Author Topic: think I'm infected with spyware  (Read 3446 times)

Alan
think I'm infected with spyware
« on: April 19, 2004, 03:33:27 AM »
Hi,

I think I have some spyware on my system - it keeps trying to connect to the internet. Can anyone help? I have pasted in a log from HijackThis below.

Thanks,

Alan

Logfile of HijackThis v1.97.7
Scan saved at 09:38:10, on 19/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberArmor\casvc.exe
C:\PROGRA~1\CYBERA~1\pcs.exe
C:\PROGRA~1\CYBERA~1\pcshelp.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\EXCLI32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\kdx\KHost.exe
C:\PROGRA~1\ISDApps\LAUNCH~1.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\other\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ukpsswww/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pww.soton.sc.philips.com/liaa.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 161.92.64.33:8080
F2 - REG:system.ini: UserInit=EXCLI32.EXE,C:\WINDOWS\SYSTEM32\Userinit.exe
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DateSetting] regedit /s C:\Windows\Drv\Tools\DateSetting\DateSetting.reg
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [IsdLauncher] C:\PROGRA~1\ISDApps\LAUNCH~1.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O16 - DPF: JavaConnect - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\JavaConnect.cab
O16 - DPF: Sametime BroadCast Client ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STBroadcastClient.cab
O16 - DPF: Sametime Directory Applet ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STDirectoryApplet.cab
O16 - DPF: Sametime Meeting Room Client ST30SP1 - file://C:\Documents and Settings\Administrator\Local Settings\Temp\SISD\STMeetingRoomClient.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0733B8F9-8B52-4693-A9FA-829E12D27F78} (preload control) - http://www.thepaymentcentre.com/build/preload2.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7958.2438078704
O16 - DPF: {af9a5360-f528-11d3-a3da-00c04fa32518} - http://nlvehvva03msfl1.lss.cp.philips.com:.../jinit11728.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SOUMASTER.soton.sc.philips.com
O17 - HKLM\Software\..\Telephony: DomainName = SOUMASTER.soton.sc.philips.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{40C5E5B5-EF71-4690-92F2-9D6F5806EF9E}: NameServer = 130.141.7.10,130.141.7.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SOUMASTER.soton.sc.philips.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = soton.sc.philips.com,diamond.philips.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = soton.sc.philips.com,diamond.philips.com
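
A small triage helper for logs in this HijackThis format, added here as an example and not part of the thread or of HijackThis itself; the sample lines are constructed, and the checks are review prompts for a human reader (an F2 UserInit that lists more than the default userinit.exe, a configured proxy, an O16 object registered from a Temp path), not malware verdicts.

```python
import re

# Constructed sample lines in HijackThis v1.97 log format, modelled on the
# section types seen in the thread (not copied from any real machine).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 192.0.2.10:8080
F2 - REG:system.ini: UserInit=EXAMPLE.EXE,C:\\WINDOWS\\SYSTEM32\\Userinit.exe
O4 - HKLM\\..\\Run: [Example] C:\\Program Files\\Example\\example.exe
O16 - DPF: ExampleApplet - file://C:\\Documents and Settings\\user\\Local Settings\\Temp\\x\\applet.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# Every entry line starts with a section code (R0, R1, F2, O4, O16, ...).
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
DEFAULT_USERINIT = "userinit.exe"  # Windows' own logon helper


def parse_entries(text):
    """Return (section, body) tuples for each HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def review_points(entries):
    """Flag entries a reviewer would look at first.

    These are prompts for a person reading the log, not verdicts: each
    condition below can have a perfectly benign cause (corporate proxy,
    endpoint agent, intranet applet)."""
    notes = []
    for sec, body in entries:
        low = body.lower()
        if sec == "F2" and "userinit=" in low:
            # Anything listed besides userinit.exe runs at every logon.
            value = re.split(r"userinit=", body, maxsplit=1, flags=re.IGNORECASE)[1]
            extra = [p.strip() for p in value.split(",")
                     if not p.strip().lower().endswith(DEFAULT_USERINIT)]
            if extra:
                notes.append((sec, "non-default UserInit entries: " + ", ".join(extra)))
        elif sec == "R1" and "proxyserver" in low:
            # All browser traffic goes through this host; confirm it is expected.
            notes.append((sec, "proxy configured: " + body.split("=", 1)[1].strip()))
        elif sec == "O16" and "file://" in low and "\\temp\\" in low:
            # Downloaded Program Files object registered from a temporary path.
            notes.append((sec, "ActiveX/DPF object registered from a Temp path"))
    return notes
```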

Offline Grinler

think I'm infected with spyware
« Reply #1 on: April 20, 2004, 08:57:05 AM »
Please follow these steps in order to clean your computer of Malware which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers.

Step 1:
Download Spybot and Ad-aware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find as much of the malware installed on your computer as possible.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below in my signature.

When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items, please continue with the next step.

Step 2:

It is important that you run Spybot and Ad-aware before you proceed with this step. Fixing entries with HijackThis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hard drive to save HijackThis.exe, for example c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit, then click on Select All. Then click on Edit and then click on Copy.

Create a reply to this post here or at the Bleeping Computer forums, right-click in the message area and select Paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link in my signature below.

Offline The_Unknown

think I'm infected with spyware
« Reply #2 on: April 23, 2004, 12:09:12 PM »
He already posted his HijackThis log, dumb ass.
« Last Edit: April 23, 2004, 12:09:32 PM by The_Unknown »