Status
Not open for further replies.
1 - 18 of 18 Posts

·
Registered
Joined
·
13 Posts
Discussion Starter · #1 ·
I have recently been bombarded with porn pop-up screens on my office computer!! On top of that, I also noticed the following:
Power Scan folder
Internet Optimizer Folder
Actalert.exe
Preinsh.exe

I understand that in most cases you need a log file. But I’m not sure whether it is possible to do this in a network situation. I mean, considering one computer is linked to the others, how long will it take? And where should I put that hijack program? Is it the same: C/:program Files/ Hijakthis

I tried to do a scan using VET in the hope that it would fix it. It says that there are 3 infected files and 50 files that can’t be scanned, but those infected files can’t be deleted:
Counter.exe
Polal!1!.exe (in 2 different locations)

I now always delete all files & cookies in my temporary internet files each time the porn pop-ups start to come up. But it doesn’t seem to help either. My homepage address has also been changed. I can’t go back to the default one.

Oh, I think my office uses Windows 2000 Professional

Please help, I need the internet for my work but I don’t dare to use it because of those adult pop-ups. And I find this very annoying.
 

·
Retired Moderator
Joined
·
84,301 Posts
It definitely would help to see the Hijack This log.

Hijack This: http://www.majorgeeks.com/download3155.html

You can make a folder in Program Files or My Documents. Download the program to that folder.

Launch it and hit Scan (it only takes a few seconds)
Then hit Save Log
Copy & paste the log into this thread

Do not attempt to fix anything yet
Someone will analyze it for you and give you further instruction :)
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #3 ·
Thank you so much for the very prompt reply. Really appreciated :)
I did try to reply via email straight away but it seems it didn't work.
Anyway, I managed to save the log file and here is the result.

Logfile of HijackThis v1.99.0
Scan saved at 1:23:03 PM, on 28/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\Vet\VetTray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\program files\180solutions\sais.exe
C:\WINNT\ljtscb.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Cdaidg\Hoqctt.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Vet\VetMsg.exe
H:\hsoft\Apps\Hct.exe
\Nt-server-01\hsoft\hsoft\Apps\Ht04.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\YG\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.163/search.php?v=6&aff=2242854
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buysearch.cc/se.php?qq=credit+card+debt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=137233
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.cc/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: FBarStart Class - {044D9F9F-0EE0-4E9B-B89B-5EBCA0F852CC} - C:\WINNT\System32\fsearchbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINNT\System32\WStart.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Fast Search - {85E517D1-1B6B-4662-AF6E-4B9738091DCC} - C:\WINNT\System32\fsearchbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [Solution 6 Workstation] C:\WINNT\System32\S6WorkS.exe PC-ACC-203
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [gnajob] C:\WINNT\gnajob.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [BcWW] C:\WINNT\ljtscb.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
¤Á<ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\ljtscb.exe
O4 - HKLM\..\Run: [Wkntbl] C:\Program Files\Cdaidg\Hoqctt.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINNT\System32\xplugin.dll
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

i'll be waiting for your next instructions.

thank you.
 

·
Trusted Advisor
Joined
·
85,507 Posts
I'll let those more experienced than me assist you with the HijackThis log, but it's apparent that you have some problems to get rid of, such as:

sais.exe Read here.

conscorr.exe Read here.

satmat.exe Read here.

istsvc.exe Read here.

There are several more that look suspicious to me.

----------------------------------------------------------------

Once your problem gets taken care of, you need to work on trimming down the startup load and getting rid of unnecessary programs that are running in the background.

----------------------------------------------------------------
 

·
Retired Moderator
Joined
·
84,301 Posts
Download and run these:

Ad-Aware SE: http://www.lavasoftusa.com/support/download/

Install and run it. On the bottom right corner of Ad-Aware you will see an option called "Check for updates now", click on that and choose "connect". Download the updates. Next click on "Scan now" on the left side of Ad-Aware. Make sure that "Search for negligible risk entries" is crossed out and not ticked. Choose "Perform full system scan" and click "Next". After Ad-Aware scans your computer, Ad-Aware may find some bad files on your computer so make sure you tick them all and choose "Next". It will ask if you want to remove those items so just continue. After removing the items close Ad-Aware.

Reboot

SpyBot: http://majorgeeks.com/download2471.html

Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

Reboot again

Post a new log :up:
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #6 ·
alright,

i've done everything as per your instructions.
and here is my new log file.

Logfile of HijackThis v1.99.0
Scan saved at 1:39:04 PM, on 01/02/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Vet\VetMsg.exe
C:\WINNT\Explorer.exe
C:\Vet\VetTray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Cdaidg\Hoqctt.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
H:\hsoft\Apps\Hct.exe
C:\Program Files\Hijakthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.163/search.php?v=6&aff=2242854
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.cc/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
R3 - Default URLSearchHook is missing
O2 - BHO: FBarStart Class - {044D9F9F-0EE0-4E9B-B89B-5EBCA0F852CC} - C:\WINNT\System32\fsearchbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Fast Search - {85E517D1-1B6B-4662-AF6E-4B9738091DCC} - C:\WINNT\System32\fsearchbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [Solution 6 Workstation] C:\WINNT\System32\S6WorkS.exe PC-ACC-203
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
¤Á<ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\ljtscb.exe
O4 - HKLM\..\Run: [Wkntbl] C:\Program Files\Cdaidg\Hoqctt.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

I've started using my internet again today for quite a while and so far there hasn't been a single pop-up ad. I just changed my homepage back, so I'll find out tomorrow whether or not it stays.

Okie dokie......I'm waiting for your diagnosis. I really hope that there is nothing wrong left in my comp. *fingers crossed* ;)
 

·
Trusted Advisor
Joined
·
85,507 Posts
I don't believe that Windows 2000 has the MSCONFIG.EXE file installed, like Windows 98, ME, and XP do, so I'm not really sure how to disable some of your startup items and trim down the load. I was advised that you can install the MSCONFIG.EXE file from Windows XP into Windows 2000 and that it'll work, but I've never tried it myself, and I'm not sure which folder it goes into.

---------------------------------------------------------------

Do a scan with HijackThis, place a checkmark in the following, then click "Fix Checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing


Someone more experienced than me will have to help you with the rest of the log.

----------------------------------------------------------------
 

·
Retired Moderator
Joined
·
72,109 Posts
Run HJT again and put a check in the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.163/search.php?v=6&aff=2242854
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.cc/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: FBarStart Class - {044D9F9F-0EE0-4E9B-B89B-5EBCA0F852CC} - C:\WINNT\System32\fsearchbar.dll
O3 - Toolbar: Fast Search - {85E517D1-1B6B-4662-AF6E-4B9738091DCC} - C:\WINNT\System32\fsearchbar.dll
O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
¤Á<ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\ljtscb.exe
O4 - HKLM\..\Run: [Wkntbl] C:\Program Files\Cdaidg\Hoqctt.exe

Close all applications and browser windows before you click "fix checked".

Restart in Safe Mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete this folder:
C:\Program Files\ISTsvc

Run adaware again while in safe mode.

Reboot and post another log.
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #9 ·
I have a few problems in following your instructions this time.

I've ticked those items that need to be fixed under HJ. The only thing that I couldn't find is the third one, i.e.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.163/index.php?v=6&aff=2242854
But it's gone in my new log file anyway.

Here is the problem: I couldn't enter Safe Mode. I mean, I followed the "F8 key" method, but when I tried to log in using my usual username & password the system didn't allow me. Could this be because it's an office computer, hence a non-IT person won't have access to Safe Mode? So the rest of your instructions (to show hidden files, etc.) were done NOT in Safe Mode.

Also I can't find that "ISTsvc". I've done the search for files & folders. The only things I can find are those "ISTsvc" that have been quarantined by Spybot (I think). Should I delete that? There are a bunch of zip files in this folder which I suspect are related to those porn pop-ups (by reading the file names, i.e. powerscan, sexlist, etc.)

So here is my log-file.

Logfile of HijackThis v1.99.0
Scan saved at 1:24:00 PM, on 02/02/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\Vet\VetTray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Cdaidg\Hoqctt.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hijakthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [Solution 6 Workstation] C:\WINNT\System32\S6WorkS.exe PC-ACC-203
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

how does it look this time? :eek:
 

·
Registered
Joined
·
21 Posts
VetMsg.exe<--spyware

internat.exe<--Possible Trojan TROJ/LYDRA-F or a virus NETSNAKE

smss.exe<-- could be Advertisingvision adware or the FLOOD.F virus or ALADINZ.F virus

winlogon.exe<-- Hijacker or adult content dialler - file is located in C:\Windows or C:\Winnt, and not in its System or System32 subdirectory, as is the case with the legitimate winlogon.exe file

services.exe<--Can be either W32.Neveg.B worm, NETSKY or NETSKY.B virus(es), KAZPING virus, Krepper-G trojan, a CoolWebSearch parasite variant, something added by NEVEG.A or NEVEG.B worm, CIADOOR-F TROJAN, Autotroj-C TROJAN, Browser hijacker, W32.CROWT.A WORM, or W32.MYDOOM.AL WORM.

lsass.exe<-- ALADINZ.F VIRUS

spoolsv.exe<--Spyware

That's a few I identified with http://computercops.biz/sl-2600.html and www.google.com

svchost.exe<--DONK VIRUS! Note - this is not the valid svchost.exe
 

·
Registered
Joined
·
3,181 Posts
Pandatech said:
VetMsg.exe<--spyware

internat.exe<--Possible Trojan TROJ/LYDRA-F or a virus NETSNAKE

smss.exe<-- could be Advertisingvision adware or the FLOOD.F virus or ALADINZ.F virus

That's a few I identified with http://computercops.biz/sl-2600.html and www.google.com

svchost.exe<--DONK VIRUS! Note - this is not the valid svchost.exe

internat.exe: Language selection icon in system tray, not spyware

smss.exe is a process which is a part of the Microsoft Windows operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.
 

·
Retired Moderator
Joined
·
72,109 Posts
VetMsg.exe: Candy covered that one
internat.exe: mjack547 covered that one
smss.exe: mjack547 covered that one
spoolsv.exe: http://www.liutilities.com/products/wintaskspro/processlibrary/spoolsv/
winlogon.exe: Pandatech covered that one as it is in C:\WINNT\system32\
services.exe: I would be suspect of if it was not located in C:\WINNT\system32
svchost.exe: I would be suspect of if it was not located in C:\WINNT\system32

cybertech said:
Looks good. Any problems?
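
The location check the helpers apply in the replies above (a core Windows process name is only trusted when it runs from the system32 directory), as an added example that is not part of the original thread. The function names and the default system root `C:\WINNT` are assumptions; the log excerpt is copied from the thread, and the misplaced `svchost.exe` path is constructed.

```python
import ntpath

# Core Windows 2000 processes that legitimately run only from <system root>\system32.
SYSTEM32_ONLY = {
    "smss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Excerpt of the "Running processes" section posted in the thread.
PAGE_EXCERPT = r"""Logfile of HijackThis v1.99.0
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Vet\VetMsg.exe
C:\WINNT\System32\internat.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
"""

# Constructed variant: the same log with svchost.exe moved out of system32.
CONSTRUCTED_BAD = PAGE_EXCERPT.replace(
    r"C:\WINNT\system32\svchost.exe", r"C:\WINNT\svchost.exe"
)


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' (ends at a blank line)."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            procs.append(line)
    return procs


def misplaced_system_processes(log_text, system_root=r"C:\WINNT"):
    """Return running paths that use a core process name outside system32.

    Windows paths are case-insensitive, so both sides are normalised first.
    """
    expected_dir = ntpath.normcase(ntpath.join(system_root, "system32"))
    flagged = []
    for path in running_processes(log_text):
        directory, name = ntpath.split(path)
        if name.lower() in SYSTEM32_ONLY and ntpath.normcase(directory) != expected_dir:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print("thread log:", misplaced_system_processes(PAGE_EXCERPT))
    print("constructed log:", misplaced_system_processes(CONSTRUCTED_BAD))
```

A name match alone says nothing about a process; the path is what separates the legitimate file from an impostor, which is why the thread's log passes this check.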
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #15 ·
Thank you so much for all your help guys :D

I'm just back in the office again after working at my client's site for a few days.
Anyway, I've used my internet quite a number of times today and don't have those porn pop-ups again.
So I guess my computer is safe now.

Just one last question: I notice that those bad files quarantined by Spybot are still there. Should I delete them? Is there any chance that they may infect me later on?

Also, just out of curiosity: how could all of this happen to me? I was told that those porn pop-ups come only if someone has visited a porn web site before. But I never have. How could this happen? I don't understand :confused:

can someone explain this to me pleaseeeeeee?
 

·
Registered
Joined
·
14,017 Posts
Firewall your system and get some ActiveX control on it. I'll let somebody else point you to the best. I just barely keep my own head above water. :)
 

·
Trusted Advisor
Joined
·
85,507 Posts
You can delete the quarantine list, if you want to. Leaving them quarantined though won't hurt anything.

You don't necessarily have to visit porn sites to pick up some "nasty" from them. Other sites can do this by installing pop-up ads in your computer without your knowledge.

Click Tools - Internet Options - Privacy - Advanced, then select these settings:

Overall automatic cookie handling

First party cookies - Allow

Third party cookies - Block

Always allow session cookies


This should help some with getting unwanted cookies installed in your computer.
 