jmorin1
asked on
Spyware and Hijackthis log
I ran the following utils.
Spysweeper
Adaware
spybot
I am unable to clean this machine effectively. I am running WINDOWS 2000 PRO with the latest updates. Attached is a log from hijackthis. I noticed that popups occur and cookies are added to my cookie folder without even launching Internet Explorer. The list of usual suspects is the following:
z1.adserver[1].txt
www.sandboxer2.txt
servedby.advertising.txt
Attached is a log from hijackthis.
Logfile of HijackThis v1.97.7
Scan saved at 12:27:10 PM, on 9/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Paul Bunyan\pbserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\uptodate.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\WINNT\rundll16.exe
C:\WINNT\System32\Fqr9U5vF.exe
C:\WINNT\System32\Uguf65HV.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\taskmgr.exe
C:\TEMP\temp\JM\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32/left.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINNT\system32\inetp60.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Vrxu.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINNT\system32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINNT\system32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [zhkphwirubec] C:\WINNT\system32\wgrxffxd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.6120833333
Please help,
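As an added triage example (not code from this thread or from HijackThis), the Python below parses the R/O entries of a log like the one above and lists the ones worth a second look. The sample is an excerpt of the posted log; the heuristics (search page pointing at a local file, unnamed BHO, rundll32-launched DLLs, random-looking names, non-Microsoft ActiveX downloads) are my assumptions about what to review, not verdicts.

```python
import re
# Constructed excerpt of the HijackThis log posted in the question above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32/left.html
O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINNT\system32\inetp60.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Vrxu.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINNT\system32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [zhkphwirubec] C:\WINNT\system32\wgrxffxd.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB
"""
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r"[^\\\s]+\.exe", re.I)  # basename of the first .exe in a command

def looks_random(token):
    """Heuristic (my assumption, not a HijackThis rule): a name with no vowels,
    or with digits wedged between letters, is rarely a vendor's product name."""
    stem = token.rsplit(".", 1)[0]
    if len(stem) < 4:
        return False
    return (re.search(r"[aeiouy]", stem, re.I) is None
            or re.search(r"[A-Za-z]\d+[A-Za-z]", stem) is not None)

def triage(log_text):
    """Return (kind, reason, entry) for each entry that deserves a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines and the running-process list are skipped
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and "file://" in body.lower():
            findings.append((kind, "search/start page points at a local file", body))
        elif kind == "O2" and "(no name)" in body:
            findings.append((kind, "browser helper object with no name", body))
        elif kind == "O4" and (r := RUN_RE.match(body)):
            name, cmd = r.group("name"), r.group("cmd")
            exe = EXE_RE.search(cmd)
            if exe and exe.group(0).lower() == "rundll32.exe" and ".dll," in cmd.lower():
                findings.append((kind, "Run key starts rundll32 on a DLL export", body))
            elif looks_random(name) or (exe and looks_random(exe.group(0))):
                findings.append((kind, "random-looking Run name or executable", body))
        elif kind == "O16" and "microsoft.com" not in body.lower():
            findings.append((kind, "ActiveX download from a non-Microsoft host", body))
    return findings

if __name__ == "__main__":
    for kind, reason, entry in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {entry}")
```

Flagged entries are review candidates, not a fix list; compare them against what the machine is known to run before removing anything with HijackThis.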
SOLUTION
ASKER
I am doing as you outlined. I have not finished and need to ask the following. Should I use Stinger if I already have Norton Antivirus on the workstation? Thank you for the input.
SOLUTION
Run Spybot Search and Destroy in safe mode, or better yet, run all the programs listed above in safe mode.
ASKER
The problem appears to have been remedied. Excellent feedback! Thank you so much! I will monitor the situation and add those suggestions and tools to my toolkit!
A million thanks! One more thing if I might:
I noticed that a toolbar folder was created in the program files folder. I can't delete the folders. The OS responds by telling me access denied. I have administrative rights on this local machine. The path is as follows:
program files\toolbar\skins
I looked at the folder attributes and they are not restricted in any sense. I will award you the points sheharyaasaahil but was wondering if I might run into future spyware issues if this folder does not get removed.
SOLUTION
ASKER CERTIFIED SOLUTION
jmorin1
Perhaps an update on your situation is in order?
Any on-going problems?
RF
ASKER
I will have an answer sometime tomorrow regarding the deleting of the folder. I am concerned because I was logged in as the administrator and could not do anything with it by way of deletion. I will be back in the location of the machine that I could not delete the folder.
I have to close out this original issue and award the majority to the core of the main issue. Thank you one and all for your support!
and then post the LOG here >> http://www.hijackthis.de/index.php?langselect=english
It will automatically analyse it for you, so you can fix the entries yourself :)