Work Computer


  • This topic is locked
4 replies to this topic

#1 bubba54

bubba54

  • Members
  • 13 posts

Posted 26 December 2005 - 04:44 PM

Hi everyone. Well, you've helped me before and I'm back. This time it is with a computer from work that a temp fouled up and tech refuses to clean up. I'm only here on and off, so if I don't reply quickly I'll be back eventually.
The machine is NT4 and I found traces of Spy Sheriff and Paytime on it.
I just ran virus scan, Spybot Search & Destroy and Ad-aware. Then ran the following Hijack File.
I tried the Spy Sheriff routine but Ewido will not run on NT and Cleanup refuses to start.
Hope you can help.
Bob

Logfile of HijackThis v1.99.1
Scan saved at 4:34:08 PM, on 12/26/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\System32\SysTray.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\explorer.exe
C:\WINNT\Profiles\RPH.000\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O1 - Hosts: 162.88.18.40 TABWSN01 # TabWare Steubenville North
O1 - Hosts: 162.88.18.11 TABWSS01 # TabWare Steubenville South
O1 - Hosts: 162.88.31.11 TABWMF01 # TabWare Martins Ferry
O1 - Hosts: 162.88.25.11 TABWYK01 # TabWare Yorkville
O1 - Hosts: 162.88.124.11 TABWCN01 # TabWare Canfield
O1 - Hosts: 162.88.10.11 TABWAL01 # TabWare Allenport
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O13 - WWW. Prefix: http://
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wpsc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wpsc.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - c:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

#2 bubba54

Posted 27 December 2005 - 07:09 PM

Did some reading and cleaned up some on my own. The computer is terribly slow still when trying to open anything on the c: drive. Takes forever to just open My Computer. Programs work fine once opened.
Here is the latest HJT File.

Logfile of HijackThis v1.99.1
Scan saved at 7:02:09 PM, on 12/27/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\System32\ddhelp.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wpweb/
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O1 - Hosts: 162.88.18.40 TABWSN01 # TabWare Steubenville North
O1 - Hosts: 162.88.18.11 TABWSS01 # TabWare Steubenville South
O1 - Hosts: 162.88.31.11 TABWMF01 # TabWare Martins Ferry
O1 - Hosts: 162.88.25.11 TABWYK01 # TabWare Yorkville
O1 - Hosts: 162.88.124.11 TABWCN01 # TabWare Canfield
O1 - Hosts: 162.88.10.11 TABWAL01 # TabWare Allenport
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wpsc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wpsc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wpsc.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - c:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

#3 middle of nowhere

middle of nowhere

  • Members
  • 89 posts

Posted 01 January 2006 - 07:02 AM

Hi bubba54

Welcome back to the forum.

I've gone over your log and it seems you managed to remove all traces of spyware etc.

Follow the suggestions below and see if that improves your speed problem.

---------------------------------------------------------

Congratulations! Your log looks clean - good work!

===============

Reboot your computer, and try using different programs and make sure everything is running ok. If you're still experiencing problems, post back any concerns or problems you may be having and wait for any advice before continuing with the cleanup.

===============

Download, install and run Cleanup! from Steven Gould, then:

1. Click "Cleanup!"

(wait for the program to finish scanning your system, and selecting files to be removed.)

2. Exit the program and reboot the computer, if necessary.

-

For more information about using Cleanup! see here.

===============

If everything is running ok, let's do the final cleanup...

===============

1. Run "Disk Cleanup" and allow it to remove everything it finds.

2. If you've downloaded MicroWorld AV (MWAV), run it again - but don't scan, just click "Clear Log" and exit the program.

3. Go to www.trendmicro.com and click "Free Online Scan", then "Scan now, it's free!". When it's downloaded, select all available drives, then check (tick) "Auto clean", then click "Scan".

4. Run AdAware SE Personal and "perform a full system scan", then Spybot S&D, and "Check for Problems". Let them both remove the residual 'problems' left that HiJackThis couldn't fix.

5. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.

===============

If you're having any more problems, post back with a new HJT log. Thanks
Middle of Nowhere

#4 middle of nowhere

Posted 13 January 2006 - 04:04 AM

Hi

I am contacting you to see if you still require the help, as I have not heard anything from you.

If you do still need help, please can you copy/paste a new HJT log back here in this thread.


Do Not Start a New Topic


Regards
Middle of Nowhere

#5 middle of nowhere

Posted 21 January 2006 - 02:31 PM

Due to lack of response from poster, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Middle of Nowhere



