
Solved: Porn pop-up on my office computer

Discussion in 'Virus & Other Malware Removal' started by Tiramisu, Jan 27, 2005.

Thread Status:
Not open for further replies.
  1. Tiramisu

    Tiramisu Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    13
    I have recently been bombarded with porn pop-up screens on my office computer!! On top of that, I also noticed the following:
    Power Scan folder
    Internet Optimizer Folder
    Actalert.exe
    Preinsh.exe

    I understand that in most cases you need a log file. But I’m not sure whether it is possible to do this in a network situation. I mean, considering one computer is linked to the other, how long will it take? And where should I put that hijack program? Is it the same: C/:program Files/ Hijakthis

    I tried to do a scan using VET with the hope that it would fix it. It says that there are 3 infected files and 50 files that can’t be scanned, but those infected files can’t be deleted:
    Counter.exe
    Polal!1!.exe (in 2 different locations)

    I now always delete all files & cookies in my temp internet files each time those porn pop-ups start to come up. But it doesn’t seem to help either. My homepage address has also been changed. I can’t go back to the default one.

    Oh, I think my office uses Windows 2000 Professional.

    Please help, I need the internet for my work but I don’t dare to use it because of those adult pop-ups. And I find this very annoying.
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    It definitely would help to see the Hijack This log.

    Hijack This: http://www.majorgeeks.com/download3155.html

    You can make a folder in Program Files or My Documents. Download the program to that folder.

    Launch it and hit Scan (it only takes a few seconds)
    Then hit Save Log
    Copy & paste the log into this thread

    Do not attempt to fix anything yet
    Someone will analyze it for you and give you further instruction :)
     
  3. Tiramisu

    Tiramisu Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    13
    Thank you so much for the very prompt reply. Really appreciated :)
    I did try to reply back via email straight away but it seems it didn't work.
    anyway, i managed to save the log file and here is the result.

    Logfile of HijackThis v1.99.0
    Scan saved at 1:23:03 PM, on 28/01/2005
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Vet\isafe.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.exe
    C:\Vet\VetTray.exe
    C:\WINNT\system32\ntvdm.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\program files\180solutions\sais.exe
    C:\WINNT\ljtscb.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Cdaidg\Hoqctt.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Vet\VetMsg.exe
    H:\hsoft\Apps\Hct.exe
    \Nt-server-01\hsoft\hsoft\Apps\Ht04.exe
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\YG\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.163/search.php?v=6&aff=2242854
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.163/index.php?v=6&aff=2242854
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buysearch.cc/se.php?qq=credit+card+debt
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=137233
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.cc/index.php?v=6&aff=2242854
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apcstart.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
    O2 - BHO: FBarStart Class - {044D9F9F-0EE0-4E9B-B89B-5EBCA0F852CC} - C:\WINNT\System32\fsearchbar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINNT\System32\WStart.dll
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Fast Search - {85E517D1-1B6B-4662-AF6E-4B9738091DCC} - C:\WINNT\System32\fsearchbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
    O4 - HKLM\..\Run: [Solution 6 Workstation] C:\WINNT\System32\S6WorkS.exe PC-ACC-203
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
    O4 - HKLM\..\Run: [gnajob] C:\WINNT\gnajob.exe
    O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
    O4 - HKLM\..\Run: [BcWW] C:\WINNT\ljtscb.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
    ¤Á<ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\ljtscb.exe
    O4 - HKLM\..\Run: [Wkntbl] C:\Program Files\Cdaidg\Hoqctt.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
    O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINNT\System32\xplugin.dll
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

    i'll be waiting for your next instructions.

    thank you.
     
  4. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,782
    First Name:
    Frank
    I'll let those more experienced than me assist you with the HijackThis log, but it's apparent that you have some problems to get rid of, such as:

    sais.exe Read here.

    conscorr.exe Read here.

    satmat.exe Read here.

    istsvc.exe Read here.

    There are several more that look suspicious to me.

    ----------------------------------------------------------------

    Once your problem gets taken care of, you need to work on trimming down the startup load and getting rid of unnecessary programs that are running in the background.

    ----------------------------------------------------------------
     
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download and run these:

    Ad-Aware SE: http://www.lavasoftusa.com/support/download/

    Install and run it. On the bottom right corner of Ad-Aware you will see an option called "Check for updates now", click on that and choose "connect". Download the updates. Next click on "Scan now" on the left side of Ad-Aware. Make sure that "Search for negligible risk entries" is crossed out and not ticked. Choose "Perform full system scan" and click "Next". After Ad-Aware scans your computer, Ad-Aware may find some bad files on your computer so make sure you tick them all and choose "Next". It will ask if you want to remove those items so just continue. After removing the items close Ad-Aware.

    Reboot

    SpyBot: http://majorgeeks.com/download2471.html

    Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

    Reboot again

    Post a new log (y)
     
  6. Tiramisu

    Tiramisu Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    13
    alright,

    i've done everything as per your instructions.
    and here is my new log file.

    Logfile of HijackThis v1.99.0
    Scan saved at 1:39:04 PM, on 01/02/2005
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Vet\isafe.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Vet\VetMsg.exe
    C:\WINNT\Explorer.exe
    C:\Vet\VetTray.exe
    C:\WINNT\system32\ntvdm.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Cdaidg\Hoqctt.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    H:\hsoft\Apps\Hct.exe
    C:\Program Files\Hijakthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.163/search.php?v=6&aff=2242854
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.163/index.php?v=6&aff=2242854
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.163/index.php?v=6&aff=2242854
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.cc/index.php?v=6&aff=2242854
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apcstart.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
    R3 - Default URLSearchHook is missing
    O2 - BHO: FBarStart Class - {044D9F9F-0EE0-4E9B-B89B-5EBCA0F852CC} - C:\WINNT\System32\fsearchbar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Fast Search - {85E517D1-1B6B-4662-AF6E-4B9738091DCC} - C:\WINNT\System32\fsearchbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
    O4 - HKLM\..\Run: [Solution 6 Workstation] C:\WINNT\System32\S6WorkS.exe PC-ACC-203
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
    ¤Á<ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\ljtscb.exe
    O4 - HKLM\..\Run: [Wkntbl] C:\Program Files\Cdaidg\Hoqctt.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

    i've started using my internet again today for quite a while and so far there isn't a single pop-up ad. i just changed my homepage back so i'll find out tomorrow whether or not it stays.

    okie dokie......i'm waiting for your diagnosis. i really hope that there is nothing wrong left in my comp. *fingers crossed* ;)
     
  7. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,782
    First Name:
    Frank
    I don't believe that Windows 2000 has the MSCONFIG.EXE file installed, like Windows 98, ME, and XP do, so I'm not really sure how to disable some of your startup items and trim down the load. I was advised that you can install the MSCONFIG.EXE file from Windows XP into Windows 2000 and that it'll work, but I've never tried it myself, and I'm not sure which folder it goes into.

    ---------------------------------------------------------------

    Do a scan with HijackThis, place a checkmark in the following, then click "Fix Checked":

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - Default URLSearchHook is missing


    Someone more experienced than me will have to help you with the rest of the log.

    ----------------------------------------------------------------
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.163/search.php?v=6&aff=2242854
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.163/index.php?v=6&aff=2242854
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.163/index.php?v=6&aff=2242854
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.cc/index.php?v=6&aff=2242854
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: FBarStart Class - {044D9F9F-0EE0-4E9B-B89B-5EBCA0F852CC} - C:\WINNT\System32\fsearchbar.dll
    O3 - Toolbar: Fast Search - {85E517D1-1B6B-4662-AF6E-4B9738091DCC} - C:\WINNT\System32\fsearchbar.dll
    O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
    ¤Á<ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\ljtscb.exe
    O4 - HKLM\..\Run: [Wkntbl] C:\Program Files\Cdaidg\Hoqctt.exe

    Close all applications and browser windows before you click "fix checked".


    Restart in Safe Mode

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete this folder:
    C:\Program Files\ISTsvc

    Run adaware again while in safe mode.

    Reboot and post another log.
     
  9. Tiramisu

    Tiramisu Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    13
    I have a few problems in following your instructions this time.

    I've ticked those items that need to be fixed under HJ. The only thing that I couldn't find is the third one, i.e.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.163/index.php?v=6&aff=2242854
    But it's gone in my new log file anyway.

    Here is the problem: I couldn't enter safe mode. I mean, I followed the "F8 key" method but when I tried to log in using my usual username & password the system didn't allow me. Could this be because it's an office computer, hence a non-IT person won't have access to safe mode? So the rest of your instructions (to show hidden files, etc....etc....) was done NOT in Safe Mode.

    Also I can't find that "ISTsvc". I've done the search for files & folders. The only things I can find are those "ISTsvc" that have been quarantined by Spybot (I think). Should I delete that? There are a bunch of zip files in this folder which I suspect are related to those porn pop-ups (by reading the names of the files, i.e. powerscan, sexlist etc...etc...)

    So here is my log-file.

    Logfile of HijackThis v1.99.0
    Scan saved at 1:24:00 PM, on 02/02/2005
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Vet\isafe.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.exe
    C:\Vet\VetTray.exe
    C:\WINNT\system32\ntvdm.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Cdaidg\Hoqctt.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Hijakthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apcstart.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apcstart.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
    O4 - HKLM\..\Run: [Solution 6 Workstation] C:\WINNT\System32\S6WorkS.exe PC-ACC-203
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

    how does it look this time? :eek:
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Looks good. Any problems?
     
  11. Pandatech

    Pandatech

    Joined:
    Feb 1, 2005
    Messages:
    21
    VetMsg.exe<--spyware

    internat.exe<--Possible Trojan TROJ/LYDRA-F or a virus NETSNAKE

    smss.exe<-- could be Advertisingvision adware or the FLOOD.F virus or ALADINZ.F virus

    winlogon.exe<-- Hijacker or adult content dialler - file is located in C:\Windows or C:\Winnt, and not in its System or System32 subdirectory, as is the case with the legitimate winlogon.exe file

    services.exe<--Can be either W32.Neveg.B worm, NETSKY or NETSKY.B virus(s),KAZPING virus, Krepper-G trojan, a CoolWebSearch parasite variant, something added by NEVEG.A or NEVEG.B worm, CIADOOR-F TROJAN, Autotroj-C TROJAN, Browser hijacker, W32.CROWT.A WORM, or W32.MYDOOM.AL WORM.

    lsass.exe<-- ALADINZ.F VIRUS

    spoolsv.exe<--Spyware

    That's a few I identified with http://computercops.biz/sl-2600.html and www.google.com

    svchost.exe<--DONK VIRUS! Note - this is not the valid svchost.exe
     
  12. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706

    Process File: vetmsg or vetmsg.exe
    Process Name: CA eTrust EZ Antivirus Component
     
  13. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    internat.exe: Language selection icon in system tray, not spyware

    smss.exe is a process which is a part of the Microsoft Windows operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    VetMsg.exe: Candy covered that one
    internat.exe: mjack547 covered that one
    smss.exe: mjack547 covered that one
    spoolsv.exe: http://www.liutilities.com/products/wintaskspro/processlibrary/spoolsv/
    winlogon.exe: Pandatech covered that one as it is in C:\WINNT\system32\
    services.exe: I would be suspicious of it if it was not located in C:\WINNT\system32
    svchost.exe: I would be suspicious of it if it was not located in C:\WINNT\system32
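
The location check discussed in posts 11 to 14 (a core Windows process name is only expected under `C:\WINNT\system32`), written out as a log check. This is an added example, not part of the thread and not HijackThis's own code; the function names, the `SYSTEM32_ONLY` list (taken from the process names argued over above) and the sample log are assumptions made for illustration.

```python
import ntpath
import re

# Process names debated in the thread; each should only run from <SystemRoot>\system32.
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

ENTRY = re.compile(r"^[A-Z]\d+ - ")                    # any R0/O2/O4/... line
RUN_ENTRY = re.compile(r"^O4 - \S+: \[.*?\] (.+)$")    # O4 - HKLM\..\Run: [name] command

# Constructed sample in HijackThis v1.99 layout. The C:\WINNT\winlogon.exe process
# and the [HostSvc] Run entry are constructed to produce hits; the other lines
# mirror entries that appear in the thread's logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\Vet\VetMsg.exe
C:\WINNT\winlogon.exe

O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [HostSvc] "C:\Program Files\Common\svchost.exe" /s
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""


def command_path(command):
    """Pull the executable path out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first ".exe".
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def listed_executables(log_text):
    """Yield (source, path) for running processes and O4 Run entries."""
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
        elif ENTRY.match(line):
            in_processes = False          # process list ends at the first entry line
            match = RUN_ENTRY.match(line)
            if match:
                yield "O4", command_path(match.group(1))
        elif in_processes and line:
            yield "process", line


def misplaced_system_binaries(log_text, system_root=r"C:\WINNT"):
    """Return entries that use a core process name outside <system_root>\\system32."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32"))
    hits = []
    for source, path in listed_executables(log_text):
        folder, name = ntpath.split(ntpath.normpath(path))
        if not folder:                    # bare name, resolved via the search path
            continue
        if name.lower() in SYSTEM32_ONLY and ntpath.normcase(folder) != expected:
            hits.append((source, path))
    return hits


if __name__ == "__main__":
    for source, path in misplaced_system_binaries(SAMPLE_LOG):
        print(f"[{source}] core process name outside system32: {path}")
```

A clean result here only rules out the name-reuse trick: the thread's own log shows `fsearchbar.dll` sitting inside `C:\WINNT\System32` and still being removed, so the path check complements the scanner results rather than replacing them.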

     
  15. Tiramisu

    Tiramisu Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    13
    Thank you so much for all your help guys :D

    i'm just back in the office again after working on my client's site for a few days.
    anyway, i've used my internet quite a number of times today and don't have those porn pop-ups again.
    so i guess my computer is safe now.

    just my last question, i notice that those bad files quarantined by spybot-search are still there. should i delete them? is there any chance that they may infect me later on?

    also it's just out of my curiosity. how could all of this happen to me? i was told that those porn pop-ups come only if someone visited a porn web site before. but i never did. how could this happen? i don't understand :confused:

    can someone explain this to me pleaseeeeeee?
     
Short URL to this thread: https://techguy.org/323901
