|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
03-12-2005, 01:11 PM
|
#1 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Ottawa
Posts: 8
OS: Win 2000
|
HJT Log - have run Ad Aware and Spybot S&D and still getting overloaded with pop ups
Hi folks,
I have managed to get my PC to boot up - finally. I ran Ad Aware SE (latest patch level) and found 9 items mostly iSearch. Then I ran Spybot S&D (latest patch level) and nothing was found. I'm still getting bombarded with popups. Any help would be greatly appreciated. Thanks, Sherm Logfile of HijackThis v1.99.1 Scan saved at 3:03:10 PM, on 12/03/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINNT\system32\internat.exe C:\WINNT\system32\dvdconv.exe C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe C:\WINNT\System32\rsvp.exe C:\Program Files\NetAssistant\bin\mpbtn.exe C:\downloads\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.42.87.219/sidesearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local> F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: (no name) - {207AEF46-0596-4966-A7BF-098F247E85BB} - (no file) O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe" O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [RSync] C:\WINNT\system32\netsync.exe O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe O4 - HKLM\..\Run: [rvxhtj] c:\winnt\system32\rvxhtj.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - HKCU\..\Run: [I02qRWc3Q] dvdconv.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/...s/MsnPUpld.cab O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/c...on=4,3,2,20802 O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
03-12-2005, 04:23 PM
|
#2 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,164
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p Please be patient with me during this time.
__________________
 .jpg) Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!! The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!! 
|
|
|
|
|
03-13-2005, 08:36 AM
|
#3 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,164
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
Hello again and Welcome to TSF
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Scan your pc with Housecall. Its a free online scanner. Be sure to put a check the box beside AutoClean The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! ( Alternate Link if main link don't work) and install it. You will use this later. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one (You must kill them one at a time). C:\WINNT\system32\dvdconv.exe Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.42.87.219/sidesearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll O3 - Toolbar: (no name) - {207AEF46-0596-4966-A7BF-098F247E85BB} - (no file) O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe O4 - HKLM\..\Run: [rvxhtj] c:\winnt\system32\rvxhtj.exe O4 - HKCU\..\Run: [I02qRWc3Q] dvdconv.exe O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com...es/MsnPUpld.cab O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/...ion=4,3,2,20802 O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) Please remember to close all other windows, including browsers then click Fix checked. Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINNT\system32\dvdconv.exe C:\WINNT\system32\rsyncmon.dll C:\WINNT\isrvs\desktop.exe C:\WINNT\farmmext.exe c:\winnt\system32\rvxhtj.exe Locate and delete this file, it may or may not be there: farmmext.ini Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Empty your Recycle Bin. Reboot your System in normal mode. Please post a fresh Hijack This log so that we can check if your system is clean.
__________________
Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!! The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!!
|
|
|
|
|
03-13-2005, 02:35 PM
|
#4 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Ottawa
Posts: 8
OS: Win 2000
|
New HJT Log
Hi Geekgirl,
Thank you very much for the instructions. I think I followed them as you described. Here is my new HJT Log Logfile of HijackThis v1.99.1 Scan saved at 4:33:21 PM, on 13/03/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe C:\WINNT\system32\internat.exe C:\WINNT\System32\rsvp.exe C:\Program Files\NetAssistant\bin\mpbtn.exe C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe C:\WINNT\explorer.exe C:\downloads\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local> F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" O4 - HKLM\..\Run: [RSync] C:\WINNT\system32\netsync.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe Thank you very much for all your help. Sincerely, Sherm |
|
|
|
|
03-14-2005, 07:52 AM
|
#5 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,164
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|
Hello again log looking good, one thing left
Turn off System Restore by doing the following: Click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O4 - HKLM\..\Run: [RSync] C:\WINNT\system32\netsync.exe Please remember to close all other windows, including browsers then click Fix checked. Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINNT\system32\netsync.exe Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Empty your Recycle Bin. Reboot your System in normal mode. Please post a fresh Hijack This log so that we can check if your system is clean.
__________________
Compare NOD32 to your current antivirus and anti-spyware solution, HERE How to back up and restore the registry in Windows XP and Windows Vista Or Windows 7 How to back up and restore the registry in Windows 98/ ME / NT 4.0 / 2000 I DO NOT ACCEPT EMAILS AND WILL NOT REPLY TO THEM !!!!! TSF DOES NOT SUPPORT ASSISTANCE THROUGH EMAIL OR PRIVATE MESSAGES, PLEASE KEEP ALL QUESTIONS IN THE OPEN FORUM The Pittsburgh Steelers - 6 X Superbowl Champions !!!!!!! The Pittsburgh Penguins - 2009 Stanley Cup Champions !!!!!!!
|
|
|
|
|
03-19-2005, 05:29 PM
|
#6 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Ottawa
Posts: 8
OS: Win 2000
|
Hi again.
Sorry for the delay. My power supply in the ole beast died and took a while to get it replaced. Here is a log file for your review. Thanks again for everything. Sherm ___________________ Logfile of HijackThis v1.99.1 Scan saved at 7:27:15 PM, on 19/03/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe C:\WINNT\system32\internat.exe C:\WINNT\System32\rsvp.exe C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe C:\Program Files\NetAssistant\bin\mpbtn.exe C:\downloads\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local> F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - Global Startup: Corel Colleagues & Contacts Reminders.LNK = C:\Program Files\Corel\Print Office\cffrem.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/...s/MsnPUpld.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe |
|
|
|
|
03-20-2005, 04:08 PM
|
#7 (permalink) |
|
Analyst, Security Team
|
One more to go...
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINNT\system32\rsyncmon.dll Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
03-27-2005, 06:59 PM
|
#8 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: Ottawa
Posts: 8
OS: Win 2000
|
Here is the results from running KRC Hijack This Analyzer.exe
Thanks for all the help. Hopefully, we are getting close... ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 8:55:25 PM, on 27/03/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe C:\WINNT\System32\rsvp.exe C:\downloads\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local> F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/...s/MsnPUpld.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
|
|
|
|
03-28-2005, 07:48 AM
|
#9 (permalink) |
|
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
|
Your log is clean. If you disabled System Restore, make sure to enable it now.
To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
 GO BIG BLUE!! |
|
|
|
| Thread Tools | |
|
|
