Spyware holding computer hostage



#1 Kenobi

Kenobi

    New Member

  • Member
  • 6 posts

Posted 26 August 2005 - 08:35 PM

I'm working on this computer which appears to have a very strange spyware infection. It's to the point where I can't navigate anywhere and any attempts to install anti-spyware programs are blocked - apparently by Windows XP itself.

The only way I got Hijack This! to install and run was to put it on a floppy and bring it to the infected computer.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:26:51 PM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
c:\fgc\fgcrepl.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\VN7F4C.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\jordanc1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\fgc\f101\fortres.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chs.columbia.k12.fl.us
O17 - HKLM\Software\..\Telephony: DomainName = chs.columbia.k12.fl.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{F925B31C-216B-4CAA-9F30-3BDB95CF8464}: NameServer = 10.40.210.2,150.176.12.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chs.columbia.k12.fl.us
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: FGC Replication (fgcrepl) - Fortres Grand Corporation - c:\fgc\fgcrepl.exe
O23 - Service: Fortres 101 Update (fgcupdate) - Unknown owner - c:\fgc\f101\fgcupd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe


I hope you will be able to help me.

Thanks,

Kenobi

#2 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • General Admin
  • 15,730 posts

Posted 26 August 2005 - 11:20 PM

Your problem most likely stems from running Fortres. (F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\fgc\f101\fortres.exe)

If you did not install it, then use Add/Remove Programs to uninstall it.

Note: you will need to be an administrator (or have admin rights) to do anything.

#3 Kenobi

Kenobi

    New Member

  • Member
  • 6 posts

Posted 26 August 2005 - 11:54 PM

Ok, I will share this with our network administrator on Monday and post the results. So you believe that the security software Fortres may be corrupted? These are school computers and Fortres prevents students from tampering with computer settings.

Could it be anything else? There is a strange entry in the temp folder...

#4 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • General Admin
  • 15,730 posts

Posted 27 August 2005 - 12:01 AM

Cleaning the temp folders would resolve any issue there.

Note: Since these are School computers and there is a Network Administrator, and I assume, School policies, we will not be able to offer any assistance here. All help needs to come from the school IT department.

#5 Kenobi

Kenobi

    New Member

  • Member
  • 6 posts

Posted 27 August 2005 - 12:13 AM

The school IT director gave me permission to research this issue as there was no other available solution (short of an FFR). I understand your position and will relay your advice to the Media center director.

Thank you.
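The two things the replies single out in the log from post #1 (the F2 UserInit line with an extra executable chained after userinit.exe, and the process running from C:\WINDOWS\TEMP) are exactly what a first-pass triage of a HijackThis log should surface automatically. The script below is an added example, not code from the thread or from HijackThis: it parses a few lines copied from the log above, separates the "Running processes" block from the lettered entries, and returns the findings a reviewer would look at first. The function names, the TEMP_DIRS heuristic and the sample-line selection are this example's own assumptions.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Lines copied from the log posted in #1 above, trimmed to a handful for the example.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
c:\\fgc\\fgcrepl.exe
C:\\WINDOWS\\TEMP\\VN7F4C.EXE
C:\\WINDOWS\\Explorer.EXE

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,c:\\fgc\\f101\\fortres.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: FGC Replication (fgcrepl) - Fortres Grand Corporation - c:\\fgc\\fgcrepl.exe
"""

# Heuristic (this example's own): directories where a long-lived process is unusual.
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\temp\\")

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_log(text: str) -> Dict[str, list]:
    """Split a log into the process list and (section, body) entries such as ('F2', ...)."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def temp_processes(processes: List[str]) -> List[str]:
    """Processes whose image lives under a temp directory."""
    return [p for p in processes if any(t in p.lower() for t in TEMP_DIRS)]


def userinit_chain(entries: List[Tuple[str, str]]) -> List[str]:
    """Comma-separated executables named by the UserInit value, in order."""
    for key, body in entries:
        if key == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            return [v.strip() for v in value.split(",") if v.strip()]
    return []


def extra_userinit_entries(entries: List[Tuple[str, str]]) -> List[str]:
    """Everything chained after userinit.exe; the default value names only userinit.exe."""
    return [p for p in userinit_chain(entries) if not p.lower().endswith("\\userinit.exe")]


def protocol_zone_findings(entries: List[Tuple[str, str]]) -> List[str]:
    """O15 lines reporting a protocol mapped to a non-default security zone."""
    return [body for key, body in entries if key == "O15" and "ProtocolDefaults" in body]


def triage(text: str) -> Dict[str, List[str]]:
    """Run all checks and return the items a reviewer should explain or justify."""
    parsed = parse_log(text)
    return {
        "temp_processes": temp_processes(parsed["processes"]),
        "extra_userinit": extra_userinit_entries(parsed["entries"]),
        "protocol_zone_findings": protocol_zone_findings(parsed["entries"]),
    }


if __name__ == "__main__":
    for name, items in triage(SAMPLE_LOG).items():
        print(f"{name}:")
        for item in items:
            print(f"  {item}")
```

Each finding is a question, not a verdict: the extra UserInit entry here belongs to the Fortres product the school deliberately runs, which is why the reply says to check whether it was installed on purpose before removing it, while a randomly named executable running from the TEMP directory has no such explanation on the page and is the entry the reporter should account for first.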
