Author Topic: Spyware? (Read 1849 times)

fobulous · « **on:** March 08, 2008, 02:10:33 PM »

er i've been getting a lot of popups lately. there has also been i think a trojan on my computer. help?
Logfile of HijackThis v1.99.1
Scan saved at 2:18:02 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\PROGRA~1\AVG\AVG8\avgam.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Steam\Steam.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\Program Files\Hamachi\hamachi.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn25\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn25\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn25\yt.dll
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update x86] firefox.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "E:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: hamachi.lnk = E:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: hp psc 2000 Series.lnk = E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://E:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LMIinit - E:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - E:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe

guestolo · « **Reply #1 on:** March 08, 2008, 02:17:02 PM »

Hi fobulos

Can you do the following please
Download [color=\"red\"]SDFix[/color] and save this to your desktop
We will need it in a bit

Reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In safe mode

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix) in your case it should be F:\SDFix
Go to START>>My Computer>>Double click to open the C:\ folder or F:\folder

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

I'll need to see that report later

Your version of Hijackthis is outdated
Can you uninstall it from Add or Remove Programs
Then do the following
Download Hijackthis Installer from [color=\"#FF0000\"]HERE[/color]
For an alternate download location, you can try HERE
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install

Hijackthis v2.0.2 will open

Under Main Menu, Select
Do a system scan and save a Log file
A log will open in Notepad
Copy and Paste the Whole log back here to the forum

Also include the report from SDFix

fobulous · « **Reply #2 on:** March 08, 2008, 05:03:26 PM »

er when i select safe mode, it starts loading stuff, then it goes to a screen saying cannot display this video mode or something.
i have a dell 17'' monitor.

guestolo · « **Reply #3 on:** March 09, 2008, 12:13:32 AM »

Can you try the following in Normal windows
Uninstall your version of Hijackthis
Then download install the latest version from the instructions I posted earlier

Afterwards:
Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKLM\..\RunServices: [Microsoft Windows Update x86] firefox.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Afterwards:
Download this file - Combofix.exe and save it ONLY to your desktop

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back all the following
1. Post the log from Combofix
2.. Run a fresh scan>>save logfile with Hijackthis and post the log also

fobulous · « **Reply #4 on:** March 09, 2008, 10:10:23 AM »

Okay, I did that. Here are the logs...
the combofix log:
ComboFix 08-03-08.2 - george 2008-03-09 11:06:42.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.363 [GMT -4:00]
Running from: E:\Documents and Settings\george\Desktop\ComboFix.exe
* Created a new restore point

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\drivers\core.cache.dsk
E:\WINDOWS\system32\drivers\kbdclasss.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_KBDCLASSS
-------\kbdclasss

((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-08 17:54 . 2008-03-08 17:55 1,412,207 --a------ E:\SDFix.exe
2008-03-08 17:42 . 2008-03-08 17:42 <DIR> d-------- E:\Program Files\Trend Micro
2008-03-08 15:35 . 2008-03-08 15:33 13,824 --a------ E:\Documents and Settings\george\Application Data\qhzfr.exe
2008-03-08 14:02 . 2008-03-08 17:56 <DIR> d-------- E:\Program Files\SUPERAntiSpyware
2008-03-08 14:02 . 2008-03-08 17:56 <DIR> d-------- E:\Documents and Settings\george\Application Data\SUPERAntiSpyware.com
2008-03-08 14:02 . 2008-03-08 14:02 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-05 21:32 . 2008-03-09 11:14 <DIR> d-------- E:\WINDOWS\system32\drivers\Avg
2008-03-05 21:32 . 2008-03-05 21:32 <DIR> d-------- E:\Program Files\AVG
2008-03-05 21:32 . 2008-03-05 22:42 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\avg8
2008-03-05 21:32 . 2008-03-05 21:32 96,520 --a------ E:\WINDOWS\system32\drivers\avgldx86.sys
2008-03-05 21:32 . 2008-03-05 21:32 73,864 --a------ E:\WINDOWS\system32\drivers\avgtdix.sys
2008-03-05 21:32 . 2008-03-05 21:32 14,104 --a------ E:\WINDOWS\system32\avgrsstx.dll
2008-03-05 21:32 . 2008-03-05 21:32 12,424 --a------ E:\WINDOWS\system32\drivers\avgrkx86.sys
2008-02-29 09:48 . 2008-02-29 09:48 <DIR> d-------- E:\Documents and Settings\george_2\Application Data\ORSLN
2008-02-24 17:26 . 2008-02-24 17:26 <DIR> d-------- E:\Program Files\Realtek AC97
2008-02-20 13:15 . 2008-02-20 13:37 <DIR> d-------- E:\Program Files\MP3 WAV Converter
2008-02-17 00:08 . 2006-03-14 03:26 53,248 --a------ E:\WINDOWS\system32\ImageOle.dll
2008-02-17 00:07 . 2008-02-17 00:07 <DIR> d-------- E:\Documents and Settings\george\Application Data\InstallShield
2008-02-17 00:06 . 2008-02-17 00:06 <DIR> d-------- E:\Program Files\Ocean Technologies & Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 15:16 --------- d-----w E:\Program Files\Steam
2008-03-09 15:13 --------- d-----w E:\Documents and Settings\george\Application Data\Hamachi
2008-03-08 21:56 --------- d-----w E:\Program Files\Common Files\Wise Installation Wizard
2008-03-08 20:35 --------- d-----w E:\Program Files\Starcraft
2008-03-08 19:12 --------- d-----w E:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-07 02:55 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-02-24 20:33 --------- d-----w E:\Program Files\Winamp
2008-02-20 17:31 --------- d-----w E:\Documents and Settings\george\Application Data\TransRender
2008-02-20 17:21 --------- d-----w E:\Documents and Settings\george\Application Data\Temporary
2008-02-20 17:13 --------- d-----w E:\Program Files\Blaze Media Pro
2008-02-19 23:03 --------- d-----w E:\Program Files\Warcraft III
2008-02-18 17:27 --------- d-----w E:\Program Files\NetBattle
2008-02-17 04:08 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-02-09 23:57 --------- d-----w E:\Program Files\QuickTime
2008-02-09 20:25 --------- d-----w E:\Program Files\AoA Audio Extractor
2008-02-05 03:59 --------- d-----w E:\Program Files\Advanced Sound Recorder
2008-01-26 17:39 --------- d-----w E:\Program Files\mIRC
2008-01-24 21:36 4,127,488 ----a-r E:\WINDOWS\system32\drivers\alcxwdm.sys
2008-01-21 00:50 --------- d-----w E:\Program Files\Kitsune RO
2008-01-21 00:46 --------- d-----w E:\Program Files\Gravity
2008-01-20 22:00 --------- d-----w E:\Program Files\Ventrilo
2008-01-20 20:56 --------- d-----w E:\Program Files\Teamspeak2_RC2
2008-01-20 20:56 --------- d-----w E:\Documents and Settings\george\Application Data\teamspeak2
2008-01-16 07:14 --------- d-----w E:\Program Files\Microsoft Solutions
2008-01-16 07:14 --------- d-----w E:\Documents and Settings\george\Application Data\ORSLN
2007-12-14 22:58 86,016 ----a-w E:\Documents and Settings\george_2\IDHWTSS1.dll
2007-12-14 22:58 81,920 ----a-w E:\Documents and Settings\george_2\hobjni.dll
2007-05-19 10:32 86,016 ----a-w E:\Documents and Settings\george\IDHWTSS1.dll
2007-05-19 10:32 81,920 ----a-w E:\Documents and Settings\george\hobjni.dll
2006-05-05 11:39 36,868 ----a-w E:\Documents and Settings\george_2\PrtDLL.dll
2006-04-28 18:33 36,868 ----a-w E:\Documents and Settings\george\PrtDLL.dll
2006-03-04 04:25 557,056 ----a-w E:\Documents and Settings\george\chatlnk.exe
2005-02-24 16:35 36,664 ----a-w E:\Documents and Settings\george\Application Data\GDIPFONTCACHEV1.DAT
2004-12-28 22:09 954,430 ----a-w E:\Documents and Settings\OpenKoreBot\openkore.exe
2004-12-26 18:33 24,814 ----a-w E:\Documents and Settings\OpenKoreBot\Tools.dll
2004-12-25 23:07 133,254 ----a-w E:\Documents and Settings\OpenKoreBot\Inject.dll
2004-11-17 22:46 56 --sha-r E:\WINDOWS\system32\9DD3F33CD7.sys
2004-11-17 22:46 1,890 --sha-w E:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2008-01-01 12:21 15360]
"Steam"="E:\Program Files\Steam\Steam.exe" [2008-01-01 18:45 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002A"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-01 12:21 455168]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="E:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48 479232]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 E:\WINDOWS\soundman.exe]
"AVG8_TRAY"="E:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-03-05 21:32 899864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows Update x86"="firefox.exe" []

E:\Documents and Settings\george_2\Start Menu\Programs\Startup\
HotSync Manager.lnk - E:\Program Files\Palm\HOTSYNC.EXE [2003-10-14 15:04:06 299008]

E:\Documents and Settings\george\Start Menu\Programs\Startup\
hamachi.lnk - E:\Program Files\Hamachi\hamachi.exe [2007-08-09 16:37:42 597544]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 02:06:58 28672]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 E:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=E:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=E:\WINDOWS\pss\DataViz Messenger.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=E:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
backup=E:\WINDOWS\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=E:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=E:\WINDOWS\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^george^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=E:\Documents and Settings\george\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=E:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\E:^Documents and Settings^george^Start Menu^Programs^Startup^Kitsune RO.lnk]
path=E:\Documents and Settings\george\Start Menu\Programs\Startup\Kitsune RO.lnk
backup=E:\WINDOWS\pss\Kitsune RO.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!1_pgaccount]
E:\Program Files\ProcessGuard\pgaccount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!xSpeed]
C:\!xSpeedPro\!xSpeedPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
E:\Program Files\a2\a2guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-06-07 16:53 61440 E:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 17:17 50736 E:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 18:05 81920 E:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
E:\PROGRA~1\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
E:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
E:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Update x86]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 12:24 1694208 E:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
E:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
E:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-03-28 18:10 224248 E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"E:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6885:TCP"= 6885:TCP:BitComet 6885 TCP
"6885:UDP"= 6885:UDP:BitComet 6885 UDP

R0 AvgRkx86;avgrkx86.sys;E:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-03-05 21:32]
R1 AvgLdx86;AVG AVI Loader Driver x86;E:\WINDOWS\system32\Drivers\avgldx86.sys [2008-03-05 21:32]
R2 avg8emc;AVG8 E-mail Scanner;E:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-03-05 21:32]
R2 avg8wd;AVG8 WatchDog;E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-03-05 21:32]
R2 AvgTdiX;AVG8 Network Redirector;E:\WINDOWS\system32\Drivers\avgtdix.sys [2008-03-05 21:32]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;E:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 SVKP;SVKP;E:\WINDOWS\System32\SVKP.sys [2005-03-01 23:03]
R2 UxTuneUp;TuneUp Theme Extension;E:\WINDOWS\System32\svchost.exe [2004-08-03 20:56]
R3 kbdcap;kbdcap;E:\WINDOWS\system32\drivers\kbdcap.sys [2007-11-30 00:17]
R3 moufiltr;Mouse Filter Driver;E:\WINDOWS\system32\DRIVERS\moufiltr.sys [2004-08-27 11:07]
S1 SABKUTIL;SABKUTIL;E:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S2 LMIInfo;LogMeIn Kernel Information Provider;E:\Program Files\LogMeIn\x86\RaInfo.sys []
S3 cheetah1;cheetah1;E:\Documents and Settings\george\Desktop\Cheetah Engine 1.4\cheetah.sys []
S3 DADriv1;DADriv1;E:\Documents and Settings\george\Desktop\Hackzor packz0r\DaEngine\DAK32.sys []
S3 ESISTEMA53;ESISTEMA53;E:\Program Files\RuanEngine\sistema32.sys []
S3 g0wkudr1ver;g0wkudr1ver;E:\Documents and Settings\george\Desktop\super\g0wku.sys []
S3 geebers12;geebers12;E:\Documents and Settings\george\Desktop\blorbslayerengine\nvid888.sys []
S3 HRESTIME;HRESTIME;E:\PROGRA~1\TPWINS32\HRESTIME.SYS []
S3 kaspersky1;Kaspersky1;E:\Documents and Settings\george\Desktop\Kaspersky AntiGG\Kaspersky.sys []
S3 KIKIDRIVER;KIKIDRIVER;E:\Documents and Settings\george\Desktop\Kiki Engine 1.41 [Unpacked]\kiki.sys []
S3 Networktemple01;Networktemple01;E:\Documents and Settings\george\Desktop\DK Hack\Networktemple.sys []
S3 projectx1;projectx1;E:\Documents and Settings\george\Desktop\ProjectX3.0 Tux-Hack\FelipeZe.sys []
S3 puma1;puma1;E:\DOCUME~1\george\LOCALS~1\Temp\Rar$EX00.485\PumaByZÃ©\puma.sys []
S3 saruenGang;saruenGang;E:\Documents and Settings\george\Desktop\saruenGang\saruenGang.sys []
S3 ShaK31;ShaK31;E:\Documents and Settings\george\Desktop\Revolution Engine\ShaK3.sys []
S3 SoRa01;SoRa01;E:\Documents and Settings\george\Desktop\G-Bot\PedZing Engine\SoRa.sys []
S3 spuce1;spuce1;E:\Documents and Settings\george\Desktop\Spuc3nginef\spuce.sys []
S3 usbprint;Microsoft USB PRINTER Class;E:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 xp1;xp1;E:\Documents and Settings\george\Desktop\xpengine\xp.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 22:33:57 E:\WINDOWS\Tasks\1-Click Maintenance.job"
- E:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-03-06 01:26:01 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 11:15:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="system32\drivers\drvnddm.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\E:]
"ImagePath"="\??\E:\Documents and Settings\george\Desktop\Kiki Engine 1.41
[Unpacked]\kiki.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\KIKIDRIVER]
"ImagePath"="\??\E:\Documents and Settings\george\Desktop\Kiki Engine 1.41
.
------------------------ Other Running Processes ------------------------
.
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgam.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2008-03-09 11:21:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 15:21:25
.
2007-12-28 08:00:21 --- E O F ---

and new hijack this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:00 AM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgam.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Steam\Steam.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\Program Files\Hamachi\hamachi.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn25\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn25\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn25\yt.dll
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update x86] firefox.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "E:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: hamachi.lnk = E:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: hp psc 2000 Series.lnk = E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://E:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - E:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7035 bytes

guestolo · « **Reply #5 on:** March 09, 2008, 11:30:20 AM »

How are things running?
What version of AVG8 did you install?
The trial version Internet Security or just the AntiVirus software?
Or the paid version?

guestolo · « **Reply #6 on:** March 09, 2008, 12:26:13 PM »

Can you also do the following
Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\RunServices: [Microsoft Windows Update x86] firefox.exe

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Back in Windows
Run a fresh scan >> save logfile with hijackthis and post it

Also, supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

guestolo · « **Reply #7 on:** April 26, 2008, 05:04:44 PM »

Since your problems appear resolved, I'll lock this topic

TheTechGuide Forum

News:

Author Topic: Spyware? (Read 1849 times)

fobulous

Spyware?

guestolo

Spyware?

fobulous

Spyware?

guestolo

Spyware?

fobulous

Spyware?

guestolo

Spyware?

guestolo

Spyware?

guestolo

Spyware?