Virus / and adware

  1. #1
    Registered User thorian's Avatar
    Join Date
    Aug 2004
    Posts
    280

    Virus / and adware

    OK, so my boss's box had 3 trojans on it; cleaned them off. And there was a copy of Virtual Bouncer and another of the extortionware spyware removers. I uninstalled them, cleaned the trojans and ran Ad-Aware and Spybot Search & Destroy until they came up with nothing left to fix, 190-some-odd problems in all. However, he is still getting popups without any windows being opened.

    Here is the HijackThis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:42:12 AM, on 10/8/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mnmsrvc.exe
    c:\pavfn\platinum\Pavsrv50.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    c:\pavfn\platinum\AVENGINE.EXE
    C:\WINNT\TIREMOTE\wuser32.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\kukuty.exe
    C:\pavfn\platinum\APVXDWIN.EXE
    C:\pavfn\Remupd.exe
    C:\Program Files\SED\SED.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\macromed\flash\GetFlash.exe
    A:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cig/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cig
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ScanInicio] c:\pavfn\platinum\inicio.exe
    O4 - HKLM\..\Run: [APVXDWIN] c:\pavfn\platinum\APVXDWIN.EXE
    O4 - HKLM\..\Run: [Agente] c:\pavfn\Remupd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\RunServices: [PandaScheduler] c:\pavfn\platinum\Pavsched.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://cig
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7470.392662037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://advancedmeetings.webex.com/c...ex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = colinsgrp.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD604A9-FD81-4601-AA64-83AE59022770}: Domain = colinsgrp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = colinsgrp.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = colinsgrp.com
    WOTPP Recruit.

    http://www.lp.org/ http://www.badnarik.org/

  2. #2
    Registered User GreenGrime's Avatar
    Join Date
    Oct 2004
    Location
    Right here, right now
    Posts
    181
    This line looks weird: O14 - IERESET.INF: START_PAGE_URL=http://cig

    Remove it and see.


    Also, the popups could be occurring because the Messenger service is still enabled under Windows.

  3. #3
    Registered User hudsonsmith's Avatar
    Join Date
    Feb 2003
    Location
    New York
    Posts
    2,276
    Kill these:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cig/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cig
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    These look worrisome as well:
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

    Very important: Run hijack in same mode to delete the above entries. Then delete the files referenced as well.
    Probability factor of one to one...we have normality, I repeat we have normality. Anything you still can't cope with is therefore your own problem.

  4. #4
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Give a2 a go; it has a different perspective. It turns up stuff that spybot and adware don't look for.
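
An added example, not part of any post above or of HijackThis itself: a small Python parser for the `CODE - detail` entry lines of a HijackThis log that collapses duplicate entries and flags some for manual review. The sample lines are copied from the log in this thread; the three flagging rules are illustrative heuristics assumed here, not HijackThis's own logic.

```python
import re
from collections import Counter

# Sample input: a few entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [APVXDWIN] c:\pavfn\platinum\APVXDWIN.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""

# Entry lines look like "O4 - ..."; header and process-path lines do not match.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# Assumed heuristic: a DPF entry with no "(Class Name)" between GUID and URL.
NAMELESS_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\} - \S+")

def parse_entries(text):
    """Return a Counter of (code, detail) for every 'CODE - detail' line."""
    entries = Counter()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2))] += 1
    return entries

def triage(text):
    """Return (code, detail, count, reasons) for entries worth a manual look."""
    findings = []
    for (code, detail), count in parse_entries(text).items():
        reasons = []
        if detail.endswith("(no file)"):
            reasons.append("registry entry points at a missing file")
        if code == "O10" and "Unknown file in Winsock LSP" in detail:
            # Removing an LSP DLL without repairing the Winsock catalog
            # can break networking, so treat this as a repair task.
            reasons.append("unrecognised LSP: repair the Winsock chain")
        if code == "O16" and NAMELESS_DPF_RE.match(detail):
            reasons.append("downloaded ActiveX control with no class name")
        if reasons:
            findings.append((code, detail, count, reasons))
    return findings

if __name__ == "__main__":
    for code, detail, count, reasons in triage(SAMPLE_LOG):
        print(f"{code} x{count}: {detail}\n    -> {'; '.join(reasons)}")
```

Entries that are not flagged, such as the O4 autostart lines, still need a human to decide whether the program belongs on the machine.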
