Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Maleware eating my clients server


  • Please log in to reply

#1
NecroCom

NecroCom

    New Member

  • Member
  • Pip
  • 3 posts
So I am trying to get rid of dataminer/spyware on a clients computer through PC anywhere and I am having a [bleep] of a time doing so.

The computer is running Windows 2000 with service pack 3 and I cannot get rid of a small red bubble with a white "X" through it similar to the windows error icon that sits in the tray. it brings up [bleep] pop-ups and I have noticed it talks about "Specialgood.com" a lot.

I ran everything I know so far and all I have left is a Hijackthis log file for you to read:


--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:25:24 PM, on 5/23/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\DDwin\DDHLSRV.EXE
D:\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgo...info/ad/ad0195/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Promise Tech.] "C:\Program Files\Promise\Utility\pam.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Automation Manager.LNK = C:\WINNT\system32\AUTMGR32.EXE
O4 - Startup: DDStart.LNK = ?
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RamadaFargo.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D1F302B-132F-40EE-B2E1-33A5C5D93E19}: NameServer = 192.168.1.100,192.168.1.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RamadaFargo.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RamadaFargo.local
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Promise FastTrak DMI Service (FastTrakDMISvc) - Unknown owner - C:\Program Files\Promise\FastTrak\ftdmisvc.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
--------------------------------------------------------------------------

Help would be much appreaciated...

Edited by NecroCom, 23 May 2005 - 03:18 PM.

  • 0

Advertisements


#2
NecroCom

NecroCom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
So I am trying to get rid of dataminer/spyware on a clients computer through PC anywhere and I am having a [bleep] of a time doing so.

The computer is running Windows 2000 with service pack 3 and I cannot get rid of a small red bubble with a white "X" through it similar to the windows error icon that sits in the tray. it brings up [bleep] pop-ups and I have noticed it talks about "Specialgood.com" a lot.

I ran everything I know so far and all I have left is a Hijackthis log file for you to read:


--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:25:24 PM, on 5/23/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\DDwin\DDHLSRV.EXE
D:\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgo...info/ad/ad0195/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Promise Tech.] "C:\Program Files\Promise\Utility\pam.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Automation Manager.LNK = C:\WINNT\system32\AUTMGR32.EXE
O4 - Startup: DDStart.LNK = ?
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RamadaFargo.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D1F302B-132F-40EE-B2E1-33A5C5D93E19}: NameServer = 192.168.1.100,192.168.1.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RamadaFargo.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RamadaFargo.local
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Promise FastTrak DMI Service (FastTrakDMISvc) - Unknown owner - C:\Program Files\Promise\FastTrak\ftdmisvc.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
--------------------------------------------------------------------------

Help would be much appreaciated...
  • 0

#3
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Do a find files for param32.dll , systr.dll or popup_bl.dll and guninst.exe
Most likely they will be in your C:\WINDOWS\System32\ folder

Let me know which ones are found where.

Regards,
  • 0

#4
NecroCom

NecroCom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Param32.dll, popup_bl.dll and guninst.exe are all in C:\WINNT\system32 folder.

Not in any extension inside the system32 folder.


ps metallica is my favorite band... them and zeppelin =D

Edited by NecroCom, 25 May 2005 - 02:12 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP