Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

possible neededware problem

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 2 posts
I know I had neededware on my computer and thought I had gotten rid of it. As per another topic I did the Active Scan also but the problem seems to be a little worse than that. I've got a bit of experience with this kind of stuff and usually like to just figure it out on my own by googling different files and stuff. I've deleted all registry keys belonging to any sort of spyware/adware, however in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run folder I keep getting a new file name when I reboot along with a folder under the HKEY_LOCAL_MACHINE\SOFTWARE\ with the title of ndwserv followed by some numbers. I can delete that but if I delete the reg keys in the Run folder, they always come back and I cannot delete the file associated with it either. In this Hijack log the file is
O4 - HKLM\..\Run: [jdwemq] C:\WINNT\system32\jdwemq.exe but it changes when I am finally successful at deleting it. I already attempted to fix it through hijackthis but it came back on the next scan I did. I've tried the killbox thing and again, it will delete the old file but then a new file comes up. Any suggestions?

Logfile of HijackThis v1.99.1
Scan saved at 11:23:33 AM, on 6/14/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\kmontano\My Documents\personal\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fsweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fsweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [lcfep] "C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [Oracle Reports Cleanup] C:\fsapps\fssys\oracle\oraclean.lnk
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SwdisUsrPCN.pca2536.r3.fs.fed.us] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [jdwemq] C:\WINNT\system32\jdwemq.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://fsweb
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = r3.fs.fed.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = r3.fs.fed.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = r3.fs.fed.us,fs.fed.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = r3.fs.fed.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = r3.fs.fed.us,fs.fed.us
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = r3.fs.fed.us,fs.fed.us
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESRI License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\lmgrd.exe
O23 - Service: FS Add Printers (fsaddprn) - Unknown owner - c:\fsapps\fssys\utilities\fsprint\FSPRNSTART.EXE
O23 - Service: IBM Networks Primary Logon Client (IBMNeTNT) - Unknown owner - C:\WINNT\System32\ibmginas.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\lotus\notes\ntmulti.exe
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - c:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: OracleClient8i_HomeClientCache - Unknown owner - C:\oracle\client8i\BIN\ONRSD.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleRuntime6i_HomeClientCache80 - Unknown owner - C:\oracle\runtim6i\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tivephlth - Unknown owner - c:\perl\scripts\tivep\TivCLepHealth.exe

Edited by thpooky, 14 June 2005 - 11:32 AM.

  • 0




    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I think I got it taken care of. After deleting many files associated with spyware I think I finally got rid of the little pest.....
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP