spyware problem - please help [RESOLVED]


  • This topic is locked

#16
Armodeluxe
    Member 2k
  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.


#17
gmhendge
    Member
  • Topic Starter
  • 13 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:11:44 PM, on 9/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldw...v40/sol/sol.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab

*****
I ran ad-aware and spybot, nothing found.
*****
Yesterday when I rebooted my computer, I had a blue screen with a message in red letters saying Symantec Anti Virus Auto-Protect and then a Gray border with a red interior saying Unable to determine the location of virus definition files.
*****
I still have the java problem but can address that when my computer gets its clean bill of health.
******
also, when you look at directory in your computer, is it supposed to read

%THISDIRNAME%

??

I don't recall it being like that (Control Panel looks different as well) before my problems began back in July. Thanks again for your help!
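The log above is triaged by hand in this thread. As an added example (not part of the original post, and not HijackThis's own tooling), the following script parses a HijackThis v1.99 log and pulls out what a reviewer checks first: the O4 autostart entries, items that point at files HijackThis could not find ("(no file)" / "(file missing)"), the web-installed ActiveX controls (O16 DPF), and an index of every entry by CLSID so paired O9 button/menu items are read together. The log excerpt is constructed from the same line formats as the posted log; the last O16 download URL is made up, since the posted one is truncated.

```python
# Added example (not from the thread): a parser for HijackThis v1.99 logs that
# pulls out what a log reviewer checks first: the autostart (O4) entries, items
# pointing at files that no longer exist, web-installed ActiveX controls (O16),
# and every entry sharing a CLSID. The log excerpt is constructed from the same
# line formats as the one posted above; the last O16 URL is made up.
import re

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://example.invalid/installer.cab
"""

ENTRY = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_FOLDER = re.compile(r"^(?P<where>(?:User |Global )?Startup): (?P<cmd>.+)$")
O16_DPF = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Split a log into the platform line, the running-process list and the
    'Xn - body' entries; every other line is ignored."""
    platform, processes, entries, in_procs = None, [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False          # a blank line closes the process list
        else:
            m = ENTRY.match(line)
            if m:
                entries.append({"section": m.group("sec"), "body": m.group("body")})
    return {"platform": platform, "processes": processes, "entries": entries}


def autostarts(parsed):
    """O4 entries as {where, name, cmd}; Startup-folder items have no value name."""
    out = []
    for e in parsed["entries"]:
        if e["section"] != "O4":
            continue
        m = O4_RUN.match(e["body"]) or O4_FOLDER.match(e["body"])
        if m:
            d = m.groupdict()
            d.setdefault("name", None)
            out.append(d)
    return out


def dangling(parsed):
    """Entries whose target HijackThis could not find on disk. They are leftovers
    to tidy up, not evidence of infection by themselves."""
    return [e for e in parsed["entries"]
            if "(no file)" in e["body"] or "(file missing)" in e["body"]]


def downloaded_controls(parsed):
    """O16 DPF entries: ActiveX controls installed from the web, with CLSID,
    friendly name (None when the control registered none) and download URL."""
    out = []
    for e in parsed["entries"]:
        if e["section"] == "O16":
            m = O16_DPF.match(e["body"])
            if m:
                out.append(m.groupdict())
    return out


def clsid_index(parsed):
    """Group entries by the CLSID they mention (case-folded), so paired O9
    button/menu items and BHO or DPF controls are reviewed together."""
    idx = {}
    for e in parsed["entries"]:
        for guid in CLSID.findall(e["body"]):
            idx.setdefault(guid.upper(), []).append(e)
    return idx


if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    print(log["platform"], "-", len(log["processes"]), "processes")
    for a in autostarts(log):
        print("autostart", a["where"], a["name"], "->", a["cmd"])
    for e in dangling(log):
        print("dangling ", e["section"], e["body"])
    for c in downloaded_controls(log):
        print("activex  ", c["clsid"], c["name"], c["url"])
```

The point of the CLSID index is that HijackThis reports one registry fact per line, so a single component shows up several times (an O9 button and its Tools-menu item, or a BHO and the DPF control that installed it); reading them grouped by GUID is how you tell a benign pair from a stray entry.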

#18
Armodeluxe
    Member 2k
  • Retired Staff
  • 2,744 posts
Hi gmhendge,

I can't say good to see you back, since it's not good to see any user back :tazz:

Please tell me the version of Norton you are using, I guess it's a corporate edition..

Before we focus on Norton however, first let's make sure a virus hasn't corrupted it..your log looks clean, but I'd like to see an online scan..hopefully you won't have an issue with Kaspersky..

I'm not familiar with ME at all, so I will ask around about that directory issue, but could you please elaborate what you mean when you say directory..

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#19
gmhendge
    Member
  • Topic Starter
  • 13 posts
I think I have Norton Systemworks 2003. I rebooted my computer today and didn't have the error. I'm not sure if the other day was a fluke. Anyway, here's the Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, September 25, 2005 19:56:29
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/09/2005
Kaspersky Anti-Virus database records: 151132
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\

Scan Statistics:
Total number of scanned objects: 41738
Number of viruses found: 18
Number of infected objects: 40
Number of suspicious objects: 0
Duration of the scan process: 2353 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
c:\WINDOWS\SYSTEM\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
c:\WINDOWS\SYSTEM\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
c:\WINDOWS\SYSTEM\ventura-hot_246765.exe/data0003 Infected: not-a-virus:AdWare.Win32.HotSearchBar.i
c:\WINDOWS\SYSTEM\ventura-hot_246765.exe Infected: not-a-virus:AdWare.Win32.HotSearchBar.i
c:\WINDOWS\SYSTEM\bsva-egihsg52.exe/data0003 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
c:\WINDOWS\SYSTEM\bsva-egihsg52.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.q
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.w
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.BargainBuddy.n
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.BargainBuddy.n
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0004/stream Infected: not-a-virus:AdWare.BargainBuddy.n
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0004 Infected: not-a-virus:AdWare.BargainBuddy.n
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0005/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0005/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0005/stream Infected: not-a-virus:AdWare.BargainBuddy.n
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0006/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.l
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0006/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0006/stream/data0007 Infected: not-a-virus:AdWare.Win32.CashBack.b
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0006/stream/data0008 Infected: not-a-virus:AdWare.Win32.CashBack.d
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0006/stream Infected: not-a-virus:AdWare.Win32.CashBack.d
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.CashBack.d
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream Infected: not-a-virus:AdWare.Win32.CashBack.d
c:\WINDOWS\SYSTEM\package_MARKETING51.exe Infected: not-a-virus:AdWare.Win32.CashBack.d
c:\WINDOWS\SYSTEM\VVSNInst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\jao.dll Infected: Trojan-Spy.Win32.Briss.k
c:\WINDOWS\Downloaded Program Files\jao.dll Infected: Trojan-Spy.Win32.Briss.k
c:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b
c:\WINDOWS\NDNuninstall4_80.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
c:\WINDOWS\NDNuninstall4_88.exe Infected: not-a-virus:AdWare.NewDotNet
c:\WINDOWS\NDNuninstall4_94.exe Infected: not-a-virus:AdWare.NewDotNet
c:\WINDOWS\NDNuninstall5_20.exe Infected: not-a-virus:AdWare.NewDotNet
c:\WINDOWS\NDNuninstall5_40.exe Infected: not-a-virus:AdWare.NewDotNet
c:\WINDOWS\NDNuninstall5_48.exe Infected: not-a-virus:AdWare.NewDotNet
c:\WINDOWS\hrrflnro.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
c:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe Infected: Trojan-Downloader.Win32.IstBar.lu

Scan process completed.

#20
gmhendge
    Member
  • Topic Starter
  • 13 posts
also, regarding directory. I think I meant when I click on my computer it shows the drives, and the

%THISDIRNAME%

thing

#21
Armodeluxe
    Member 2k
  • Retired Staff
  • 2,744 posts
Please first save these directions to the desktop as a text file, because you will need to copy and paste part of them later, once we are in Safe Mode.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\WINDOWS\SYSTEM\GSM3-0511.exe
c:\WINDOWS\SYSTEM\ventura-hot_246765.exe
c:\WINDOWS\SYSTEM\bsva-egihsg52.exe
c:\WINDOWS\SYSTEM\package_MARKETING51.exe
c:\WINDOWS\SYSTEM\VVSNInst.exe
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\jao.dll
c:\WINDOWS\Downloaded Program Files\jao.dll
c:\WINDOWS\Downloaded Program Files\popcaploader.dll
c:\WINDOWS\NDNuninstall4_80.exe
c:\WINDOWS\NDNuninstall4_88.exe
c:\WINDOWS\NDNuninstall4_94.exe
c:\WINDOWS\NDNuninstall5_20.exe
c:\WINDOWS\NDNuninstall5_40.exe
c:\WINDOWS\NDNuninstall5_48.exe
c:\WINDOWS\hrrflnro.exe
c:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Reboot.

As for the directory question, I'm not familiar with ME at all. You could make a post at Windows98/ME section of the main forum. I think it may have something to do with the folder view options.
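The Killbox list in the post above was produced by hand from the Kaspersky report in post #19: 40 infected objects collapsed to 16 on-disk files, because Kaspersky reports each archive member ("package_MARKETING51.exe/stream/data0004") separately while a reboot-time deleter only needs the container. As an added example (not part of the thread, and not Kaspersky's or Killbox's own code), the script below parses a report in that format, checks that the report's own counters match the listed objects, collapses members to container paths, and emits the one-path-per-line text Killbox's "Paste from Clipboard" takes. The report excerpt is constructed from the posted report's lines with its counters adjusted to match.

```python
# Added example (not from the thread): parse a Kaspersky On-line Scanner report
# and derive the one-file-per-line list a reboot-time deleter such as Killbox
# takes, the way the reviewer above turned 40 infected objects into 16 files.
# The report excerpt is constructed in the posted report's format.
import re

SAMPLE_REPORT = r"""
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Operating System: Microsoft Windows Millennium Edition
-------------------------------------------------------------------------------

Scan Statistics:
Total number of scanned objects: 41738
Number of viruses found: 5
Number of infected objects: 7
Number of suspicious objects: 0

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
c:\WINDOWS\SYSTEM\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
c:\WINDOWS\SYSTEM\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
c:\WINDOWS\SYSTEM\package_MARKETING51.exe/stream Infected: not-a-virus:AdWare.Win32.CashBack.d
c:\WINDOWS\SYSTEM\package_MARKETING51.exe Infected: not-a-virus:AdWare.Win32.CashBack.d
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\jao.dll Infected: Trojan-Spy.Win32.Briss.k

Scan process completed.
"""

FINDING = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")
STAT = re.compile(r"^((?:Total )?[Nn]umber of [^:]+): (\d+)$")


def parse_report(text):
    """Return (stats, findings): the counters from 'Scan Statistics' and the
    (object, verdict) pairs listed under 'Infected Object Name - Virus Name'."""
    stats, findings, in_findings = {}, [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Infected Object Name"):
            in_findings = True
        elif line.startswith("Scan process completed"):
            in_findings = False
        elif in_findings:
            m = FINDING.match(line)
            if m:
                findings.append((m.group("obj"), m.group("name")))
        else:
            m = STAT.match(line)
            if m:
                stats[m.group(1)] = int(m.group(2))
    return stats, findings


def check_totals(stats, findings):
    """The report's own counters should agree with the listed objects:
    'viruses found' counts distinct verdict names, 'infected objects' counts lines."""
    names = {name for _, name in findings}
    return (len(findings) == stats.get("Number of infected objects")
            and len(names) == stats.get("Number of viruses found"))


def container_path(obj):
    """Kaspersky joins archive members with '/', Windows paths use '\\', so the
    first '/' ends the on-disk file: 'c:\\x\\a.exe/stream/data0004' -> 'c:\\x\\a.exe'."""
    return obj.split("/", 1)[0]


def delete_list(findings):
    """Unique on-disk files in first-seen order (case-insensitive, as the
    Windows file system is). This is the text to paste into Killbox."""
    seen, out = set(), []
    for obj, _ in findings:
        path = container_path(obj)
        if path.lower() not in seen:
            seen.add(path.lower())
            out.append(path)
    return out


def malware_files(findings):
    """Files carrying at least one verdict outside Kaspersky's 'not-a-virus:'
    adware/riskware class; these are the ones to treat as a real infection."""
    return [p for p in delete_list(findings)
            if any(container_path(o).lower() == p.lower() and not n.startswith("not-a-virus:")
                   for o, n in findings)]


def killbox_text(findings):
    """One path per line, the form Killbox's 'Paste from Clipboard' expects."""
    return "\n".join(delete_list(findings))


if __name__ == "__main__":
    stats, findings = parse_report(SAMPLE_REPORT)
    print("counters consistent:", check_totals(stats, findings))
    print(killbox_text(findings))
```

Run against the full report in post #19, the counter check holds (18 distinct verdict names, 40 listed objects) and the delete list comes out as the same 16 paths the post above lists; the `malware_files` split is the detail worth keeping, since a file like GSM3-0511.exe carrying a Trojan-Downloader verdict deserves more attention than the adware uninstaller stubs flagged as "not-a-virus".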

#22
gmhendge
    Member
  • Topic Starter
  • 13 posts
I followed your instructions, I think all of the files are gone now. I wasn't able to run killbox on the desktop though, but everything else was done in reboot. Am I good to go re: viruses etc?

#23
Armodeluxe
    Member 2k
  • Retired Staff
  • 2,744 posts
Yes, you should be :tazz:

Kaspersky has the best detection rates on viruses...it found a few and we removed them..

I'll keep the thread open for a while, if you have any other problems let me know.

#24
Armodeluxe
    Member 2k
  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





