Spyware

Could someone please check this out & tell me what to remove.
Logfile of HijackThis v1.99.1
Scan saved at 8:21:26 AM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\LxrJD31s.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Windows\System32\ltmsg.exe
C:\Windows\System32\dpmw32.exe
C:\Windows\System32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Common Files\Desktop Weather Authority\TrueWeather.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hack-It\HackIt.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Windows\System32\wuauclt.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\User\My Documents\My Downloads\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...PT/0409/bF8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ag.na.jci.com/index2.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.jci.com:8080
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NDPS] C:\Windows\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\Windows\System32\zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Sametime Connect] C:\Program Files\Lotus\Sametime Client\Connect.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Desktop Weather Authority.lnk = C:\Program Files\Common Files\Desktop Weather Authority\TrueWeather.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Windows\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Windows\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Sametime Meeting Room Client ST31 - http://jmihoss1.na.j...gRoomClient.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://jmihoss1.na.j...STJNILoader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ag.na.jci.com
O17 - HKLM\Software\..\Telephony: DomainName = ag.na.jci.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ag.na.jci.com
O20 - Winlogon Notify: NavLogon - C:\Windows\System32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\Windows\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\Windows\SYSTEM32\LxrJD31s.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

Hi, tnstout,
Welcome! :tazz:

Can you verify that this is safe and that you are familiar with it?
http://w3.ag.na.jci.com/index2.htm

Did you intentionally install Hack-it?:
C:\Program Files\Hack-It\HackIt.exe
http://www3.ca.com/s...px?id=453075202

Otherwise, that is a pretty clean log except for two entries which are open to debate.
They are the Alexa registry entry created by an IE 6 install or installation of an IE Service Pack. It is nothing to worry about.
It is simply a registry key that creates a menu item which points to a local web page. That then points to an MSN search page using the Alexa engine.
It will get rebuilt as you continue to use IE. For now the only functionality lost would be "Show Related Links".
If you do not need that, it should be safe to remove, or to leave as is.

If you decide to remove them, launch HJT and tick these:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Windows\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Windows\web\related.htm

Close all windows and click "Fix Checked".

Reboot.

Have you run Ad-aware and Spybot yet? If not, I will post instructions next time.

If you would like to do a good follow-up cleaning, download: CCleaner
http://www.majorgeek...wnload4191.html
http://www.ccleaner.com/
http://www.filehippo...d_ccleaner.html

Once installed, run CCleaner:
Click the Windows tab

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: Click Options. Click Advanced .
Uncheck: "Only delete files older than 48 hrs.". Click OK.

UNCHECK all other defaults listed on the:
Issues and Applications tabs.

Then click Run Cleaner (bottom right). When finished> Exit (reboot)

I am looking forward to hearing from you regarding my questions above. If we are to do any additional fixing, please include a fresh HJT log.

Thanks.

#1
tnstout

Posted 28 July 2005 - 07:36 AM

Advertisements

#2
Bugbatter

Posted 28 July 2005 - 12:33 PM

#3
Bugbatter

Posted 12 August 2005 - 06:21 PM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us