I closed all the applications before I did the following.
I have downloaded Ad-Aware and scanned my PC and deleted the files that had problems. I then downloaded the latest version of HijackThis and ran it. Below is the hijackthis.log. Also, I ran HijackThis Analyzer. It created a result.txt file. I am posting that as well.
PLEASE HELP ME!!!! This is my PC at work. I will be in trouble if I don't get rid of the virus.
HIJACKTHIS.log
Logfile of HijackThis v1.99.0
Scan saved at 4:56:01 PM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\Common\Alert\ALERT.EXE
C:\WINNT\UMCSTUB.EXE
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\nvsvc32.exe
C:\orant\bin\wdblsnr.exe
C:\orant\bin\ifsrv60.exe
C:\orant\bin\ifweb60.exe
C:\TNGRCO\RCManClient.exe
C:\TNGRCO\RCOService.exe
C:\TNGRCO\rp32u.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\SxpInst\sxplog32.exe
C:\WINNT\system32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
\IS-NT-AMO1\AMAGENTS$\SWMWNT.EXE
\IS-NT-AMO1\AMAGENTS$\SWMNTDOG.EXE
C:\TNGSD\BIN\triggusr.exe
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
C:\WINNT\system32\wsoptsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CheckPoint\Session Authentication Agent\PROGRAM\fwsession.exe
C:\New Sbaskar\WinZip\WZQKPICK.EXE
C:\WINNT\explorer.exe
C:\New Sbaskar\Virus\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsear...sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsear...sidesearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = indekalb;10.*;172.*;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: (no name) - {A290C541-8CBD-A670-FEDF-A8AFC765B5BE} - C:\WINNT\waifjf.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKCU\..\Run: [hBx2RTK8W] wsoptsvc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Session Authentication Agent 5.0.lnk = C:\Program Files\CheckPoint\Session Authentication Agent\PROGRAM\fwsession.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\New Sbaskar\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...43/QDow_AS2.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://isfmis2.co.de...tor/oajinit.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.../dwnldr_ext.cab
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\Common\Alert\ALERT.EXE
O23 - Service: Asset Management Agent - Computer Associates International, Inc. - C:\WINNT\UMCSTUB.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing)
O23 - Service: Event Log Watch - Unknown - C:\WINNT\LogWatNT.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Oracle WebDb Listener - Unknown - C:\orant\bin\wdblsnr.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Forms Server [Forms60Server] - Oracle Corporation - C:\orant\bin\ifsrv60.exe
O23 - Service: Oracle Reports Server [Rep60_IS-1V1YN41] - Oracle Corp - C:\orant\bin\rwmts60.exe
O23 - Service: RCManClient - Computer Associates International, Inc. - C:\TNGRCO\RCManClient.exe
O23 - Service: Unicenter TNG RCO - Computer Associates International, Inc. - C:\TNGRCO\RCOService.exe
O23 - Service: Unicenter Software Delivery - Computer Accociates, Intl Inc. - C:\TNGSD\BIN\SDSERV.EXE
result.txt file from HijackThis Analyzer
===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 12/27/04
Get updates at http://www.greyknigh...ad.htm#programs
***Security Programs Detected***
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 4:56:01 PM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Program Files\CA\Common\Alert\ALERT.EXE
C:\WINNT\UMCSTUB.EXE
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\WINNT\LogWatNT.exe
C:\orant\bin\wdblsnr.exe
C:\orant\bin\ifsrv60.exe
C:\orant\bin\ifweb60.exe
C:\TNGRCO\RCManClient.exe
C:\TNGRCO\RCOService.exe
C:\TNGRCO\rp32u.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\SxpInst\sxplog32.exe
C:\TNGSD\BIN\TRIGGAG.EXE
\IS-NT-AMO1\AMAGENTS$\SWMWNT.EXE
\IS-NT-AMO1\AMAGENTS$\SWMNTDOG.EXE
C:\TNGSD\BIN\triggusr.exe
C:\Program Files\CA\eTrust\Antivirus\realmon.exe
C:\WINNT\system32\wsoptsvc.exe
C:\Program Files\CheckPoint\Session Authentication Agent\PROGRAM\fwsession.exe
C:\New Sbaskar\WinZip\WZQKPICK.EXE
C:\New Sbaskar\Virus\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsear...sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsear...sidesearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = indekalb;10.*;172.*;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: (no name) - {A290C541-8CBD-A670-FEDF-A8AFC765B5BE} - C:\WINNT\waifjf.dll
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKCU\..\Run: [hBx2RTK8W] wsoptsvc.exe
O4 - Global Startup: Session Authentication Agent 5.0.lnk = C:\Program Files\CheckPoint\Session Authentication Agent\PROGRAM\fwsession.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\New Sbaskar\WinZip\WZQKPICK.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...43/QDow_AS2.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://isfmis2.co.de...tor/oajinit.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.../dwnldr_ext.cab
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\CA\Common\Alert\ALERT.EXE
O23 - Service: Asset Management Agent - Computer Associates International, Inc. - C:\WINNT\UMCSTUB.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing)
O23 - Service: Event Log Watch - Unknown - C:\WINNT\LogWatNT.exe
O23 - Service: Oracle WebDb Listener - Unknown - C:\orant\bin\wdblsnr.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Forms Server [Forms60Server] - Oracle Corporation - C:\orant\bin\ifsrv60.exe
O23 - Service: Oracle Reports Server [Rep60_IS-1V1YN41] - Oracle Corp - C:\orant\bin\rwmts60.exe
O23 - Service: RCManClient - Computer Associates International, Inc. - C:\TNGRCO\RCManClient.exe
O23 - Service: Unicenter TNG RCO - Computer Associates International, Inc. - C:\TNGRCO\RCOService.exe
O23 - Service: Unicenter Software Delivery - Computer Accociates, Intl Inc. - C:\TNGSD\BIN\SDSERV.EXE
End of HijackThis Analyzer Log.
===========================================================================================================================