Media Motor Popup--another victim
Posted below is my hijackthis log. I would sincerely appreciate it if anyone was able to point me to particular portions to remove in order to prevent the media motor pop up that's asking for some joystick crap--it's pretty doggone annoying.
Thanks
Logfile of HijackThis v1.98.2
Scan saved at 04:28:54, on 09/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\cusrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\winnt\180ax.exe
C:\Documents and Settings\AU\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://intranet.swedish.org:8765/smcquery.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.swedish.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Swedish Medical Center
R3 - URLSearchHook: (no name) - {81C80E9C-B40B-46A9-B5B6-E44266A430DF} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: HomepageProtector.Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\HomepageProtector\764\HomepageProtector.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\neti.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [Audit Wizard] C:\WINNT\Audit\audit.bat
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\Run: [rgf] C:\WINNT\rgf.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\HomepageProtector\764\HomepageProtector.dll
O9 - Extra 'Tools' menuitem: Homepage Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\HomepageProtector\764\HomepageProtector.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O16 - DPF: {2A6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - http://www.homepageprotector.com/data/homeproinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{196AB8D5-C4C6-480A-84C2-0D61A71B7DEC}: Domain = swedish.org
Comments
Get rid of the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {81C80E9C-B40B-46A9-B5B6-E44266A430DF} - (no file)
O2 - BHO: HomepageProtector.Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\HomepageProtector\764\HomepageProtector.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\neti.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\Run: [rgf] C:\WINNT\rgf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\HomepageProtector\764\HomepageProtector.dll
O9 - Extra 'Tools' menuitem: Homepage Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\HomepageProtector\764\HomepageProtector.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O16 - DPF: {2A6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - http://www.homepageprotector.com/da...eproinstall.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab
This looks like it's on a corporate network, so you may want to check with your network administrator about anti-spyware measures.
Reboot, and post a new log for us.