Solved: Porn pop-up on my office computer

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Tiramisu

Thread Starter
Joined
Jan 23, 2005
Messages
13
I have recently been bombarded with porn pop-up screens on my office computer!! On top of that, I also noticed the following:
Power Scan folder
Internet Optimizer Folder
Actalert.exe
Preinsh.exe

I understand that in most cases you need a log file. But I’m not sure whether it is possible to do this in a network situation. I mean, considering one computer is linked to the others, how long will it take? And where should I put that hijack program? Is it the same: C/:program Files/ Hijakthis

I tried to do a scan using VET in the hope that it would fix it. It says that there are 3 infected files and 50 files that can’t be scanned, but those infected files can’t be deleted:
Counter.exe
Polal!1!.exe (in 2 different locations)

I now always delete all files & cookies in my temp internet files each time those porn pop-ups start to come up. But it doesn’t seem to help either. My homepage address has also been changed. I can’t go back to the default one.

Oh, I think my office uses Windows 2000 Professional

Please help, I need the internet for my work but I don’t dare to use it because of those adult pop-ups. And I find this very annoying.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
It definitely would help to see the Hijack This log.

Hijack This: http://www.majorgeeks.com/download3155.html

You can make a folder in Program Files or My Documents. Download the program to that folder.

Launch it and hit Scan (it only takes a few seconds)
Then hit Save Log
Copy & paste the log into this thread

Do not attempt to fix anything yet
Someone will analyze it for you and give you further instruction :)
 

Tiramisu

Thread Starter
Joined
Jan 23, 2005
Messages
13
Thank you so much for the very prompt reply. really appreciated :)
I did try to reply back via email straight away but it seems it didn't work.
anyway, i managed to save the log file and here is the result.

Logfile of HijackThis v1.99.0
Scan saved at 1:23:03 PM, on 28/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\Vet\VetTray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\program files\180solutions\sais.exe
C:\WINNT\ljtscb.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Cdaidg\Hoqctt.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Vet\VetMsg.exe
H:\hsoft\Apps\Hct.exe
\Nt-server-01\hsoft\hsoft\Apps\Ht04.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\YG\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.163/search.php?v=6&aff=2242854
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://buysearch.cc/se.php?qq=credit+card+debt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=137233
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.cc/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: FBarStart Class - {044D9F9F-0EE0-4E9B-B89B-5EBCA0F852CC} - C:\WINNT\System32\fsearchbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINNT\System32\WStart.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Fast Search - {85E517D1-1B6B-4662-AF6E-4B9738091DCC} - C:\WINNT\System32\fsearchbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [Solution 6 Workstation] C:\WINNT\System32\S6WorkS.exe PC-ACC-203
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [gnajob] C:\WINNT\gnajob.exe
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\Run: [BcWW] C:\WINNT\ljtscb.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
¤Á<ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\ljtscb.exe
O4 - HKLM\..\Run: [Wkntbl] C:\Program Files\Cdaidg\Hoqctt.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINNT\System32\xplugin.dll
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

i'll be waiting for your next instructions.

thank you.
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
81,601
I'll let those more experienced than me assist you with the HijackThis log, but it's apparent that you have some problems to get rid of, such as:

sais.exe Read here.

conscorr.exe Read here.

satmat.exe Read here.

istsvc.exe Read here.

There are several more that look suspicious to me.

----------------------------------------------------------------

Once your problem gets taken care of, you need to work on trimming down the startup load and getting rid of unnecessary programs that are running in the background.

----------------------------------------------------------------
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Download and run these:

Ad-Aware SE: http://www.lavasoftusa.com/support/download/

Install and run it. On the bottom right corner of Ad-Aware you will see an option called "Check for updates now", click on that and choose "connect". Download the updates. Next click on "Scan now" on the left side of Ad-Aware. Make sure that "Search for negligible risk entries" is crossed out and not ticked. Choose "Perform full system scan" and click "Next". After Ad-Aware scans your computer, Ad-Aware may find some bad files on your computer so make sure you tick them all and choose "Next". It will ask if you want to remove those items so just continue. After removing the items close Ad-Aware.

Reboot

SpyBot: http://majorgeeks.com/download2471.html

Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

Reboot again

Post a new log (y)
 

Tiramisu

Thread Starter
Joined
Jan 23, 2005
Messages
13
alright,

i've done everything as per your instructions.
and here is my new log file.

Logfile of HijackThis v1.99.0
Scan saved at 1:39:04 PM, on 01/02/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Vet\VetMsg.exe
C:\WINNT\Explorer.exe
C:\Vet\VetTray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Cdaidg\Hoqctt.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
H:\hsoft\Apps\Hct.exe
C:\Program Files\Hijakthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.163/search.php?v=6&aff=2242854
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.cc/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
R3 - Default URLSearchHook is missing
O2 - BHO: FBarStart Class - {044D9F9F-0EE0-4E9B-B89B-5EBCA0F852CC} - C:\WINNT\System32\fsearchbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Fast Search - {85E517D1-1B6B-4662-AF6E-4B9738091DCC} - C:\WINNT\System32\fsearchbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [Solution 6 Workstation] C:\WINNT\System32\S6WorkS.exe PC-ACC-203
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
¤Á<ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\ljtscb.exe
O4 - HKLM\..\Run: [Wkntbl] C:\Program Files\Cdaidg\Hoqctt.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

i've started using my internet again today for quite a while and so far there isn't a single pop-up ad. i just changed back my homepage so i'll find out tomorrow whether or not it stays.

okie dokie......i'm waiting for your diagnosis. i really hope that there is nothing wrong left in my comp. *finger cross* ;)
 

flavallee

Frank
Trusted Advisor
Joined
May 12, 2002
Messages
81,601
I don't believe that Windows 2000 has the MSCONFIG.EXE file installed, like Windows 98, ME, and XP do, so I'm not really sure how to disable some of your startup items and trim down the load. I was advised that you can install the MSCONFIG.EXE file from Windows XP into Windows 2000 and that it'll work, but I've never tried it myself, and I'm not sure which folder it goes into.

---------------------------------------------------------------

Do a scan with HijackThis, place a checkmark in the following, then click "Fix Checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing


Someone more experienced than me will have to help you with the rest of the log.

----------------------------------------------------------------
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Run HJT again and put a check in the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://82.179.166.163/search.php?v=6&aff=2242854
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.163/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.cc/index.php?v=6&aff=2242854
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: FBarStart Class - {044D9F9F-0EE0-4E9B-B89B-5EBCA0F852CC} - C:\WINNT\System32\fsearchbar.dll
O3 - Toolbar: Fast Search - {85E517D1-1B6B-4662-AF6E-4B9738091DCC} - C:\WINNT\System32\fsearchbar.dll
O4 - HKLM\..\Run: [¢‰¸ÓÝ4‚’È
¤Á<ÉoUC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\ljtscb.exe
O4 - HKLM\..\Run: [Wkntbl] C:\Program Files\Cdaidg\Hoqctt.exe

Close all applications and browser windows before you click "fix checked".


Restart in Safe Mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete this folder:
C:\Program Files\ISTsvc

Run adaware again while in safe mode.

Reboot and post another log.
 

Tiramisu

Thread Starter
Joined
Jan 23, 2005
Messages
13
I have a few problems in following your instructions this time.

I've ticked those items that need to be fixed under HJ. The only thing that I couldn't find is the third one, i.e.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://82.179.166.163/index.php?v=6&aff=2242854
But it's gone in my new log file anyway.

Here is the problem: I couldn't enter safe mode. I mean, I followed the "F8 key" method, but when I tried to log in using my usual username & password the system didn't allow me. Could this be because it's an office computer, hence a non-IT person won't have access to safe mode? So the rest of your instructions (to show hidden files, etc....etc....) were done NOT in Safe Mode.

Also I can't find that "ISTsvc". I've done the search for files & folders. The only things I can find are those "ISTsvc" files that have been quarantined by Spybot (I think). Should I delete them? There are a bunch of zip files in this folder which I suspect are related to those porn pop-ups (going by the file names, i.e. powerscan, sexlist etc...etc...)

So here is my log-file.

Logfile of HijackThis v1.99.0
Scan saved at 1:24:00 PM, on 02/02/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\Vet\VetTray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Cdaidg\Hoqctt.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hijakthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.apcstart.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [Solution 6 Workstation] C:\WINNT\System32\S6WorkS.exe PC-ACC-203
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PhillipAnthonyPartners.local
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

how does it look this time? :eek:
 
Joined
Feb 1, 2005
Messages
21
VetMsg.exe<--spyware

internat.exe<--Possible Trojan TROJ/LYDRA-F or a virus NETSNAKE

smss.exe<-- could be Advertisingvision adware or the FLOOD.F virus or ALADINZ.F virus

winlogon.exe<-- Hijacker or adult content dialler - file is located in C:\Windows or C:\Winnt, and not in its System or System32 subdirectory, as is the case with the legitimate winlogon.exe file

services.exe<--Can be either W32.Neveg.B worm, NETSKY or NETSKY.B virus(s),KAZPING virus, Krepper-G trojan, a CoolWebSearch parasite variant, something added by NEVEG.A or NEVEG.B worm, CIADOOR-F TROJAN, Autotroj-C TROJAN, Browser hijacker, W32.CROWT.A WORM, or W32.MYDOOM.AL WORM.

lsass.exe<-- ALADINZ.F VIRUS

spoolsv.exe<--Spyware

That's a few I identified with http://computercops.biz/sl-2600.html and www.google.com

svchost.exe<--DONK VIRUS! Note - this is not the valid svchost.exe
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Pandatech said:
VetMsg.exe<--spyware

Process File: vetmsg or vetmsg.exe
Process Name: CA eTrust EZ Antivirus Component
 

mjack547

Malware Specialist
Joined
Sep 1, 2003
Messages
3,181
Pandatech said:
VetMsg.exe<--spyware

internat.exe<--Possible Trojan TROJ/LYDRA-F or a virus NETSNAKE

smss.exe<-- could be Advertisingvision adware or the FLOOD.F virus or ALADINZ.F virus


That's a few I identified with http://computercops.biz/sl-2600.html and www.google.com

svchost.exe<--DONK VIRUS! Note - this is not the valid svchost.exe
internat.exe: Language selection icon in system tray, not spyware

smss.exe is a process which is a part of the Microsoft Windows operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
VetMsg.exe: Candy covered that one
internat.exe: mjack547 covered that one
smss.exe: mjack547 covered that one
spoolsv.exe: http://www.liutilities.com/products/wintaskspro/processlibrary/spoolsv/
winlogon.exe: Pandatech covered that one as it is in C:\WINNT\system32\
services.exe: I would be suspicious of it if it were not located in C:\WINNT\system32
svchost.exe: I would be suspicious of it if it were not located in C:\WINNT\system32

cybertech said:
Looks good. Any problems?
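
The location check described in the replies above (a core Windows image name is only suspect when it runs from somewhere other than `C:\WINNT\system32`), as an added example that is not part of the original thread. The sample log is constructed: the two misplaced entries are invented for illustration, and the list of core image names extends the ones cybertech names to the other System32 processes discussed in the thread.

```python
import ntpath

# Image names that live in <SystemRoot>\System32 on Windows 2000.
# Explorer.exe is deliberately absent: its normal home is <SystemRoot> itself.
CORE_IMAGES = {"smss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Constructed sample in HijackThis log layout (not taken from the thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\Explorer.exe
C:\WINNT\winlogon.exe
C:\WINNT\Temp\svchost.exe
C:\Vet\VetMsg.exe

O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
"""


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line:
            if paths:          # blank line after the list ends the section
                break
            continue
        paths.append(line)
    return paths


def misplaced_core_images(log_text, system_root=r"C:\WINNT"):
    """Flag core image names running outside <system_root>\\System32.

    The comparison is case-insensitive because HijackThis prints the same
    folder as both 'System32' and 'system32'.
    """
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    flagged = []
    for path in running_processes(log_text):
        folder, image = ntpath.split(path)
        if image.lower() in CORE_IMAGES and ntpath.normcase(folder) != expected:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for hit in misplaced_core_images(SAMPLE_LOG):
        print("check location:", hit)
```

A name match alone proves nothing either way: a flagged path is a prompt to inspect the file, and a file in the right folder can still have been replaced.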
 

Tiramisu

Thread Starter
Joined
Jan 23, 2005
Messages
13
Thank you so much for all your help guys :D

i'm just back in the office again after working on my client's site for a few days.
anyway, i've used my internet quite a number of times today and don't have those porn pop-ups again.
so i guess my computer is safe now.

just my last question, i notice that those bad files quarantined by spybot-search are still there. should i delete them? is there any chance that they may infect me later on?

also it's just out of my curiosity. how could all of this have happened to me. i was told that those porn pop-ups come only if someone visited a porn web site before. but i never did. how could this happen? i don't understand :confused:

can someone explain this to me pleaseeeeeee?
 