View Full Version : Command Service/SurfSideKick/SmitFraud-C
CurtisCard
2006-06-23, 05:44
Hello,
I have a Windows 2000 machine that keeps popping up advertisements. There are so many of them that it is impossible to work. I've tried running Spybot 1.4, Adaware SE and Windows Defender (Beta 2), all to no avail.
Can you help?
CurtisCard
2006-06-23, 16:40
Here is my HJT log
Logfile of HijackThis v1.99.1
Scan saved at 10:24:41 AM, on 6/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\UStorSrv.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
\bhsu-tss\TrackIt70\Audit32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINNT\thiselt.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\win3207702162586.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\My Downloads\AntiSpyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://math.bhsu.edu/~ccard/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Black Hills State University
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\iagjw.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,svmmhts.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29237634-CCDA-DD20-A364-9C1C849DE3C7} - C:\WINNT\system32\lsxt.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINNT\system32\nodeipproc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINNT\system32\adrotate.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINNT\DOWNLO~1\mqgold1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\CCZoop05.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [ms03258670216] C:\WINNT\ms03258670216.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [win3207702162586] C:\WINNT\win3207702162586.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/087d27f95ca7127ef505/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150903487870
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://spssevents.webex.com/client/latest/event/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = blackhills.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC358AED-0995-4636-8F16-5DD720D84C52}: NameServer = 206.176.39.72,206.176.39.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = blackhills.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = blackhills.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: UStorage Server Service - OTi - C:\WINNT\system32\UStorSrv.exe
O23 - Service: E4200 (winvnc) - Unknown owner - C:\WINNT\system32\WinVNC.exe" -service (file missing)
teacup61
2006-06-25, 23:15
Hello CurtisCard,
Welcome to Safer Networking Forums :)
You have quite a mess here.:( Is your Anti Virus expired? I see a couple of entries in the services, but not in the running processes.
AVG (http://free.grisoft.com/freeweb.php/doc/2/), Avira (http://www.free-av.com/ ) OR Avast (http://www.avast.com/) are good FREE antivirus.
Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!
We need to uninstall these programs first to make it easier to get rid of leftovers later.
To do this : Click start > controlpanel > add/remove Programs and uninstall the following, if present :
SpywareBot
webHancer Survey Companion or just plain WebHancer
Reboot your computer
Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to it’s own folder (c:\BFU)
RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe
In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do it’s job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Download qoofix.bat (http://downloads.subratam.org/Lon/qooFix.bat) (rightclick on this link and choose save as, if using IE save target as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.
Thanks,
tea
CurtisCard
2006-06-27, 03:09
Tea,
My antivirus software hasn't expired. I'm using Symantec (O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe).
I couldn't find either of the programs
SpywareBot
webHancer Survey Companion or just plain WebHancer
with Add/remove programs.
I've installed BRU and followed your directions, including those about qoofix.bat.
Thanks for the help.
Here is a copy of my HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 8:32:11 AM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\UStorSrv.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\My Downloads\AntiSpyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://math.bhsu.edu/~ccard/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Black Hills State University
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29237634-CCDA-DD20-A364-9C1C849DE3C7} - C:\WINNT\system32\lsxt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINNT\DOWNLO~1\mqgold1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/087d27f95ca7127ef505/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150903487870
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://spssevents.webex.com/client/latest/event/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = blackhills.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC358AED-0995-4636-8F16-5DD720D84C52}: NameServer = 206.176.39.72,206.176.39.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = blackhills.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = blackhills.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: UStorage Server Service - OTi - C:\WINNT\system32\UStorSrv.exe
O23 - Service: E4200 (winvnc) - Unknown owner - C:\WINNT\system32\WinVNC.exe" -service (file missing)
Thanks,
Curtis
teacup61
2006-06-27, 04:51
Hi Curtis,
You did fine.:) Things don't always go as perfectly as we'd like for them to, as malware is so stubborn and sneaky!:fear:
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make. Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.After all of the fixes are complete it is very important that you enable Real-time Protection again.
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:
O2 - BHO: (no name) - {29237634-CCDA-DD20-A364-9C1C849DE3C7} - C:\WINNT\system32\lsxt.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/087d27f9...p/RdxIE601.cab
Close all browsers and other windows except for HijackThis!, and click "Fix Checked".
Next, delete the following folder and file (if they exist):
C:\Program Files\SpywareBot <---this folder
C:\WINNT\system32\lsxt.dll <----this file
Reboot your computer
* Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.* Clean other Temporary files + Recycle bin Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.
Navigate to your Prefetch folder and empty everything in there. Not the folder itself!
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.
Please let me know how your computer is running also.:)
Thanks,
tea
CurtisCard
2006-06-27, 18:47
Hi Tea,
Things are beginning to look a lot better. :) I haven't had any pop-ups recently.:bigthumb:
Here is the DrWeb log.
amm06.ocx;C:\Documents and Settings\markgabel\Local Settings\Temp\ICD1.tmp;Adware.MediaMotor;Incurable.Moved.;
backup-20060623-151307-914.dll;C:\My Downloads\AntiSpyware\backups;Adware.Trafgen;Incurable.Moved.;
backup-20060627-080553-912.dll;C:\My Downloads\AntiSpyware\backups;Adware.MediaMotor;Incurable.Moved.;
horr.exe;C:\Program Files\rust;Trojan.PurityAd;Deleted.;
Dc43.exe;C:\RECYCLER\S-1-5-21-3992112140-617196810-2529002952-1418;Trojan.Click.1211;Deleted.;
idlemg.exe;C:\WINNT;Trojan.DownLoader.5013;Deleted.;
thiselt.exe;C:\WINNT;Trojan.Popuper;Deleted.;
unin101.exe;C:\WINNT;Trojan.Click.1166;Deleted.;
win3206670216258.exe;C:\WINNT;Modification of BackDoor.Generic.987;Moved.;
And the current HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:25:01 AM, on 6/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\system32\LxrJD31s.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\UStorSrv.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\My Downloads\AntiSpyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://math.bhsu.edu/~ccard/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Black Hills State University
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINNT\DOWNLO~1\mqgold1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150903487870
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://spssevents.webex.com/client/latest/event/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = blackhills.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC358AED-0995-4636-8F16-5DD720D84C52}: NameServer = 206.176.39.72,206.176.39.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = blackhills.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = blackhills.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: UStorage Server Service - OTi - C:\WINNT\system32\UStorSrv.exe
O23 - Service: E4200 (winvnc) - Unknown owner - C:\WINNT\system32\WinVNC.exe" -service (file missing)
Thanks again. I feel like we are making progress,:D
Curtis
teacup61
2006-06-28, 00:33
Hello again,
Great to hear! Looks a lot better from this end too.:) You did a great job!
If you or an administrator did not set this entry, then run HijackThis and place a check next to the following:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Close all browsers and other windows except for HijackThis!, and click "Fix Checked".
Click Start Menu > Run > type (or copy and paste)
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.
Next goto Start Menu > Run > type
cleanmgr
Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.
To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.
Your log looks clean, but I'd really like a last scan to make sure nothing is lurking in the background.;)
Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online http://www.pandasoftware.com/products/activescan.htm
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply please. Computer still running well?
Thanks,
tea
CurtisCard
2006-06-28, 02:45
Hi again,:confused:
When I attempted to create a restore point I got the following message in a popup dialog box
c:\WINNT\System32\restore is not accessible.
This folder was moved or removed.
I did a search on the entire drive for the restore folder and the executable rstrui.exe, but couldn't find either. I'm running Windows 2000. Could that be
the problem?
Consequently, I didn't continue (yet) with your last instructions.
Thanks,
Curtis
teacup61
2006-06-28, 03:50
Hello,
Let's do it this way.:)
To delete all the restore points on your computer, disable and re-enable System Restore on the system. Click Start, Control Panel, and then the System icon. Click on the System Restore tab in the dialog box, select the Turn off System Restore check box, and click Apply. Clear the check box again to re-enable System Restore and then click OK
CurtisCard
2006-06-28, 04:27
I tried that also. There is no system restore tab.
teacup61
2006-06-28, 05:15
Okay, go ahead with the Panda scan, and I'll see what I can find out about your system restore.:)
CurtisCard
2006-06-28, 17:27
:( Tea,
I'm not sure what's happening, but when I attempt a Panda Online scan, the process ends after scanning about 7000 files (the progress bar has barely moved) and it says that no virus or malicious software have been found. Since this didn't seem valid, I've attempted re-running the scan about a dozen times with similar results. I even rebooted and shutdown bewteen several of the attempts at scanning online.
I then attempted this on a couple of Windows XP machines and everything worked fine. Any ideas?
Thanks,
Curtis
teacup61
2006-06-28, 22:51
Hi,
No problem on the system restore.:) Can I see a new HijackThis log please?
CurtisCard
2006-06-29, 03:52
Tea,
Here is a copy of my most recent HJT:
Logfile of HijackThis v1.99.1
Scan saved at 6:36:50 PM, on 6/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\system32\LxrJD31s.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\UStorSrv.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\My Downloads\AntiSpyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://math.bhsu.edu/~ccard/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Black Hills State University
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINNT\DOWNLO~1\mqgold1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150903487870
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://spssevents.webex.com/client/latest/event/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = blackhills.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC358AED-0995-4636-8F16-5DD720D84C52}: NameServer = 206.176.39.72,206.176.39.90
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = blackhills.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = blackhills.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: UStorage Server Service - OTi - C:\WINNT\system32\UStorSrv.exe
O23 - Service: E4200 (winvnc) - Unknown owner - C:\WINNT\system32\WinVNC.exe" -service (file missing)
Thanks for all your help,
Curtis:)
teacup61
2006-06-29, 08:15
Hi Curtis,
Your log looks clean.:) How is it running?
Don't forget to reenable Windows Defender.
My bad on the system restore question. The information came from Microsoft, on the Windows 2000 page, but was still for xp.....go figure. I'm sorry if I caused undue worry.:blush:
Are you getting any errors when Panda stops?
CurtisCard
2006-06-29, 13:24
Hi Tea,
I haven't seen any popups for quite a while and the system seems to be running faster. :)
Panda doesn't report any errors, but I don't trust it. As I mentioned in an earlier post, it only scans about 7000 files, the progress bar barely moves, and it only runs for about 5 minutes. When I scanned with Spybot or Ad-Aware SE, a deep scan takes over 30 minutes and scans over 200,000 files. Something is clearly amiss.
Thanks,
Curtis
teacup61
2006-06-30, 04:22
Hi Curtis,
Okay, let's forget Panda. It can be quirky anyway, and your log is clean, but I'd really like a last scan just to be sure. I know you're ready to be declared clean, as I would be too.:D
Could you please run another scan with Dr. Web? Post the result in your reply please. How is it running now that you've had some time with it?
Thanks,
tea
CurtisCard
2006-06-30, 20:39
Hi Tea,:) :)
Everything appears to working fine. I can't believe the improvement in the system's performance.
Here is my latest Dr Web log:
amm06.ocx;C:\Documents and Settings\curtiscard\DoctorWeb\Quarantine;Adware.MediaMotor;;
backup-20060623-151307-914.dll;C:\Documents and Settings\curtiscard\DoctorWeb\Quarantine;Adware.Trafgen;;
backup-20060627-080553-912.dll;C:\Documents and Settings\curtiscard\DoctorWeb\Quarantine;Adware.MediaMotor;;
ieatgpc.dll;C:\Documents and Settings\curtiscard\DoctorWeb\Quarantine;Adware.WebEx;;
Curtis
teacup61
2006-07-01, 00:16
Hi,
Looks good to me, and glad it's running so well!:)
Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.
You should definitely maintain a firewall. Some good free firewalls are ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za), or Outpost (http://www.agnitum.com/products/outpostfree/download.php)
A tutorial on understanding and using firewalls may be found here (http://www.bleepingcomputer.com/forums/tutorial60.html)
Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.
In order to protect yourself against spyware, you should consider installing and running the following free programs:
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here (http://www.bleepingcomputer.com/forums/tutorial49.html).
SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html)
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here (http://www.bleepingcomputer.com/forums/tutorial50.html).
Ad-Aware SE (http://www.lavasoftusa.com/software/adaware)
A tutorial on using Ad-Aware to remove spyware from your computer may be found here (http://www.bleepingcomputer.com/forums/tutorial48.html).
A tutorial on using Spybot to remove spyware from your computer may be found here (http://www.bleepingcomputer.com/forums/tutorial43.html). Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm)
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.
* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.
Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
Please make sure to run your antivirus software regularly, and to keep it up-to-date.
Take care!
tea
As the problem appears to be resolved this topic will be archived. :bigthumb:
If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.
Glad we could help, thank you tea :)