Hijacked

Discussion in 'adware, spyware & hijack cleaning' started by AztecD, May 19, 2004.

Thread Status:
Not open for further replies.
  1. AztecD

    AztecD Registered Member

    Joined:
    May 10, 2004
    Posts:
    4
    Here is the log of my work PC. I think it's infected, but you guys let me know, ok?
    --------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 10:15:09 AM, on 5/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
    C:\Program Files\EpsonNet\common\bin\ensrvmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
    C:\Program Files\EpsonNet\common\bin\emalmmon.exe
    C:\Program Files\EpsonNet\common\bin\emwchsrv.exe
    C:\Program Files\EpsonNet\EpsonNet SOAP Server\bin\emsoaprr.exe
    C:\Program Files\EpsonNet\EpsonNet Web Pages Service\bin\ewpsrr.exe
    C:\Program Files\EpsonNet\EpsonNet HTTP Server\bin\apache.exe
    C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
    C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\EpsonNet\EpsonNet HTTP Server\bin\apache.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\hkcmd.exe
    C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
    C:\WINNT\system32\ntvdm.exe
    C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
    C:\WINNT\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Documents and Settings\cesarf\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://watermark-intranet/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://watermark-intranet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Watermark Paddlesports, Inc.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = europa:80
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: RECIBEW.lnk = F:\Inter\RECIBEW.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://watermark-intranet
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...tp://www.space.com/php/multimedia/zoomviewer/
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09c45a8e7cfdeb161600/netzip/RdxIE601.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37956.6623726852
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://inetgs.gs.com.mx/viewer/activeXViewer/activexviewer.cab
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.prorec.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.prorec.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.prorec.com
     
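    A small triage helper for logs in the format posted above, added here as an example and not part of this thread or of HijackThis itself. It parses the `<section> - <body>` lines and flags the kinds of entries a reviewer usually looks at first (hosts-file overrides, startup items outside the normal program directories, ActiveX downloads from a bare IP); the sample input is constructed from a few lines of the log above, and the thresholds are assumed heuristics, not a verdict on this machine.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the same format as the HijackThis log posted above:
# "<section> - <body>". A few lines are copied from that log for realism.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - Startup: RECIBEW.lnk = F:\Inter\RECIBEW.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09c45a8e7cfdeb161600/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Assumed heuristic: startup items under these prefixes are where legitimate software normally lives.
TRUSTED_PREFIXES = ("c:\\winnt\\", "c:\\program files\\")

def parse_log(text):
    # Split each recognised line into its section code (O1, O4, O16, ...) and body.
    return [m.groups() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def _is_raw_ip_url(url):
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage(entries):
    # Map an entry body to the reason it deserves a manual look; unflagged entries are omitted.
    flagged = {}
    for section, body in entries:
        if section == "O1":
            flagged[body] = "hosts-file override: confirm it was added on purpose"
        elif section == "O4":
            # Startup: entries read "name = path"; Run entries read "[name] path".
            sep = "=" if body.startswith("Startup:") else "]"
            path = body.split(sep, 1)[-1].strip().strip('"').lower()
            if ":\\" in path and not path.startswith(TRUSTED_PREFIXES):
                flagged[body] = "startup item outside C:\\WINNT and Program Files"
        elif section == "O16" and _is_raw_ip_url(body.rsplit(" - ", 1)[-1]):
            flagged[body] = "ActiveX control downloaded from a bare IP address"
    return flagged

if __name__ == "__main__":
    for body, reason in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{reason}: {body}")
```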
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    What makes you think it's infected?

    What problems are you getting with it?
     
  3. AztecD

    AztecD Registered Member

    Joined:
    May 10, 2004
    Posts:
    4
    I keep getting bounced-back e-mails in my Outlook that I have never sent, like this one.
    -------------------
    Your message did not reach some or all of the intended recipients.

    Subject: Re: Thank you for delivery
    Sent: 5/19/2004 9:45 AM

    The following recipient(s) could not be reached:

    annihilate@nid.co.jp on 5/19/2004 9:45 AM
    The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
    < cygnus.nid.co.jp #5.1.1 X-Unix; 550 5.1.1 User unknown>
    --------------------

    I ran Ad-Aware and I have eTrust AV, but I still keep getting e-mails like this.

    Thanks for any assistance you can provide.

    Az
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It's very likely that one of the viruses sending those emails is spoofing your email address, so you are getting the bounced messages when someone else is actually sending them.

    There are no obvious signs in your log of any known viral infection, but to be safe:

    Run an online antivirus check from at least one, and preferably 2, of the following sites:
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
     