Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

possible neededware problem

Started by thpooky , Jun 14 2005 11:29 AM

  • Please log in to reply

#1
thpooky
Posted 14 June 2005 - 11:29 AM

thpooky

    New Member

  • Member
  • Pip
  • 2 posts
I know I had neededware on my computer and thought I had gotten rid of it. As per another topic I did the Active Scan also but the problem seems to be a little worse than that. I've got a bit of experience with this kind of stuff and usually like to just figure it out on my own by googling different files and stuff. I've deleted all registry keys belonging to any sort of spyware/adware, however in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run folder I keep getting a new file name when I reboot along with a folder under the HKEY_LOCAL_MACHINE\SOFTWARE\ with the title of ndwserv followed by some numbers. I can delete that but if I delete the reg keys in the Run folder, they always come back and I cannot delete the file associated with it either. In this Hijack log the file is
O4 - HKLM\..\Run: [jdwemq] C:\WINNT\system32\jdwemq.exe but it changes when I am finally successful at deleting it. I already attempted to fix it through hijackthis but it came back on the next scan I did. I've tried the killbox thing and again, it will delete the old file but then a new file comes up. Any suggestions?

Logfile of HijackThis v1.99.1
Scan saved at 11:23:33 AM, on 6/14/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\lotus\notes\NLNOTES.EXE
C:\lotus\notes\ntaskldr.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\WINNT\regedit.exe
C:\Documents and Settings\kmontano\My Documents\personal\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fsweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fsweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [lcfep] "C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [Oracle Reports Cleanup] C:\fsapps\fssys\oracle\oraclean.lnk
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SwdisUsrPCN.pca2536.r3.fs.fed.us] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [jdwemq] C:\WINNT\system32\jdwemq.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://fsweb
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = r3.fs.fed.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = r3.fs.fed.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = r3.fs.fed.us,fs.fed.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = r3.fs.fed.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = r3.fs.fed.us,fs.fed.us
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = r3.fs.fed.us,fs.fed.us
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESRI License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\lmgrd.exe
O23 - Service: FS Add Printers (fsaddprn) - Unknown owner - c:\fsapps\fssys\utilities\fsprint\FSPRNSTART.EXE
O23 - Service: IBM Networks Primary Logon Client (IBMNeTNT) - Unknown owner - C:\WINNT\System32\ibmginas.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\lotus\notes\ntmulti.exe
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - c:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: OracleClient8i_HomeClientCache - Unknown owner - C:\oracle\client8i\BIN\ONRSD.EXE
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleRuntime6i_HomeClientCache80 - Unknown owner - C:\oracle\runtim6i\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tivephlth - Unknown owner - c:\perl\scripts\tivep\TivCLepHealth.exe

Edited by thpooky, 14 June 2005 - 11:32 AM.

  • 0

Advertisements

#2
thpooky
Posted 15 June 2005 - 12:12 PM

thpooky

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I think I got it taken care of. After deleting many files associated with spyware I think I finally got rid of the little pest.....
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP