
Active Window Becomes Unactive

Discussion in 'Malware and Virus Removal Archive' started by cintoman, 2005/06/04.

Thread Status:
Not open for further replies.
  1. 2005/06/04
    cintoman

    cintoman Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    45
    Likes Received:
    0
    Hello,
    First of all, thanks to all of you for all your hard work and immeasurable experience. It is very much appreciated !!

    Well, ever since I let a friend of mine on my system to do some MBA tests on some site, I've been having a problem with my active window becoming inactive. For example, I have my colors set up so my active window title bar is blue, and my inactive ones are dark blue. Every 30 or so seconds (sometimes more, sometimes less) the window will become inactive and the bar will become dark blue. It's almost as though I left-clicked outside of the active window. It's maddening, especially when typing something up like I'm doing now. Not sure what's causing this, but no pop-up ever shows up, the screen doesn't blink, and nothing comes up on the taskbar.

    I'm thinking it might be some spyware accessing the net every so often. I ran the new MS Antispyware Beta, CW Shredder, Ad-aware 6.0 and Spybot. They cleaned everything up, but occasionally it still happens. Of course, now it's not, but it was about 5 minutes ago. I have Zone Alarm Pro and CheckIt 86 (pop-up blocker from my Cable ISP, Cox Communications). CheckIt will make a popping sound when blocking pop ups, but it doesn't do so when this is happening.

    I think my Hijack This is pretty clean, but I'm not sure if I'm missing anything or not. I DO have the Nielsen NetRatings software (which monitors my activity), but it was never intrusive. Even disabling it didn't help. My Hijack This is below, if you don't mind taking a quick peek at it. I really appreciate it.

    Thanks again for all your time !!!

    Oh, one more thing....I did notice that "www.neededware.com" was somehow put on my trusted sites. Don't know if that has anything to do with it, but I removed it from the trusted site listing. Problem still happens.

    Thanks again
    Cintoman

    Logfile of HijackThis v1.97.7
    Scan saved at 1:28:30 AM, on 6/4/2005
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Software\Norton Anti Virus 2002\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\ZipToA.exe
    C:\WINNT\Explorer.EXE
    C:\Software\NORTON~1\navapw32.exe
    C:\HARDWARE\Mouse\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
    C:\Virus Protection\Microsoft AntiSpyware\gcasServ.exe
    C:\Virus Protection\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Internet\CConnect\CConnect.exe
    C:\Internet\ZoneAlarm\zapro.exe
    C:\Internet\CheckIt 86\CheckIt86.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpotdd01.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpobnz08.exe
    C:\Internet\Nielsen Netratings\NielsenNetratings\bin\insight.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpoevm08.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\Bin\hpoSTS08.exe
    C:\Internet\FolderShare\FolderShare.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Internet\AIM\aim.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Virus Protection\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.probetalk.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.probetalk.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Software\Adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Internet\CheckIt 86\CheckIt86.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Software\Norton Anti Virus 2002\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Software\Norton Anti Virus 2002\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [NAV Agent] C:\Software\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\HARDWARE\Mouse\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [hntnndz] C:\WINNT\System32\hntnndz.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Virus Protection\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [dlcapi] C:\WINNT\System32\dlcapi.exe
    O4 - HKCU\..\Run: [FolderShare] "C:\Internet\FolderShare\FolderShare.exe" /background
    O4 - Startup: Nielsen NetRatings.lnk = C:\Internet\Nielsen Netratings\NielsenNetratings\bin\insight.exe
    O4 - Global Startup: CorrectConnect.lnk = C:\Internet\CConnect\CConnect.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Internet\ZoneAlarm\zapro.exe
    O4 - Global Startup: CheckIt 86.lnk = C:\Internet\CheckIt 86\CheckIt86.exe
    O4 - Global Startup: hpoddt01.exe.lnk = C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpobnz08.exe
    O9 - Extra button: AIM (HKLM)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O15 - Trusted Zone: http://cgi.ebay.com
    O15 - Trusted Zone: http://search.ebay.com
    O15 - Trusted Zone: http://signin.ebay.com
    O15 - Trusted Zone: http://www.ebay.com
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
  2. 2005/06/04
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    You have LSP Spyware:

    Code:
    What is a Layered Service Provider (LSP)?
    
    Simply put, the LSP is a piece of software that is tightly woven into the networking services of a computer. In particular, when using the protocol of the internet, TCP/IP, the LSP integrates itself with the TCP/IP layer of your network. As such, the LSP has access to all TCP/IP traffic coming into and leaving a computer. If the LSP is from a "good" author, then the communication can be enhanced and protected in many helpful ways. However, when spyware authors use an LSP, it can be used to spy on the habits and data of the user. Also, because the computer will not see any of the data until the LSP lets it through, it is possible to change information so that the spyware vendor benefits. Worse still, because the LSP is very tightly woven into the TCP/IP layer, trying to remove it without the proper precautions may break the part of the program that handles TCP/IP communications. When the handler is broken, a computer may not be able to connect to the Internet.
    This is tricky to repair because just deleting those entries in HijackThis may cause you to lose internet access, thus you will need to rebuild/fix the lsp layer on your computer using one of the free utilities designed to do that.

    http://www.cexx.org/lspfix.htm

    Prior to doing so, I suggest waiting for a few other responses from other members here so as to verify/suggest the correct sequence to go about this repair.
     


  4. 2005/06/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi cintoman!

    You're using an old version of HijackThis. Please download version 1.99.1 and create, then post a new log.

    The LSP hijack in question is part of the Nielsens Netratings app. Did you knowingly opt into that?
     
  5. 2005/06/04
    cintoman

    cintoman Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    45
    Likes Received:
    0
    Hello, Here is my new log using HijackThis Ver 1.99.1:

    By the way, I'm holding off a bit on the LSP fix thing until, like you mentioned, I get some other replies.

    Thanks to all for your continued help
    Paul


    Logfile of HijackThis v1.99.1
    Scan saved at 11:44:48 PM, on 6/4/2005
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Software\Norton Anti Virus 2002\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\ZipToA.exe
    C:\WINNT\Explorer.EXE
    C:\Software\NORTON~1\navapw32.exe
    C:\HARDWARE\Mouse\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
    C:\Virus Protection\Microsoft AntiSpyware\gcasServ.exe
    C:\Virus Protection\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Internet\CConnect\CConnect.exe
    C:\Internet\ZoneAlarm\zapro.exe
    C:\Internet\CheckIt 86\CheckIt86.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpotdd01.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpobnz08.exe
    C:\Internet\Nielsen Netratings\NielsenNetratings\bin\insight.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpoevm08.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\Bin\hpoSTS08.exe
    C:\Internet\FolderShare\FolderShare.exe
    C:\Internet\AIM\aim.exe
    C:\Internet\eDonkey\Overnet\overnet.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Virus Protection\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.probetalk.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.probetalk.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Software\Adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Internet\CheckIt 86\CheckIt86.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Software\Norton Anti Virus 2002\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Software\Norton Anti Virus 2002\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [NAV Agent] C:\Software\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\HARDWARE\Mouse\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [hntnndz] C:\WINNT\System32\hntnndz.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Virus Protection\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [dlcapi] C:\WINNT\System32\dlcapi.exe
    O4 - HKCU\..\Run: [FolderShare] "C:\Internet\FolderShare\FolderShare.exe" /background
    O4 - Startup: Nielsen NetRatings.lnk = C:\Internet\Nielsen Netratings\NielsenNetratings\bin\insight.exe
    O4 - Global Startup: CorrectConnect.lnk = C:\Internet\CConnect\CConnect.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Internet\ZoneAlarm\zapro.exe
    O4 - Global Startup: CheckIt 86.lnk = C:\Internet\CheckIt 86\CheckIt86.exe
    O4 - Global Startup: hpoddt01.exe.lnk = C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpobnz08.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Internet\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O15 - Trusted Zone: http://cgi.ebay.com
    O15 - Trusted Zone: http://search.ebay.com
    O15 - Trusted Zone: http://signin.ebay.com
    O15 - Trusted Zone: http://www.ebay.com
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Software\Norton Anti Virus 2002\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
     
  6. 2005/06/06
    cintoman

    cintoman Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    45
    Likes Received:
    0
    Can anybody help out? Thank you so much in advance !!!!

    Cintoman
     
  7. 2005/06/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sorry about the delay cintoman. :( One of us will get to you this evening. Just got in and need to clean up, eat, etc, but will be back on later. Hang in there! ;)
     
  8. 2005/06/07
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Hello.

    Rescan with HJT and remove these.
    O4 - HKLM\..\Run: [hntnndz] C:\WINNT\System32\hntnndz.exe
    O4 - HKCU\..\Run: [dlcapi] C:\WINNT\System32\dlcapi.exe

    When done, click on the 'Config button' in HJT, then 'Misc Tools'. Click on 'Delete a file on reboot', and a File Open window appears, copy/paste this in it,
    C:\WINNT\System32\hntnndz.exe
    Click on Open, and you will be prompted to reboot, select No. Then do the same for this one.
    C:\WINNT\System32\dlcapi.exe
    Then reboot.
    Delete all files and folders located in your Temp folders

    I am assuming you wanted ebay.com in your trusted zone.

    I agree with Noahdfear on the Netrating, you could uninstall it and Norman, and install AVG AV for free.
    Netratings could be called "Premeter" in Add/Remove.
    Do not remove it with HJT, you will lose your internet connection. If you decide to uninstall it, be sure to reboot when prompted, and have LSPfix as suggested by TonyT.
    After the reboot of the uninstall, delete the Netratings folder.
    To use LSP fix, run it, click on "I know what I am doing", and remove all instances of "c:\winnt\system32\nmtracer.dll". If not found with LSPfix, the uninstall was successful.
    Then delete the file.


    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server

    The Support.Com can be uninstalled and is a form of spyware. It is there due to one of two reasons, you have Comcast or you bought a Sony Vaio. It will be "Comcast Support Software" or "Sony Vaio Support".
    http://www.winpatrol.com/db/freesample/tgcmd.html

    In any case, I suggest a visit to RAV Online Scan.
    Please post a new HJT log, and RAV log if any.
     
  9. 2005/06/08
    cintoman

    cintoman Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    45
    Likes Received:
    0
    Hello again,
    Thank you for all your help so far. Well, here's what I did so far:

    I ran HJT, removed the following:
    O4 - HKLM\..\Run: [hntnndz] C:\WINNT\System32\hntnndz.exe
    O4 - HKCU\..\Run: [dlcapi] C:\WINNT\System32\dlcapi.exe

    I had HJT delete the files on reboot. I also removed all the garbage in all my temp folders and all the *.tmp files my system found.

    Yes, I do want ebay in my trusted zone.

    As for the Nielsen Netratings deal, I did opt into this a few years back, so I am aware of it. It has never been intrusive at all during web surfing and using the computer. The only thing it does is whenever I go onto my computer after a period of inactivity (I always leave my system on), a window comes up asking "who is using the computer now." It lists my name, my wife's name, and "guest." I click on the appropriate person, and hit OK. Done deal until there's another long period of inactivity.

    It wasn't until my buddy used my system that I started noticing the window becoming inactive problem, and the "neededware.com" in my trusted zone.

    I would like to keep the NetRatings on my system provided that it doesn't do the window inactive **** anymore. They also send me a $50.00 savings bond every 6 months which is cool.

    Anyway, continuing on... because I'd like to keep NetRatings, I did not uninstall Netratings, and did not run LSPfix to remove the instances of nmtracer.dll. I rebooted my system.

    I did remove the support.com entry. My PC was built by me from scratch, but I did have the @Home High Speed internet service before they went under. I now have Cox Communications High Speed (Cable).

    After the reboot, I ran HJT, and noticed that: O4 - HKLM\..\Run: [hntnndz] C:\WINNT\System32\hntnndz.exe is back despite me having HJT delete the file on reboot. I removed it again, and ran HJT once more. The new log is below.

    So far, I haven't had the window inactive problem come up again. Cool so far. Oh, BTW....I ditched Internet Explorer last night in favor of Mozilla. Wow, what a difference !!! 1,000,000 times better !!!

    Few more things: with Mozilla and while on this site, I've noticed on the status bar, it's saying: "transferring data from us.intellitxt.com" and "transferring data from www.vibrantmedia.com." Hmmm....not sure about this. Is this "site related" or could it be more spyware junk?

    Final thing when looking at my new HJT log below: I'd like to keep NetRatings on my system, but anything else you find bad, I'll be glad to remove. But if you think NetRatings is what's really screwing around with my active windows, then I'll probably end up removing it. So far, while typing this whole thing, the window I'm in hasn't become inactive. Looks great.

    Again, please accept my sincerest THANKS for all of your help so far. You guys deserve all the credit in the world for doing all of this !!!

    Look forward to any new replies !!
    Cintoman

    Logfile of HijackThis v1.99.1
    Scan saved at 1:13:25 AM, on 6/8/2005
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Software\Norton Anti Virus 2002\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Software\NORTON~1\navapw32.exe
    C:\HARDWARE\Mouse\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
    C:\Virus Protection\Microsoft AntiSpyware\gcasServ.exe
    C:\Internet\FolderShare\FolderShare.exe
    C:\Internet\CConnect\CConnect.exe
    C:\Internet\ZoneAlarm\zapro.exe
    C:\Internet\CheckIt 86\CheckIt86.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpotdd01.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpobnz08.exe
    C:\Internet\Nielsen Netratings\NielsenNetratings\bin\insight.exe
    C:\Virus Protection\Microsoft AntiSpyware\gcasDtServ.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpoevm08.exe
    C:\HARDWARE\HP PSC 2110v\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Internet\AIM\aim.exe
    C:\INTERNET\MOZILL~1\FIREFOX.EXE
    C:\Virus Protection\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.probetalk.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.probetalk.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Software\Adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Internet\CheckIt 86\CheckIt86.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Software\Norton Anti Virus 2002\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Software\Norton Anti Virus 2002\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [NAV Agent] C:\Software\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\HARDWARE\Mouse\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Virus Protection\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [FolderShare] "C:\Internet\FolderShare\FolderShare.exe" /background
    O4 - Startup: Nielsen NetRatings.lnk = C:\Internet\Nielsen Netratings\NielsenNetratings\bin\insight.exe
    O4 - Global Startup: CorrectConnect.lnk = C:\Internet\CConnect\CConnect.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Internet\ZoneAlarm\zapro.exe
    O4 - Global Startup: CheckIt 86.lnk = C:\Internet\CheckIt 86\CheckIt86.exe
    O4 - Global Startup: hpoddt01.exe.lnk = C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\HARDWARE\HP PSC 2110v\Digital Imaging\bin\hpobnz08.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Internet\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
    O15 - Trusted Zone: http://cgi.ebay.com
    O15 - Trusted Zone: http://search.ebay.com
    O15 - Trusted Zone: http://signin.ebay.com
    O15 - Trusted Zone: http://www.ebay.com
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Software\Norton Anti Virus 2002\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
     
  10. 2005/06/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    The reappearance of that file means something else is there. I doubt it is part of Netratings.
    Download the trial version of ewido security suite.
    Install ewido security suite and start the program from the icon on your desktop, then check for and download updates. Close for now.
    Ewido Setup

    Reboot into Safe Mode, and then run the ewido scan. It is good at finding things, and does make automatic backups of all removed, just in case your Netratings is targeted.

    This site does have some ad support, but nothing intrusive.
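
The point made in the post above, that an autorun entry coming back after removal means something else is re-creating it, can be checked by diffing successive HijackThis scans. This is an added example, not code from the thread or from HijackThis; the function names are hypothetical, and the three log excerpts are constructed from lines quoted in the thread (the second and third follow cintoman's description of the state after the fix and after the reboot).

```python
import re

# Matches HijackThis result lines: a section code, " - ", then the detail.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")


def parse_entries(log_text):
    """Map a case-folded (section, detail) key to the line as it was logged.

    Header lines and the running-process list do not match and are skipped.
    Repeated lines (the identical O10 rows) collapse into one entry.
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            section, detail = m.group(1), m.group(2)
            # Windows paths are case-insensitive, so compare in lower case.
            entries[(section, detail.lower())] = f"{section} - {detail}"
    return entries


def diff_scans(before, after):
    """Return which entries were removed, added or kept between two scans."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(b[k] for k in b.keys() - a.keys()),
        "added": sorted(a[k] for k in a.keys() - b.keys()),
        "kept": sorted(a[k] for k in a.keys() & b.keys()),
    }


def reappeared(scans):
    """Entries that were seen, then missing from a later scan, then seen again."""
    seen, dropped, back = {}, set(), {}
    for entries in (parse_entries(s) for s in scans):
        for key in entries:
            if key in dropped:
                back[key] = entries[key]
        # Anything seen earlier but absent now counts as dropped.
        dropped = (dropped | (seen.keys() - entries.keys())) - entries.keys()
        seen.update(entries)
    return sorted(back.values())


# Constructed excerpt: lines taken from the 6/4/2005 log in the thread.
SCAN_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
O4 - HKLM\..\Run: [hntnndz] C:\WINNT\System32\hntnndz.exe
O4 - HKCU\..\Run: [dlcapi] C:\WINNT\System32\dlcapi.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
"""

# Constructed: state right after the two O4 rows were fixed in HijackThis.
SCAN_AFTER_FIX = r"""O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
"""

# Constructed: state after the reboot, with the hntnndz Run value back.
SCAN_AFTER_REBOOT = r"""O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
O4 - HKLM\..\Run: [hntnndz] C:\WINNT\System32\hntnndz.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nmtracer.dll
"""

if __name__ == "__main__":
    for label, lines in diff_scans(SCAN_BEFORE, SCAN_AFTER_FIX).items():
        print(label, *lines, sep="\n  ")
    print("reappeared", *reappeared(
        [SCAN_BEFORE, SCAN_AFTER_FIX, SCAN_AFTER_REBOOT]), sep="\n  ")
```

An entry listed under "reappeared" is the cue to look for whatever rewrites it (a second process, a service or a scheduled task) before removing it again.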
     
  11. 2005/06/09
    cintoman

    cintoman Inactive Thread Starter

    Joined:
    2003/03/02
    Messages:
    45
    Likes Received:
    0
    Hello again,
    Well, I downloaded ewido, ran it normally and after rebooting in safe mode. It cleared up a few things.

    Best of all, even before downloading ewido, my active window problem was resolved. This, along with ditching Internet Explorer for Mozilla has made a world of difference in going on the web.

    So I think things are great here. I now want to take this time to say thank you immensely to markp62, noahdfear, and TonyT for all of your help and your constant feedback time and again. You guys have truly helped me out so much, and I want all 3 of you to be certain that I appreciate it so much. I've been on this site quite a few times, and I have never had a problem that didn't get resolved. You guys are truly the best !!!!

    Thanks again,
    Paul (cintoman)
    Cumberland, Rhode Island !!!
     
  12. 2005/06/09
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You're welcome!
     
  13. 2005/06/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to hear things are working right for you again. :)
     