Here is the logfile from HijackThis from our work computer. Multiple individuals use it, and now we are getting these annoying popups every time Internet Explorer is open. Hopefully someone can help.
raymond
Logfile of HijackThis v1.99.1
Scan saved at 5:00:10 AM, on 5/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Insight\Tools\Aiclient.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
c:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Marriott\Installation Gatekeeper\IGK.exe
C:\WINDOWS\System32\idr3hlpr.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NetManage\APPS\NFS\wlpd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\FLRSERV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\PMC900.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NetManage\APPS\EMULATION\TELNET.EXE
C:\Program Files\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marrweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marrweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Marriott International
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=marrproxy:8000;gopher=marrproxy:8000;http=marrproxy:8000;https=marrproxy:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 162.130.*.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DPCUpdater Object - {61C07AF3-01A3-4B85-ADB2-4EFD04E1286C} - C:\WINDOWS\System32\jkklj.dll
O2 - BHO: AIMSite Class - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\Program Files\AIM Toolbar\aimhelper.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IE_TOPOFF_RUN] C:\Stage\APPLIC~1\MICROS~1\IE\6_SP1_~1\IE_Topoff.exe /F
O4 - HKLM\..\Run: [Outlook_XP_Read_Reciept_Patch] C:\stage\applications\microsoft\Outlook_XP_Read_Reciept_Patch\Outlook_XP_Read_Receipt_Patch.exe
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [SwdisUsrPCN.ELPTXPC964705] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
O4 - HKLM\..\Run: [ScrewDrivers Client Executable] "C:\Program Files\triCerat\Simplify Printing\ScrewDrivers Client v3\sdclient.exe" -i
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://marrweb/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fs.marrcorp.marriott.com
O17 - HKLM\Software\..\Telephony: DomainName = fs.marrcorp.marriott.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fs.marrcorp.marriott.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fs.marrcorp.marriott.com
O20 - Winlogon Notify: jkklj - C:\WINDOWS\System32\jkklj.dll
O23 - Service: Asset Insight Client (Aiclient) - Unknown owner - C:\Program Files\Insight\Tools\Aiclient.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - c:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Installation Gatekeeper - Marriott International - C:\Program Files\Marriott\Installation Gatekeeper\IGK.exe
O23 - Service: NetManage NFS Client (InterDrive) Helper (InterDrive) - NetManage, Inc. - C:\WINDOWS\System32\idr3hlpr.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: NetManage LPD Service (LPD Server) - NetManage, Inc. - C:\Program Files\NetManage\APPS\NFS\wlpd.exe
O23 - Service: NetManage FTP Server - NetManage, Inc. - C:\PROGRA~1\NETMAN~1\apps\ftpd\ftpd.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Shared Folders Server (SFOLDER) - NetManage. - C:\WINDOWS\System32\FLRSERV.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
Unable to find what caused popups
Started by ray, May 01 2006 12:03 PM
6 replies to this topic
#1
Posted 01 May 2006 - 12:03 PM
#2
Guest_winchester73_*
Posted 01 May 2006 - 02:09 PM
You have a variant of Vundo ...
The classic signs in your case are:
O2 - BHO: DPCUpdater Object - {61C07AF3-01A3-4B85-ADB2-4EFD04E1286C} - C:\WINDOWS\System32\jkklj.dll
O20 - Winlogon Notify: jkklj - C:\WINDOWS\System32\jkklj.dll
Download VundoFix.exe by Atribune to your desktop: http://www.atribune..../click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* When the scan is complete, click the Remove Vundo button
* You will receive a prompt asking if you want to remove the files, click yes
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Restart your computer
A log called vundofix.txt will be created in your C:\ directory
Please post the vundofix.txt file here (it will open with Notepad) as well as a fresh HijackThis log.
#3
Posted 04 May 2006 - 12:12 PM
Thanks! Here is the log from vundofix.txt and a new HijackThis log. Thanks for your help.
ray
VundoFix V4.2.73
Checking Java version...
Sun Java not detected
Scan started at 5:03:00 AM 5/4/2006
Listing files found while scanning....
C:\WINDOWS\System32\jkklj.dll
C:\WINDOWS\System32\jlkkj.ini
C:\WINDOWS\System32\jlkkj.bak1
C:\WINDOWS\System32\jlkkj.bak2
C:\WINDOWS\System32\jlkkj.ini2
C:\WINDOWS\System32\jlkkj.tmp
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak2
C:\WINDOWS\system32\jlkkj.tmp
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\jlkkj.bak2
C:\WINDOWS\system32\jlkkj.tmp
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\jkklj.dll
Attempting to delete C:\WINDOWS\System32\jkklj.dll
C:\WINDOWS\System32\jkklj.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\jlkkj.ini
C:\WINDOWS\System32\jlkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\jlkkj.bak1
C:\WINDOWS\System32\jlkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\System32\jlkkj.bak2
C:\WINDOWS\System32\jlkkj.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\jlkkj.ini2
C:\WINDOWS\System32\jlkkj.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\jlkkj.tmp
C:\WINDOWS\System32\jlkkj.tmp Has been deleted!
Performing Repairs to the registry.
Done!
--------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:10:41 AM, on 5/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Insight\Tools\Aiclient.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
c:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Marriott\Installation Gatekeeper\IGK.exe
C:\WINDOWS\System32\idr3hlpr.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NetManage\APPS\NFS\wlpd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\FLRSERV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\ZS9212.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://marrweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://marrweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Marriott International
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=marrproxy:8000;gopher=marrproxy:8000;http=marrproxy:8000;https=marrproxy:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 162.130.*.*;<local>
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: AIMSite Class - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\Program Files\AIM Toolbar\aimhelper.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IE_TOPOFF_RUN] C:\Stage\APPLIC~1\MICROS~1\IE\6_SP1_~1\IE_Topoff.exe /F
O4 - HKLM\..\Run: [Outlook_XP_Read_Reciept_Patch] C:\stage\applications\microsoft\Outlook_XP_Read_Reciept_Patch\Outlook_XP_Read_Receipt_Patch.exe
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [SwdisUsrPCN.ELPTXPC964705] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [lcfep] "C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
O4 - HKLM\..\Run: [ScrewDrivers Client Executable] "C:\Program Files\triCerat\Simplify Printing\ScrewDrivers Client v3\sdclient.exe" -i
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZUxdm082YYUS
O14 - IERESET.INF: START_PAGE_URL=http://marrweb/
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fs.marrcorp.marriott.com
O17 - HKLM\Software\..\Telephony: DomainName = fs.marrcorp.marriott.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fs.marrcorp.marriott.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fs.marrcorp.marriott.com
O23 - Service: Asset Insight Client (Aiclient) - Unknown owner - C:\Program Files\Insight\Tools\Aiclient.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - c:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Installation Gatekeeper - Marriott International - C:\Program Files\Marriott\Installation Gatekeeper\IGK.exe
O23 - Service: NetManage NFS Client (InterDrive) Helper (InterDrive) - NetManage, Inc. - C:\WINDOWS\System32\idr3hlpr.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: NetManage LPD Service (LPD Server) - NetManage, Inc. - C:\Program Files\NetManage\APPS\NFS\wlpd.exe
O23 - Service: NetManage FTP Server - NetManage, Inc. - C:\PROGRA~1\NETMAN~1\apps\ftpd\ftpd.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Shared Folders Server (SFOLDER) - NetManage. - C:\WINDOWS\System32\FLRSERV.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
#4
Guest_winchester73_*
Posted 04 May 2006 - 03:16 PM
It looks like your Vundo has been exterminated ... 
I'm not a big fan of the MyWebSearch Search Assistant or MyWebSearch Email Plugin, but if your problem is solved at this point, let's leave it alone if you like them.
I noticed this computer is still running XP SP1 instead of SP2. Is this computer current on its Windows Updates?
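As an added example that is not part of the thread (not HijackThis or VundoFix output, and not winchester73's tooling), the script below automates the two checks done by eye above: the Vundo sign called out in post #2, one DLL registered both as a Browser Helper Object (O2) and as a Winlogon Notify package (O20), and the comparison of the 1 May and 4 May logs that makes the MyWebSearch entries in post #4 stand out. The log excerpts are constructed from lines quoted in this thread; the function names are this example's own.

```python
"""Added example: two checks over HijackThis 1.99.1 log lines.

vundo_indicators(): DLLs listed under both O2 (BHO) and O20 (Winlogon
Notify). Winlogon Notify DLLs are loaded by winlogon.exe at logon, so a
BHO that also sits there survives the browser being closed and cannot
simply be deleted while logged on, which is why VundoFix works from a
blanked desktop and then reboots.

diff_logs(): findings added or removed between two logs, which is how
leftovers such as the MyWebSearch entries show up after a cleanup.
"""
import re
from collections import defaultdict

# Constructed excerpt of the 1 May log (Vundo present).
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DPCUpdater Object - {61C07AF3-01A3-4B85-ADB2-4EFD04E1286C} - C:\WINDOWS\System32\jkklj.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: jkklj - C:\WINDOWS\System32\jkklj.dll
"""

# Constructed excerpt of the 4 May log (after VundoFix; MyWebSearch now visible).
LOG_AFTER = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
"""

# Every HJT finding is "<section> - <body>", e.g. "O2 - BHO: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Group a log's findings by section code, e.g. {'O2': [body, ...]}.
    Header, 'Running processes' and blank lines do not match and are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m["section"]].append(m["body"])
    return dict(entries)


def module_path(body):
    """The path is the last ' - ' delimited field of an O2/O20 body; HJT
    appends ' (file missing)' when the file is gone. Lower-cased so that
    System32 and system32 compare equal, as they did in the VundoFix log."""
    path = body.rsplit(" - ", 1)[-1]
    return path.replace("(file missing)", "").strip().lower()


def vundo_indicators(entries):
    """DLLs that are both a BHO (O2) and a Winlogon Notify package (O20).
    A browser helper has no business in Winlogon's notify list, so any
    overlap is the classic sign winchester73 pointed at."""
    bho = {module_path(b) for b in entries.get("O2", [])}
    notify = {module_path(b) for b in entries.get("O20", [])}
    return sorted(bho & notify)


def diff_logs(before_text, after_text):
    """Return (added, removed) findings as (section, body) pairs."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    sections = sorted(set(before) | set(after))
    added = [(s, b) for s in sections for b in after.get(s, [])
             if b not in before.get(s, [])]
    removed = [(s, b) for s in sections for b in before.get(s, [])
               if b not in after.get(s, [])]
    return added, removed


if __name__ == "__main__":
    print("Vundo indicators, 1 May log:", vundo_indicators(parse_hjt(LOG_BEFORE)))
    print("Vundo indicators, 4 May log:", vundo_indicators(parse_hjt(LOG_AFTER)))
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    for section, body in removed:
        print("-", section, body)
    for section, body in added:
        print("+", section, body)
```

Run against full logs rather than the excerpts, `diff_logs` also flags process-list changes only if you feed it the `O`/`R` findings, since the "Running processes" block has no section code; compare that block separately if a new `C:\WINDOWS\TEMP\*.EXE` is what you are after.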
#5
Posted 05 May 2006 - 02:45 AM
That did it, thanks.
I will probably remove the My Web Search assistant since I don't know why it's there in the first place.
I'm not sure if the computer is current on its updates, but there's nothing we can do about it. The computer is on a corporate network and only our tech support has access to that. I guess they are behind or something.
Well thanks again for all your help.
raymond
#6
Posted 05 May 2006 - 03:46 AM
Well, your tech support is horribly irresponsible!
What kind of TS doesn't keep their computers updated with critical Windows updates?
#7
Guest_winchester73_*
Posted 05 May 2006 - 01:58 PM
If you wish to uninstall the My Web products, try the Control Panel's "Add/Remove Programs" option first. If you have troubles, post back ... after you have done so, you might wish to post a fresh HJT log and someone can look it over for any remnants.
It is usually suggested that a computer be 'clean' before upgrading to SP2 ... perhaps tech support can do that now?