mnierman

Posts posted by mnierman

  1. :D Thanks, I thought those looked iffy. When I rebooted it gave me an error: can't find system32\spoolsrv32.exe. I don't see that entry in this current log though.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:42:53 PM, on 2/18/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\wuauclt.exe
    C:\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

  2. Updated HijackThis 1.99.1 log.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:10:57 PM, on 2/16/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\System32\svchost.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2D07800E-E1ED-4AF1-93FE-536B6EE56833} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {57952DE8-9126-B7FD-7B66-99DC4C3FE5C9} - C:\WINNT\system32\wvruqlag.dll
    O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINNT\system32\javafix3.dll
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
    O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

  3. Ok - my symptom is n?otepad.exe running and I can't get rid of it. Rapid blaster doesn't find anything. I've deleted and shredded it with CWShredder but it keeps coming back. Logged into safe mode, ran Trend Micro's free online scan and it removed some stuff, then ran Symantec security online check, then ran McAfee AVERT Stinger. Downloaded and ran up-to-date Ad-Aware SE and Spybot. Ran CCleaner. After reboot it locks in a black screen; if I reboot it does the same; if I then CTRL-ALT-DEL and log off I can log back on and get in, but it puts a spyware warning as an active desktop item (desktop.html). By right-clicking way on the edge of the screen I can disable the desktop.html file and get to my desktop. Network access to my other computer is iffy and there is a yellow triangle that keeps popping up a spyware warning. Below is my HijackThis log. Thanks, this one is messing with me.

    Logfile of HijackThis v1.99.0
    Scan saved at 7:20:01 PM, on 2/15/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\mshelp32.exe
    C:\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2D07800E-E1ED-4AF1-93FE-536B6EE56833} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {57952DE8-9126-B7FD-7B66-99DC4C3FE5C9} - C:\WINNT\system32\wvruqlag.dll
    O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINNT\system32\javafix3.dll
    O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [mshelp32] C:\WINNT\system32\mshelp32.exe
    O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [Jxe] C:\WINNT\system32\n?tepad.exe
    O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NvCplScan - Unknown - C:\WINNT\system32\winasp.exe (file missing)
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe