1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Lots of spyware....help cleaning it up

Discussion in 'Virus & Other Malware Removal' started by caminator, Sep 17, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. caminator

    caminator Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    337
    I ran hijackthis. Can someone please view my results and tell me which files I want to get rid of and ways to do so. Thanks for all the help!


    Logfile of HijackThis v1.97.2
    Scan saved at 5:14:03 PM, on 9/17/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\pctspk.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\rundll16.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\ClientMan\mscman.exe
    C:\PROGRA~1\Cacheman\Cacheman.exe
    C:\Program Files\ClientMan\msckin.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    c:\program files\clientman\run\ause3.exe
    \MMICServer1\SHARE\Profiles\ahamel\Desktop\msconfig.exe
    \MMICServer1\SHARE\Profiles\ahamel\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchandclick.com/metasearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll
    O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - c:\program files\clientman\run\msvrfy856c4943.dll
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - c:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINNT\System32\stlbupdt.DLL
    O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)
    O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT\rundll16.dll
    O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - c:\program files\clientman\run\urlclic565899e.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~2.DLL
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINNT\System32\stlbupdt.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
    O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Browser Pal Toolbar (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37441.3695023148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ********
    O17 - HKLM\System\CCS\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = ********
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ********
    O17 - HKLM\System\CS1\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = **********
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = *******
    O17 - HKLM\System\CS2\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = *********

    I am also not able to search from google or yahoo, or any search engine I've tried. The reults come back as "things" I can buy from ebay, or other retailers. And popups a stupid screen showing other search results, but none of them are every useful.
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Run HijackThis again and Fix these items. Then delete the folder
    c:\program files\clientman\ from your computer.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchandclick.com/metasearch.html

    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll

    O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll

    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - c:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL

    O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - c:\program files\clientman\run\msvrfy856c4943.dll

    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - c:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL

    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINNT\System32\stlbupdt.DLL

    O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINNT\System32\netpal.dll (file missing)

    O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)

    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT\rundll16.dll

    O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - c:\program files\clientman\run\urlclic565899e.dll

    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - c:\PROGRA~1\CLIENT~1\run\METAHE~2.DLL

    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINNT\System32\stlbupdt.DLL

    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINNT\System32\stlbupdt.DLL,DllRunMain

    O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe

    I don't like the looks of these last items, but don't fix them if you think they should be there.

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ********

    O17 - HKLM\System\CCS\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = ********

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ********
    O17 - HKLM\System\CS1\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = **********
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = *******

    O17 - HKLM\System\CS2\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = *********
     
  3. caminator

    caminator Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    337
    I did all that. Thanks. I cannot delete the folder because there are two files that are still being used. They are:

    urlclic565899e.dll
    searchrepe44a84f2.dll

    How do I remove a file from windows 200 ifd it says it is being used by the computer. (Can I uninstall these to files from dos or the command prompt?)
     
  4. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,991
    First Name:
    Frank
    Just something that I learned from experience. Make sure that you have the correct path name(with upper and lower case letters) written down for both of these files BEFORE you start. Entering the path name in all upper or all lower case letters doesn't always work because your computer won't recognize it without being entered exactly.

    (I get the impression that you already know how to restart in DOS mode and use the command prompt, so I'll stop here)


    Frank's Windows 95/98 Tips
     
  5. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Delete the files from Safe Mode or DOS.
     
  6. greensleeve

    greensleeve Guest

    A software called diagnose windows can help find out the problem
    download at WEDON'TPOSTSPAMHERE.COM!

    Link removed!
     
  7. caminator

    caminator Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    337
  8. caminator

    caminator Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    337
    After running it a second time, is there anything else the needs to be deleted? THanks

    Logfile of HijackThis v1.97.2
    Scan saved at 9:45:00 AM, on 9/25/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\pctspk.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    \MMICServer1\SHARE\Profiles\ahamel\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37441.3695023148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mobile-medical.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = 192.168.0.13
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mobile-medical.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = 192.168.0.13
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mobile-medical.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{43CAC377-9CC5-4BD0-BA51-FB82CD1CEE4A}: NameServer = 192.168.0.13
     
  9. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    R3 - Default URLSearchHook is missing
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Lots spyware help
  1. dano_61
    Replies:
    14
    Views:
    464
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/165489

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice