I am Getting 69-Popups [Resolved]



#1
ThomasLon

ThomasLon

    New Member

  • Member
  • Pip
  • 6 posts
I have two computers that I am having problems with. For now, I will concentrate on this particular one. Rest assured, both are currently unplugged from the network/internet (I plug in occasionally for updates to Adaware, etc.). I have followed the recommendations (Adaware, CWShredder, Spybot S&D, etc.). Below is my HJT log. Any help would be greatly appreciated. The operating system on this PC is Windows 2000 Server.

Logfile of HijackThis v1.99.1
Scan saved at 09:45:16, on 4/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\lkcitdl.exe
C:\WINNT\System32\lkads.exe
C:\WINNT\System32\lktsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\TouchKit\TouchTray.exe
C:\Program Files\National Instruments\Logos\smgr.exe
C:\HJT\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitefpl32.exe
O4 - HKLM\..\Run: [System Services] oah.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [System Services] oah.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [System Services] oah.exe
O4 - Startup: NI Service Manager.lnk = C:\Program Files\National Instruments\Logos\smgr.exe
O4 - Global Startup: LookoutDirect.lnk = C:\DirectSOFT4\Bin\lookout.exe
O4 - Global Startup: TouchMon.lnk = C:\Program Files\TouchKit\TouchTray.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51718847-2B95-4891-B9C9-0CE933B582F0}: NameServer = 192.168.237.134
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINNT\System32\lkcitdl.exe
O23 - Service: Lookout Classified Ads (LkClassAds) - National Instruments, Inc. - C:\WINNT\System32\lkads.exe
O23 - Service: Lookout Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINNT\System32\lktsrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

By the way, LookoutDirect is our manufacturing application. Again, any help is appreciated. This PC has been DOA for a while as I have tried to clean it myself using the instructions to be done prior to submitting this log. Any help is appreciated.
  • 0



#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Thomas Lon and welcome to Geeks to Go.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!

Not a huge amount to do on this one. Now if you are ready, let’s get fixing!

To start please download the following programme, we will run it later. Please save it to a place that you will remember, I suggest the Desktop:

CCleaner

Your HJT log shows that you either have a backdoor Trojan/Virus, or have had, and some of the remnants are remaining. To be on the safe side, I would recommend that you visit Trend Housecall for an online scan.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - Default URLSearchHook is missing
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitefpl32.exe
O4 - HKLM\..\Run: [System Services] oah.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [System Services] oah.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [System Services] oah.exe

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present): (click Start > Settings > Control Panel)

Elitebar
Windupdates

Please notify me of any other programmes that you don’t recognise in that list in your next response.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\Media Access
C:\Program Files\ISTbar


Please delete these files (if present) using Windows Explorer:

C:\winnt\system32\elitefpl32.exe
oah.exe Use search to find this and the one below
msa.exe

Close Windows Explorer and Reboot normally.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and we will take another look.
  • 0

#3
ThomasLon

ThomasLon

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I did what you suggested, however, I am still getting the elite32fpl.exe (among a few other things) appearing in my log.

Logfile of HijackThis v1.99.0
Scan saved at 11:03:41, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\lkcitdl.exe
C:\WINNT\System32\lkads.exe
C:\WINNT\System32\lktsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\TouchKit\TouchTray.exe
C:\Program Files\National Instruments\Logos\smgr.exe
C:\WINNT\System32\svchost.exe
C:\Spyware Removal\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitefpl32.exe
O4 - Startup: NI Service Manager.lnk = C:\Program Files\National Instruments\Logos\smgr.exe
O4 - Global Startup: LookoutDirect.lnk = C:\DirectSOFT4\Bin\lookout.exe
O4 - Global Startup: TouchMon.lnk = C:\Program Files\TouchKit\TouchTray.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{51718847-2B95-4891-B9C9-0CE933B582F0}: NameServer = 192.168.237.134
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lookout Citadel Server - National Instruments, Inc. - C:\WINNT\System32\lkcitdl.exe
O23 - Service: Lookout Classified Ads - National Instruments, Inc. - C:\WINNT\System32\lkads.exe
O23 - Service: Lookout Time Synchronization - National Instruments, Inc. - C:\WINNT\System32\lktsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Thomas Lon and welcome back

So we have a stubborn bit to deal with. We’ll have to persuade it to go away.

To start please download the following programme, we will run it later. Please save it to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitefpl32.exe

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the killbox programme, select the Delete on Reboot option.
*In the field labelled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\winnt\system32\elitefpl32.exe

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.


Close Windows Explorer and Reboot normally.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

Please note that you are running an out-of-date version of HijackThis; the latest version could reveal more than previous ones. Please download a new copy of HijackThis, unzip it, and replace your existing copy with the new version.

Post back a fresh HijackThis log and we will take another look.

I take it that this is a different computer since it has a different HJT location and version.

Edited by Crustyoldbloke, 19 April 2005 - 09:58 AM.

  • 0

#5
ThomasLon

ThomasLon

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
No, this is the same computer, however, you are right, different version. I had an older version of HJT installed from a previous problem. I mistakenly ran it this last time instead of the newer version.

I will try this and let you know. Thanks
  • 0

#6
ThomasLon

ThomasLon

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok this is looking good. I performed as instructed (no foreseen problems). I rebooted and ran HJT (newer version) and this is what it scanned:

Logfile of HijackThis v1.97.7
Scan saved at 14:43:05, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\lkcitdl.exe
C:\WINNT\System32\lkads.exe
C:\WINNT\System32\lktsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\TouchKit\TouchTray.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\National Instruments\Logos\smgr.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Spyware Removal\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - Startup: NI Service Manager.lnk = C:\Program Files\National Instruments\Logos\smgr.exe
O4 - Global Startup: LookoutDirect.lnk = C:\DirectSOFT4\Bin\lookout.exe
O4 - Global Startup: TouchMon.lnk = C:\Program Files\TouchKit\TouchTray.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51718847-2B95-4891-B9C9-0CE933B582F0}: NameServer = 192.168.237.134

________________________________________________________________
****************************************************************

I then ran Adaware (with updated definitions). It found 8 critical problems. I saved the log file below:

Ad-Aware SE Build 1.05
Logfile Created on:Tuesday, April 19, 2005 14:39:11
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R39 15.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adintelligence.AproposToolbar(TAC index:5):7 total references
ImIServer IEPlugin(TAC index:5):1 total references
MRU List(TAC index:0):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R36 01.04.2005
Internal build : 43
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 438128 Bytes
Total size : 1378904 Bytes
Signature data size : 1348736 Bytes
Reference data size : 29656 Bytes
Signatures total : 38426
Fingerprints total : 758
Fingerprints size : 28416 Bytes
Target categories : 15
Target families : 644

4-19-2005 14:38:52 Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R39 15.04.2005
Internal build : 46
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 459480 Bytes
Total size : 1389159 Bytes
Signature data size : 1358772 Bytes
Reference data size : 29875 Bytes
Signatures total : 38701
Fingerprints total : 794
Fingerprints size : 29979 Bytes
Target categories : 15
Target families : 649


4-19-2005 14:39:01 Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:42 %
Total physical memory:252720 kb
Available physical memory:105784 kb
Total page file size:611836 kb
Available on page file:464108 kb
Total virtual memory:2097024 kb
Available virtual memory:2042624 kb
OS:Microsoft Windows 2000 Advanced Server Service Pack 4 (Build 2195)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4-19-2005 14:39:11 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator\recent
Description : list of recently opened documents

____________________________________________________________________
********************************************************************

I selected and removed all critical issues. I rebooted the machine and re-ran Adaware. This time it found no critical issues. I rescanned with HJT and am posting the new log.

Logfile of HijackThis v1.97.7
Scan saved at 14:50:21, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\lkcitdl.exe
C:\WINNT\System32\lkads.exe
C:\WINNT\System32\lktsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\TouchKit\TouchTray.exe
C:\Program Files\National Instruments\Logos\smgr.exe
C:\WINNT\System32\svchost.exe
C:\Spyware Removal\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - Startup: NI Service Manager.lnk = C:\Program Files\National Instruments\Logos\smgr.exe
O4 - Global Startup: LookoutDirect.lnk = C:\DirectSOFT4\Bin\lookout.exe
O4 - Global Startup: TouchMon.lnk = C:\Program Files\TouchKit\TouchTray.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51718847-2B95-4891-B9C9-0CE933B582F0}: NameServer = 192.168.237.134

____________________________________________________________________
********************************************************************

Clean? More work?

Thanks
  • 0

#7
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Thomas Lon

Confusion reigns. This version of HijackThis is even older. Please download the new version from here: HijackThis, unzip it to its own folder and rescan your PC. FYI it should read v1.99.1.

Please post the log for me to view. The version you have used is too old to be reliable.

Thanks.
  • 0

#8
ThomasLon

ThomasLon

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Oops, let's try it again......

Logfile of HijackThis v1.99.1
Scan saved at 16:33:01, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\lkcitdl.exe
C:\WINNT\System32\lkads.exe
C:\WINNT\System32\lktsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\TouchKit\TouchTray.exe
C:\Program Files\National Instruments\Logos\smgr.exe
C:\WINNT\System32\svchost.exe
C:\DirectSOFT4\Bin\lookout.exe
C:\Spyware Removal\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - Startup: NI Service Manager.lnk = C:\Program Files\National Instruments\Logos\smgr.exe
O4 - Global Startup: LookoutDirect.lnk = C:\DirectSOFT4\Bin\lookout.exe
O4 - Global Startup: TouchMon.lnk = C:\Program Files\TouchKit\TouchTray.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{51718847-2B95-4891-B9C9-0CE933B582F0}: NameServer = 192.168.237.134
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINNT\System32\lkcitdl.exe
O23 - Service: Lookout Classified Ads (LkClassAds) - National Instruments, Inc. - C:\WINNT\System32\lkads.exe
O23 - Service: Lookout Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINNT\System32\lktsrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Thomas Lon

Congratulations! Your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

I recommend going to the following link and updating as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one.

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one spyware detector/prevention programmes, having two or more antivirus systems would be really bad as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-Virus updated. ;)
  • 0
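
Added example, not part of the original thread and not HijackThis's own code: a small Python parser that compares the result lines of successive HijackThis scans to confirm which fixed entries really disappeared and which survived, as the etbrun entry did in post #3. It also lists O4 registry autoruns whose command has no directory (oah.exe, msa.exe), which is why those files had to be located by search; the log excerpts are copied from posts #1, #3 and #8, and the function names are illustrative.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code detail")

# Result lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 registry autoruns: hive\..\key: [value name] command
O4_REG_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")

# Result lines excerpted from the thread (process and service lists omitted).
FIRST_SCAN = r"""
R3 - Default URLSearchHook is missing
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitefpl32.exe
O4 - HKLM\..\Run: [System Services] oah.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [System Services] oah.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [System Services] oah.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
"""
SECOND_SCAN = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitefpl32.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
"""
FINAL_SCAN = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
"""


def parse_hjt(log_text):
    """Return the result entries of a HijackThis log, skipping header lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive.
    return (entry.code, entry.detail.lower())


def diff_scans(before, after):
    """Split entries into (removed, persisted, added) between two scans."""
    b = {_key(e): e for e in before}
    a = {_key(e): e for e in after}
    removed = [e for k, e in b.items() if k not in a]
    persisted = [e for k, e in b.items() if k in a]
    added = [e for k, e in a.items() if k not in b]
    return removed, persisted, added


def pathless_autoruns(entries):
    """O4 registry autoruns whose command carries no directory component.

    Windows resolves such a value through its search path, so the log alone
    does not say which file on disk will run at logon.
    """
    hits = []
    for e in entries:
        m = O4_REG_RE.match(e.detail) if e.code == "O4" else None
        if m and "\\" not in m.group(4) and "/" not in m.group(4):
            hits.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return hits


if __name__ == "__main__":
    first, second = parse_hjt(FIRST_SCAN), parse_hjt(SECOND_SCAN)
    removed, persisted, added = diff_scans(first, second)
    for e in persisted:
        print("still present:", e.code, e.detail)
    for hive, key, name, cmd in pathless_autoruns(first):
        print("no path:", hive, key, name, cmd)
```

Only compare scans made with the same HijackThis version: the v1.97.7 logs in post #6 omit sections that v1.99.1 reports, so a cross-version diff shows entries as removed when they were simply not scanned.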





