I've been having problems on this computer at my office for months... have managed to keep it under control, but I can't get rid of the last of these pop-ups.
Spybot continually finds the following:
Elite Bar
CallingHome.biz
winsecure (this is a new one)
Here is the HijackThis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 4:10:06 PM, on 06/20/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\rnaukz.exe
C:\WINNT\System32\Frvvlv.exe
C:\SH5\SH5.EXE
C:\notes\NLNOTES.EXE
C:\notes\naldaemn.EXE
C:\notes\nhldaemn.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=192.168.100.3:8080;gopher=192.168.100.3:8080;http=192.168.100.3:8080;https=192.168.100.3:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168;<local>
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [version] C:\WINNT\System32\Wefocn.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\rnaukz.exe reg_run
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Frvvlv.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitexdx32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: COMMANDnetwork.lnk = BIN\CMDNETW.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain1
O17 - HKLM\System\CCS\Services\Tcpip\..\{81D45D82-4673-4D0F-8D00-956E87911C77}: NameServer = 192.168.1.223
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = domain1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = domain1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = domain1
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Thanks for any help cleaning this up!
~k