Powerscan
Greetings,
My problem is that when I boot up (Windows 2000), I get a Powerscan pop-up window. Then just random pop-ups. My internet homepage tries to go to www.optimizer.com and does not connect. After doing an Ad-aware scan and Spybot scan, it looks as if the system has been cleaned, but upon reboot the problem returns. My program files have Internet Optimizer, Powerscan as well as many other folders that I recognize as spyware. Now I just randomly get pop-ups even when not trying to access the internet. I also notice that I now have the Elite toolbar in IE which was never there before. Here is my Hijack This log. It seems as though something in startup is reinstalling several pieces of spyware after it is cleaned. Any clues that you could give me as to what is going on here would be greatly appreciated. Thanks.
FDC326
Logfile of HijackThis v1.99.0
Scan saved at 1:41:45 PM, on 12/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Compaq\Easy Access Keyboard\MEDIACTR.EXE
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Documents and Settings\image\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dma-iis/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dma-iis/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Division of Medical Assistance
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EASY ACCESS KEYBOARD] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvwgl32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://dma-iis/
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
Comments
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
Fix those entries then find and delete all .exe and .pf files in your system32 and Prefetch folder that begin with kalv, reboot and post a new log.
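The O4 lines of a HijackThis log are the autostart entries that survive a reboot, which is where a reinstalling component has to live. The following Python is an added example, not part of the original thread: it parses those lines and filters them by executable name. The function names are choices made for this example, and the filter values (`kalv`, `msa.exe`) are the ones named in the reply above.

```python
import re
from ntpath import basename

# Constructed sample: O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvwgl32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Registry autostart: O4 - <hive>\..\<key>: [<value name>] <command>
O4_REG = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Startup-folder shortcut: O4 - [Global ]Startup: <shortcut> = <target>
O4_LNK = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")

def image_name(cmd):
    """Lower-cased executable file name from a command line (paths may hold spaces)."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|com|bat|dll))(?:\s|$)|(\S+)', cmd, re.I)
    return basename(next(g for g in m.groups() if g)).lower()

def startup_entries(log):
    """Parse every O4 line into hive / key / name / cmd / image fields."""
    entries = []
    for line in log.splitlines():
        m = O4_REG.match(line.strip()) or O4_LNK.match(line.strip())
        if m:
            entry = {"hive": None, **m.groupdict()}  # shortcuts have no hive
            entry["image"] = image_name(entry["cmd"].strip())
            entries.append(entry)
    return entries

def matching(entries, prefixes=(), images=()):
    """Entries whose image starts with a given prefix or equals a given name."""
    prefixes = tuple(p.lower() for p in prefixes)
    images = {i.lower() for i in images}
    return [e for e in entries
            if e["image"] in images or e["image"].startswith(prefixes)]

if __name__ == "__main__":
    for e in matching(startup_entries(SAMPLE_LOG), ("kalv",), ("msa.exe",)):
        print(e["key"], e["name"], "->", e["cmd"])
```
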