Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please Help

Started by Smokey , Oct 03 2004 10:44 AM

  • Please log in to reply

#1
Smokey
Posted 03 October 2004 - 10:44 AM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
This is one of my school's computers. See what happens when I don't manage their systems ?!

Logfile of HijackThis v1.98.2
Scan saved at 1:12:27 PM, on 9/9/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\NavNT\defwatch.exe
d:\faircom\ctntserv.exe
D:\FAIRCOM\CTSRVR.EXE
C:\WINNT\System32\llssrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\ZipToA.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\DispCtrl\vi_grm.exe
C:\WINNT\System32\loadwc.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
D:\Microsoft Office\Office\OSA.EXE
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\Common Files\GMT\GMT.exe
D:\Microsoft Office\Office\MSOFFICE.EXE
D:\Follett\CC40\WCIRC\cccirc.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\BRQIKMON.EXE
D:\Follett\CC40\WOPAC\ccopac.exe
C:\WINNT\System32\ddhelp.exe
C:\WINNT\Profiles\hibbsc\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ie.twrds.com/...w...YES- To Set
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.ebookcity.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://home.netscape...nsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} -
C:\Program Files\DashBar\DashBar15.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Display Control Panel] C:\DispCtrl\vi_grm.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common
Files\CMEII\CMESys.exe"
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = D:\Microsoft
Office\Office\MSOFFICE.EXE
O4 - Global Startup: Iomega Icons.lnk = C:\Program
Files\Iomega\Tools_NT\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program
Files\Iomega\Tools_NT\STARTNT.EXE
O4 - Global Startup: Office Startup.lnk = D:\Microsoft
Office\Office\OSA.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program
Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Refresh.lnk = C:\Program
Files\Iomega\Tools_NT\refresh.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .mov: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.ebookcity.com/
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
http://198.213.58.15...sCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shinerisd.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = shinerisd.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.18.2.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = shinerisd.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.18.2.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.18.2.8
  • 0

Advertisements

#2
-=jonnyrotten=-
Posted 03 October 2004 - 11:22 AM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Looks like fun! <_<

-=jonnyrotten=-
  • 0

#3
Smokey
Posted 03 October 2004 - 11:28 AM

Smokey

    Member 1K

  • Topic Starter
  • Retired Staff
  • 1,423 posts
What do you suggest?
  • 0

#4
Hemal
Posted 03 October 2004 - 11:47 AM

Hemal

    Founding Fart

  • Technician
  • 1,470 posts
hey nathan

i also manage my schools computers and find them so AHH sometimes, you can try to fix this with the log, but what i found helped the best was to wipe them clean and start fresh basically, all the information is already on the network so you dont have to worry about backing up information and puttting it back on the network is pretty simple...good luck
  • 0

#5
-=jonnyrotten=-
Posted 03 October 2004 - 11:52 AM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
I would say use normal procedure, and make sure the 017 entries are removed and reset the hosts file. Unless I'm missing something big in there?

-=jonnyrotten=- <_<
  • 0

#6
Smokey
Posted 03 October 2004 - 11:53 AM

Smokey

    Member 1K

  • Topic Starter
  • Retired Staff
  • 1,423 posts
Why the 017s?
  • 0

#7
-=jonnyrotten=-
Posted 03 October 2004 - 11:55 AM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Domain Hijacks.

-=jonnyrotten=- <_<
  • 0

#8
admin
Posted 03 October 2004 - 01:22 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe <- Gator Spyware

O4 - Global Startup: PrecisionTime.lnk = C:\Program
Files\PrecisionTime\PrecisionTime.exe <- Spyware

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINNT\web\related.htm <- spyware
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm <- spyware

Ad-aware should remove all of these. The O17's look normal to me for a computer hooked to your schools network. <_<
  • 0

#9
Smokey
Posted 03 October 2004 - 01:34 PM

Smokey

    Member 1K

  • Topic Starter
  • Retired Staff
  • 1,423 posts
Yes, you're right admin, 017s are for the network. Look at the IE version, 5.00 <_<! I can't even log into my gmail account with it, minimum is IE 5.5! The OS is poorly outdated as well :D. Thanks a lot for your help. :D

P.S. This looks like it's unwanted as well:

C:\Program Files\DashBar\ and the http://www.ebookcity.com/ lines

Also Hemal, I don't want to wipe this one clean as it is the library's pc with all the students information on it.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP