Author Topic: My computer is infected with spyware please help

Offline avanguarde
« on: July 24, 2006, 11:45:57 AM »
I clicked on a link on the stoptazmo.com website and all of a sudden my computer started to slow down. I pressed control alt delete and then all of a sudden I see project 1 running. And then all these ads started to pop up. I immediately ran AdAware but it couldn't remove some of the files. Please help me.

Logfile of HijackThis v1.99.1
Scan saved at 12:32:22 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\IA\command.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
C:\WINDOWS\ms0556734-6579.exe
C:\WINDOWS\system32\zqskw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\{D8C86082-0BB8-1033-0813-040406040001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\WINDOWS\system32\WNSXS~1\nslookup.exe
C:\WINDOWS\qlinesq.exe
C:\WINDOWS\ICROSO~1\DDPLAY~1.EXE
C:\WINDOWS\system32\lfppmg.exe
C:\WINDOWS\system32\lfppmg.exe
C:\Program Files\PSHope\PSHope.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\Spy Axe Removal\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
R3 - URLSearchHook: (no name) - _{49CD68BA-AD24-FDF1-0F97-F04A46AFA49E} - (no file)
R3 - URLSearchHook: (no name) - {49CD68BA-AD24-FDF1-0F97-F04A46AFA49E} - C:\WINDOWS\system32\ncwvbimh.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yrdib.exe
F2 - REG:system.ini: UserInit=userinit.exe,jmkmlux.exe
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {49CD68BA-AD24-FDF1-0F97-F04A46AFA49E} - C:\WINDOWS\system32\ncwvbimh.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
O4 - HKLM\..\Run: [ms0556734-6579] C:\WINDOWS\ms0556734-6579.exe
O4 - HKLM\..\Run: [qlinesqA] C:\WINDOWS\qlinesqA.exe
O4 - HKLM\..\Run: [fune4690] RUNDLL32.EXE w2d09665.dll,n 001e468f000000032d09665
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\WNSXS~1\nslookup.exe" -vt yazr
O4 - HKCU\..\Run: [Hic] C:\WINDOWS\ICROSO~1\DDPLAY~1.EXE
O4 - HKCU\..\Run: [lfppmg] C:\WINDOWS\system32\lfppmg.exe
O4 - HKCU\..\Run: [PSHope] "C:\Program Files\PSHope\PSHope.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.gateway.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100115144062
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - AppInit_DLLs: inicfg32.dll, C:\WINDOWS\system32\winword.dll,molkgdge.dll
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qlinesq.exe
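As an added illustration, not part of the thread or of any tool named in it: a small Python triage script that applies the checks a helper reading the log above would make (F2 Shell/UserInit chaining, AppInit_DLLs entries, the text/html MIME filter, the Winsock LSP hijack, autorun binaries dropped straight into the drive or Windows root, the search-page redirect). The sample lines are copied from the log above; EXPECTED_HOSTS and the root-folder and value-name heuristics are assumptions, so the output is a review list for an analyst, not a verdict.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log above, plus a few
# clean entries for contrast. Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\yrdib.exe
F2 - REG:system.ini: UserInit=userinit.exe,jmkmlux.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ms0556734-6579] C:\WINDOWS\ms0556734-6579.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
O4 - HKLM\..\Run: [fune4690] RUNDLL32.EXE w2d09665.dll,n 001e468f000000032d09665
O10 - Hijacked Internet access by WebHancer
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - AppInit_DLLs: inicfg32.dll, C:\WINDOWS\system32\winword.dll,molkgdge.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qlinesq.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why an analyst should look at this entry
    line: str    # the original log line


# Assumption: the OEM default page for this machine plus the home router; any
# other host in an R0/R1 entry is treated as a start/search-page hijack.
EXPECTED_HOSTS = {"www.gateway.com", "192.168.0.1"}
# The only file that belongs on each of these system.ini lines; anything
# appended after it is a chained loader that runs with the shell or at logon.
EXPECTED_SYSINI = {"shell": "explorer.exe", "userinit": "userinit.exe"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Heuristic: a file sitting directly in the drive root or in C:\WINDOWS itself
# (not in a subfolder), which legitimate installers almost never do.
ROOT_FILE_RE = re.compile(r'^"?[A-Za-z]:\\+(?:WINDOWS\\+)?[^\\]+\.(?:exe|dll)"?$', re.I)


def in_root_dir(path: str) -> bool:
    return bool(ROOT_FILE_RE.match(path.strip()))


def basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_line(code: str, body: str, line: str) -> list:
    out = []

    def flag(reason: str) -> None:
        out.append(Finding(code, reason, line))

    if code in ("R0", "R1") and " = " in body:
        host = urlparse(body.split(" = ", 1)[1].strip()).hostname
        if host and host not in EXPECTED_HOSTS:
            flag(f"browser start/search URL points at unexpected host {host}")
    elif code == "F2":
        m = re.match(r"REG:system\.ini: (?P<key>Shell|UserInit)=(?P<val>.*)", body)
        if m:
            key = m["key"].lower()
            extras = [p.strip() for p in m["val"].split(",")
                      if p.strip() and basename(p) != EXPECTED_SYSINI[key]]
            if extras:
                flag(f"{m['key']} chains extra loader(s): {', '.join(extras)}")
    elif code == "O4":
        m = O4_RE.match(body)
        if m:
            name, cmd = m["name"], m["cmd"]
            if cmd.upper().startswith("RUNDLL32"):
                # rundll32 with an unqualified DLL name resolves via the search path
                parts = cmd.split()
                dll = parts[1].split(",")[0] if len(parts) > 1 else ""
                if dll and "\\" not in dll:
                    flag(f"rundll32 loads DLL by bare name: {dll}")
            else:
                exe = re.match(r'"?(?P<exe>.+?\.exe)"?', cmd, re.I)
                if exe and in_root_dir(exe["exe"]):
                    flag(f"autorun binary sits directly in drive or Windows root: {exe['exe']}")
            if re.search(r"\d{3,}", name):  # heuristic: names like ms0556734-6579
                flag(f"autorun value name looks machine-generated: {name}")
    elif code == "O10":
        flag("Winsock LSP hijack (third-party layered provider): " + body)
    elif code == "O18" and body.startswith("Filter: text/html"):
        flag("MIME filter on text/html can rewrite every page the browser loads")
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        for d in [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]:
            flag(f"AppInit_DLLs injects {d} into every process that loads user32.dll")
    elif code == "O23":
        parts = [p.strip() for p in body.split(" - ")]
        if "Unknown owner" in parts and in_root_dir(parts[-1]):
            flag(f"service with no vendor whose binary sits in a root folder: {parts[-1]}")
    return out


def analyze(log_text: str) -> list:
    """Return the entries of a HijackThis log that deserve analyst attention."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.extend(check_line(m["code"], m["body"], line.strip()))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}")
```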

Offline guestolo
« Reply #1 on: July 24, 2006, 06:21:12 PM »
Can you do the following, then we'll run some fixes.
Please supply an uninstall list from HijackThis:
Open HijackThis >> Open MISC TOOLS SECTION >> Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop, then copy and paste the whole contents back here, please.


Offline avanguarde
« Reply #2 on: July 25, 2006, 04:36:41 AM »
Sorry it took so long.

3D Groove Playback Engine
Ad-Aware SE Personal
Adobe Acrobat 6.0 Standard
Adobe Reader 6.0
Aluria Firewall
Aluria LiteScanner
Aluria Security Center
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BigFix
CleanUp!
Cowabanga by OIN
Digital Media Reader
DivX
DivX Player
E2give Plug-in
EPSON Printer Software
ESPNMotion
ewido anti-malware
Forethought
Gaim (remove only)
GemMaster Mystic
GTK+ Runtime 2.4.10 rev b (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Icons
iPod for Windows 2005-10-12
iTunes
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
Lexmark 5200 Series
LimeWire
LimeWire 4.9.37
Logger Pro 3.3
Macromedia Flash Player 8
Macromedia Shockwave Player
Marvell Miniport Driver
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Picture It! Photo Premium 9
Microsoft Works
Multimedia Keyboard Driver
MUSICMATCH® Jukebox
Nero BurnRights
Nero OEM
Otto
Plaxo Toolbar for Outlook and Outlook Express
PowerDVD
Pure Networks Port Magic
Quicklinks
QuickTime
Reader Rabbit Thinking Adventures Ages 4-6
RealPlayer
Realtek High Definition Audio Driver
Security Toolbar
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
SoftV92 Data Fax Modem with SmartCP
Sonic Encoders
ToolBar888
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
Web Nexus Network
webHancer Customer Companion
webHancer Survey Companion
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Overlay Components
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Toolbar

Offline guestolo
« Reply #3 on: July 25, 2006, 10:56:25 PM »
Roll up your sleeves and let's get to work on cleaning this computer :)
Do everything I post below to ensure we have you clean.
=
1. Download and save to your desktop
WinsockXP fix.exe
We won't use this, but we have it if needed.
Just let it sit on your desktop for now.

2. Are you running the free version of Ewido?
You still have Ewido Anti-Malware installed.
Can you uninstall it from Add/Remove Programs?
Reboot the computer if prompted.
Then install the latest free version.
==Download, install, and update Ewido anti-Spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close Ewido. Do not run it yet.
3. Download and save Brute Force Uninstaller to the desktop
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.
Save it to the same folder you made earlier (c:\BFU).
Print and/or save the rest of these instructions to a text file saved to desktop

4. Download this file - Combofix.exe - and save it to your desktop.
Do not run it yet.

Access your add/remove programs and remove
webHancer Customer Companion
webHancer Survey Companion


IMPORTANT! Reboot the computer afterwards

Back in Windows, go back to Add/remove programs
Remove all the following if you can
Cowabanga by OIN
E2give Plug-in
Java 2 Runtime Environment, SE v1.4.2
Security Toolbar
ToolBar888
Viewpoint Media Player
Web Nexus Network
Windows Overlay Components


Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
Sign in with your normal user account

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer
NOTE: The first time you run CleanUp! it may prompt to run in Demonstration mode
Deny this, we want to run the actual cleanup!!

==Go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Next to the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
==Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process.
I'll need to see these later; by default they are also saved at C:\rapport.txt

Reboot back to Normal mode

Back in Windows
=Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Can you save the log someplace you will remember,
such as the desktop?

Again, reboot back to Safe mode
Once in safe mode

Ewido Scan
  • Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Reboot back to Normal mode

Access the following link to update your version of Java
http://www.java.com/en/download/manual.jsp
Save the Windows (OFFLINE) installer to your desktop
Double click on the installer and follow the prompts
Once installed delete the installer from desktop

Post back all the following, even if it takes more than one reply

1. Post a fresh hijackthis log
2. Post the whole report from Ewido
3. Post the log from Combofix

NOTE: DO NOT let Aluria interfere with any fixes we are trying; if prompted about changes, ALLOW them please.
Also, if you do happen to lose your internet connection after doing any of the fixes above:
with all browsers closed, run the fix with WinsockXP fix.
Reboot at the prompt. ONLY use it if needed!
« Last Edit: July 25, 2006, 10:59:08 PM by guestolo »


Offline avanguarde
« Reply #4 on: July 26, 2006, 03:40:28 PM »
I'm still having problems with adware and ewido still detects it. If there is anything further you can try please do.

Logfile of HijackThis v1.99.1
Scan saved at 4:32:28 PM, on 7/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cvn0.exe
C:\WINDOWS\system32\ghynf.exe
C:\WINDOWS\system32\wfxqhv.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My Documents\Spy Axe Removal\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
R3 - URLSearchHook: (no name) - _{49CD68BA-AD24-FDF1-0F97-F04A46AFA49E} - (no file)
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: (no name) - {49CD68BA-AD24-FDF1-0F97-F04A46AFA49E} - C:\WINDOWS\system32\ncwvbimh.dll (file missing)
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [fune4690] RUNDLL32.EXE w2d09665.dll,n 001e468f000000032d09665
O4 - HKLM\..\Run: [w0046118.dll] RUNDLL32.EXE w0046118.dll,I2 001e468f00046118
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\WNSXS~1\nslookup.exe" -vt yazr
O4 - HKCU\..\Run: [Hic] C:\WINDOWS\ICROSO~1\DDPLAY~1.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.gateway.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100115144062
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe


ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   4:18:36 PM 7/26/2006

 + Scan result:

C:\WINDOWS\system32\molkgdge.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\Batty\Batty.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nst5A9.dll -> Adware.Ezula : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fune4690.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ncwvbimh.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iqqr.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xeymi.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\n9nyb.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\whInstall\WhSurvey.exe -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\whInstall\whAgent.inf -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\whInstall\whInstaller.ini -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\whInstaller.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\fym9bvo.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\WINDOWS\system32\w2d09665e.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\pi1_36.exe -> Downloader.Small.cqy : Cleaned with backup (quarantined).
C:\ac3_0003.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\WINDOWS\amm06.ocx -> Downloader.VB.bo : Cleaned with backup (quarantined).
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup (quarantined).
C:\visfx500new.exe -> Dropper.Agent.aie : Cleaned with backup (quarantined).
C:\626_101newer.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

Start Time= Wed 07/26/2006 15:28:38.57
Running from: C:\Documents and Settings\Owner\Desktop
 
(((((((((((((((((((((((((((((((((((((((((((((   Qoologic's Log   )))))))))))))))))))))))))))))))))))))))))))))))))))

15:29:30.82
 
Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * *  PRE-RUN - Filepaths extracted from the Registry  * * * * * * * * * * * * * * * * * * * * * *



 
* * *  PRE-RUN - Filepaths from Locate  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-20     16:31:36         1,163,264     "C:\WINDOWS\system32\wfxqhv.exe"
2006-07-25     05:25:24            45,056     "C:\WINDOWS\system32\ghynf.exe"
2006-07-24     11:56:08            36,864     "C:\WINDOWS\system32\n9nyb.exe"
2006-07-20     16:31:24            36,864     "C:\WINDOWS\system32\zqskw.exe"
2006-07-24     11:56:30                 2     "C:\WINDOWS\system32\wnstssv.exe"
2006-07-24     11:56:22           380,928     "C:\WINDOWS\system32\WinNB58.dll"
2006-07-24     11:56:10           221,184     "C:\WINDOWS\system32\xeymi.dll"


* * *  POST-RUN - Files in the Quarantine folder  * * * * * * * * * * * * * * * * * * * * * * * * *




DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * *  POST-RUN - Filepaths from Locate  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-24     11:56:30                 2     "C:\WINDOWS\system32\wnstssv.exe"
2006-07-20     16:31:36         1,163,264     "C:\WINDOWS\system32\wfxqhv.exe"
2006-07-25     05:25:24            45,056     "C:\WINDOWS\system32\ghynf.exe"
2006-07-24     11:56:08            36,864     "C:\WINDOWS\system32\n9nyb.exe"
2006-07-20     16:31:24            36,864     "C:\WINDOWS\system32\zqskw.exe"
2006-07-24     11:56:22           380,928     "C:\WINDOWS\system32\WinNB58.dll"
2006-07-24     11:56:10           221,184     "C:\WINDOWS\system32\xeymi.dll"


((((((((((((((((((((((((((((((((((((((((((((((((   Ssk's Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\repairs303169590.dll
C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\SurfSideKick 3\SskBho.dll
C:\Program Files\SurfSideKick 3\SskCore.dll
C:\WINDOWS\system32\bk.exe


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

15:32:28.18
((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\atmtd.dll.tmp
C:\Documents and Settings\NetworkService\Application Data\NetMon

 
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-26     15:15:02        13437          ( A.... )   "C:\smitfrau.reg"
2006-07-26     14:10:48                       ( .D... )   "C:\Program Files\ewido anti-spyware 4.0"
2006-07-26     13:47:56        33012       ( A.... )   "C:\WINDOWS\system32\tpuninstall.exe"
2006-07-26     13:47:52                       ( .D... )   "C:\Program Files\Batty"
2006-07-25     05:31:08        32443       ( A.... )   "C:\WINDOWS\system32\uninstIcn.exe"
2006-07-25     05:25:42        45056       ( A.... )   "C:\WINDOWS\system32ghynf.exe"
2006-07-25     05:25:24        45056       ( A.... )   "C:\WINDOWS\system32\ghynf.exe"
2006-07-24     12:01:40        69632       ( A.... )   "C:\WINDOWS\system32\molkgdge.dll"
2006-07-24     12:01:38        61440       ( A.... )   "C:\WINDOWS\system32\fune4690.dll"
2006-07-24     12:01:38         1063       ( A.... )   "C:\WINDOWS\system32\fune4690.sys"
2006-07-24     12:01:38         1063       ( A.... )   "C:\WINDOWS\system32\fune4690.sys"
2006-07-24     12:01:36        29696       ( A.... )   "C:\WINDOWS\system32\w2d09665e.dll"
2006-07-24     12:01:36         2560          ( A.... )   "C:\ac3_0003.exe"
2006-07-24     12:01:34       235134       ( A.... )   "C:\WINDOWS\srvszkvhfj.exe"
2006-07-24     12:01:34       184829       ( A.... )   "C:\WINDOWS\srvvbfaagc.exe"
2006-07-24     12:01:34                       ( .D... )   "C:\Program Files\PSHope"
2006-07-24     12:01:22       587776          ( A.... )   "C:\626_101newer.exe"
2006-07-24     11:57:06                       ( .D... )   "C:\Program Files\Common Files\fkur"
2006-07-24     11:56:46       232749       ( A.... )   "C:\WINDOWS\pf78.exe"
2006-07-24     11:56:36       467968          ( A.... )   "C:\visfx500new.exe"
2006-07-24     11:56:32        32768       ( A.... )   "C:\WINDOWS\unstall.exe"
2006-07-24     11:56:30         5632       ( A.... )   "C:\WINDOWS\pi1_36.exe"
2006-07-24     11:56:30            2       ( A.... )   "C:\WINDOWS\system32\wnstssv.exe"
2006-07-24     11:56:24            0          ( A.... )   "C:\Documents and Settings\Owner\Application Data\internaldb41.dat"
2006-07-24     11:56:22       380928       ( A.... )   "C:\WINDOWS\system32\WinNB58.dll"
2006-07-24     11:56:12       359634       ( A.... )   "C:\WINDOWS\media_motor_bundle.exe"
2006-07-24     11:56:10       221184       ( A.... )   "C:\WINDOWS\system32\xeymi.dll"
2006-07-24     11:56:10        36864       ( A.... )   "C:\WINDOWS\system32n9nyb.exe"
2006-07-24     11:56:10        28672       ( A.... )   "C:\WINDOWS\system32bez6n4r21.exe"
2006-07-24     11:56:10        28672       ( A.... )   "C:\WINDOWS\system32\iqqr.exe"
2006-07-24     11:56:08        36864       ( A.... )   "C:\WINDOWS\system32\n9nyb.exe"
2006-07-24     11:56:08        28672       ( A.... )   "C:\WINDOWS\system32\bez6n4r21.exe"
2006-07-24     11:56:04                       ( .D... )   "C:\Program Files\Common Files\{D8C86082-0BB8-1033-0813-040406040001}"
2006-07-24     11:56:02       226536       ( A.... )   "C:\WINDOWS\whCC-GIANT.exe"
2006-07-24     11:56:02        57344          ( A.... )   "C:\fym9bvo.exe"
2006-07-24     11:56:02                       ( .D... )   "C:\Program Files\whInstall"
2006-07-24     11:56:00                       ( .D... )   "C:\Program Files\Cowabanga"
2006-07-20     16:31:36      1163264       ( A.... )   "C:\WINDOWS\system32\wfxqhv.exe"
2006-07-20     16:31:24        36864       ( A.... )   "C:\WINDOWS\system32\zqskw.exe"
2006-07-20     16:30:00       159744       ( A.... )   "C:\WINDOWS\system32\cvn0.exe"
2006-07-13     10:38:12       389120       ( A.... )   "C:\WINDOWS\system32\nodeipproc.dll"
2006-07-06     17:01:52                       ( .D... )   "C:\Program Files\QuickTime"
2006-07-06     17:01:08                       ( .D... )   "C:\Program Files\iTunes"
2006-06-29     10:07:36        61440       ( A.... )   "C:\WINDOWS\system32\BattyRun.dll"
2006-06-28     11:08:38       139264       ( A.... )   "C:\WINDOWS\system32\ncwvbimh.dll"
2006-06-21     18:38:40       235228       ( A.... )   "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21     18:38:16       115239       ( A.... )   "C:\WINDOWS\system32\ts_mediamotor.exe"
2006-06-07     13:55:52         3753          ( A.... )   "C:\Program Files\Common Files\kygeb.html"


((((((((((((((((((((((((((((((((((((((   Files Created - Last 30days   )))))))))))))))))))))))))))))))))))))))))))


2006-07-26   15:25   1,071,484,928      C:\hiberfil.sys
2006-07-26   15:14   16,572      C:\replace.cmd
2006-07-26   15:14   13,437      C:\smitfrau.reg
2006-07-25   05:25   45,056      C:\WINDOWS\system32ghynf.exe
2006-07-25   05:25   45,056      C:\WINDOWS\system32\ghynf.exe
2006-07-24   12:01   69,632      C:\WINDOWS\system32\molkgdge.dll
2006-07-24   12:01   61,440      C:\WINDOWS\system32\fune4690.dll
2006-07-24   12:01   587,776      C:\626_101newer.exe
2006-07-24   12:01   33,012      C:\WINDOWS\system32\tpuninstall.exe
2006-07-24   12:01   29,696      C:\WINDOWS\system32\w2d09665e.dll
2006-07-24   12:01   235,134      C:\WINDOWS\srvszkvhfj.exe
2006-07-24   12:01   2,560      C:\ac3_0003.exe
2006-07-24   12:01   184,829      C:\WINDOWS\srvvbfaagc.exe
2006-07-24   12:01   1,063      C:\WINDOWS\system32\fune4690.sys
2006-07-24   11:56   5,632      C:\WINDOWS\pi1_36.exe
2006-07-24   11:56   467,968      C:\visfx500new.exe
2006-07-24   11:56   380,928      C:\WINDOWS\system32\WinNB58.dll
2006-07-24   11:56   36,864      C:\WINDOWS\system32n9nyb.exe
2006-07-24   11:56   36,864      C:\WINDOWS\system32\zqskw.exe
2006-07-24   11:56   36,864      C:\WINDOWS\system32\n9nyb.exe
2006-07-24   11:56   359,634      C:\WINDOWS\media_motor_bundle.exe
2006-07-24   11:56   32,768      C:\WINDOWS\whInstaller.exe
2006-07-24   11:56   32,768      C:\WINDOWS\unstall.exe
2006-07-24   11:56   32,443      C:\WINDOWS\system32\uninstIcn.exe
2006-07-24   11:56   28,672      C:\WINDOWS\system32bez6n4r21.exe
2006-07-24   11:56   28,672      C:\WINDOWS\system32\iqqr.exe
2006-07-24   11:56   28,672      C:\WINDOWS\system32\bez6n4r21.exe
2006-07-24   11:56   232,749      C:\WINDOWS\pf78.exe
2006-07-24   11:56   221,184      C:\WINDOWS\system32\xeymi.dll
2006-07-24   11:56   21,504      C:\WINDOWS\offun.exe
2006-07-24   11:56   2      C:\WINDOWS\system32\wnstssv.exe
2006-07-24   11:56   159,744      C:\WINDOWS\system32\cvn0.exe
2006-07-24   11:56   139,264      C:\WINDOWS\system32\ncwvbimh.dll
2006-07-24   11:56   1,163,264      C:\WINDOWS\system32\wfxqhv.exe
2006-07-24   11:55   57,344      C:\fym9bvo.exe
2006-07-24   11:55   226,536      C:\WINDOWS\whCC-GIANT.exe
2006-07-13   10:38   389,120      C:\WINDOWS\system32\nodeipproc.dll
2006-06-29   10:07   61,440      C:\WINDOWS\system32\BattyRun.dll
2006-06-21   18:38   235,228      C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21   18:38   115,239      C:\WINDOWS\system32\ts_mediamotor.exe


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"CHotkey"="zHotkey.exe"
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
@=""
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"Lexmark 5200 series"="\"C:\\Program Files\\Lexmark 5200 series\\lxbtbmgr.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"webHancer Agent"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"ad8rIU3s"="C:\\WINDOWS\\system32\\cvn0.exe"
"k6mmN5IOU"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"fune4690"="RUNDLL32.EXE w2d09665.dll,n 001e468f000000032d09665"
"w0046118.dll"="RUNDLL32.EXE w0046118.dll,I2 001e468f00046118"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PlaxoUpdate"="C:\\Program Files\\Plaxo\\2.5.10.21\\PlaxoHelper.exe -a"
"Ealb"="\"C:\\WINDOWS\\system32\\WNSXS~1\\nslookup.exe\" -vt yazr"
"Hic"="C:\\WINDOWS\\ICROSO~1\\DDPLAY~1.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{D8C86082-0BB8-1033-0813-040406040001}"="\"C:\\Program Files\\Common Files\\{D8C86082-0BB8-1033-0813-040406040001}\\Update.exe\" mc-110-12-0000103"
"lfppmg"="C:\\WINDOWS\\system32\\lfppmg.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Common Files\\kygeb.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"="Windows Update"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
 
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: Wed 07/26/2006 15:32:33.75
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt






Note:

There are still programs in my Add/Remove Program that I suspect and they are called:

Forethought

GemMaster Mystic

Learn2 Player

Otto

Offline guestolo

My computer is infected with spyware please help
« Reply #5 on: July 27, 2006, 07:53:08 PM »
Uninstall Forethought from add/remove programs

Additionally, the next three you don't recognize may have been preinstalled on your computer
Remove them if you don't use them

Download and save to desktop
this UNINSTALLER
Run it
Make sure that you reboot the computer after doing the above, it is important!

Back in Windows
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
Decline to log off when it's done

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop>>We will need it later
Ensure to copy from REGEDIT4 and down in the code box

 
Code:
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{D8C86082-0BB8-1033-0813-040406040001}"=-
"lfppmg"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Ealb"=-
"Hic"=-


I recommend that you print the instructions or save them to a text file on desktop
Try and not open any browser until needed

Please download The Avenger.zip by Swandog46 to your Desktop.

    * Click on Avenger.zip to open the file
    * Extract(Unzip) avenger.exe to your desktop

Copy ALL the text contained in the quote box below to your Clipboard by highlighting it and pressing Ctrl+C on your keyboard>>don't include the word quote please


Quote
files to delete:
C:\WINDOWS\system32\cvn0.exe
C:\WINDOWS\system32\ghynf.exe
C:\WINDOWS\system32\wfxqhv.exe
C:\WINDOWS\system32\xeymi.dll
C:\WINDOWS\system32\nodeipproc.dll
C:\WINDOWS\system32\wfxqhv.exe
C:\WINDOWS\system32\n9nyb.exe
C:\WINDOWS\system32\zqskw.exe
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\system32\repairs303169590.dll
C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
C:\WINDOWS\system32\bk.exe
C:\WINDOWS\system32\uninstIcn.exe
C:\WINDOWS\system32\fune4690.sys
C:\WINDOWS\srvszkvhfj.exe
C:\WINDOWS\srvvbfaagc.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\Program Files\Common Files\kygeb.html
C:\WINDOWS\system32\lfppmg.exe

folders to delete:
C:\Program Files\webHancer
C:\Program Files\SurfSideKick 3
C:\Program Files\Batty
C:\Program Files\PSHope
C:\Program Files\Common Files\fkur
C:\Program Files\Cowabanga
C:\Program Files\Common Files\{D8C86082-0BB8-1033-0813-040406040001}

registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | webHancer Agent
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | ad8rIU3s
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | k6mmN5IOU
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | fune4690
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | w0046118.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler | {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}

Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer
Back in Windows
Double click on fix.reg and allow it to add/merge to the registry

Do a "System scan only" with Hijackthis and put a check next to these entries:
If all went well above, not all of them below will be found, but check what you see from below

0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - _{49CD68BA-AD24-FDF1-0F97-F04A46AFA49E} - (no file)
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: (no name) - {49CD68BA-AD24-FDF1-0F97-F04A46AFA49E} - C:\WINDOWS\system32\ncwvbimh.dll (file missing)
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [fune4690] RUNDLL32.EXE w2d09665.dll,n 001e468f000000032d09665
O4 - HKLM\..\Run: [w0046118.dll] RUNDLL32.EXE w0046118.dll,I2 001e468f00046118

O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\WNSXS~1\nslookup.exe" -vt yazr
O4 - HKCU\..\Run: [Hic] C:\WINDOWS\ICROSO~1\DDPLAY~1.EXE
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer one more time

Back in Windows
Can you delete your version of ComboFix that you downloaded earlier?
It's been updated to include E2Give, among other fixes
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you.
*****Post that log in your next reply

Also, Include all the following
With the combofix log,
 *****post a fresh hijackthis log

SmitfraudFix has been updated; can you delete your version of SmitfraudFix please, if you have it downloaded? I realized I didn't get you to download it.
Download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
*****Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

EDIT>>Can I also see the log from Avenger>>C:\Avenger.txt
« Last Edit: August 03, 2006, 11:38:39 PM by guestolo »

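As an added, offline example (not code from this thread, nor from ComboFix, HijackThis or The Avenger): a small Python triage script that parses the "Reg Loading Points" section of a ComboFix log, flags the same kinds of Run entries guestolo picked out by eye (values under the policies\explorer\run key, RUNDLL32 launches of a bare DLL name, 8.3 short-name paths such as WNSXS~1), diffs a before/after pair of dumps to confirm which values actually disappeared, and renders the `"name"=-` deletion lines of a fix.reg. The two embedded dumps are trimmed excerpts of the registry sections from the first and second ComboFix logs posted in this thread; the heuristics cover only the patterns visible here and are not a general malware detector.

```python
"""Offline triage helper for ComboFix 'Reg Loading Points' dumps.

Example code written for this thread; not part of ComboFix, HijackThis
or The Avenger. Parses REGEDIT4-style sections, flags autorun values that
match the patterns removed in the thread, diffs a before/after pair of
dumps, and renders a fix.reg that deletes selected values.
"""
import re

# Trimmed excerpts of the two ComboFix logs in this thread: the first log
# (before the Avenger run) and the second log (after it).
BEFORE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"fune4690"="RUNDLL32.EXE w2d09665.dll,n 001e468f000000032d09665"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Ealb"="\"C:\\WINDOWS\\system32\\WNSXS~1\\nslookup.exe\" -vt yazr"
"Hic"="C:\\WINDOWS\\ICROSO~1\\DDPLAY~1.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"lfppmg"="C:\\WINDOWS\\system32\\lfppmg.exe"
"""

AFTER = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"lfppmg"="C:\\WINDOWS\\system32\\lfppmg.exe"
"""


def parse_reg_dump(text):
    """Return {key: {value_name: raw_data}} from a REGEDIT4-style dump.

    Keys are lower-cased (the registry is case-insensitive). Hex values that
    continue on the next line with a trailing backslash are joined first.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation of a hex: value
            pending = line[:-1]
            continue
        if not line or line.startswith(("*Note*", "REGEDIT4")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line) or re.match(r"^(@)=(.*)$", line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def flag_suspicious(keys):
    """Flag autorun values by the three patterns seen in this thread only."""
    hits = []
    for key, vals in keys.items():
        for name, data in vals.items():
            reasons = []
            if key.endswith(r"policies\explorer\run"):
                reasons.append("value under the policies Run key")
            if data.lstrip('"').upper().startswith("RUNDLL32"):
                reasons.append("rundll32 launch of an unqualified dll")
            if "~" in data:
                reasons.append("8.3 short-name path")
            if reasons:
                hits.append((key, name, "; ".join(reasons)))
    return sorted(hits)


def removed_values(before, after):
    """Sorted (key, value_name) pairs present before the fix but gone after."""
    return sorted((key, name) for key, vals in before.items()
                  for name in vals if name not in after.get(key, {}))


def build_fix_reg(targets):
    """Render a REGEDIT4 file deleting each (key, value) with '"name"=-'."""
    by_key = {}
    for key, name in targets:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key in sorted(by_key):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in sorted(by_key[key]))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    before, after = parse_reg_dump(BEFORE), parse_reg_dump(AFTER)
    for key, name, why in flag_suspicious(before):
        print(f"FLAG {name!r} in [{key}]: {why}")
    gone = removed_values(before, after)
    print("removed by the fix:", [n for _, n in gone])
    print(build_fix_reg(gone))
```

The diff is the verification step worth keeping: after any removal, re-run the dump, feed both to `removed_values`, and the entries that were supposed to go but are still listed stand out immediately, which is exactly what the second ComboFix log above was posted to show.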


Offline avanguarde

My computer is infected with spyware please help
« Reply #6 on: July 27, 2006, 11:11:34 PM »
SmitFraudFix v2.76

Scan done at  0:06:00.85, Fri 07/28/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\kygeb.html"
"SubscribedURL"=""
"FriendlyName"=""
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Start Time= Fri 07/28/2006  0:04:18.45
Running from: C:\Documents and Settings\Owner\Desktop
 
QuickScan did not find any signs of infected files

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-27     23:27:34        45056       ( A.... )   "C:\WINDOWS\system32ghynf.exe"
2006-07-26     16:21:22        36864       ( A.... )   "C:\WINDOWS\system32n9nyb.exe"
2006-07-26     16:21:22        28672       ( A.... )   "C:\WINDOWS\system32\iqqr.exe"
2006-07-26     15:15:02        13437          ( A.... )   "C:\smitfrau.reg"
2006-07-26     14:10:48                       ( .D... )   "C:\Program Files\ewido anti-spyware 4.0"
2006-07-26     13:47:56        33012       ( A.... )   "C:\WINDOWS\system32\tpuninstall.exe"
2006-07-24     11:56:24            0          ( A.... )   "C:\Documents and Settings\Owner\Application Data\internaldb41.dat"
2006-07-24     11:56:12       359634       ( A.... )   "C:\WINDOWS\media_motor_bundle.exe"
2006-07-24     11:56:10        28672       ( A.... )   "C:\WINDOWS\system32bez6n4r21.exe"
2006-07-24     11:56:08        28672       ( A.... )   "C:\WINDOWS\system32\bez6n4r21.exe"
2006-07-06     17:01:52                       ( .D... )   "C:\Program Files\QuickTime"
2006-07-06     17:01:08                       ( .D... )   "C:\Program Files\iTunes"
2006-06-29     10:07:36        61440       ( A.... )   "C:\WINDOWS\system32\BattyRun.dll"


((((((((((((((((((((((((((((((((((((((   Files Created - Last 30days   )))))))))))))))))))))))))))))))))))))))))))


2006-07-27   23:27   45,056      C:\WINDOWS\system32ghynf.exe
2006-07-26   16:21   36,864      C:\WINDOWS\system32n9nyb.exe
2006-07-26   16:21   28,672      C:\WINDOWS\system32\iqqr.exe
2006-07-26   16:20   1,071,484,928      C:\hiberfil.sys
2006-07-26   15:14   16,572      C:\replace.cmd
2006-07-26   15:14   13,437      C:\smitfrau.reg
2006-07-24   12:01   33,012      C:\WINDOWS\system32\tpuninstall.exe
2006-07-24   11:56   359,634      C:\WINDOWS\media_motor_bundle.exe
2006-07-24   11:56   28,672      C:\WINDOWS\system32bez6n4r21.exe
2006-07-24   11:56   28,672      C:\WINDOWS\system32\bez6n4r21.exe
2006-06-29   10:07   61,440      C:\WINDOWS\system32\BattyRun.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"CHotkey"="zHotkey.exe"
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
@=""
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"Lexmark 5200 series"="\"C:\\Program Files\\Lexmark 5200 series\\lxbtbmgr.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PlaxoUpdate"="C:\\Program Files\\Plaxo\\2.5.10.21\\PlaxoHelper.exe -a"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{D8C86082-0BB8-1033-0813-040406040001}"="\"C:\\Program Files\\Common Files\\{D8C86082-0BB8-1033-0813-040406040001}\\Update.exe\" mc-110-12-0000103"
"lfppmg"="C:\\WINDOWS\\system32\\lfppmg.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Common Files\\kygeb.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
 
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
NoColorChoice REG_DWORD       0 (0x0)
NoSizeChoice REG_DWORD       0 (0x0)
NoDispScrSavPage REG_DWORD       0 (0x0)
NoDispCPL REG_DWORD       0 (0x0)
NoVisualStyleChoice REG_DWORD       0 (0x0)
NoDispSettingsPage REG_DWORD       0 (0x0)
DisableTaskMgr REG_DWORD       0 (0x0)
NoDispAppearancePage REG_DWORD       0 (0x0)
NoDispBackgroundPage REG_DWORD       0 (0x0)
DisableRegistryTools REG_DWORD       0 (0x0)
 
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: Fri 07/28/2006  0:04:29.92
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-28.000418.txt

Logfile of HijackThis v1.99.1
Scan saved at 12:10:54 AM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Spy Axe Removal\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.gateway.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100115144062
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe

Offline guestolo

My computer is infected with spyware please help
« Reply #7 on: July 27, 2006, 11:18:08 PM »
Sorry, I edited my post when you were responding
Can I also see the log from Avenger please
It's located here
C:\Avenger.txt

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline avanguarde

My computer is infected with spyware please help
« Reply #8 on: July 28, 2006, 08:01:48 PM »
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hrnwxbak

*******************

Script file located at: \??\C:\Program Files\cdxlpuhy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\cvn0.exe not found!
Deletion of file C:\WINDOWS\system32\cvn0.exe failed!

Could not process line:
C:\WINDOWS\system32\cvn0.exe
Status: 0xc0000034

File C:\WINDOWS\system32\ghynf.exe deleted successfully.
File C:\WINDOWS\system32\wfxqhv.exe deleted successfully.


File C:\WINDOWS\system32\xeymi.dll not found!
Deletion of file C:\WINDOWS\system32\xeymi.dll failed!

Could not process line:
C:\WINDOWS\system32\xeymi.dll
Status: 0xc0000034



File C:\WINDOWS\system32\nodeipproc.dll not found!
Deletion of file C:\WINDOWS\system32\nodeipproc.dll failed!

Could not process line:
C:\WINDOWS\system32\nodeipproc.dll
Status: 0xc0000034



File C:\WINDOWS\system32\wfxqhv.exe not found!
Deletion of file C:\WINDOWS\system32\wfxqhv.exe failed!

Could not process line:
C:\WINDOWS\system32\wfxqhv.exe
Status: 0xc0000034



File C:\WINDOWS\system32\n9nyb.exe not found!
Deletion of file C:\WINDOWS\system32\n9nyb.exe failed!

Could not process line:
C:\WINDOWS\system32\n9nyb.exe
Status: 0xc0000034



File C:\WINDOWS\system32\zqskw.exe not found!
Deletion of file C:\WINDOWS\system32\zqskw.exe failed!

Could not process line:
C:\WINDOWS\system32\zqskw.exe
Status: 0xc0000034

File C:\WINDOWS\system32\wnstssv.exe deleted successfully.


File C:\WINDOWS\system32\WinNB58.dll not found!
Deletion of file C:\WINDOWS\system32\WinNB58.dll failed!

Could not process line:
C:\WINDOWS\system32\WinNB58.dll
Status: 0xc0000034



File C:\WINDOWS\system32\repairs303169590.dll not found!
Deletion of file C:\WINDOWS\system32\repairs303169590.dll failed!

Could not process line:
C:\WINDOWS\system32\repairs303169590.dll
Status: 0xc0000034



File C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll not found!
Deletion of file C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll failed!

Could not process line:
C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
Status: 0xc0000034



File C:\WINDOWS\system32\bk.exe not found!
Deletion of file C:\WINDOWS\system32\bk.exe failed!

Could not process line:
C:\WINDOWS\system32\bk.exe
Status: 0xc0000034

File C:\WINDOWS\system32\uninstIcn.exe deleted successfully.
File C:\WINDOWS\system32\fune4690.sys deleted successfully.
File C:\WINDOWS\srvszkvhfj.exe deleted successfully.
File C:\WINDOWS\srvvbfaagc.exe deleted successfully.
File C:\WINDOWS\pf78.exe deleted successfully.
File C:\WINDOWS\system32\icon_mediamotor.exe deleted successfully.
File C:\WINDOWS\system32\ts_mediamotor.exe deleted successfully.
File C:\Program Files\Common Files\kygeb.html deleted successfully.


File C:\WINDOWS\system32\lfppmg.exe not found!
Deletion of file C:\WINDOWS\system32\lfppmg.exe failed!

Could not process line:
C:\WINDOWS\system32\lfppmg.exe
Status: 0xc0000034



Folder C:\Program Files\webHancer not found!
Deletion of folder C:\Program Files\webHancer failed!

Could not process line:
C:\Program Files\webHancer
Status: 0xc0000034



Folder C:\Program Files\SurfSideKick 3 not found!
Deletion of folder C:\Program Files\SurfSideKick 3 failed!

Could not process line:
C:\Program Files\SurfSideKick 3
Status: 0xc0000034

Folder C:\Program Files\Batty deleted successfully.
Folder C:\Program Files\PSHope deleted successfully.
Folder C:\Program Files\Common Files\fkur deleted successfully.
Folder C:\Program Files\Cowabanga deleted successfully.
Folder C:\Program Files\Common Files\{D8C86082-0BB8-1033-0813-040406040001} deleted successfully.


Could not delete registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|webHancer Agent
Deletion of registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|webHancer Agent failed!
Status: 0xc0000034



Could not delete registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|ad8rIU3s
Deletion of registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|ad8rIU3s failed!
Status: 0xc0000034

Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|k6mmN5IOU deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|fune4690 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|w0046118.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler|{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Offline guestolo

My computer is infected with spyware please help
« Reply #9 on: July 28, 2006, 10:07:24 PM »
Let's see what happens when we do the following
Save the rest of these instructions to a text file saved to your desktop please

Copy ALL the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard >> don't include the word "quote" please

Quote
files to delete:
C:\WINDOWS\system32\ghynf.exe
C:\WINDOWS\system32\n9nyb.exe
C:\WINDOWS\system32\iqqr.exe
C:\WINDOWS\system32\tpuninstall.exe
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\system32\bez6n4r21.exe
C:\WINDOWS\system32\BattyRun.dll

registry values to delete:
HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce | RunNarrator
HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce | RunNarrator

registry keys to delete:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run

Now, start The Avenger program by clicking on its icon on your desktop

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

Avenger should now Reboot your computer
Back in Windows
Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
Sign in with your normal user account

==Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process.  A text file will appear onscreen, with results from the cleaning process
I'll need to see these later, by default they are also saved at C:\rapport.txt

Reboot back to Normal mode

Back in windows
Use Internet Explorer and Run the online Panda ActiveScan
    * Once you are on the Panda site click the Scan your PC button.
    * A new window will open...click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User or Company."
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on Local Disks to start the scan.

When the scan is complete, click See Report, then click Save Report and save it to your Desktop.

Post back ALL the following please
1. Post back a fresh hijackthis log
2. Post back the log from Avenger>>C:\Avenger.txt
3. Post the whole report from Panda

Also, let me know how everything's running please
« Last Edit: July 28, 2006, 10:08:06 PM by guestolo »

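The Avenger logs posted in this thread report every script line as either "deleted successfully" or "failed!" followed by a "Status:" code, and a failure with status 0xc0000034 only means the item was already gone. Added here as an example (not code from the thread or from The Avenger): a small Python parser for that log format that sorts each script target into removed, already gone, or still needing attention. The sample log is constructed from targets named in the thread, the "Registry key" line variant and the status-name table are my assumptions, and locked.sys is a hypothetical entry.

```python
"""Summarise an Avenger (v1) log: what was removed, what was already gone and what
still needs attention. Added example, not code from this thread or from The Avenger.
Line formats follow the logs posted in the thread (the "Registry key" variant is an
assumption); the sample log is constructed and its locked.sys entry is hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# NTSTATUS values as printed on Avenger "Status:" lines (standard Windows codes).
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # the file/value no longer exists
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a parent folder/key is gone
    0xC0000022: "STATUS_ACCESS_DENIED",          # still protected: look closer
    0xC0000043: "STATUS_SHARING_VIOLATION",      # held open by a running process
}
ALREADY_GONE = {0xC0000034, 0xC000003A}

OK_RE = re.compile(r"^(File|Folder|Registry value|Registry key) (.+?) deleted successfully\.$")
FAIL_RE = re.compile(r"^Deletion of (file|folder|registry value|registry key) (.+?) failed!$")
STATUS_RE = re.compile(r"^Status: 0x([0-9A-Fa-f]{8})$")

@dataclass
class Entry:
    kind: str              # "file", "folder", "registry value" or "registry key"
    target: str            # path, or key|value exactly as Avenger writes it
    deleted: bool
    status: Optional[int]  # NTSTATUS from the "Status:" line that follows a failure

def parse_avenger_log(text: str) -> List[Entry]:
    """One Entry per deletion attempt, in log order."""
    entries: List[Entry] = []
    pending: Optional[Entry] = None  # failed entry still waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()
        if m := OK_RE.match(line):
            entries.append(Entry(m.group(1).lower(), m.group(2), True, None))
            pending = None
        elif m := FAIL_RE.match(line):
            pending = Entry(m.group(1), m.group(2), False, None)
            entries.append(pending)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            pending.status = int(m.group(1), 16)
            pending = None
    return entries

def status_name(code: Optional[int]) -> str:
    if code is None:
        return "no status reported"
    return NTSTATUS_NAMES.get(code, f"0x{code:08x}")

def summarize(entries: List[Entry]) -> Dict[str, object]:
    """Group targets by outcome. A failure with a NOT_FOUND status means the item was
    already gone (removed by an earlier tool or an earlier script line), so only the
    other failures deserve attention. A target listed twice in the script, deleted
    once and then "not found", counts as removed."""
    removed: Set[str] = {e.target for e in entries if e.deleted}
    absent: Set[str] = set()
    attention: Dict[str, str] = {}
    for e in entries:
        if e.deleted or e.target in removed:
            continue
        if e.status in ALREADY_GONE:
            absent.add(e.target)
        else:
            attention[e.target] = status_name(e.status)
    return {"removed": removed, "absent": absent, "attention": attention}

# Constructed sample in the format of the logs above; targets are ones named in the
# thread, except locked.sys, which is hypothetical.
SAMPLE_LOG = r"""Logfile of The Avenger version 1, by Swandog46
Beginning to process script file:
File C:\WINDOWS\system32\ghynf.exe deleted successfully.
File C:\WINDOWS\system32\wfxqhv.exe deleted successfully.

File C:\WINDOWS\system32\wfxqhv.exe not found!
Deletion of file C:\WINDOWS\system32\wfxqhv.exe failed!

Could not process line:
C:\WINDOWS\system32\wfxqhv.exe
Status: 0xc0000034

Folder C:\Program Files\Batty deleted successfully.

Could not delete registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|webHancer Agent
Deletion of registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|webHancer Agent failed!
Status: 0xc0000034

Deletion of file C:\WINDOWS\system32\locked.sys failed!
Status: 0xc0000022

Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|fune4690 deleted successfully.
Completed script processing.
"""

if __name__ == "__main__":
    for bucket, items in summarize(parse_avenger_log(SAMPLE_LOG)).items():
        print(bucket, sorted(items))
```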


Offline avanguarde

My computer is infected with spyware please help
« Reply #10 on: July 29, 2006, 10:12:33 AM »
Everything seems well, but the Panda scan says differently, and my homepage is now msn.com, which is different from before. If you want I can attach the Panda scan to a post later. Thanks for the help so far.


Logfile of HijackThis v1.99.1
Scan saved at 11:03:52 AM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Spy Axe Removal\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.gateway.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100115144062
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe

//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path.  Line will be ignored.
Error code: 1813
Line: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run

So I removed that line.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ecbouenw

*******************

Script file located at: \??\C:\lyavjjef.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\ghynf.exe not found!
Deletion of file C:\WINDOWS\system32\ghynf.exe failed!

Could not process line:
C:\WINDOWS\system32\ghynf.exe
Status: 0xc0000034



File C:\WINDOWS\system32\n9nyb.exe not found!
Deletion of file C:\WINDOWS\system32\n9nyb.exe failed!

Could not process line:
C:\WINDOWS\system32\n9nyb.exe
Status: 0xc0000034

File C:\WINDOWS\system32\iqqr.exe deleted successfully.
File C:\WINDOWS\system32\tpuninstall.exe deleted successfully.
File C:\WINDOWS\media_motor_bundle.exe deleted successfully.
File C:\WINDOWS\system32\bez6n4r21.exe deleted successfully.
File C:\WINDOWS\system32\BattyRun.dll deleted successfully.
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce|RunNarrator deleted successfully.


Could not delete registry value HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce|RunNarrator
Deletion of registry value HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce|RunNarrator failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.


SmitFraudFix v2.76

Scan done at 10:27:23.75, Sat 07/29/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Panda
Incident                      Status           Location
Adware:Adware/PurityScan      Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/Cowabanga/OINSetup.exe]
Adware:Adware/MediaTickets    Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/Cowabanga/uninstaller.exe]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/icon_mediamotor.exe]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/icon_mediamotor.exe][nodeipproc.dll]
Virus:Trj/Downloader.HPZ      Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/pf78.exe][pms111x.exe]
Virus:Trj/VB.MC               Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/pf78.exe][SYSC00.exe]
Spyware:Spyware/7r7t          Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/PSHope/Uninstall.exe]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/srvszkvhfj.exe][nodeipproc.dll]
Spyware:Spyware/7r7t          Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/srvvbfaagc.exe]
Spyware:Spyware/7r7t          Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/srvvbfaagc.exe][PSHope.exe]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/ts_mediamotor.exe]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/ts_mediamotor.exe][²íÇ]
Spyware:Spyware/Virtumonde    Not disinfected  C:\avenger\backup-Sat 07.29.2006-10.18.19.10.zip[avenger/{D8C86082-0BB8-1033-0813-040406040001}/services.dll]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup.zip[avenger/media_motor_bundle.exe]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup.zip[avenger/media_motor_bundle.exe][ts_mediamotor.exe]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup.zip[avenger/media_motor_bundle.exe][ts_mediamotor.exe][²íÇ]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup.zip[avenger/media_motor_bundle.exe][icon_mediamotor.exe]
Spyware:Spyware/Media-motor   Not disinfected  C:\avenger\backup.zip[avenger/media_motor_bundle.exe][icon_mediamotor.exe][nodeipproc.dll]
Spyware:Spyware/7r7t          Not disinfected  C:\avenger\backup.zip[avenger/tpuninstall.exe]
Virus:Exploit/ByteVerify      Disinfected      C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3dc80a2f-675bb025.zip[Dummy.class]
Virus:Exploit/ByteVerify      Disinfected      C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ed9ba21-50cd2f7b.zip[BlackBox.class]
Virus:Exploit/ByteVerify      Disinfected      C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ed9ba21-50cd2f7b.zip[VerifierBug.class]
Virus:Exploit/ByteVerify      Disinfected      C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ed9ba21-50cd2f7b.zip[Dummy.class]
Virus:Exploit/ByteVerify      Disinfected      C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ed9ba21-50cd2f7b.zip[Beyond.class]
Spyware:Cookie/2o7            Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/Atlas DMT      Not disinfected  C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola                                                           Not disinfected               C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt                                                                                                                                                                                                    
Spyware:Cookie/nCase                                                            Not disinfected               C:\Documents and Settings\Owner\Cookies\[email protected][1].txt                                                                                                                                                                                    
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt                                                                                                                                                                                                
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Process.exe                                                                                                                                                                                  
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]                                                                                                                                                                              
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\Documents and Settings\Owner\My Documents\Spy Axe Removal\smitRem\Process.exe                                                                                                                                                                                
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\Documents and Settings\Owner\My Documents\Spy Axe Removal\smitRem.exe[smitRem/Process.exe]                                                                                                                                                                  
Adware:Adware/CommAd                                                            Not disinfected               C:\WINDOWS\IA\KE.vbs                                                                                                                                                                                                                                            
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\WINDOWS\system32\Process.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
My computer is infected with spyware please help
« Reply #11 on: July 29, 2006, 10:47:13 AM »
Sorry about the error with Avenger, that was my fault
It can't process that entry

Can you find and delete this folder
C:\WINDOWS\IA <-this folder

Open the Windows Control panel
Double click to open the Java icon, under the General tab
Delete Files>>Leave all 3 selections checked and click OK

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=-

Double click on fix.reg and allow it to add/merge to the registry

Reboot the computer, back in Windows
Don't open a browser yet
Instead
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content+Delete Cookies---Also Reset home page

Post back one last hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
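Merging a .reg file cannot be undone, so it helps to read out what a fix will do before double clicking it. The following is an added example, not code from the thread: a small dry-run reader for REGEDIT4 files that lists each key deletion, key creation and value removal, and notes which hive is touched (the HKEY_USERS\s-1-5-18 branch in the fix above is the LocalSystem account's hive, not a person's). The embedded fix.reg text is a constructed copy of the one posted above.

```python
# Added example, not from the thread: dry-run reader for a REGEDIT4 .reg fix.
# Semantics handled: [KEY] creates/selects a key, [-KEY] deletes the key and its
# subtree, "name"=- deletes a value, "name"="x" sets a string value, @ is the default.
import re
from dataclasses import dataclass

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

@dataclass
class RegAction:
    op: str            # create_key | delete_key | set_value | delete_value
    key: str
    name: str = ""
    data: str = ""

def parse_reg(text: str) -> list:
    """Parse .reg text into the ordered actions regedit would perform."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing REGEDIT4 header: regedit would refuse to merge this")
    actions, current = [], None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):
            continue
        m = KEY_RE.match(ln)
        if m:
            minus, key = m.groups()
            current = None if minus else key   # value lines after [-KEY] are meaningless
            actions.append(RegAction("delete_key" if minus else "create_key", key))
            continue
        m = VALUE_RE.match(ln)
        if not m or current is None:
            raise ValueError(f"unexpected line: {ln!r}")
        name = "@" if m.group(2) else m.group(1).replace('\\"', '"')
        data = m.group(3)
        actions.append(RegAction("delete_value", current, name) if data == "-"
                       else RegAction("set_value", current, name, data))
    return actions

def hive_note(key: str) -> str:
    """Whose hive a key lives in; HKEY_USERS\\S-1-5-18 is LocalSystem, not a person."""
    parts = key.split("\\")
    if parts[0].upper() == "HKEY_USERS" and len(parts) > 1:
        return "LocalSystem hive" if parts[1].upper() == "S-1-5-18" else f"hive of {parts[1]}"
    return {"HKEY_CURRENT_USER": "current user's hive",
            "HKEY_LOCAL_MACHINE": "machine-wide hive"}.get(parts[0].upper(), parts[0])

def describe(actions) -> list:
    """One reviewable line per action."""
    verbs = {"create_key": "CREATE KEY", "delete_key": "DELETE KEY (and subtree)",
             "set_value": "SET VALUE", "delete_value": "DELETE VALUE"}
    return [f"{verbs[a.op]} {a.key}" + (f" :: {a.name}" if a.name else "")
            + (f" = {a.data}" if a.data else "") + f"  [{hive_note(a.key)}]"
            for a in actions]

# Constructed sample: the same three blocks as the fix.reg posted above.
FIX_REG = r'''REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=-
'''
if __name__ == "__main__":
    print("\n".join(describe(parse_reg(FIX_REG))))
```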


Offline avanguarde

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
My computer is infected with spyware please help
« Reply #12 on: July 29, 2006, 04:36:48 PM »
Thanks for taking your time to help me clean my computer. I hope we are all done because everything seems fine. This was quite a troublesome one. So thanks again and here's the last file. I can download java now right?
Logfile of HijackThis v1.99.1
Scan saved at 5:32:49 PM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\Spy Axe Removal\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.1/
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.gateway.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100115144062
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
My computer is infected with spyware please help
« Reply #13 on: July 29, 2006, 05:22:50 PM »
If everything is running better
We should flush all your restore points
Go to START>>RUN
Type in msconfig
Click OK
Click the "Launch System Restore" button
On the left hand side click on "System Restore Settings"
Put a check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer

Back in Windows, go back and take the check out of "Turn off System Restore"
This will re-enable the System Restore feature and create a new restore point

I would add Spybot 1.4 to your collection of tools to destroy spyware
Install Spybot 1.4 from HERE
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete

Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED
If any red entries were fixed, please reboot the computer

Protect yourself against Future Attacks

*Install SpywareBlaster 3.5.1 by JavaCool
    *Will block bad ActiveX Controls
    *Block malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

*Keep up to date on Windows updates (High Priority)
This is the most important step in keeping your system secure
Make sure you check for updates at least once a month and/or set it to auto-update

*Make sure your Anti-Virus software is always kept up to date and actively running in the background

*Keep your Firewall protection enabled
A Firewall is also very important
This provides a line of defense against someone who might try to access your computer without your permission

Update and do scans with your Anti-Spyware programs on a regular basis
In addition, open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Immunize after every update
Ewido will become a limited free version after 30 days of install
Up to you to keep it, it will still update and remove malware in the free state

Quote: "I can download java now right?"

I thought you downloaded it earlier :D
Here's the instructions I posted in a previous reply:
Quote:
Access the following link to update your version of Java
http://www.java.com/en/download/manual.jsp
Save the Windows (OFFLINE) installer to your desktop
Double click on the installer and follow the prompts
Once installed delete the installer from desktop

Can you let me know the following please
Right click an empty spot on the desktop and select Properties
Click the Desktop tab.
Click the Customize Desktop button.
Click the Web tab in the Desktop Items window.
Under Web Pages is there anything checked?

Many of the files found bad by Panda are in the Avenger backup folder
You can manually delete Avenger from your desktop plus the remaining folder and file
C:\Avenger <-folder
C:\Avenger.txt <-file
« Last Edit: July 29, 2006, 05:31:28 PM by guestolo »



Offline avanguarde

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
My computer is infected with spyware please help
« Reply #14 on: July 29, 2006, 10:33:48 PM »
There was nothing checked and thanks a lot for all the help. I will definitely heed your advice.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
My computer is infected with spyware please help
« Reply #15 on: July 30, 2006, 09:45:06 AM »
Thanks for the info, I'll lock this topic as your problems appear resolved
Take care :)
