MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: mypoiskovik.com infection on Win2000
September 20, 2019, 11:22:51 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
September 20, 2019, 11:22:51 PM

Login with username, password and session length
 
News
New  Got pics of your modded PC or want to show off your cool desktop, visit our new Show & Tell forum!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: mypoiskovik.com infection on Win2000  (Read 2448 times)
84Buff
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 4


Bookmark and Share

View Profile
« on: May 25, 2004, 07:26:34 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:



Windows 2000, Version 5.0
IE Version 6.0.2800

Have seen a lot of requests for help with mypoiskovik.com infection and have followed advice from many forums, but none for Windows2000.  Used CWShredder, (downloaded latest version today), Spybot S&D, etc., and it keeps coming back.  Would appreciate any help.  Here's my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 1:32:26 PM, on 5/25/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\IEengine.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\MS\SMS\BIN\pcmwin32.exe
C:\MS\SMS\BIN\climonnt.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\nunns\My Documents\My Pictures\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Siemens Building Technologies
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
F1 - win.ini: load=smsrun32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AUTOPCC] "C:\Program Files\OfficeScan NT\INTELLISTART.EXE" "X:\AntiVirus\OSCAN\AUTOUPD.EXE" /s
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [tutilsr] C:\WINNT\System32\tutilsr.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [dllhelp] c:\winnt
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\msoffice\Office\OSA9.EXE
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.us.abatos.com
O15 - Trusted Zone: http://*.us.landisstaefa.com
O15 - Trusted Zone: http://*.sbt.siemens.com
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Infragistics ActiveTreeView Control) - http://inet16.sbt.siemens.com/esonline/cabs/SSTree.CAB
O16 - DPF: {41E6DDD6-FBD6-4718-80F7-9B160533C2F5} (Infragistics UltraToolbars Control 5.0) - http://inet16.sbt.siemens.com/esonline/cabs/IGToolbars50.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {B3014671-7872-4671-BE73-5D05EB5B2AF5} (Infragistics UltraGrid Control 2.0) - http://inet16.sbt.siemens.com/esonline/cabs/IGUltraGrid20.CAB
O16 - DPF: {B63EA811-FF25-4211-A6D2-58BF767432E1} (PictureLoader.Helpers) - http://inet16.sbt.siemens.com/esonline/cabs/pictureloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0D96671-A5CE-4854-AE49-6835742D232F} (Infragistics Panel Control 4.0) - http://inet16.sbt.siemens.com/esonline/cabs/IGThreed40.cab
Logged

 
84Buff
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 4


Bookmark and Share

View Profile
« Reply #1 on: May 26, 2004, 03:19:34 PM »

I noticed on the mypoiskovik.com site there is a "spyware remove" link.  I'm very leary of testing a theory, but has anyone tried that link to see where it might lead?  They wouldn't actually provide a resolution for removing their own spyware, or would they?
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #2 on: May 27, 2004, 12:39:14 AM »

I wouldn't trust it!

Set Windows to Show all hidden files and folders
Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

Do you know what this entry is?
O4 - HKLM\..\Run: [tutilsr] C:\WINNT\System32\tutilsr.exe


With ALL other window closed do another SCAN with Hijackthis and put
a check next to these entries and then FIX CHECKED

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm

O4 - HKCU\..\Run: [dllhelp] c:\winnt
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
These 2 entries, I suspect were set by Spybot, you can fix them also

Next would you Open CWShredder and let it FIX all problems
RESTART your computer in SAFE MODE

Find and delete these files and folders

c:\winnt\dllhelp.exe <----this file, if it exists
C:\Program Files\Internet Explorer\IEengine.exe <---the IEengine.exe file

You should do another scan with Ad-aware and spybot(Ensure that these are both up to date) in safe mode also
and a disk cleanup

Restart your computer in Normal mode, Don't open a browser yet
Access your Internet Options via Control Panel----
Under the Programs tab "Reset Web Settings"
Under the General tab----Delete files and Reset Home Page

You may also want to do an Online Virus scan, if you can
http://housecall.trendmicro.com/

Post back another log and let me know how your doing....
« Last Edit: May 27, 2004, 12:42:32 AM by benditup » Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page August 11, 2019, 09:20:54 AM