Clickscan and other crap



#1 NJgirl (Member, 1 post)
Posted 21 May 2004 - 09:22 AM

At first I thought I couldn't download anything off the Net because of the security policy here at work. But now I'm having second thoughts...

Last week, I got a new hard drive (old one died), and, heaven knows how, I managed to get hit with a TON of Purity Scan, Click Scan, whatever other crap is floating around. I ran Adaware and it got rid of about 200 pieces of stuff. I thought that was the end of it. But I couldn't download anything, and every now and then, the blue menu bar at the top of IE would gray out. All sorts of activity on my hard drive, which made me suspicious.

Since I couldn't download, I finally copied the latest Adaware ref list to my work computer, ran 2 scans (I'm paranoid), and it picked up MORE Click Scan stuff within the System 32 folder.

Anyway... I'm still not sure if I can download; it may be that the policy here at work now forbids it. Would someone please check the log below and let me know if anything else needs to be cleared out? Please note that this is a work computer, so I can't necessarily change everything (including the opening page, which is set to the company's website).

Thanks for your help!


Logfile of HijackThis v1.97.7
Scan saved at 10:13:49 AM, on 5/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\NavNT\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\ESDSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\RCSERV.EXE
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\system32\BlvC239.exe
C:\WINNT\system32\Jdwu9.exe
C:\WINNT\KIX32.exe
C:\program files\Lotus\Notes\NLNOTES.EXE
C:\program files\Lotus\Notes\naldaemn.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://uslxproxypac....m/uslxproxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = USLXPROXY.ICI.COM:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.nsc.ici.com;*.pnts.ici.com;*.uniq.ici.com;*.ques.ici.com;*.synx.ici.com;*.ho.i
i.com;*.rib.ici.com;134.239.*.*;161.251.*.*;145.82.*.*;147.82.*.*;145.57.*.*;194
194.75.*;129.39.227.*;135.89.152.181;u*.unilever.com;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Assetscan] c:\scripts\assetscan.vbs
O4 - HKLM\..\Run: [NAVScanRemind] C:\Scripts\ScanRem.EXE
O4 - HKLM\..\Run: [3.exe] C:\documents and settings\beckn02\local settings\temp\3.exe
O4 - HKLM\..\Run: [22NR6P63SEE7W8] C:\WINNT\system32\Xej7.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-k13w13.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapisvsu.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: AnyTime Deluxe Edition.lnk = C:\Program Files\AnyTime Deluxe\Atw.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - http://eformrs.com/RSLoginModule.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.ad.ici.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.ad.ici.com

#2 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 21 May 2004 - 10:57 AM

:) Being your first post, I get the honour and privilege of welcoming you to our corner of the world, where spyware has met its match. Welcome.

Just so that you know you are not being ignored: I will handle this case for you, but I need to ask for your patience while I review the log.

Please keep an eye on this message for a resolution shortly.

#3 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 21 May 2004 - 11:12 AM

Close all programs and windows.

Download and run this Peper Trojan uninstaller from here. Once it has finished downloading, and while remaining online, double-click it and let it install and run until it is finished. Run it a second time, before rebooting and still online.

Reboot, then run the Peper removal tool one final time.

Run HijackThis and delete the following (If still there):
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Assetscan] c:\scripts\assetscan.vbs <= Do you recognize this? If you do and it is used by your company please DO NOT delete it
O4 - HKLM\..\Run: [NAVScanRemind] C:\Scripts\ScanRem.EXE<= Do you recognize this? If you do and it is used by your company please DO NOT delete it
O4 - HKLM\..\Run: [3.exe] C:\documents and settings\beckn02\local settings\temp\3.exe
O4 - HKLM\..\Run: [22NR6P63SEE7W8] C:\WINNT\system32\Xej7.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-k13w13.exe
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapisvsu.exe

This one is optional to delete as it is a resource hog:
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Please reboot into safe mode - How do I boot into "Safe" mode?

Please clean up temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete them (make sure to delete the sub-folders, but not the Temp folders themselves!):
  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".
  • C:\WINNT\system32\Xej7.exe
  • C:\WINNT\system32\dp-k13w13.exe
  • C:\WINNT\system32\wapisvsu.exe
Reboot again and log in normally, repost a new HijackThis log into this message for further review.
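The reply above picks the O4 (Run-key) entries to remove by eye: an executable launched from a user's Temp folder, value names and file names that look like generated strings, and a per-user Run entry pointing at a binary in system32. The script below is an added example, not code from this thread or from HijackThis, that applies those same checks mechanically to the O4 lines from the log in the first post. The heuristics, thresholds and reason strings are my own assumptions, and the sample log is the posted O4 section copied verbatim; anything the script flags still needs the "do you recognize this?" question that PGPhantom asks about the company's own scripts.

```python
"""Triage O4 (autorun) entries from a HijackThis log.

Added example for this thread. Heuristics are assumptions, not HijackThis logic:
  * executable lives under a Temp / Temporary Internet Files directory
  * value name or file stem switches between letters and digits repeatedly
  * HKCU Run entry launching something out of system32
"""
import re

# Constructed sample: the O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Assetscan] c:\scripts\assetscan.vbs
O4 - HKLM\..\Run: [NAVScanRemind] C:\Scripts\ScanRem.EXE
O4 - HKLM\..\Run: [3.exe] C:\documents and settings\beckn02\local settings\temp\3.exe
O4 - HKLM\..\Run: [22NR6P63SEE7W8] C:\WINNT\system32\Xej7.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-k13w13.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapisvsu.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_LINE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)
# Zero-width positions where a letter is followed by a digit or vice versa.
ALNUM_SWITCH = re.compile(r'(?<=[A-Za-z])(?=[0-9])|(?<=[0-9])(?=[A-Za-z])')


def alnum_transitions(token):
    """Count letter<->digit switches: 'point32' -> 1, 'k13w13' -> 3."""
    return len(ALNUM_SWITCH.findall(token))


def looks_random(token):
    """Assumed threshold: a trailing version number ('point32') is fine,
    two or more switches ('dp-k13w13', '22NR6P63SEE7W8') is suspicious."""
    return alnum_transitions(token) >= 2


def split_command(cmd):
    """Return the executable path from a Run value, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(' /', 1)[0]


def file_stem(path):
    """Last path component without its extension (backslash paths, any OS)."""
    fname = path.rsplit('\\', 1)[-1]
    return re.sub(r'\.[A-Za-z0-9]+$', '', fname)


def triage(log_text):
    """Return the O4 entries that trip at least one heuristic, in log order."""
    flagged = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.group('hive', 'name', 'cmd')
        path = split_command(cmd)
        lowered = path.lower()
        reasons = []
        if '\\temp\\' in lowered or '\\temporary internet files\\' in lowered:
            reasons.append('launches from a temp directory')
        if looks_random(file_stem(name)):
            reasons.append('random-looking value name')
        if looks_random(file_stem(path)):
            reasons.append('random-looking file name')
        if hive == 'HKCU' and '\\system32\\' in lowered:
            reasons.append('per-user Run entry pointing into system32')
        if reasons:
            flagged.append({'hive': hive, 'name': name,
                            'file': path.rsplit('\\', 1)[-1],
                            'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['hive']} [{hit['name']}] {hit['file']}: "
              f"{', '.join(hit['reasons'])}")
```

On the posted log these four checks flag exactly the four entries the reply tells the poster to delete (3.exe, Xej7.exe, dp-k13w13.exe, wapisvsu.exe) and leave point32.exe alone despite its digits. They say nothing about Assetscan and ScanRem, which is the right outcome: those are company scripts that only the user or their IT department can vouch for. The checks also only read O4 lines; the Running processes list shows C:\WINNT\system32\BlvC239.exe and C:\WINNT\system32\Jdwu9.exe, which no O4 entry launches, so the process list needs a separate look rather than trusting the autorun view alone.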

#4 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 04 October 2004 - 02:09 AM

Due to no response, I am closing this thread.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



