LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: Temmu on February 14, 2008, 05:37:24 PM

Title: Hijack This Log...
Post by: Temmu on February 14, 2008, 05:37:24 PM
Hi,

I'd appreciate a check of this...
I ran Spybot S&D and it had to run again as the OS started to kill all the adware.

Please note, Windows 2000 and IE 6 are both required to run a mainframe emulator, so changing those is not an option.
ESET NOD32 is the AV that is (and should be) running on this PC.
It seems I cannot get rid of McAfee, even using McAfee's MCPR.exe removal tool.

Thanks,
Temmu the TreeFrog
(formerly of the Borg)

Logfile of HijackThis v1.99.1
Scan saved at 10:28:45 AM, on 2/14/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\~Anti-Malware-Kit~\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm399YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sshla.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sshla.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sshla.local
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
Title: Re: Hijack This Log...
Post by: Paddy on February 14, 2008, 05:45:42 PM
Copy and paste of log for ease of reading ..

Paddy... :)

Logfile of HijackThis v1.99.1
Scan saved at 10:28:45 AM, on 2/14/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\~Anti-Malware-Kit~\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm399YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http:>>installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sshla.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sshla.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sshla.local
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

Whoever is looking on, I did an edit to kill a link ..

O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http:>>installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab

That I wasn't sure of till an Expert had a look ..

Paddy ...
Title: Re: Hijack This Log...
Post by: Temmu on February 14, 2008, 09:51:14 PM
is this the answer or just a re-post of the question?

thanks!
Title: Re: Hijack This Log...
Post by: Paddy on February 15, 2008, 12:15:13 AM
It's just a repost of the logfile you've posted for ease of reading for the experts ..

Tho there are a few things I wouldn't want on my computer showing, I have to leave it up to them above to post instructions:

Paddy.. :wub:
Title: Re: Hijack This Log...
Post by: Temmu on February 15, 2008, 04:20:55 PM
thanks, i await the results!
Title: Re: Hijack This Log...
Post by: Temmu on February 22, 2008, 07:18:15 PM
anything??
Title: Re: Hijack This Log...
Post by: Corrine on February 23, 2008, 08:54:56 PM
Hi, Temmu.  I'm sorry.  I have just been too tied up with real life and other online obligations (Ryan's log required a lot of research time).  I was hoping someone else would have had the time to respond but it appears they have all been busy as well.

I suggest installing HJT in a permanent folder on the W2K machine before doing any removals.

According to the SpywareGuide, SpamBlocker (http://www.spywareguide.com/spydet_2185_spamblockerutility.html) is described as "adware".  In other words, you get ads with the free version.

Quote:
Category Description: Program that delivers advertisements on your PC.

Note that many websites have their own advertising, unrelated to adware.

Adware is any software application in which advertising is displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen and sometimes through text links or in integrated search results. Adware may or may not track personal information. It may also gather information anonymously or in aggregate only. Users should check the EULA and Privacy policy to ensure if the adware on their machines conforms to their standards. 
Comment: The free version is ad supported. Though Hotbar states that you can disable ads through the preference menu.

Danger Levels Explained
Level 1:  Minor annoyance

No immediate threat, may profile users, but has specific privacy policies in place.
Not so dangerous, fairly easy to remove, using standard "Add/Remove Programs" function.

If you elect to remove SpamBlocker, I suggest doing so via add/remove programs.  The removal shown below is only for the downloaded file, not the installation.

The O8 entry below appears to be a leftover from the MyWay Search bar.

I found only one other result in searching for the O17 entries in your log.  Generally, this is a location where LOP infections show up.  However, that would not be a local entry.  If you know what it is and are not having any problems, leave the three O17 entries.  Otherwise remove with HijackThis as indicated below.

Close all programs leaving only HijackThis running.  Place a check against each of the following, making sure you get them all and not any others by mistake:

O8 - Extra context menu item: &Search - ?p=ZUxdm399YYUS
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http:>>installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sshla.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sshla.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sshla.local


Click on Fix Checked when finished and exit HijackThis.

You have a vulnerable version of Adobe Acrobat installed.  To check if your system is missing security updates or has any additional insecure applications installed, visit http://secunia.com/software_inspector/ .  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

Please post a fresh HJT log.

Thanks, Temmu.  :rose:
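As an added example (not code from this thread, from HijackThis, or from the forum), the triage rules Corrine applies above to the O8, O16 and O17 lines written as a small Python script run over the entries from this log; the vetted DPF host list and the expected DNS domain are assumptions, and the sample lines are constructed from the log above (with the O16 URL in the "http:>>" form the repost used to defang it).

```python
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis v1.99.1 entries taken from the log in this thread,
# including the defanged "http:>>" form of the O16 URL from the repost.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O8 - Extra context menu item: &Search - ?p=ZUxdm399YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http:>>installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sshla.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sshla.local
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Assumption: hosts an administrator has already vetted for ActiveX (DPF) downloads.
TRUSTED_DPF_HOSTS = frozenset({"www.adobe.com"})
# Assumption: the DNS domain this network is expected to hand out (sshla.local in the thread).
EXPECTED_DNS_DOMAINS = frozenset({"sshla.local"})


def parse_hjt(text):
    """Return (section code, body) pairs for every O-line in a HijackThis log."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]


def triage(text, expected_domains=EXPECTED_DNS_DOMAINS):
    """Apply the thread's triage rules; returns (code, value, reason) findings in log order."""
    findings = []
    for code, body in parse_hjt(text):
        target = body.rsplit(" - ", 1)[-1]  # the last " - " field is the path, URL or target
        if code == "O16":
            # Re-arm the forum's defanged URL before parsing, then compare the host.
            host = urlparse(target.replace(":>>", "://")).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((code, host, "ActiveX download from unvetted host"))
        elif code == "O8":
            # A context-menu item whose target is not a res://, http(s):// or file:// URL
            # resolves to nothing; in this log it is the MyWay leftover.
            if not re.match(r"^(res|https?|file)://", target, re.I):
                findings.append((code, target, "context-menu item with no resolvable target"))
        elif code == "O17":
            # O17 is the TCP/IP parameters key where DNS hijacks (LOP) show up.
            param, _, value = body.partition(": ")[2].partition(" = ")
            if param != "Domain" or value not in expected_domains:
                findings.append((code, f"{param}={value}", "unexpected TCP/IP parameter"))
    return findings


if __name__ == "__main__":
    for code, value, reason in triage(SAMPLE_LOG):
        print(f"{code}: {value}  <- {reason}")
```

Passing an empty set as expected_domains flags the O17 lines as well, which matches the "if you do not know what it is, remove it" branch of the advice.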
Title: Re: Hijack This Log...
Post by: Temmu on February 27, 2008, 01:46:27 AM
thanks, Corrine, i will do that and post my results.
Title: Re: Hijack This Log...
Post by: Temmu on February 27, 2008, 03:13:17 PM
here's the results after the suggested action:

Logfile of HijackThis v1.99.1
Scan saved at 8:00:56 AM, on 2/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
I:\@Software\collection\~Anti-Malware-Kit~\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

Title: Re: Hijack This Log...
Post by: Corrine on February 28, 2008, 12:48:43 AM
And is the machine working ok?

As I recall, you have a home network, pretty well locked down.  Even so, what about a software firewall for this particular machine?
Title: Re: Hijack This Log...
Post by: Corrine on February 28, 2008, 01:04:43 AM
Temmu, I just took a look at your log for the XP box.  That is the one that seems to be showing the leftover for McAfee, not W2K.  It looks like you have some other outdated software on XP also. 

Don't you run Linux on one of your machines too?