System seems clean but it's still acting up, so PLEASE HELP. :)

Discussion in 'adware, spyware & hijack cleaning' started by tempnexus, May 13, 2004.

  tempnexus

    tempnexus

    Apr 16, 2003
    So I've scanned the system with TDS-3 and KAV with Xbases (all in safe mode). The system had a bunch of trojans etc. Then I've scanned it with Spysweeper and it removed quite a few spyware. BUT if I try to run the TDS-3 scan in normal Windows, TDS-3 gives me an error and shuts down after about 2 min. Subsequent scans in safe mode reveal nothing. Also AOL dies once in a while...it also gives an "incorrect state" or something like that and quits. The Windows search assistant is borked after I've removed a few spyware from this; how do I get the search assistant back on? Finally, could you please check the HijackThis log in order to make sure that there is nothing new.

    StartupList report, 5/13/2004, 9:53:32 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Annlise Calypso\Local Settings\Temporary Internet Files\Content.IE5\K6SWY0YD\HijackThis[1].EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    * Showing rarely important sections

    Running processes:

    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\America Online 9.0c\aoltray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Documents and Settings\Annlise Calypso\Local Settings\Temporary Internet Files\Content.IE5\K6SWY0YD\HijackThis[1].exe


    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0c\aoltray.exe
    AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    Verizon Support Center.lnk = C:\Program Files\Support Center\bin\matcli.exe


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,


    Autorun entries from Registry:

    Dell|Alert = C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"
    Ink Monitor = C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    DadApp = C:\Program Files\Dell\AccessDirect\dadapp.exe
    Apoint = C:\Program Files\Apoint\Apoint.exe
    type32 = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    WinTools = C:\Program Files\Common files\WinTools\WToolsA.exe
    Realtime Monitor = C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    nwiz = nwiz.exe /installquiet


    Autorun entries from Registry:

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"


    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install


    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*


    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present


    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll - {87766247-311C-43B4-8499-3D5FEC94A183}


    Enumerating Task Scheduler jobs:

    Disk Cleanup.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job


    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx


    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cnxtdiag: System32\DRIVERS\cnxtdiag.sys (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Diskeeper: C:\Program Files\Executive Software\Diskeeper\DkService.exe (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Fallback: System32\DRIVERS\fallback.sys (autostart)
    Fsks: System32\DRIVERS\fsksnt.sys (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    eTrust Antivirus RPC Server: "C:\Program Files\CA\eTrust Antivirus\InoRpc.exe" (autostart)
    eTrust Antivirus Realtime Server: "C:\Program Files\CA\eTrust Antivirus\InoRT.exe" (autostart)
    eTrust Antivirus Job Server: "C:\Program Files\CA\eTrust Antivirus\InoTask.exe" (autostart)
    INO_FLTR: \??\C:\WINDOWS\System32\Drivers\ino_fltr.sys (autostart)
    K56: System32\DRIVERS\k56nt.sys (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SoftFax: System32\DRIVERS\faxnt.sys (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Tones: System32\DRIVERS\tonesnt.sys (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    V124: System32\DRIVERS\v124nt.sys (autostart)
    Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    WinPPPoverEthernet: C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE (autostart)
    Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    End of report, 11,789 bytes
    Report generated in 0.180 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  snapdragin

    snapdragin Administrator

    Feb 16, 2002
    Southern Ont., Canada

    You have posted a StartupList, and we need a HijackThis log. You are also running HijackThis from IE's Temporary Internet Files folder. Please create a new, permanent folder for HijackThis on your C drive and move the HijackThis.exe file into the new folder.

    Then open HijackThis.exe and run it by clicking on the Scan button. When the scan has finished, the "Scan" button will change to a "Save Log" button. Press the "Save Log" button and save it to a location where you can easily find it. Open the saved log and copy and paste its contents here in your next post.

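Added example (not from the thread or any poster): a small parser for the StartupList report layout posted above that groups entries by section, flags anything launched from IE's Temporary Internet Files cache (the point raised in the reply), and maps each Browser Helper Object CLSID to its DLL. The report excerpt is constructed, and the section-header rule is an assumption about the format.

```python
import re

# Constructed excerpt in the StartupList 1.52 layout posted above (paths shortened; user name is a placeholder).
SAMPLE_REPORT = """StartupList report, 5/13/2004, 9:53:32 AM
Started from : C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\K6SWY0YD\\HijackThis[1].EXE

Running processes:

C:\\Program Files\\CA\\eTrust Antivirus\\InoRT.exe
C:\\Program Files\\Common files\\WinTools\\WToolsA.exe
C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\K6SWY0YD\\HijackThis[1].exe

Enumerating Browser Helper Objects:

(no name) - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsB.dll - {87766247-311C-43B4-8499-3D5FEC94A183}

End of report, 11,789 bytes
"""

# Assumption: a section header is a line without a backslash that ends in ':' or starts with
# "Enumerating " (the services header in the posted report lacks the trailing colon).
HEADER_RE = re.compile(r"^(?:Enumerating .*|[^\\]*:)$")
BHO_RE = re.compile(r"^(?P<name>.*?) - (?P<path>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})$")

def parse_sections(report: str) -> dict:
    """Group the non-blank lines of a StartupList report under their section header."""
    sections, current = {}, "(preamble)"
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if HEADER_RE.match(line):
            current = line.rstrip(":")
        else:
            sections.setdefault(current, []).append(line)
    return sections

def find_temp_launches(sections: dict) -> list:
    """Entries executing out of IE's Temporary Internet Files cache, as (section, entry) pairs."""
    return [(name, entry) for name, entries in sections.items()
            for entry in entries if "temporary internet files" in entry.lower()]

def bho_paths(sections: dict) -> dict:
    """Map each Browser Helper Object CLSID (upper-cased) to the DLL path it loads."""
    matches = map(BHO_RE.match, sections.get("Enumerating Browser Helper Objects", []))
    return {m.group("clsid").upper(): m.group("path") for m in matches if m}
```

Run `find_temp_launches(parse_sections(open("startuplist.txt").read()))` on a saved report to list every entry that starts from the browser cache.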

  tempnexus

    tempnexus

    Apr 16, 2003
    Darn it. :(

    Oh well, it wasn't my system. I've cleaned it up as much as I could and I let it go, telling the customer that I am not 100% certain about it being completely clean. He pressured me to give it back since he said he only had 3 hours. I told him that I charge per clean and not per hour. But he insisted, telling me that he has to give a presentation. Oh well. If I ever get the system back I will post a correct log.

    Sorry. :(

    I've installed CA 7 Promotion with InoculateIT and VAT, both in reviewer mode, with VAT being on-demand and InoculateIT as real-time (VAT scheduled scan twice a week). Hopefully this will help him, since his Norton was hosed by the trojans and even then he only had a 90-day trial from Dell.
