mnierman Posted February 16, 2005

OK, my symptom is n?otepad.exe running and I can't get rid of it. Rapid Blaster doesn't find anything. I've deleted and shredded it with CWShredder but it keeps coming back. Logged into safe mode, ran Trend Micro's free online scan and it removed some stuff, then ran the Symantec Security online check, then ran McAfee AVERT Stinger. Downloaded and ran up-to-date Ad-Aware SE and Spybot. Ran CCleaner. After reboot it locks in a black screen; if I reboot it does the same; if I then Ctrl-Alt-Del and log off I can log back on and get in, but it puts a spyware warning as an active desktop item (desktop.html). By right-clicking way on the edge of the screen I can disable the desktop.html file and get to my desktop. Network access to my other computer is iffy and there is a yellow triangle that keeps popping up a spyware warning. Below is my HijackThis log. Thanks, this one is messing with me.

Logfile of HijackThis v1.99.0
Scan saved at 7:20:01 PM, on 2/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\mshelp32.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D07800E-E1ED-4AF1-93FE-536B6EE56833} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57952DE8-9126-B7FD-7B66-99DC4C3FE5C9} - C:\WINNT\system32\wvruqlag.dll
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINNT\system32\javafix3.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mshelp32] C:\WINNT\system32\mshelp32.exe
O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Jxe] C:\WINNT\system32\n?tepad.exe
O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NvCplScan - Unknown - C:\WINNT\system32\winasp.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
Dan Posted February 16, 2005

Hi mnierman,

I am looking at your log and will have a response soon.

dk
Dan Posted February 16, 2005

Hi,

This morning HijackThis version 1.99.1 has come out. Please download that from http://dknoppix.com/Downloads/HijackThis.exe

Post a new log with that version.

Thanks,
dk
mnierman Posted February 16, 2005 (Author)

Updated HijackThis 1.99.1 log.

Logfile of HijackThis v1.99.1
Scan saved at 4:10:57 PM, on 2/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D07800E-E1ED-4AF1-93FE-536B6EE56833} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57952DE8-9126-B7FD-7B66-99DC4C3FE5C9} - C:\WINNT\system32\wvruqlag.dll
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINNT\system32\javafix3.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
Dan Posted February 17, 2005

Hi mnierman,

I will be reviewing your HijackThis log. Open HijackThis, press the "Scan" button, and check the following items:

O2 - BHO: (no name) - {2D07800E-E1ED-4AF1-93FE-536B6EE56833} - (no file)
O2 - BHO: (no name) - {57952DE8-9126-B7FD-7B66-99DC4C3FE5C9} - C:\WINNT\system32\wvruqlag.dll
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINNT\system32\javafix3.dll
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-7173706D1316} - (no file)
O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)

Close all windows except HijackThis, and click the "Fix Checked" button.

Reboot into Safe Mode. To do this:
* During reboot immediately begin tapping the F8 key when the OS is starting to load up
* Windows Advanced Options menu appears.
* Use the arrow keys to select Safe mode
* press Enter.

When Safe Mode boots up, find the following file and delete it:
C:\WINNT\System32\spoolsrv32.exe

Reboot and post a new log.

dk
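The selection Dan makes above (unnamed BHOs with no file or a DLL in system32, the RunOnce entries, the added Trusted Zone sites) and the look-alike n?tepad.exe from the first post can be turned into a repeatable triage. The script below is an added example written for this page; it is not HijackThis's own logic and not code from anyone in the thread. The flagging rules are assumptions chosen to reproduce the fix list here, and the sample log is a constructed subset of the entries posted above, copied as HijackThis printed them.

```python
"""Triage a HijackThis-style log: flag the entry classes the fix list targets.

Heuristics (this example's assumptions, not a published HijackThis rule set):
  O2  unnamed BHO whose DLL is missing or lives in the Windows system directory
  O4  RunOnce persistence; image file name with a non-ASCII or unprintable char
  O15 Trusted Zone / Trusted IP range additions to Internet Explorer
  O23 service whose file is missing or whose vendor is Unknown
"""
import re

# Constructed sample: a subset of the entries from the thread's first two logs.
# The "?" in n?tepad.exe is kept exactly as HijackThis printed it.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D07800E-E1ED-4AF1-93FE-536B6EE56833} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57952DE8-9126-B7FD-7B66-99DC4C3FE5C9} - C:\WINNT\system32\wvruqlag.dll
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINNT\system32\javafix3.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Jxe] C:\WINNT\system32\n?tepad.exe
O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: NvCplScan - Unknown - C:\WINNT\system32\winasp.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# O4 body layout: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM_DIR_RE = re.compile(r"\\(WINNT|WINDOWS)\\system32\\", re.IGNORECASE)


def image_of(cmd):
    """Executable path from a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def suspicious_filename(path):
    """True when the base name holds a non-ASCII character or a '?'.

    '?' is not a legal character in a Windows file name, so a '?' in a log
    line means the tool could not render the real (non-ASCII) character,
    which is how a look-alike of notepad.exe shows up.
    """
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return "?" in base or any(ord(c) > 0x7F for c in base)


def triage(log_text):
    """Return [(raw_line, [reasons])] for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if kind == "O2" and body.startswith("BHO: "):
            name, _clsid, target = (body[5:].split(" - ", 2) + ["", ""])[:3]
            if name == "(no name)" and (target == "(no file)" or SYSTEM_DIR_RE.search(target)):
                reasons.append("unnamed BHO, file missing or in system directory")
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                if r.group("key").lower().startswith("runonce"):
                    reasons.append("RunOnce persistence")
                if suspicious_filename(image_of(r.group("cmd"))):
                    reasons.append("image name has non-ASCII/unprintable character")
        elif kind == "O15":
            reasons.append("IE trusted zone / trusted IP range added")
        elif kind == "O23":
            if "(file missing)" in body or " - Unknown - " in body:
                reasons.append("service with missing file or unknown vendor")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


def files_to_delete(findings):
    """On-disk paths behind flagged entries, deduplicated case-insensitively.

    Entries marked (no file) / (file missing) have nothing left to delete;
    they only need the registry entry fixed.
    """
    paths, seen = [], set()
    for raw, _reasons in findings:
        kind, _, body = raw.partition(" - ")
        path = None
        if kind == "O2":
            target = body.rsplit(" - ", 1)[-1]
            path = None if target == "(no file)" else target
        elif kind == "O4":
            r = RUN_RE.match(body)
            path = image_of(r.group("cmd")) if r else None
        elif kind == "O23" and "(file missing)" not in body:
            path = body.rsplit(" - ", 1)[-1]
        if path and path.lower() not in seen:
            seen.add(path.lower())
            paths.append(path)
    return paths


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for raw, reasons in found:
        print(raw, "<-", "; ".join(reasons))
    print("Delete in Safe Mode:", files_to_delete(found))
```

Run it on a saved log file by replacing SAMPLE_LOG with the file's contents. The output reproduces the entries Dan picked (and leaves Spybot's SDHelper.dll alone, which is also "(no name)" but sits under Program Files), and the delete list is what to remove in Safe Mode after "Fix Checked" has cleared the registry entries.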
mnierman Posted February 18, 2005 (Author)

Thanks, I thought those looked iffy. When I rebooted it gave me an error: can't find system32\spoolsrv32.exe. I don't see that entry in this current log though.

Logfile of HijackThis v1.99.1
Scan saved at 3:42:53 PM, on 2/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
mnierman Posted February 18, 2005 (Author)

After another reboot I didn't get the "can't find spoolsrv32.exe" error. Am currently downloading all updates and rerunning Ad-Aware and Spybot. Thanks again for the help.
Dan Posted February 18, 2005

No problem. Your log is clean. Please follow these simple steps in order to keep your computer clean and secure:

Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly. Here is a great free one: http://www.kerio.com/us/kpf_home.html

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. Download it here: http://www.javacoolsoftware.com/spywareblaster.html

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

I think that you would benefit from reading "How did I get infected in the first place??".

Follow this list and your potential for being infected again will reduce dramatically. Glad I was able to help,

dk
Dan Posted February 19, 2005

I am moving this to the HijackThis Logs (Resolved) section.

If you need more assistance:
1) Post in the Windows Help forum
2) Post a new HJT log.

Thanks,
dk