PoohBear's Problems

Discussion in 'adware, spyware & hijack cleaning' started by timr, Jul 6, 2004.

Thread Status:
Not open for further replies.
  1. timr

    timr Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    4
    Good Morning,

    Although this is my first post to this forum, I have browsed through and gleaned information from it often. I manage about 20 PCs in a small printing company. I am more of a Mac and UNIX guy, so this is the least intuitive yet most time-consuming part of my job. As I have several users who love downloading cool stuff, I will probably be posting several HijackThis logs - unless this is more of a one computer per person type of forum.

    Before I get into the meat of this one, a quick RFO (request for opinion - we use lots of TLAs around here). I would like to implement a centrally administered spyware solution, something similar to Symantec NAV Corporate Edition which we use and has really relieved the load of keeping virus stuff updated. I am looking at Webroot's SpySweeper Enterprise. I know you probably don't want to get into recommending one package over another, but do you have any general suggestions or recommendations to help me along?

    Now to the good stuff - this computer keeps getting messages about being short on resources. I've run SpyBot. The HijackThis log is below.

    Any help you can give would be truly appreciated.

    T.


    Logfile of HijackThis v1.98.0
    Scan saved at 9:24:31 AM, on 7/2/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\DMI\BIN\WIN32SL.EXE
    C:\WINDOWS\PSSVC.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\DMI\BIN\DELLDMI.EXE
    C:\DMI\BIN\MONITOR.EXE
    C:\DMI\BIN\NIC.EXE
    C:\DMI\BIN\COO.EXE
    C:\DMI\BIN\DNAR.EXE
    C:\DMI\BIN\NODEMNGR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\PROGRAM FILES\NMAIL\NOTIFY.EXE
    C:\WINDOWS\DESKTOP\TIM'S SPYS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by United Parcel Service
    O1 - Hosts: 130.130.5.110 Jackson
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\COMET\BIN\CSTRAY.EXE
    O4 - HKLM\..\Run: [PrecisionTime] C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
    O4 - HKLM\..\Run: [Date Manager] "C:\PROGRA~1\Date Manager\DateManager.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\RunServices: [DMILDR] C:\DMI\bin\dmildr.exe
    O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i -p -r
    O4 - HKLM\..\RunServices: [AutoShutdown] C:\WINDOWS\pssvc.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: Notify Mail.lnk = C:\Program Files\NMail\NOTIFY.EXE
    O4 - Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PLDReminder.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
    O9 - Extra button: Dell Home - {448AAC80-CECE-11D3-9C12-00C04F0924E1} - http://www.dell.com/ (file missing) (HKCU)
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/sa/us/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = daviesprinting.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = daviesprinting.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.109.208.1,204.147.80.5

    :) :) :) :)
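An added example, not part of timr's post or of HijackThis itself: a small Python script that parses a HijackThis 1.98 log into its R/F/N/O entries and pulls out the ones a reviewer would look at first (O1 hosts-file mappings, O3/O9 entries whose target file is gone, O4 autostarts outside a vetted baseline, O16 ActiveX downloads, O17 name servers). The sample input is a trimmed excerpt of the log above; the baseline of trusted startup locations (Windows, the Symantec client, Dell DMI) is an assumption for illustration, the kind of allowlist an admin of 20 similar PCs would maintain, and a flagged entry means "identify it", not "it is malicious".

```python
import re

# Constructed sample input: a handful of lines from the HijackThis log
# posted in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 9:24:31 AM, on 7/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
O1 - Hosts: 130.130.5.110 Jackson
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PrecisionTime] C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/sa/us/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.109.208.1,204.147.80.5
"""

# One HijackThis entry: section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 registry autostarts look like "HKLM\..\Run: [Name] command line".
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Assumed site-specific baseline of already-vetted startup locations
# (Windows itself, the Symantec AV client, Dell's DMI agent). Adjust per site.
BASELINE_PREFIXES = ("c:\\windows\\", "c:\\progra~1\\symant~1\\", "c:\\dmi\\", "c:\\dell\\")
# Bare names with no path are resolved via the PATH / Windows directory on Win9x.
BASELINE_BARE = {"systray.exe", "mstask.exe", "lexstart.exe", "tcaudiag.exe", "rundll32.exe"}


def parse_hjt_log(text):
    """Return the R/F/N/O entries of a HijackThis log as (section, body) pairs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def startup_command_path(body):
    """Executable path from an O4 body; empty string if there is no [Name] part."""
    m = O4_RE.search(body)
    if not m:
        return ""
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):             # quoted path: everything up to the closing quote
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]          # otherwise the first token is the exe


def in_baseline(path):
    """True if the autostart target lives in one of the vetted locations."""
    p = path.lower()
    if "\\" not in p:
        return p in BASELINE_BARE
    return p.startswith(BASELINE_PREFIXES)


def review(entries):
    """Return (section, body, reason) for each entry that deserves a manual look."""
    findings = []
    for section, body in entries:
        if section == "O1":
            findings.append((section, body, "hosts-file mapping: confirm it is an intended internal host, not a redirect"))
        elif "(no file)" in body or "(file missing)" in body:
            findings.append((section, body, "orphaned registry reference: target file is gone, safe to remove"))
        elif section == "O4" and not in_baseline(startup_command_path(body)):
            findings.append((section, body, "autostart outside the vetted baseline: identify the vendor first"))
        elif section == "O16":
            findings.append((section, body, "ActiveX download (DPF): check the CAB source domain"))
        elif section == "O17" and "NameServer" in body:
            findings.append((section, body, "DNS servers: verify they are the company's resolvers"))
    return findings


if __name__ == "__main__":
    for section, body, reason in review(parse_hjt_log(SAMPLE_LOG)):
        print(f"{section:4} {reason}\n     {body}")
```

Run it against a saved log (read the file into `parse_hjt_log` instead of `SAMPLE_LOG`) and only the entries outside the baseline come back, which is what makes a 20-PC fleet manageable: once a vendor's path is vetted it is added to the prefix list and stops appearing in every subsequent log.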
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi timr,

    Your log is identical to the one you posted in your other thread here:
    https://www.wilderssecurity.com/showthread.php?t=39299

    Since this is a duplicate, I will lock this thread now and remove it shortly.

    Please do not start a new thread, but stay in the first one you started.

    Thank you,

    snap
     