
Registered · 18 Posts · Discussion Starter · #1
I was just wondering what are the most up-to-date programs for removing spyware? I just upgraded AdAware6 to SE. I am using HJT v1.97.7, CWS v2.12, and Spybot S&D 1.3. I started using these a while ago, so I doubt they are up-to-date.

Also, I had some more spyware show up, so here is an HJT log. Please help.

Logfile of HijackThis v1.97.7
Scan saved at 3:02:04 PM, on 1/13/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Documents and Settings\shertz\Application Data\cier.exe
C:\WINNT\system32\w?auclt.exe
C:\Documents and Settings\shertz\Desktop\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.hgsi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.hgsi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Human Genome Sciences
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://w3.hgsi.com/proxy.pac
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D279E26E-29F5-2872-8695-7BA2D88466C0} - C:\WINNT\system32\shu.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ixpewnzunvn] C:\WINNT\system32\nesapq.exe
O4 - HKCU\..\Run: [Tclt] C:\Documents and Settings\shertz\Application Data\cier.exe
O4 - HKCU\..\Run: [Zhlkke] C:\WINNT\system32\w?auclt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://w3.hgsi.com
O16 - DPF: Documentum Content Transfer Applets - http://dmsapppr.hgsi.com:7002/mfgedms/wdk/contentXfer/DwContentXfer.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswax.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {22D12D01-AAFD-4450-850D-DC5BCB103B61} (QMControls.DialogControls) - http://qumas.hgsi.com/eDocCompliance/framework/common/activex/qmcontrols.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38341.5102083333
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} (SAXFile ActiveX Control) - http://qumas.hgsi.com/eDocCompliance/framework/common/activex/saxfile.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://phobos.apple.com/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F77BA8AB-5ECF-4068-A393-8861AE213C85} (q_CViewer Control) - http://qumas.hgsi.com/eDocCompliance/framework/common/activex/q_ComplianceViewer.cab
 

Registered · 18 Posts · Discussion Starter · #3
New HJT log as requested.

Logfile of HijackThis v1.99.0
Scan saved at 3:31:02 PM, on 1/13/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Documents and Settings\shertz\Application Data\cier.exe
C:\Documents and Settings\shertz\Desktop\Spyware\HijackThis.exe
C:\WINNT\system32\w?auclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.hgsi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.hgsi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Human Genome Sciences
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://w3.hgsi.com/proxy.pac
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D279E26E-29F5-2872-8695-7BA2D88466C0} - C:\WINNT\system32\shu.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ixpewnzunvn] C:\WINNT\system32\nesapq.exe
O4 - HKCU\..\Run: [Tclt] C:\Documents and Settings\shertz\Application Data\cier.exe
O4 - HKCU\..\Run: [Zhlkke] C:\WINNT\system32\w?auclt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://w3.hgsi.com
O15 - Trusted IP range: (HKLM)
O16 - DPF: Documentum Content Transfer Applets - http://dmsapppr.hgsi.com:7002/mfgedms/wdk/contentXfer/DwContentXfer.cab
O16 - DPF: {22D12D01-AAFD-4450-850D-DC5BCB103B61} (QMControls.DialogControls) - http://qumas.hgsi.com/eDocCompliance/framework/common/activex/qmcontrols.cab
O16 - DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} (SAXFile ActiveX Control) - http://qumas.hgsi.com/eDocCompliance/framework/common/activex/saxfile.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://phobos.apple.com/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F77BA8AB-5ECF-4068-A393-8861AE213C85} (q_CViewer Control) - http://qumas.hgsi.com/eDocCompliance/framework/common/activex/q_ComplianceViewer.cab
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
 

Administrator · 123,519 Posts
Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll

O2 - BHO: (no name) - {D279E26E-29F5-2872-8695-7BA2D88466C0} - C:\WINNT\system32\shu.dll

O4 - HKLM\..\Run: [ixpewnzunvn] C:\WINNT\system32\nesapq.exe

If you don't recognize this as something valid, include this entry as well:
O4 - HKCU\..\Run: [Tclt] C:\Documents and Settings\shertz\Application Data\cier.exe

O4 - HKCU\..\Run: [Zhlkke] C:\WINNT\system32\w?auclt.exe

O15 - Trusted IP range: (HKLM)


Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\Documents and Settings\shertz\Application Data\cier.exe
C:\WINNT\system32\w?auclt.exe (it must have the ? in it)

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

These files may be hidden so double-click on My Computer. Go to Control Panel - Tools - folder options. Click on view tab and make sure “show hidden files and folders” is checked. Uncheck “Hide file extensions for known file types”. Uncheck “hide protected operating system files”. Click Apply then O.K.

Then reboot and post another Hijack This log please.
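A defender-side triage of the kind of HijackThis lines the reply above singles out, as an added example that is not from the thread or from HijackThis itself. The allowlists of known-good BHOs and Run executables, and the list of Windows binary names used for the lookalike check, are assumptions made for this example; the sample lines are copied from the log posted in this thread.

```python
import re
from fnmatch import fnmatch

# Sample HijackThis lines, copied from the log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {D279E26E-29F5-2872-8695-7BA2D88466C0} - C:\\WINNT\\system32\\shu.dll
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O4 - HKLM\\..\\Run: [ixpewnzunvn] C:\\WINNT\\system32\\nesapq.exe
O4 - HKCU\\..\\Run: [Tclt] C:\\Documents and Settings\\shertz\\Application Data\\cier.exe
O4 - HKCU\\..\\Run: [Zhlkke] C:\\WINNT\\system32\\w?auclt.exe
"""

# Allowlists built from what the thread treats as legitimate (assumption for this example).
KNOWN_GOOD_BHO = {"sdhelper.dll", "acroiehelper.ocx"}
KNOWN_GOOD_RUN = {"vptray.exe", "dpmw32.exe", "nwtray.exe", "qttask.exe", "mobsync.exe"}
# Windows binaries that malware names itself after; HJT prints a non-ASCII byte as '?'.
WINDOWS_NAMES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "explorer.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<path>.+)$")

def basename(path):
    """Last path component, lower-cased, with any surrounding quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def flag_line(line):
    """Return the reasons a single HJT line deserves a closer look (empty if none)."""
    reasons = []
    if (m := O2_RE.match(line)) and m.group("name") == "(no name)":
        if basename(m.group("path")) not in KNOWN_GOOD_BHO:
            reasons.append("unnamed BHO loading an unrecognised DLL")
    if m := O4_RE.match(line):
        exe = basename(m.group("path"))
        if "?" in exe:
            # Treat HJT's '?' as a one-character wildcard to spot name lookalikes.
            hits = [w for w in WINDOWS_NAMES if fnmatch(w, exe)]
            reasons.append("non-ASCII byte in filename" + (f", lookalike of {hits[0]}" if hits else ""))
        if "application data" in m.group("path").lower():
            reasons.append("autorun from user-writable Application Data")
        if exe not in KNOWN_GOOD_RUN:
            reasons.append("autorun executable not on the allowlist")
    return reasons

def triage(log_text):
    """Map each flagged HJT line to its reasons; clean lines are omitted."""
    return {ln: r for ln in log_text.splitlines() if (r := flag_line(ln))}

if __name__ == "__main__":
    for ln, why in triage(SAMPLE_LOG).items():
        print(ln, "->", "; ".join(why))
```

The allowlist check is deliberately strict, so any legitimate autorun not on the list shows up for review rather than being silently passed.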
 

Registered · 18 Posts · Discussion Starter · #5
JD and Cookie, thanks for your help. I'm pretty much sure you caught most of it.

Logfile of HijackThis v1.99.0
Scan saved at 9:56:09 AM, on 1/14/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Documents and Settings\shertz\Desktop\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.hgsi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.hgsi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Human Genome Sciences
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://w3.hgsi.com/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://w3.hgsi.com
O16 - DPF: Documentum Content Transfer Applets - http://dmsapppr.hgsi.com:7002/mfgedms/wdk/contentXfer/DwContentXfer.cab
O16 - DPF: {22D12D01-AAFD-4450-850D-DC5BCB103B61} (QMControls.DialogControls) - http://qumas.hgsi.com/eDocCompliance/framework/common/activex/qmcontrols.cab
O16 - DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} (SAXFile ActiveX Control) - http://qumas.hgsi.com/eDocCompliance/framework/common/activex/saxfile.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://phobos.apple.com/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F77BA8AB-5ECF-4068-A393-8861AE213C85} (q_CViewer Control) - http://qumas.hgsi.com/eDocCompliance/framework/common/activex/q_ComplianceViewer.cab
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
 

Administrator · 123,519 Posts
You're welcome. :)

IMPORTANT!: You should go to http://v4.windowsupdate.microsoft.com/en/default.asp and install all "Critical Updates and Service Pack 1" (hold off on SP2 for the time being). This will patch numerous security holes in IE and Windows. Otherwise, you are leaving your computer open and vulnerable.

Delete Temporary Files:

In safe mode go to the C:\Windows\Temp folder. Open the Temporary folder. Click on Edit - select all, then Edit - delete to empty the contents.

Next navigate to the C:\Documents and Settings\Owner\Local Settings\Temp folder. Open the Temp folder and delete everything except the Cookies, History and Temporary Internet Files folders.

Delete your Internet Temporary Files:

Go to Tools - Internet Options - General tab - delete temporary Internet files - put a check beside delete off-line contents, then click OK.

Empty your recycle bin.

I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD, for added protection.

http://www.javacoolsoftware.com/spywareblaster.html

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html
 

Registered · 18 Posts · Discussion Starter · #8
I've been trying to stay up to date with WinUpdates, but I can't install any of them without admin rights from the IT dept at my office. I know about SP2 and how it can mess things up on an internal network, so I'll stay away from that unless I'm told to install it here. I'll make sure to get all the temp stuff on Monday.

Thanks!
 