hijack log please guys

I stupidly put rebate catcher on my work pc and here is a copy of the hijack log. Which do I remove?

thanks

Paul

Logfile of HijackThis v1.98.2
Scan saved at 14:27:49, on 03/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\McAfee\Remote Desktop 32\CONNSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\SLClient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\starter.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\CMPNM\CNAMELEFT6.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
E:\Tech&UserSupport\Spyware Removal Tools and Pop Up Blockers\HijackThis\HijackThis19802.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bradweb.bradford.gov.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\LDClient\meterw32.exe,C:\Program Files\LANDesk\LDClient\softmon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Band Class - {8272B062-BD4D-4EAD-A149-45B3CE3F5CDA} - C:\WINNT\GPalm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Band Class - {8272B062-BD4D-4EAD-A149-45B3CE3F5CDA} - C:\WINNT\GPalm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [CompName] C:\WINNT\CMPNM\CNAMELEFT6.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /to=10
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Mouse.lnk = C:\WINNT\system32\main.cpl
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2345ebcd58e3dadfdb06/netzip/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://bfd-sql2/mapguide6/mgaxctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bradford.gov.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F4DB8B1-6477-4AFE-8FE3-075D990F3D83}: Domain = bradford.gov.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F4DB8B1-6477-4AFE-8FE3-075D990F3D83}: NameServer = 6.99.99.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{7483FFEE-266C-4B42-A4A8-75FADDC3811B}: Domain = bradford.gov.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{7483FFEE-266C-4B42-A4A8-75FADDC3811B}: NameServer = 6.99.99.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F922A66-5E8E-4255-868F-BF4AE42BC2E8}: NameServer = 6.99.99.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{D334351E-6504-49ED-B8E8-71B591AB801B}: Domain = bradford.gov.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{D334351E-6504-49ED-B8E8-71B591AB801B}: NameServer = 6.99.99.99
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bradford.gov.uk
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bradford.gov.uk
have no fear go ahead and do it!! :cool:

Comments

  • smckay
    smckay Posts: 281 Forumite
    try this;

    http://www.hijackthis.de you can paste in your log file

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 needs fixing

    check what residentagent.exe is
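
An added example (not part of the thread and not HijackThis code): a small parser for the `CODE - entry` lines of a HijackThis log that lists entries missing from a known-good baseline scan and always surfaces O7 policy entries such as the DisableRegedit one mentioned above. The baseline, hosts, CLSIDs and file names are constructed sample values.

```python
import re
from collections import defaultdict

# An entry is a section code (R0, F2, O4, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entries(text):
    """Return (code, body) per scan entry; header and process lines are skipped."""
    found = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m["code"], m["body"].strip()) for m in found if m]

def entry_key(code, body):
    """Case-insensitive key. O2/O3 are keyed on CLSID plus module path, so a
    changed display name still matches but a changed path does not."""
    m = CLSID_RE.search(body)
    if code in ("O2", "O3") and m:
        return (code, body[m.start():].lower())
    return (code, body.lower())

def triage(scan_text, baseline_text):
    """Entries absent from the baseline, plus every O7 policy entry, by code."""
    known = {entry_key(c, b) for c, b in parse_entries(baseline_text)}
    review = defaultdict(list)
    for code, body in parse_entries(scan_text):
        if code == "O7" or entry_key(code, body) not in known:
            review[code].append(body)
    return dict(review)

# Constructed sample data (hosts, CLSIDs and file names are placeholders).
BASELINE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.example.test/
O2 - BHO: Helper A - {11111111-2222-3333-4444-555555555555} - C:\Program Files\VendorA\helper.dll
O4 - HKLM\..\Run: [TrayApp] C:\WINNT\System32\trayapp.exe
"""
SCAN = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.example.test/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.test/
O2 - BHO: Helper A v2 - {11111111-2222-3333-4444-555555555555} - C:\Program Files\VendorA\helper.dll
O2 - BHO: Band Class - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINNT\unknown.dll
O4 - HKLM\..\Run: [TrayApp] C:\WINNT\System32\trayapp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for code, bodies in sorted(triage(SCAN, BASELINE).items()):
        for body in bodies:
            print(code, "-", body)
```
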
  • Browntoa
    Browntoa Posts: 49,309 Forumite
    we are going to suggest the above for ALL hijackthis logs as we are not set up to do them, we are talking about this with the board guides

    the next posts are a rough idea of the new "sticky" that will appear when the thing is finalised and the steps that we advise you to take to clean your machine
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,309 Forumite
    Download the following software, in each case as it downloads click on the “Run” button on the File download box that opens to install the software.



    1) Trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update; click the OK button and it will go to the main screen
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode
    2) Ad-Aware from Lavasoft from here

    http://www.lavasoftusa.com/support/download/

    Install, click Check for Updates now and get any updates, then exit

    3) Crap Cleaner from

    http://www.ccleaner.com/ccdownload.asp

    Install only, then exit

    4) Microsoft Anti-Spyware (this can only be used with Windows 2000/XP/2003)

    http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

    Install it and update it

    5) Spybot Search and Destroy

    http://www.majorgeeks.com/download2471.html

    Install, do the search for updates now and get any updates, Make sure you leave the SDhelper ( IE bad download blocker) checked to install (this is the default).

    You will need to disable system restore, boot into safe mode, scan for the problem and finally re-enable system restore.

    HOW TO DISABLE/RE-ENABLE SYSTEM RESTORE

    For Windows XP:

    1: Right click on the My Computer icon on your desktop and select properties.
    2: Click on the system restore tab.
    3: Check the box that says "Turn off system restore on all drives". Click OK.
    4: Click Yes when you are prompted to restart the computer
    5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

    For Windows Millennium:

    1: Right-click My Computer, and then click Properties.
    2: On the Performance tab, click File System, or press ALT+F.
    3: On the Troubleshooting tab, click to select the Disable System Restore check box.
    4: Click OK twice, and then click Yes when you are prompted to restart the computer.
    5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box
  • Browntoa
    Browntoa Posts: 49,309 Forumite
    Malware Removal

    Important:- Before starting make sure you print these instructions as you will not be able to connect to the internet.

    The best method to remove malware is to do it after booting in Safe Mode. Please note to complete ALL these scans may take some time so make sure you allow yourself plenty of time.

    Boot to safe mode now.

    For info on how to boot to safe mode click on the link below:

    http://service1.symantec.com/SUPPOR...001052409420406

    Shut down ALL unrequired applications including browsers




    1) Run Ccleaner with the default options to clean out temporary files. Only use the Default Scan on the Windows Tab and select Run Cleaner



    2) Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop
    3) Run Spybot Search & Destroy and allow it to fix all that it finds

    4) Run Ad-Aware SE and select Perform full system scan box and allow it to fix all that it finds

    5) Run Spybot Search & Destroy and allow it to fix all that it finds

    6) Run Microsoft Antispyware and allow it to fix all that it finds

    You will now need to get back into normal Windows mode by reversing the steps you took to get into safe mode

    When Windows has booted up connect to the Internet and see if the problem is still happening, if so you may need to boot back into safe mode again and do a 2nd run of steps 2) to 6).



    Should the problem persist despite all this then run all the free online scans at both these sites:

    http://www.pandasoftware.com/activescan/

    …and here…..

    http://housecall.trendmicro.com.

    When running the Panda Activescan make sure you click the Free Online Virus Scan in the upper right hand corner of the page under the Free use Activescan header. You do NOT want the default spyXposer scan.

    You should run ALL the free scans offered by Housecall.

    Make sure they both perform full system scans.

    If either/both scans find something they cannot fix - perhaps because the infected files are "in use" - please make a note of the file(s) concerned and post the details in a new thread in the techie forum stating the name of the Malware and which version of Windows you are using.


    If all is clear then please read the following and make sure that you have installed a Firewall and some AntiVirus software by reading the following thread

    http://forums.moneysavingexpert.com/showthread.html?t=3356

    and also it is important that you update your Version of Windows to the latest build as this will help stop a recurrence of the problem.

    www.windowsupdate.microsoft.com

    Please note that this will only work with a VALID Version of Windows XP
  • Toxteth_OGrady
    Fran,

    As discussed on MSN please make B_T's post #6 above a sticky.

    Cheers

    :cool:

    TOG
    604!
This discussion has been closed.