Lots of spyware....help cleaning it up

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

caminator

Thread Starter
Joined
Sep 17, 2003
Messages
337
I ran hijackthis. Can someone please view my results and tell me which files I want to get rid of and ways to do so. Thanks for all the help!


Logfile of HijackThis v1.97.2
Scan saved at 5:14:03 PM, on 9/17/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\rundll16.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ClientMan\mscman.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\ClientMan\msckin.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
c:\program files\clientman\run\ause3.exe
\MMICServer1\SHARE\Profiles\ahamel\Desktop\msconfig.exe
\MMICServer1\SHARE\Profiles\ahamel\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchandclick.com/metasearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - c:\program files\clientman\run\msvrfy856c4943.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - c:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINNT\System32\stlbupdt.DLL
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT\rundll16.dll
O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - c:\program files\clientman\run\urlclic565899e.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~2.DLL
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINNT\System32\stlbupdt.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Browser Pal Toolbar (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37441.3695023148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ********
O17 - HKLM\System\CCS\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = ********
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ********
O17 - HKLM\System\CS1\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = **********
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = *******
O17 - HKLM\System\CS2\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = *********

I am also not able to search from google or yahoo, or any search engine I've tried. The reults come back as "things" I can buy from ebay, or other retailers. And popups a stupid screen showing other search results, but none of them are every useful.
 
Joined
Jul 8, 2002
Messages
14,681
Run HijackThis again and Fix these items. Then delete the folder
c:\program files\clientman\ from your computer.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchandclick.com/metasearch.html

O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll

O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll

O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL

O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - c:\program files\clientman\run\msvrfy856c4943.dll

O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - c:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINNT\System32\stlbupdt.DLL

O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)

O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)

O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT\rundll16.dll

O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - c:\program files\clientman\run\urlclic565899e.dll

O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~2.DLL

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINNT\System32\stlbupdt.DLL

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain

O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe

I don't like the looks of these last items, but don't fix them if you think they should be there.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ********

O17 - HKLM\System\CCS\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = ********

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ********
O17 - HKLM\System\CS1\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = **********
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = *******

O17 - HKLM\System\CS2\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = *********
 

caminator

Thread Starter
Joined
Sep 17, 2003
Messages
337
I did all that. Thanks. I cannot delete the folder because there are two files that are still being used. They are:

urlclic565899e.dll
searchrepe44a84f2.dll

How do I remove a file from windows 200 ifd it says it is being used by the computer. (Can I uninstall these to files from dos or the command prompt?)
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
81,598
Just something that I learned from experience. Make sure that you have the correct path name(with upper and lower case letters) written down for both of these files BEFORE you start. Entering the path name in all upper or all lower case letters doesn't always work because your computer won't recognize it without being entered exactly.

(I get the impression that you already know how to restart in DOS mode and use the command prompt, so I'll stop here)


Frank's Windows 95/98 Tips
 
G

greensleeve

A software called diagnose windows can help find out the problem
download at WEDON'TPOSTSPAMHERE.COM!

Link removed!
 

caminator

Thread Starter
Joined
Sep 17, 2003
Messages
337
After running it a second time, is there anything else the needs to be deleted? THanks

Logfile of HijackThis v1.97.2
Scan saved at 9:45:00 AM, on 9/25/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
\MMICServer1\SHARE\Profiles\ahamel\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37441.3695023148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mobile-medical.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = 192.168.0.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mobile-medical.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = 192.168.0.13
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mobile-medical.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = 192.168.0.13
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top