Client Man (and others)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

_MickC

Thread Starter
Joined
Sep 30, 2003
Messages
44
Hi,

Thanks to the info on your site I was able to download and use firstly spybot then Ad-ware 6 to get rid of the 120 'intruders' found on my pc. It all seems back to normal but worryingly the files (BDE, ClearSearch etc) are still there and will not let me access them or delete them. I would appreciate your help in finally geeting rid. Below is my Highjack log. Thanks again Mick C.

Logfile of HijackThis v1.97.2
Scan saved at 23:48:56, on 30/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Mick Cooney\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/home/today/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.hsbc.*;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\Freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Microsoft Office (2).lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Cosmi Popup Blocker (HKLM)
O9 - Extra 'Tools' menuitem: Cosmi Popup Blocker (HKLM)
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37865.592650463
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\IntraLaunch.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89FD3111-E186-4A00-9F6D-95F4E2B7FA87}: NameServer = 195.92.195.94 195.92.195.95
 
Joined
Jul 24, 2003
Messages
420
Close all browser windows , Scan Hijack This , put a check in the following entries and hit ''Fix Checked'' ,

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Reboot your computer in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
Navigate to and Delete the suspect Files and Folders

The following link can assist you in optimizing your start-up applications www.pacs-portal.co.uk/startup_pages/startup_full.htm

Good luck
 

_MickC

Thread Starter
Joined
Sep 30, 2003
Messages
44
Thanks BlueSpruce, I appreciate you taking the time to help.

I did as you suggested and ran 'HighJack This' which then allowed me to delete the three lines you listed. I then restarted the computer in safe mode but when I tried to remove the BDE files and a file named d9e7bfc68a99f44df780 I got exactly the same warning message as I did when I tried to delete them previously with the pc in normal mode i.e.

'Cannot delete file. Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use'

I would appreciate any further suggestions as I will never feel fully free from it until I totally eradicate it from my pc.

Thanks again for your assistance, Mick
 
Joined
Oct 9, 2001
Messages
9,396
And this one:
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll

Re-boot and delete the file.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Originally posted by _MickC:
Thanks BlueSpruce, I appreciate you taking the time to help.

I did as you suggested and ran 'HighJack This' which then allowed me to delete the three lines you listed. I then restarted the computer in safe mode but when I tried to remove the BDE files and a file named d9e7bfc68a99f44df780 I got exactly the same warning message as I did when I tried to delete them previously with the pc in normal mode i.e.

'Cannot delete file. Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use'

I would appreciate any further suggestions as I will never feel fully free from it until I totally eradicate it from my pc.

Thanks again for your assistance, Mick
find the files that you want to delete and right click, check that read only is not ticked, if it is untick.

some of these files are set to be read only so that they can't be easily deleted
 

_MickC

Thread Starter
Joined
Sep 30, 2003
Messages
44
Hi Guys, thanks for your suggestions.

$teve - I deleted the 02 line you suggested but on re-booting it came up with the error message 'Real Download cannot be started you must re-install' - that is not a problem and I'm sure I'll find it on-line elsewhere

dvk01 - I tried right-clicking on the offending files and you are right they were shown as 'Read Only'. I unchecked the box, selected apply and then tried to delete them but was again met with the warning that I could not access and so it would not let me delete. Strangely when I went back to each file they were again shown as read only.

I would appreciate further ideas, Mick
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top