Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help with Winfixer spyware


  • This topic is locked This topic is locked

#1
flyboyy

flyboyy

    New Member

  • Member
  • Pip
  • 6 posts
I have already ran ad-ware and spybot in safe-mode also spywareblaster, this machine is a networked PC and multiple users logs on it, winfixer2005 installer is only installing on 1 of the users and also on his desktop. if all other users logs onto the machine we dont see the installer winfixer2005 on the desktop nor do we see the pop-up for installing. I have read some of the other topics posted on this subject. So here's my HijackThis log; thenks for help!

Logfile of HijackThis v1.99.1
Scan saved at 3:40:50 PM, on 8/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\eHealth\agent\response\ARProxy.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\eHealth\agent\response\ARWatch.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Tactical Software\DialOutEZ\DialoutEZTray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\System32\iprntctl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Distillr\acrotray.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oag.silvernet
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\eHealth\agent\response\ARWatch.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: FSIETap Class - {9262EF23-24CA-11D3-A173-00104B1F6E72} - C:\eHealth\agent\response\ariehook.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [DialOut/EZ] C:\Program Files\Tactical Software\DialOutEZ\DialoutEZTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\System32\iprntctl.exe TRAY_ICON
O4 - Startup: NALDESK.BAT.LNK = C:\i386\NALDESK.BAT
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Distillr\acrotray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O15 - Trusted Zone: *.try-p2.oag.silvernet (HKLM)
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://216.177.6.142/cab/Live.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O23 - Service: Application Response Agent Proxy (ARAgent) - Concord Communications, Inc. - C:\eHealth\agent\response\ARProxy.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Oracleoracleclient10gClientCache - Unknown owner - C:\OraClient10g\BIN\ONRSD.EXE
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
  • 0

Advertisements


#2
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi flyboy,

Is this the login where you are having issues with Winfixer ??? or is it someother login ???
  • 0

#3
flyboyy

flyboyy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Hi flyboy,
thank you for replying soo soon.

Is this the login where you are having issues with Winfixer ??? or is it someother login ???

View Post

Thank you for replying soo soon.

this is another login which does not have the problem but it is the same machine. The user is away on vacation and I dont have his password to login to his profile. do I need to run hijack while im logged in as him ?

Edited by flyboyy, 17 August 2005 - 02:29 PM.

  • 0

#4
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Flyboy,


The Hijack This log you posted is clean !!! So it is quite possible that the winfixer pop-ups are happening due to something which is restricted to the specific login profile.

I would need to see the HJT log from that login profile
  • 0

#5
flyboyy

flyboyy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
do you think its possible that since I ran spywareblaster , spybot and ad-ware that it cleanned it ? I may need to wait til next week inorder to have the user login and then run hijackthis and post the log then. thanks again for your replay.
  • 0

#6
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

Let me close this topic.

Post the new HJT log when feasible. Also send me a Private message. I will then pick up the topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP