Somebody at work clicked on something they shouldn't have... again. Here's a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:30 AM, on 7/1/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
f:\auditwiz\data\scanner\Scan32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\WINNT\system32\intel32.exe
C:\WINNT\system32\svcnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Cyco Shared\AMWFASTL.EXE
\Nbp411_ii\sys\APPS\office97\Office\OSA.EXE
I:\PUBLIC\GRPWISE\CLIENT\WIN32\NOTIFY.EXE
C:\CWShredder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\shdocsv.dll/API32.htm#ID=347;065D
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\PROGRA~1\McAfee\MANAGE~1\VScan\Splash.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\system32\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINNT\system32\svcnt.exe home
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AM-WorkFlow Fast Load.lnk = C:\Program Files\Common Files\Cyco Shared\AMWFASTL.EXE
O4 - Global Startup: Office Startup.lnk = APPS\office97\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = APPS\office97\Office\FINDFAST.EXE
O4 - Global Startup: GroupWise Notify.lnk = PUBLIC\GRPWISE\CLIENT\WIN32\NOTIFY.EXE
O16 - DPF: Java Mainframe Display (MFDFTX) - http://web3270.extra.daimlerchrysler.com/w2hlegacy/w2h_b/w2hlegacy/java/wdmfdftx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75072744-2153-4123-A9D9-86B27C50CF45}: NameServer = 205.244.200.3,205.244.112.20
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\myRmProt3.0.0.572.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe

Any help is appreciated, as always.
Get Microsoft AntiSpyware to remove it all, get Ad-Aware to remove some of it, and finally remove the rest with Spy Sweeper.
I would suspect svcnt.exe in System32, but also that Java Mainframe Display CAB... which, after googling it, happens to be something legitimate. Really, this could be a wild goose chase. Have you run the newest versions of Spybot and Ad-Aware? I see you have TeaTimer running... that didn't stop anything from coming in... Maybe there's a need for that other CoolWebSearch removal program. What is the "weird" behaviour the machine is showing that made you want to analyse it?
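The checks the reply above makes by hand, written out as a small log triage script. This is an added example, not part of the thread and not HijackThis's own code: it splits a v1.99 log (even one flattened onto a single line, as in the post) into running processes and entries, flags R0/R1 start or search pages that point at a res:// resource inside a local DLL, and flags O4 autostarts whose executable sits in the Windows system directory (or is a bare name resolved via PATH) but is not on a known-good list, marking those that are also running. The sample log is a cut-down copy of the one posted, and KNOWN_SYSTEM_AUTOSTARTS is an assumption for illustration; on a real case you would verify each name against a clean reference machine rather than a hard-coded set.

```python
"""HijackThis log triage (added example, not HijackThis's own code).

Heuristics, matching the hand analysis in the thread:
  1. R0/R1 entries whose start/search page is a res:// URL into a local DLL.
  2. O4 autostarts in the Windows system directory (or bare names resolved
     via PATH) that are not on the known-good list; marked live if the same
     executable also appears under "Running processes".
"""
import re
from dataclasses import dataclass

# Constructed sample: a cut-down copy of the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\system32\intel32.exe
C:\WINNT\system32\svcnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\shdocsv.dll/API32.htm#ID=347;065D
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\system32\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINNT\system32\svcnt.exe home
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Office Startup.lnk = APPS\office97\Office\OSA.EXE
"""

ENTRY_SPLIT = re.compile(r"\s+(?=[RFNO]\d{1,2} - |Running processes:)")
ENTRY_CODE = re.compile(r"^([RFNO]\d{1,2}) - ")
PROC_SPLIT = re.compile(r"\s+(?=[A-Za-z]:\\|\\)")   # next process path starts here
RES_DLL = re.compile(r"=\s*res://(?P<dll>[^/\s]+\.dll)", re.I)
O4_ENTRY = re.compile(r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
EXE_IN_CMD = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|pif|bat|cmd))"?(?:\s|$)', re.I)

# Assumption for illustration: system-dir autostarts expected on this build
# (Windows Synchronization Manager, Intel graphics tray/hotkeys, Novell tray).
KNOWN_SYSTEM_AUTOSTARTS = {"mobsync.exe", "igfxtray.exe", "hkcmd.exe", "nwtray.exe"}


@dataclass
class Finding:
    kind: str           # HijackThis entry code, e.g. "R0" or "O4"
    target: str         # DLL or executable the entry points at
    reason: str
    live: bool = False  # target also appears under "Running processes"


def split_log(text):
    """Return (process paths, entries); tolerates a log flattened onto one line."""
    flat = " ".join(text.split())
    procs, entries = [], []
    for chunk in ENTRY_SPLIT.split(flat):
        if chunk.startswith("Running processes:"):
            body = chunk[len("Running processes:"):].strip()
            procs = PROC_SPLIT.split(body) if body else []
        elif ENTRY_CODE.match(chunk):
            entries.append(chunk)
    return procs, entries


def o4_executable(entry):
    """Executable launched by an O4 entry (Run key or Global Startup .lnk)."""
    m = O4_ENTRY.match(entry)
    if not m:
        return None
    cmd = m.group("cmd")
    if m.group("name") is None and " = " in cmd:   # "foo.lnk = <target>"
        cmd = cmd.split(" = ", 1)[1]
    e = EXE_IN_CMD.match(cmd)
    return e.group("exe") if e else None


def in_system_dir(exe):
    low = exe.lower()
    if "\\" not in low:    # bare name: resolved via PATH, normally system32
        return True
    return "\\system32\\" in low or low.startswith(("c:\\winnt\\", "c:\\windows\\"))


def triage(text):
    procs, entries = split_log(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in procs}
    findings = []
    for entry in entries:
        code = ENTRY_CODE.match(entry).group(1)
        if code in ("R0", "R1"):
            m = RES_DLL.search(entry)
            if m:
                findings.append(Finding(code, m.group("dll"),
                    "start/search page redirected into a local DLL resource"))
        elif code == "O4":
            exe = o4_executable(entry)
            if exe and in_system_dir(exe):
                base = exe.rsplit("\\", 1)[-1].lower()
                if base not in KNOWN_SYSTEM_AUTOSTARTS:
                    findings.append(Finding(code, exe,
                        "system-directory autostart not on known-good list",
                        live=base in running))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {'LIVE ' if f.live else ''}{f.target}: {f.reason}")
```

Run against the sample it reports the two res:// start-page entries and the two system32 autostarts (intel32.exe and svcnt.exe) as live, and stays quiet about the Intel tray, McAfee, Spybot and Office entries. The whole point of the known-good list is that it is short and explicit: anything in the system directory that you cannot account for is worth a second look, which is exactly the reasoning the reply applies to svcnt.exe.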
I won't be going back to work until Tuesday, but thanks for any help. I was told by my supervisor to go out to this guy's office. He clicked on one of those "Free Virus Scan" popups (retarded, I know, especially considering we have a virus scan program running at all times), his background was replaced with a BSOD wannabe (no picture, sorry), and there is an odd icon in his taskbar. If you highlight it, it says "Click here to activate virus scan!". I haven't clicked it, for obvious reasons.