Logfile of HijackThis v1.97.7
Scan saved at 10:06:49 PM, on 07/12/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINNT\crvt.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\wincc32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Personal\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res:??C:\WINNT\mdjir.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res:??mdjir.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res:??mdjir.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res:??C:\WINNT\mdjir.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res:??mdjir.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res:??C:\WINNT\mdjir.dll/sp.html#96676
O2 - BHO: (no name) - {2E29D6B0-168E-BD3A-A8C8-11A0B4F9C13E} - C:\WINNT\netqz32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wincc32.exe] C:\WINNT\system32\wincc32.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Wireless Connection Manager Update.lnk = C:\Program Files\Novatel Wireless\WirelessConnectionManager\WiseUpdt.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to naldesk.exe.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
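Added example (not part of the original post, and not HijackThis code): a small parser for the log format shown above that splits entries by section code and flags the two patterns the reply picks out, Internet Explorer page settings that point at a res: DLL resource and BHOs listed as "(no name)". The function names and the choice of these two checks are assumptions for illustration; O4 Run entries are only listed for manual review, since the log alone does not say which ones are unwanted.

```python
import re

# Constructed sample: six entries copied from the log in this post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res:??C:\WINNT\mdjir.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res:??mdjir.dll/index.html#96676
O2 - BHO: (no name) - {2E29D6B0-168E-BD3A-A8C8-11A0B4F9C13E} - C:\WINNT\netqz32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [wincc32.exe] C:\WINNT\system32\wincc32.exe
"""

LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<command>.+)$")
DLL = re.compile(r"([^\\/?:]+\.dll)", re.IGNORECASE)

def parse_log(text):
    """Split a HijackThis log into dicts keyed by section code (R0, O2, ...)."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines and process paths carry no section code
        section = m["section"]
        entry = {"section": section, "body": m["body"]}
        shape = REG_VALUE if section[0] == "R" else {"O2": BHO, "O4": RUN}.get(section)
        detail = shape.match(m["body"]) if shape else None
        entry.update(detail.groupdict() if detail else {})
        entries.append(entry)
    return entries

def triage(entries):
    """Flag res: page settings and unnamed BHOs as (section, reason, file)."""
    findings = []
    for e in entries:
        value = e.get("value", "")
        if e["section"] in ("R0", "R1") and value.lower().startswith("res:"):
            dll = DLL.search(value)
            findings.append((e["section"], "IE page served from a DLL resource",
                             dll.group(1).lower() if dll else value))
        elif e["section"] == "O2" and e.get("name") == "(no name)":
            findings.append(("O2", "unnamed BHO", e["path"].rsplit("\\", 1)[-1].lower()))
    return findings

def run_entries(entries):
    """O4 Run values, returned for manual review with no automatic verdict."""
    return [(e["name"], e["command"]) for e in entries if e["section"] == "O4" and "command" in e]
```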