Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help Diagnose


  • This topic is locked This topic is locked
27 replies to this topic

#1 32red

32red

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 10 March 2007 - 10:22 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:21:11 AM, on 10/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

(Moderator edit: log post moved to HJT Team Forum for analysis and member help. jgweed)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\unzipped\HijackThis\HijackThis.exe
C:\WINNT\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171808847000
O20 - Winlogon Notify: dbf43reg - C:\WINNT\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Edited by jgweed, 10 March 2007 - 10:24 AM.


BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:55 PM

Posted 10 March 2007 - 07:58 PM

Hello 32red,

I am SifuMike and I will be helping you. :thumbsup:


Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download one these the free antivirus programs:

Avast or
AntiVir or
AVG antivirus


Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

*************

Download ATF (Atribune Temp File) Cleaner© by Atribune DO NOT run it yet.

You already have AVG Anti-Spyware 7.5 installed so please run it again in the Safe Mode.

Please follow the directions below.

Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.

Make sure that Set all elements to: shows Quarantine
(1)
, if not click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

When done, submit the AVG Anti-Spyware 7.5 log and a fresh Hijackthis log.

persistent spyware ssu.exe and attacking programs


What is finding spyware ssu.exe and what are the attacking programs?

http://www.liutilities.com/products/wintas...esslibrary/ssu/

ssu.exe is a process belonging to [b]Webroot Spy Sweeper which protects your computer against Internet-bound threats such as spyware and trojans which can be distributed through e-mail or attack directly to the computer allowing unauthorized access to your computer. This program is important for the stable and secure running of your computer and should not be terminated.


Edited by SifuMike, 10 March 2007 - 08:15 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 32red

32red
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 12 March 2007 - 06:54 PM

First off

thank you so much for taking your time to look at this. I realy appreciate it.
I had previously installed webroot spy seeper with antivirus but the SSU (spy sweeper update?) began slowing the computer down enormously and could no longer get updates. Later Ii was told I had to teinstall it because core applications were missing.

Here are the logs. thanks again...

Logfile of HijackThis v1.99.1
Scan saved at 6:54:55 PM, on 12/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\unzipped\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171808847000
O20 - Winlogon Notify: dbf43reg - C:\WINNT\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:43:33 PM 12/03/2007

+ Scan result:



Nothing found.


::Report end

Hope this helps.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:55 PM

Posted 12 March 2007 - 07:13 PM

Helllo 32red,

Your log looks clean. :thumbsup:

Are you still having any computer problems?

Please read and follow How did I get infected?, With steps so it does not happen again!

Edited by SifuMike, 12 March 2007 - 07:14 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 32red

32red
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 13 March 2007 - 07:46 AM

Good morning,

My computer seems to be running worse than ever. I am getting error messages and programs not responding.

I have installed registry mechanic PC tools- and It seems to constantly be scanning errors.

After downloading Spybot, I could not immunize. I tried and once clicked the immunize would bring up a pc tools warning the process was trying to change my homepage to coolsearch. I have since uninstalled it.

I downloaded the free program stopzilla and this began causing me problems. I still cannot remove the "register your stopzilla Icon." Ech time I try the Registry mechanic comes back with 32 shared DLL's.
Stopzilla it came up with some trojan virus name (which I cannot remember) The stopzilla still is displayed in my prorams and I cannot seem to remove it from my computer.

I still have PC with Antivirus though it is not installed. Should I remove the AVG antivirus and try to install the spyweeper with antivirus. I thought I must have something going on because the last time I tried to install the spysweeper, I caouldn't get any updates and it would not recognize the antivirus code.

The zone labs firewall trial had the antivirus etc build in. Will this be a problem with spysweeper?

One last question:

The zonelabs has come up with three ports? I am showing a extension for my ip address and other which I am unclear about and a third named a "loopback adapter?" Can you please let me know what this it?

I appologize for so many questions. Once again thank you so much for your help.

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:55 PM

Posted 13 March 2007 - 12:34 PM

Hello 32red,

I am getting error messages and programs not responding.


I need to know what error messages you are getting, and what programs are not responding. Can you write them down and post them?

After downloading Spybot, I could not immunize. I tried and once clicked the immunize would bring up a pc tools warning the process was trying to change my homepage to coolsearch. I have since uninstalled it.


Spybot Immunize will change the registry, but not the homepage.
You are probably infected with malware and it is trying to change your homepage. That was the reason
I asked you to install AVG antivirus. Have you run a full scan with it?


I still have PC with Antivirus though it is not installed.



You lost me. :thumbsup: I asked you to install one of three free antivirus programs and run a full scan.
Did you do that?

Should I remove the AVG antivirus and try to install the spyweeper with antivirus.
I thought I must have something going on because the last time I tried to install the spysweeper, I caouldn't get any updates and it would not recognize the antivirus code.


If you have AVG antivirus on you comptuer, then leave it on your computer.
Spysweeper and AVG antivirus will run OK together.
Spysweeper is not a free antimalware program, but they allow you to use it for several weeks before it requires you to pay for it.


The zone labs firewall trial had the antivirus etc build in. Will this be a problem with spysweeper?


Why buy zone alarm antivirus when you can get three antivirus programs for free (AVG antivirus, Avast antivirus and AntiVir antivirus)? :flowers:

To answer you second question, spysweeper will run OK with any antivirus program.

***************

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". This scan may take a few hours. It all depends on the number of files on your computer.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

***************

Let's look in a different place for signs.

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press 'save list'
A notepad file will open.
Post the content here in your reply.
Close HijackThis.

Edited by SifuMike, 13 March 2007 - 12:39 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 32red

32red
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 14 March 2007 - 08:02 PM

Hello SifuMike,

Once again thank you for your time and expertise

When I try to uninstall the program Stopzilla this is the message I receive:

Error 1316. A network erro occurred while attempting to read from the file

C:/WINNT/Inataller/SZPrpBase.msi

It then reports a fatal error.


After this message,

I ran registry mechanic – Pc tools and it came up with:

52 shared DLL’s _ before uninstalling I had none.

I am mostly geting not responding messages but they are for minor tasks like openng my documents etc whole nothing else is running. After ending the program, I am getting 5 or 6 windows saying that the program cannot be closed before it s debugged.

I did run the scans you had asked.

I have run scans with spybt but it never finds anything.

I appologize, I must not have explained myself well. I previously purchased Webroot spy Sweeper with Antivirus. I had to uninstall it as I recieved a message after trying to run a scan saying that key components were missing and prompted e to reinstall application. However once reinstalled, the antivirus part of the program did not work. What I mean by this is that it did not recognize the installation code.

I was worried that the anti virus section in spysweeper may not be a good idea o combine with thecurrent zone labs firewall with the built in antivirus (a free trial).

I ran the bit defender log and it came up with nothing.

I am possibly paranoid but believe that my WinMgmt.exe and stisvc are some how corrupted. Even when other tasks are ot running I cannot end them via Crtl Alt Del but of course I may very well be wrong.

here is the HJT log for the uninstal manager:

Ad-Aware SE Personal
Adobe Flash Player 9
Adobe Reader 6.0
Agere Systems AC'97 Modem v2136D
ATK0100 ACPI UTILITY
Authentium AntiVirus SDK - 2
AVG Anti-Spyware 7.5
BlazeDVD 3.5 Professional
Digital Audio MP3 & WMA Player
DivX
DivX Converter
DivX Converter
DivX Player
D-Link 11Mbps Wireless LAN for Windows
Easy DVD Player 2.0
Hero DVD Player
HijackThis 1.99.1
Hotfix for MDAC 2.81 (KB927779)
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
Intel® Processor Frequency ID Utility
Internet Explorer Q903235
iTunes
J2SE Runtime Environment 5.0 Update 3
LimeWire 4.12.8
Logitech Desktop Messenger
Logitech IM Video Companion
Logitech ImageStudio
Logitech Print Service
Macromedia Flash Player
Macromedia Shockwave Player
MailFrontier Desktop
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Office 2000 SR-1 Professional
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Journal Viewer
Microsoft XML Parser and SDK
MSN Messenger 7.0
MSXML 4.0 SP2 (KB927978)
Nero - Burning Rom
QuickTime
Realtek AC'97 Audio
Registry Mechanic 5.1
Rio Internet Update
Rio Music Manager
Rogers Yahoo! Applications
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
SiS M650_651_650_740
Sony USB Driver
SpywareBlaster v3.5.1
STOPzilla!
Synaptics TouchPad
The Logo Creator v3
The Print Shop 21
Update Manager (remove only)
Update Rollup 1 for Windows 2000 SP4
USB EHCI Driver
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB887811
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player system update (9 Series)
WinPatrol
WinZip
Wireless USB Network Adapter Configuration Utility
ZoneAlarm

Once again thank you very much for all your help.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:55 PM

Posted 14 March 2007 - 09:12 PM

Hi 32red



When I try to uninstall the program Stopzilla this is the message I receive:
Error 1316. A network erro occurred while attempting to read from the file
C:/WINNT/Inataller/SZPrpBase.msi
It then reports a fatal error.


Try re-installing Stopzilla, and then uninstalling it again. You probably deleted the file(s) it needed to do an uninstall.


I am possibly paranoid but believe that my WinMgmt.exe and stisvc are some how corrupted. Even when other tasks are ot running I cannot end them via Crtl Alt Del but of course I may very well be wrong.



Why do you want to end them? :thumbsup: They are legitamate programs.

winmgmt.exe is the Windows Management Instrumentation. It is used by system administrators to create Windows management scripts, for example, scripts that handles the user accounts on a server. winmgmt.exe should not be disabled, required for essential applications to work properly.

stisvc.exe is an executable which is installed by Windows together with digital cameras, scanners or another graphical input devices. Hardware device drivers use this service and it should not be terminated whilst these devices are used.

I have run scans with spybt but it never finds anything.


I dont see it installed on your computer. :flowers:
Perhaps it does not find anything because you computer is free of malware.


I previously purchased Webroot spy Sweeper with Antivirus. I had to uninstall it as I recieved a message after trying to run a scan saying that key components were missing and prompted e to reinstall application. However once reinstalled, the antivirus part of the program did not work. What I mean by this is that it did not recognize the installation code.


You need to contact the people at SpySweeprer and they will help you. Use either the Online Support tab or the Requst Support tab.
http://support.webroot.com/ics/support/def...mp;folderID=594


I was worried that the anti virus section in spysweeper may not be a good idea o combine with the current zone labs firewall with the built in antivirus (a free trial).


You are correct. :huh: You should only be running ONE antvirus on you computer. Running two (or more) antivirus will cause you major problems.

It not recommended to have two antivirus running because it can cause file access issues. If there is an infection the multiple programs can block each other from dealing with the infected file, as well as causeing your computer to be slow.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to create "false alarms".

It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection.

In general terms, the two programs may conflict and cause false alarms - When the anti virus software tells you that your PC has a virus when it actually doesn't.

Also it can cause system performance problems; your system may lock up due to both software products attempting to access the same file at the same time.


See this: http://service1.symantec.com/SUPPORT/nav.n...000031316555206
"Symantec recommends that you have only one anti-virus program installed on your computer."

Start by choosing which antivirus you are going to run and uninstall the other.


J2SE Runtime Environment 5.0 Update 3



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Edited by SifuMike, 14 March 2007 - 09:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 32red

32red
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 15 March 2007 - 08:14 AM

Hi Sifu Mike


Thanks for putting up with my paranoia and multiple questions. You have been a great help.
Maybe just one more ridiculous question (sorry)

Is it possible that stisvc is running because of some legitimate program like sony picture package or Hewitt P

I'm assuming that the uninstalled scan was also clear because everything else looks good.
Thank you for your assistance.
I think that I have been paranoid due to the volume of spyware previously found.

Thanks again

Eric

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:55 PM

Posted 15 March 2007 - 12:14 PM

Hi Eric,

You are welcome. :thumbsup:

Is it possible that stisvc is running because of some legitimate program like sony picture package or Hewitt P


Yes, that is probably right.

I think that I have been paranoid due to the volume of spyware previously found.


A little paranoia with spyware is good, as it keeps you on your toes. :flowers:

Did you get Stopzilla to uninstall?
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 32red

32red
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 15 March 2007 - 08:13 PM

Hi sifu Mike

On my zone alarm I'm showing under the internet tab 2 seperate programs called: "new network
noth with seperate ip addresses and what is called a loopback adapter. Is all this legitimate?

I followed your instructions and downloaded the new java environment.
I have been unalbe to uninstall stopzilla though. After downloading the program I receive a messae telling me that I have the most up to date version of the product but the dame result when trying to uninstall it.

I did reinstall spybot.

I recieved this message about three times shortly there after:

After reinstalling Spybot I am receiving this message.


{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
System start up Global entry

ActiveX Distribution Unit
Value Added

I did allow tea time for Spybor-was this a mistake?

I ran an AVG Scan immediately after this message
nothing to report.


I also rant a HJT scan. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:49:10 PM, on 15/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RioMSC.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINNT\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\explorer.exe
C:\unzipped\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171808847000
O20 - Winlogon Notify: dbf43reg - C:\WINNT\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Is there something else I can do to uninstall the stopzilla?
Is this log clean?

Thanks

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:55 PM

Posted 15 March 2007 - 10:42 PM

Hi Eric,

After reinstalling Spybot I am receiving this message.
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
System start up Global entry
ActiveX Distribution Unit
Value Added


That is OK, as it looks like the Java plugin.



I did allow tea time for Spybor-was this a mistake?


No, not a mistake. That is a registry protector. But you should only be running one registry protector on your comptuer.
Right now you have three registry protecteors: AVG antispyware guard, Spybot Teatimer and WinPatrol.
So decide which of them you like and disable the other two (so you only have one running).

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


To disable WinPatrol:
Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.

To disable AVG Antispyware Guard:
Open AVG Antispyware and in the main window click "Resident Shield", then toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.

I have been unalbe to uninstall stopzilla though. After downloading the program I receive a messae telling me that I have the most up to date version of the product but the dame result when trying to uninstall it.



For the Stopzilla removal you will have to contact Contact the STOPzilla customer support team.
https://www.stopzilla.com/support/contact.aspx

They usually answer their support quesions in a very short time. Removal requires a special cleanup program that they will email you with removal instructions.


Your log looks clean. :thumbsup:

Let's reset you files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.

Please read and follow How did I get infected?, With steps so it does not happen again! :flowers:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 32red

32red
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 19 March 2007 - 09:25 AM

Good morning Sifu MIke,

My computer is running much better.
I have recieved a reply from support services and will uninstall stopzilla.

I have followed your recomendations and all is running smooth. I was unalbe however to find the system restore option by right clicking my computer. Is there anothr way to access this option?

I am running registery mechanic PC tools. I'm wondering if the restore is necessary at this point or if it's safe as is?

Thanks

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:55 PM

Posted 19 March 2007 - 11:50 AM

I have followed your recomendations and all is running smooth. I was unalbe however to find the system restore option by right clicking my computer. Is there anothr way to access this option?




Sorry Karen, I made a mistake. :thumbsup: I am used to working with Windows XP and you have Windows 2000.
System Restore does not exist in Windows 2000.


I am running registery mechanic PC tools. I'm wondering if the restore is necessary at this point or if it's safe as is?

It is safe as is. :flowers:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 32red

32red
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 19 March 2007 - 08:39 PM

Hi Sifu mike.

I was successful in uninstalling the Stopzilla program.

However, when I attempted to enable all security settings from the main page in Spyblaster, I received a message that Spyblaster is attempting to change the internet security settings to this web site:

0190-Dialers.com

I believe there must still be some form of malware still planted in this system.

When I searched the start up features I found the synchronization Manager:

Mobsynch.exe/logon

Product name, company name and product info: All unknown
Is this ok? Is there a way of checking to se if this has been corrupted?

I have run the adaware and spybot scans and provided a Hijack this log.
Please let me know what you think.



Logfile of HijackThis v1.99.1
Scan saved at 8:41:01 PM, on 19/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\RioMSC.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINNT\explorer.exe
C:\unzipped\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171808847000
O20 - Winlogon Notify: dbf43reg - C:\WINNT\
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


thanks




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users