just another "SPYware detected!" error 348

Discussion in 'adware, spyware & hijack cleaning' started by thomasKA, Jul 6, 2004.

Thread Status:
Not open for further replies.
  1. thomasKA

    thomasKA, Registered Member (Joined: Jul 6, 2004; Posts: 2)

    I have tried to read through others' posts with this problem, but have had no luck, so here is my HijackThis log.

    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Altiris\AClient\AClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Documents and Settings\t318\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\t318\Application Data\Mozilla\Profiles\default\dlnsccvp.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\t318\Application Data\Mozilla\Profiles\default\dlnsccvp.slt\prefs.js)
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://tolaltiris/aexns/NSCap/Bin/Win32/x86/AeXClientBootstrap.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = slk.local
    O17 - HKLM\Software\..\Telephony: DomainName = slk.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = slk.local
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS, Former DCS Moderator (Joined: Feb 10, 2002; Posts: 2,080; Location: Perth, Western Australia)

    Hi,

    Your log looks clean. Is it the case that you see these errors when you visit certain websites? Can you give us an example?

    If so, they are probably just popup windows designed to scare you into clicking on them, and ultimately buying their junk.
     
  3. thomasKA

    thomasKA, Registered Member (Joined: Jul 6, 2004; Posts: 2)

    No, it's not pop-ups. My homepage keeps being reset to an "eshredder" website (about:blank). I also believed my log to be clean, and that is why I am quite confused.
     
  4. Jooske

    Jooske, Registered Member (Joined: Feb 12, 2002; Posts: 9,713; Location: Netherlands, EU near the sea)

    Thomas, could it be something your Altiris server is doing? Can you find out about that? Suppose this is a system in a network; are there more computers with the same happening?
    I'm no expert in the HJT field; I thought these about:blank things appeared on the R0 R1 lines, which I don't see in your log, and I can't tell if they should be :)

    How did you conclude it is the "SPYware detected! system error #384"? That was not on the About:blank changes only, I guess?
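
Added example, not part of the original thread: a small Python triage script that groups HijackThis entries by section code and checks for the R0/R1 (Internet Explorer start and search page) lines mentioned above. The sample lines are copied from the log posted in this thread; the extra R0 line is constructed to show what a positive hit looks like.

```python
import re

# An entry line looks like "O17 - ..."; process paths and headers do not match.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
IE_PAGE_CODES = {"R0", "R1"}  # IE start/search page registry values

# Lines copied from the log posted in this thread (abridged selection).
THREAD_SAMPLE = r'''Running processes:
C:\WINDOWS\Explorer.EXE
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\t318\Application Data\Mozilla\Profiles\default\dlnsccvp.slt\prefs.js)
O9 - Extra button: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = slk.local
'''

# Constructed line (not from the thread) showing a start page set to about:blank.
CONSTRUCTED_HIJACK = THREAD_SAMPLE + r'''R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
'''

def parse_entries(log_text):
    """Return [(code, text)] for every section entry in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def summarize(log_text, needle="about:blank"):
    """Count entries per code, list R0/R1 entries, and list entries containing needle."""
    entries = parse_entries(log_text)
    counts = {}
    for code, _ in entries:
        counts[code] = counts.get(code, 0) + 1
    return {
        "counts": counts,
        "ie_pages": [(c, t) for c, t in entries if c in IE_PAGE_CODES],
        "needle_hits": [(c, t) for c, t in entries if needle.lower() in t.lower()],
    }

if __name__ == "__main__":
    for name, log in (("thread log", THREAD_SAMPLE), ("constructed", CONSTRUCTED_HIJACK)):
        s = summarize(log)
        print(name, s["counts"], "R0/R1:", s["ie_pages"] or "none",
              "about:blank:", s["needle_hits"] or "none")
```

An empty R0/R1 result only means the log contains no such lines; it does not by itself explain why they are absent.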
     