Pest Problems.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

TomMiller

Thread Starter
Joined
Nov 10, 2004
Messages
48
Hi, I have a PC on a network at work that has a lot of pest problems. I have run Ad-Aware, PestPatrol and Spybot but there are still some pests on the PC. If I was to post a log using HijackThis would somebody be kind enough to take a look?

Thanks.
Tom. (y)
 

TomMiller

Thread Starter
Joined
Nov 10, 2004
Messages
48
Thanks, I'll get up to the PC at some point this afternoon and post the log. Thanks a lot.
 

TomMiller

Thread Starter
Joined
Nov 10, 2004
Messages
48
The log. Thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 13:19:09, on 07/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\RightFax\faxctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\rrclient\tcgmain.exe
C:\Program Files\CA\eTrust Antivirus\InocIT.exe
Z:\application installation folder\adware_eliminators\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jlh\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jlh\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://walkermorris
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Walker Morris
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mailsweeper01:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://freehome.walkermorris.com;www.walkermorrisonline.com;www.walkermorrisonline.co.uk;www.walkermorris.com;reach.walkermorris.com;mre.walkermorris.com;www.walkermorriscollect.com;referrer.walkermorrisonline.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 126.0.0.76 Cantrill
O1 - Hosts: 126.0.0.1 wm
O1 - Hosts: 126.0.0.4 Smart
O1 - Hosts: 126.0.0.19 Crystal01
O1 - Hosts: 126.0.0.124 SMS03
O1 - Hosts: 126.0.100.1 Walker
O1 - Hosts: 126.0.100.6 ITDEV
O1 - Hosts: 126.0.0.135 MUDD
O1 - Hosts: 126.0.0.135 Exchange01
O1 - Hosts: 126.0.100.8 IT
O1 - Hosts: :126.0.0.7 Scott accounts
O1 - Hosts: 126.0.0.47 chase1
O1 - Hosts: 126.0.0.48 chase2
O1 - Hosts: 126.0.0.49 volsales
O1 - Hosts: 126.0.0.50 CallXpress
O1 - Hosts: 126.0.0.60 caisley
O1 - Hosts: 126.0.0.61 FINANCE
O1 - Hosts: 126.0.0.61 Knowledge
O1 - Hosts: 126.0.0.77 Rightfax
O1 - Hosts: 126.0.0.97 beck
O1 - Hosts: 126.0.0.99 ITDEVELOPMENT
O1 - Hosts: 126.0.0.119 IFAX1
O1 - Hosts: 126.0.0.121 IFAX2
O1 - Hosts: 126.0.0.123 IFAX3
O1 - Hosts: 126.0.0.129 FILEPRINT01
O1 - Hosts: 195.166.13.131 WWW.LRDIRECT.CO.UK
O1 - Hosts: 126.0.0.110 EXTRANET01
O1 - Hosts: 126.0.0.157 EXTRANET02
O1 - Hosts: 126.0.0.156 TMSServer
O1 - Hosts: 126.0.0.158 SQL02
O1 - Hosts: 126.0.0.159 INTRANET02
O1 - Hosts: 126.0.0.159 CaseNet
O1 - Hosts: 126.0.0.160 ITDev2000
O1 - Hosts: 126.0.0.135 EXCHANGE01
O1 - Hosts: 126.0.0.227 Exchange02
O1 - Hosts: 126.0.0.233 Marketing01
O1 - Hosts: :added by WZC 24/09/2002
O1 - Hosts: 126.0.0.110 www.walkermorrisonline.com
O1 - Hosts: 126.0.0.110 www.walkermorriscollect.com
O1 - Hosts: 126.0.0.110 www.onestopclaimshop.com
O1 - Hosts: 126.0.0.110 reach.walkermorris.com
O1 - Hosts: 126.0.0.110 mre.walkermorris.com
O1 - Hosts: 126.0.0.110 ippo.walkermorris.com
O1 - Hosts: 126.0.0.110 freehome.walkermorris.com
O1 - Hosts: 126.0.0.157 www.walkermorris.com
O1 - Hosts: 126.0.0.157 www.bosscot.co.uk
O1 - Hosts: 126.0.0.157 referrer.walkermorrisonline.com
O1 - Hosts: 126.0.0.157 www.bosscot.co.uk
O1 - Hosts: 126.0.0.157 www.global.bosscot.co.uk
O1 - Hosts: 126.0.0.110 www.walkermorrisonline.co.uk
O1 - Hosts: : ***********************************
O1 - Hosts: : Latest Host file
O1 - Hosts: : Added 6/5/03
O1 - Hosts: : *************************
O1 - Hosts: : Added
O1 - Hosts: : -----
O1 - Hosts: : Cantrill 126.0.0.76 - MAA - 6/5/03
O1 - Hosts: : SMS03 126.0.0.124 - MAA - 8/5/03
O1 - Hosts: : 126.0.0.157 www.bosscot.co.uk - MAA - 8/7/03
O1 - Hosts: :
O1 - Hosts: : -----------------------------------
O1 - Hosts: :: Removed
O1 - Hosts: : -------
O1 - Hosts: : SMS01 126.0.100.5 - MAA - 8/5/03
O1 - Hosts: :
O1 - Hosts: :
O1 - Hosts: : **********************************
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E7AB695D-F7C0-43F8-8467-38E7CDEF11AB} - C:\WINDOWS\System32\ebmo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Background Information] c:\windows\bginfo.exe /i:c:\windows\wm.bgi /timer=0
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [RoboPDF] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - Startup: Genesis2.LNK = ?
O4 - Global Startup: Genesis2.lnk = ?
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Escorted Browsing (HKLM)
O9 - Extra 'Tools' menuitem: Escorted Browsing (HKLM)
O9 - Extra button: Send This Page (HKLM)
O9 - Extra 'Tools' menuitem: Send This Page (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://walkermorris
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://H:\WP\IT\PPE\Macromedia\Full\awswaxf.cab
O16 - DPF: {20EB4AAE-9330-11D2-B2BE-00600854D84F} (WMTreeViewControl.WMTreeView) - http://knowledge/install/wm/WMTreeView.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.0931828704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = walkermorris.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = walkermorris.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = walkermorris.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = walkermorris.co.uk
 
Joined
Sep 7, 2004
Messages
49,014
Download but don’t run CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html

Print this and boot to safe mode

Open cwshredder.exe then click "Fix" and let it run.

Fix these with HJT

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jlh\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jlh\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {E7AB695D-F7C0-43F8-8467-38E7CDEF11AB} - C:\WINDOWS\System32\ebmo.dll

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", click "Apply" then "OK"

Delete these files

C:\WINDOWS\System32\ebmo.dll

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log
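
A triage sketch for the kind of log review done in the reply above, as an added example that is not part of the original post or of HijackThis: it parses HijackThis log lines and flags IE search values set to about:blank or to a res:// URL inside a DLL under Temp, plus unnamed BHOs whose DLL sits directly in System32. The heuristics and the names triage and SAMPLE_LOG are assumptions chosen to match entries the reply selected, not a complete rule set.

```python
import re

# Constructed sample: six lines copied from the HijackThis v1.97.7 log in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\jlh\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://walkermorris
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E7AB695D-F7C0-43F8-8467-38E7CDEF11AB} - C:\WINDOWS\System32\ebmo.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
BHO = re.compile(r"^BHO: (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# Assumed heuristics (illustrative only, tuned to the entries the reply marks for fixing).
TEMP_RES = re.compile(r"^res://.*\\temp\\[^\\/]+\.dll/", re.I)
SYS32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)
SEARCH_NAMES = {"search bar", "search page", "searchassistant"}

def triage(log_text):
    """Return (section, reason, line) tuples for entries matching the heuristics."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list or blank line
        sec, body = m["sec"], m["body"]
        if sec in ("R0", "R1"):  # IE start/search page registry values
            rv = REG_VALUE.match(body)
            if not rv:
                continue
            name, value = rv["name"].strip().lower(), rv["value"].strip()
            if TEMP_RES.match(value):
                findings.append((sec, "search value is a res:// page inside a Temp DLL", line))
            elif name in SEARCH_NAMES and value.lower() == "about:blank":
                findings.append((sec, "search value set to about:blank", line))
        elif sec == "O2":  # Browser Helper Objects
            bho = BHO.match(body)
            if bho and bho["label"] == "(no name)" and SYS32_DLL.match(bho["path"]):
                findings.append((sec, "unnamed BHO loaded from System32", line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {line}")
```

A flagged line is a candidate for manual review, not a verdict; the corporate start page and the Acrobat helper in the sample pass through unflagged.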
 

TomMiller

Thread Starter
Joined
Nov 10, 2004
Messages
48
Thank you very much for your help. This has fixed my problems with the user.

Regards,
Tom.
 