
xxxxxx.exe file planted in C:\WINNT


Name: RuthR
Date: March 25, 2004 at 04:19:13 Pacific
OS: WIN2k SP3 updated to SP4
CPU/Ram: Pentium p4, 256MB
Comment:

One of my network users is "infected" with something, it's not picked up by any AV software. An exe file is planted in the WINNT directory, and a shortcut to it is created in the user's Startup and the All Users Startup folder. A registry entry is created. The filename is any-combination-of-6-letters.exe.
If I end the process in Task Manager, delete the .exe file, remove the shortcut that it places in the Startup folder, and delete the registry key pertaining to it, it will re-form with a different filename the next time I log on. The only discernible effect I can tell is that it seems to cause Word to crash, and the user cannot print anything from Word either; the print spooler fails. But I can't stop it happening! Help! I tried Spybot, Ad-Aware and Shredder in SAFE mode and offline and it still re-propagates itself. Also SP-ed the OS (Win 2K). Have now run HijackIt and received the log as below: (Actually, after deleting the user profile and doing all of the above it seems much "cleaner" now)

Logfile of HijackThis v1.97.7
Scan saved at 11:03:22, on 25/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0809/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.2:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.yahoo.com/
F1 - win.ini: load= dvwin.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINNT\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PspContr] PspContr.exe
O4 - HKLM\..\Run: [PspUsbCf] PspUsbCf.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37901.3445138889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ckft.local.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ckft.local.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ckft.local.com




Response Number 1
Name: El-Trucha
Date: March 25, 2004 at 10:53:51 Pacific
Reply:

It's HijackThis, not HijackIt!!! :)

El-Trucha



Response Number 2
Name: Abnormal
Date: March 25, 2004 at 11:55:19 Pacific
Reply:

First, move Hijack This to a permanent directory like c:\program files\hijack this\hijackthis.exe. This way we can make backups if something goes wrong.

Put a check next to these, click "fix checked" and reboot.

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINNT\BrowserHelper.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab

There may be something I missed. Some other log-reading sites, for a second opinion:

http://www.wilderssecurity.com/archive/

http://forums.net-integration.net/

http://www.computercops.biz/modules.php?name=Forum/

http://spywarewarrior.com/

http://forums.tomcoyote.com/


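As an added example (this is not code from the thread, from Computing.Net or from HijackThis itself), the following Python script reads lines in the HijackThis log format shown above and flags the entries a reviewer would want to look at before ticking "fix checked": legacy win.ini/system.ini autostart hooks (the F1 line in the posted log), a BHO loaded straight out of the Windows directory (C:\WINNT\BrowserHelper.dll), Run entries given as a bare program name with no path (Promon.exe, PspContr.exe, PspUsbCf.exe in the posted log, which Windows resolves through its search path, so the file that actually runs has to be located before judging it), an ActiveX download from a host outside a small allowlist, and the pattern the original poster describes: a six-letter .exe started from C:\WINNT. The Windows directory (C:\WINNT) and the allowlist of download hosts are assumptions for the example; the two qwerty.exe lines in the sample log are constructed, not taken from the page.

```python
import re
from typing import List, Tuple

# Windows 2000 installs to C:\WINNT by default; the Windows directory is an
# assumption for this example and should be read from %SystemRoot% in practice.
WINDOWS_ROOT = r"C:\WINNT"

# "O4 - HKLM\..\Run: [name] C:\path\prog.exe" -> section code and the rest.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Drive-letter paths ending in a loadable extension; spaces allowed (Program Files).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|ocx|cab|scr)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
# The naming pattern the original poster reports: exactly six letters plus .exe.
SIX_LETTER_RE = re.compile(r"^[A-Za-z]{6}\.exe$")
# Hosts from which O16 (ActiveX download) entries are expected here. This
# allowlist is an assumption for the example; tune it per environment.
TRUSTED_DPF_HOSTS = ("windowsupdate.microsoft.com", "download.macromedia.com")

# Constructed sample in HijackThis v1.97 format. The lines are taken from the
# log posted above except the two "qwerty.exe" entries, which are hypothetical
# and illustrate the autostart pattern the original poster describes.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
F1 - win.ini: load= dvwin.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINNT\BrowserHelper.dll
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [qwerty] C:\WINNT\qwerty.exe
O4 - Global Startup: qwerty.lnk = C:\WINNT\qwerty.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37901.3445138889
"""


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows directory, not a subfolder."""
    directory = path.rpartition("\\")[0]
    return directory.lower() == WINDOWS_ROOT.lower()


def host_is_trusted(host: str) -> bool:
    """Exact or subdomain match against the (assumed) allowlist."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def analyze(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries that deserve a manual check."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, "Running processes:" list, blank lines
        section, body = m.group("section"), m.group("body")
        paths = PATH_RE.findall(body)

        if section in ("F0", "F1", "F2", "F3"):
            # win.ini / system.ini load=, run= and shell= are legacy autostart
            # hooks that are normally empty; anything listed runs at logon.
            findings.append((line, "legacy ini autostart entry; verify the named program"))
        elif section == "O2" and any(in_windows_root(p) for p in paths):
            findings.append((line, "BHO loaded from the Windows directory root instead of an application folder"))
        elif section == "O4":
            if not paths:
                # A bare name is resolved through the search path at logon, so
                # the file that actually runs has to be located before judging it.
                findings.append((line, "autostart entry without a full path; locate the binary first"))
            for p in paths:
                name = p.rpartition("\\")[2]
                # The six-letter test alone also matches legitimate programs
                # (vptray.exe in the posted log), so require the Windows-root
                # location as well, matching the poster's description.
                if in_windows_root(p) and SIX_LETTER_RE.match(name):
                    findings.append((line, "six-letter .exe in the Windows directory, the pattern described in the post"))
        elif section == "O16":
            for url in URL_RE.findall(body):
                host = url.split("/")[2].lower()
                if not host_is_trusted(host):
                    findings.append((line, "ActiveX download from unlisted host " + host))
    return findings


if __name__ == "__main__":
    for entry, why in analyze(SAMPLE_LOG):
        print(why)
        print("    " + entry)
```

Run against the sample it reports six entries: the F1 line, the C:\WINNT BHO, the bare Promon.exe Run entry, both constructed qwerty.exe entries and the imgfarm.com download; the Adobe BHO, vptray.exe and the Windows Update control pass. The location test is what keeps vptray.exe out: its name is six letters too, which shows why the poster's filename pattern on its own is not a usable indicator. The script only points at lines to verify; it does not decide that a file is malicious, and a bare-name Run entry in particular still needs the real file found (System32 is the usual place) before it is removed.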
