OK, here we go. I have installed and run:
CWShredder
Spybot S&D
AdAware
McAfee Stinger
I rebooted after each. I even ran each of them a second time to check that what they had removed hadn't reinstalled. All came back clear on the second running.
I have now run HijackThis. I have copied the log file & the startup list below.
NOTE: The process that is causing the problems is C:\TEMP\GLBF.tmp
I can end this process and delete the executables from C:\TEMP. However, upon restarting it has been reinstalled and restarted. This process, while it is running, uses up a huge amount of the system resources, making it very difficult to run anything.
HijackThis log file:
Logfile of HijackThis v1.99.0
Scan saved at 16:28:57, on 16/12/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\cusrvc.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tapisrv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINNT\system32\rasman.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\WBEM\winmgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\IBM\CLIENT~1\cwbbs.exe
C:\PROGRA~1\IBM\CLIENT~1\cwbntred.exe
C:\WINNT\system32\nddeagnt.exe
C:\Program Files\IBM\Client Access\CWBPROVD.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\IBM\Client Access\cwbuitsk.exe
C:\Program Files\IBM\Client Access\CWBSVD.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\Program Files\Novell\ZENworks\naldesk.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\PROGRA~1\Plus!\MICROS~1\IEXPLORE.EXE
U:\Snapshot\Utils\WMICORE.exe
C:\TEMP\GLBF.tmp
K:\OpsSupport\SoftwareDownloads\Spyware Removal\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.qbe-europe.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;10.0.0.0;172.30.0.0;192.23.134.253;*.itnetplc.com;ecase.ricksons.co.uk;*qbe-warranty.com;<local>
F2 - REG:system.ini: UserInit=C:\PROGRA~1\IBM\CLIENT~1\cwbbs.exe,C:\PROGRA~1\IBM\CLIENT~1\cwbntred.exe,C:\PROGRA~1\IBM\CLIENT~1\cwbprovd.exe,userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [NAL] naldesk.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKCU\..\RunOnce: [MovingCacheA Wininet Settings] rundll32.exe C:\WINNT\System32\wininet.dll,RunOnceUrlCache C:\WINNT\Profiles\SHARDY\TEMPOR~1
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = qbe-europe.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = qbe-europe.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qbe-europe.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qbe-europe.com
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: Client Access Remote Command - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
Startup List:
StartupList report, 16/12/04, 16:29:16
StartupList version: 1.52.2
Started from : K:\OpsSupport\SoftwareDownloads\Spyware Removal\HijackThis\HijackThis.EXE
Detected: Windows NT 4 SP6 (WinNT 4.00.1381)
Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
* Using default options
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\cusrvc.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tapisrv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINNT\system32\rasman.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\WBEM\winmgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\IBM\CLIENT~1\cwbbs.exe
C:\PROGRA~1\IBM\CLIENT~1\cwbntred.exe
C:\WINNT\system32\nddeagnt.exe
C:\Program Files\IBM\Client Access\CWBPROVD.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\IBM\Client Access\cwbuitsk.exe
C:\Program Files\IBM\Client Access\CWBSVD.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\Program Files\Novell\ZENworks\naldesk.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\PROGRA~1\Plus!\MICROS~1\IEXPLORE.EXE
U:\Snapshot\Utils\WMICORE.exe
C:\TEMP\GLBF.tmp
K:\OpsSupport\SoftwareDownloads\Spyware Removal\HijackThis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup]
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\PROGRA~1\IBM\CLIENT~1\cwbbs.exe,C:\PROGRA~1\IBM\CLIENT~1\cwbntred.exe,C:\PROGRA~1\IBM\CLIENT~1\cwbprovd.exe,userinit,nddeagnt.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
NDPS = C:\WINNT\System32\dpmw32.exe
NWTRAY = NWTRAY.EXE
Client Access Service = "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
Client Access Taskbar = "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
Client Access API Daemon = "C:\Program Files\IBM\Client Access\cwbappcd.exe"
Client Access Check Version = "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
fwenc.exe = "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
NAL = naldesk.exe
ZENRC Tray Icon = zentray.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
MovingCacheA Wininet Settings = rundll32.exe C:\WINNT\System32\wininet.dll,RunOnceUrlCache C:\WINNT\Profiles\SHARDY\TEMPOR~1
--------------------------------------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
--------------------------------------------------
Enumerating Task Scheduler jobs:
{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_PC-0247_Administrator.job
--------------------------------------------------
Enumerating Download Program Files:
[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
CODEBASE =
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE =
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINNT\System32\webcheck.dll
--------------------------------------------------
End of report, 5,986 bytes
Report generated in 0.380 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Thanks,
Simon