Author Topic: Having Top Spyware Issues (Read 929 times)

atmywitsend · « **on:** March 11, 2006, 08:51:49 PM »

Hello all!

Even though i have AVG and Zonealarm PRO on my machine i seem to have accidentally downloaded this awful TOPspyware, that keeps telling me i have spyware. It also keeps creating a desktop background and also has two icons on the system tray. In addition it seems to have made chnages to my homepage in IE and has "taken it over" in a way(hope u know what i mean).

I have tried many things to get red of it with no success. After having looked about a bit on the web i have discovered, and now run HijackThis. However, i do not feel very confident when it comes to analysing the log and makming neccesary changes. Have read many horror stories on web bout deleting wrong files.

Anyway to cut a long story short i would really appreciate it if someone could take a look at this log asap and recommend a way forward. I have so much work to do! This really is driving me nuts. PLEASE HELP

Logfile of HijackThis v1.99.1
Scan saved at 01:49:34, on 12/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Advanced System Optimizer\wallpaper.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: C:\WINDOWS\lbbho.dll - {0B65EF15-36AB-4666-AECB-2984555633C0} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: CvgraphObj Object - {12355F3E-90C3-41AA-8705-15969AF7F210} - C:\WINDOWS\vgraph.dll
O2 - BHO: (no name) - {1e1b2879-88ff-11d3-8d96-d7acac95951a} - (no file)
O2 - BHO: winapi32.MyBHO - {86A0607D-6126-45AE-8A29-46C181AFF4D6} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9819c369-5f62-4d37-9a42-44043a742c1e} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-716d74632608} - (no file)
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\Advanced System Optimizer\IEHelper.dll
O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O2 - BHO: (no name) - {dd6f50c0-9f8f-a41c-291e-7b3fb818ef18} - (no file)
O2 - BHO: (no name) - {f21bd77e-0cce-c6cd-4f85-aa3b7895988e} - (no file)
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll
O2 - BHO: (no name) - {ff731508-cd28-e0b0-3e85-0cf55fde9fba} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Gator] C:\WINDOWS\system32\cmeupd.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] D:\Program Files\Advanced System Optimizer\wallpaper.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Startup: Wallpaper Changer.lnk = D:\Program Files\Advanced System Optimizer\wallpaper.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamhc.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A54B798-0C81-4AC5-BDBE-8BD7409B2FDB}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A54B798-0C81-4AC5-BDBE-8BD7409B2FDB}: NameServer = 195.92.195.94 195.92.195.95
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any help would be really appreciated asap!
MANY THANKS

birdman · « **Reply #1 on:** March 11, 2006, 09:09:33 PM »

http://www.antivirusworld.com/articles/virus/topspyware.php

check this link out..!

atmywitsend · « **Reply #2 on:** March 12, 2006, 08:48:25 AM »

Already looked at that site. Am really not sure what to do to get rid of this and is really annoying. Can anyone take a look at my HijackThis log and recommend and a way forward please. Would be really grateful. Getting desperate. Would a windows repair sort the problem? Know this may sound silly but am considering it... will wait for further advice before attempting anything though.

HELP!

birdman · « **Reply #3 on:** March 12, 2006, 12:12:03 PM »

If I were you i would start with running another highjackthis and putting a check on these items

C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
search for: tsadbot.exe (delete if found)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: C:\WINDOWS\lbbho.dll - {0B65EF15-36AB-4666-AECB-2984555633C0} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: CvgraphObj Object - {12355F3E-90C3-41AA-8705-15969AF7F210} - C:\WINDOWS\vgraph.dll
O2 - BHO: (no name) - {1e1b2879-88ff-11d3-8d96-d7acac95951a} - (no file)
O2 - BHO: winapi32.MyBHO - {86A0607D-6126-45AE-8A29-46C181AFF4D6} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: (no name) - {9819c369-5f62-4d37-9a42-44043a742c1e} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O2 - BHO: (no name) - {dd6f50c0-9f8f-a41c-291e-7b3fb818ef18} - (no file)
O2 - BHO: (no name) - {f21bd77e-0cce-c6cd-4f85-aa3b7895988e} - (no file)
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll
O2 - BHO: (no name) - {ff731508-cd28-e0b0-3e85-0cf55fde9fba} - (no file)

After putting a check on those items,click fix checked
That should get ya started untill guestolo can help you with the rest of removal process

guestolo · « **Reply #4 on:** March 12, 2006, 12:33:45 PM »

Can I see a fresh hijackthis log please

atmywitsend · « **Reply #5 on:** March 12, 2006, 12:42:26 PM »

As requested, Please find a fresh hijackthis log below. Yuor help is extremly gratefully appreciated and i willl be making a donation once the problem is fixed.

Logfile of HijackThis v1.99.1
Scan saved at 17:41:54, on 12/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Advanced System Optimizer\wallpaper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\system32\shell386.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\slrundll.exe
C:\WINDOWS\system32\mswinf32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...w.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: C:\WINDOWS\lbbho.dll - {0B65EF15-36AB-4666-AECB-2984555633C0} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: CvgraphObj Object - {12355F3E-90C3-41AA-8705-15969AF7F210} - C:\WINDOWS\vgraph.dll
O2 - BHO: (no name) - {1e1b2879-88ff-11d3-8d96-d7acac95951a} - (no file)
O2 - BHO: (no name) - {2bc43670-c0bd-4794-bb11-f60f3e001dc5} - (no file)
O2 - BHO: winapi32.MyBHO - {86A0607D-6126-45AE-8A29-46C181AFF4D6} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9819c369-5f62-4d37-9a42-44043a742c1e} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-716d74632608} - (no file)
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\Advanced System Optimizer\IEHelper.dll
O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O2 - BHO: (no name) - {dd6f50c0-9f8f-a41c-291e-7b3fb818ef18} - (no file)
O2 - BHO: (no name) - {f21bd77e-0cce-c6cd-4f85-aa3b7895988e} - (no file)
O2 - BHO: (no name) - {ff731508-cd28-e0b0-3e85-0cf55fde9fba} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Gator] C:\WINDOWS\system32\cme.exe
O4 - HKLM\..\Run: [cme] C:\WINDOWS\system32\cme.exe
O4 - HKLM\..\Run: [cmesys] C:\WINDOWS\system32\cmesys.exe
O4 - HKLM\..\Run: [cmeupd] C:\WINDOWS\system32\cmeupd.exe
O4 - HKLM\..\Run: [gmt] C:\WINDOWS\system32\gmt.exe
O4 - HKLM\..\Run: [Cydoor] C:\WINDOWS\system32\cd_htm.dll
O4 - HKLM\..\Run: [Dynamic Desktop Media] C:\WINDOWS\system32\ddm_d.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AdwareAdmess] C:\WINDOWS\system32\wstart.dll
O4 - HKLM\..\Run: [DialerActiveX] C:\WINDOWS\system32\dialer_activex.ocx
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] D:\Program Files\Advanced System Optimizer\wallpaper.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Startup: Wallpaper Changer.lnk = D:\Program Files\Advanced System Optimizer\wallpaper.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamhc.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A54B798-0C81-4AC5-BDBE-8BD7409B2FDB}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A54B798-0C81-4AC5-BDBE-8BD7409B2FDB}: NameServer = 195.92.195.94 195.92.195.95
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

atmywitsend · « **Reply #6 on:** March 12, 2006, 02:56:32 PM »

Guestolo,

Any idea when u can look at my new hijackthis log? sorry to be pushy.. problem seems to be getting worse... is it ok to carry out birdman's suggestion or should i wait until you've had a chnce to look at the log and recommend a way forward?(no offence meant birdman..am just being cautious)

Yours and Birdman's assistance is very much appreciated.

Look forward to hearing from you soon.

Many Thanks.

guestolo · « **Reply #7 on:** March 12, 2006, 03:29:49 PM »

Sorry, just had some guests over, just got back to finish my instructions:
Can I have you disable Window Defenders realtime protections until we have you clean please
It will interfere with any fixes we try
Go to START>>All Programs>>Windows Defender
Click on TOOLS>>General Settings
Scroll down and uncheck
"Turn on Realtime protection (recommended)
Then click SAVE
Exit Windows Defender

=Download FixSF.reg
to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

==Download SmitRem.exe by Noahdfear and save the file to your desktop.
Don't run it yet

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

=Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" Uncheck
"Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!

Double click on FixSF.reg and allow to add/merge to the registry at the prompt

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu

Access your add/remove programs via control panel and remove if found
SpyFalcon
and/or
Gator
DO NOT reboot if prompted to do so, remain in safe mode

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Find and delete these files or folders if found
EXACT file names and locations please
Don't remove something because it looks similiar or in the wrong folder
C:\WINDOWS\wupdmgr.exe <-this file, ONLY in the Windows folder
C:\WINDOWS\osaupd.exe <-this file
C:\WINDOWS\vgraph.dll <-file
C:\WINDOWS\system32\shell386.exe <-this file
C:\WINDOWS\system32\mswinf32.exe <-this file
C:\WINDOWS\system32\cme.exe <-file
C:\WINDOWS\system32\winapi32.dll <-file
C:\WINDOWS\system32\gmt.exe <-file
C:\WINDOWS\system32\cmesys.exe <-file
C:\WINDOWS\system32\cmeupd.exe <-file
C:\WINDOWS\system32\cd_htm.dll <-file
C:\WINDOWS\system32\ddm_d.exe <-file
C:\WINDOWS\system32\wstart.dll <-file
C:\WINDOWS\system32\dialer_activex.ocx <-file

C:\Program Files\SpyFalcon <-this folder
C:\Program Files\Ebates_MoeMoneyMaker <-folder

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
If you have not intentionally saved any files to a temp location, use the Standard CleanUp!
If you have or unsure
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Double click on SmitRem.exe to extract it to it's own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish. Remain in safe mode

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: C:\WINDOWS\lbbho.dll - {0B65EF15-36AB-4666-AECB-2984555633C0} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: CvgraphObj Object - {12355F3E-90C3-41AA-8705-15969AF7F210} - C:\WINDOWS\vgraph.dll
O2 - BHO: (no name) - {1e1b2879-88ff-11d3-8d96-d7acac95951a} - (no file)
O2 - BHO: (no name) - {2bc43670-c0bd-4794-bb11-f60f3e001dc5} - (no file)
O2 - BHO: winapi32.MyBHO - {86A0607D-6126-45AE-8A29-46C181AFF4D6} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)

O2 - BHO: (no name) - {9819c369-5f62-4d37-9a42-44043a742c1e} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)

O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-716d74632608} - (no file)

O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O2 - BHO: (no name) - {dd6f50c0-9f8f-a41c-291e-7b3fb818ef18} - (no file)
O2 - BHO: (no name) - {f21bd77e-0cce-c6cd-4f85-aa3b7895988e} - (no file)
O2 - BHO: (no name) - {ff731508-cd28-e0b0-3e85-0cf55fde9fba} - (no file)

O4 - HKLM\..\Run: [Gator] C:\WINDOWS\system32\cme.exe
O4 - HKLM\..\Run: [cme] C:\WINDOWS\system32\cme.exe
O4 - HKLM\..\Run: [cmesys] C:\WINDOWS\system32\cmesys.exe
O4 - HKLM\..\Run: [cmeupd] C:\WINDOWS\system32\cmeupd.exe
O4 - HKLM\..\Run: [gmt] C:\WINDOWS\system32\gmt.exe
O4 - HKLM\..\Run: [Cydoor] C:\WINDOWS\system32\cd_htm.dll
O4 - HKLM\..\Run: [Dynamic Desktop Media] C:\WINDOWS\system32\ddm_d.exe

O4 - HKLM\..\Run: [AdwareAdmess] C:\WINDOWS\system32\wstart.dll
O4 - HKLM\..\Run: [DialerActiveX] C:\WINDOWS\system32\dialer_activex.ocx

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamhc.redhotnetworks.com/cabs/videox.cab

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode

Use Internet Explorer and Run the online Panda ActiveScan
* Once you are on the Panda site click the Scan your PC button.
* A new window will open...click the big Check Now button.
* Enter your Country.
* Enter your State/Province.
* Enter your e-mail address.
* Select either "Home User or Company."
* Click the big Scan Now button.
* Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
* Click on Local Disks to start the scan.

When the scan is complete
click See Report, then click Save Report and save it to your Desktop.

I need to see the following please
1. Post the report from Panda's
2. Post a fresh hijackthis log
3. Post the whole report from Ewido's
4. Post the Whole log made from SmitRem located here C:\Smitfiles.txt

NOTE: You will have to reset your background in Display properties
XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

atmywitsend · « **Reply #8 on:** March 13, 2006, 09:57:35 AM »

Guestolo,

Have followed your instructions to the letter. Much appreciated.
Seem to be winning now i think? A couple of things to mention. Firstly, i only deleted
the items that exactly matched what you specified so although there were some
that looked similar i took no action with regards to these. There were a few files
i could not find (both from top list and from list of files in Hijackthis). Apart from that all went well.

IMPORTANT NOTE:
---------------
I ran ewido last night and was extremly tired so stopped it when it was 58%
through and had found 30 infections. Although i ran another complete scan this morning i can
only include this morning's log as i accidentally overwrote the other one(sorry hope this doesnt
cause problems). Also when i rebooted into normal mode, a command prompt came up and seem to be trying
to run something in following path c:\windows\system32\sysu.exe(not sure if that exactly right path but definetly
that exe it was trying to run). Anything that i should be worried about?

Your ongoing help is very much appreciated (seems to be working wonders so far)
and i look forward to hearing from you imminently with regards to the next steps to be taken.

Thanks

LOGS AS REQUESTED
-----------------

1. PANDA ACTIVESCAN LOG
--------------------
Incident Status Location

Potentially unwanted tool:application/adwaresheriff Not disinfected C:\Documents and Settings\Andy\Desktop\Adware Reviews.url
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andy\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andy\Desktop\Spyware Fix\smitRem.exe[Process.exe]
Adware:adware/dollarrevenue Not disinfected C:\drsmartload1.exe
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\CE30EC82-2E49-4B84-90A9-F50CF3\87F78D62-364C-4E2C-BE2E-7EEDF2
Adware:adware/secure32 Not disinfected C:\WINDOWS\country.exe
Adware:Adware/AzeSearch Not disinfected C:\WINDOWS\Downloaded Program Files\azesearch.inf
Adware:adware/startpage.na Not disinfected C:\WINDOWS\dpe.dll
Adware:adware/ipinsight Not disinfected C:\WINDOWS\farmmext.ini
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\ceres.inf
Adware:adware/transponder Not disinfected C:\WINDOWS\inf\dlmax.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\farmmext.inf
Adware:adware/fastvideoplayer Not disinfected C:\WINDOWS\inf\fastvideoplayer.inf
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\kl.exe
Possible Virus. Not disinfected C:\WINDOWS\loadadv728.exe
Adware:adware/adwaresheriff Not disinfected C:\WINDOWS\security.html
Adware:adware/azesearch Not disinfected C:\WINDOWS\system32\azebar.xml
Adware:adware/cydoor Not disinfected C:\WINDOWS\system32\cd_clint.dll
Adware:adware/wupd Not disinfected C:\WINDOWS\system32\ide21201.vxd
Virus:Trj/Downloader.HYC Disinfected C:\WINDOWS\system32\loader.exe
Adware:adware/cashdeluxe Not disinfected C:\WINDOWS\system32\mswinup32.dll
Adware:adware/tubby Not disinfected C:\WINDOWS\system32\mtc.dll
Spyware:spyware/dynadesk Not disinfected C:\WINDOWS\system32\redirect.dll
Adware:adware/admess Not disinfected C:\WINDOWS\system32\tcpservice2.exe
Adware:adware/cws Not disinfected C:\WINDOWS\tool2.exe
Spyware:Cookie/Tickle Not disinfected D:\Documents and Settings\Milis\Cookies\milis@tickle[2].txt
Virus:Trj/Clicker.MW Disinfected D:\Documents and Settings\Milis\My Documents\Software\IPOD Software\iPod.Access.for.Windows.v2.5.zip[crack-inf.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected D:\Program Files\cladDVD 1.65\c4.exe

2. NEW HIJACKTHIS LOG
------------------
Logfile of HijackThis v1.99.1
Scan saved at 14:38:43, on 13/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...w.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...B_PVER}&ar=home
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\Advanced System Optimizer\IEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Gator] C:\WINDOWS\system32\gmt.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] C:\WINDOWS\system32\sysu.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CWS hijacker] C:\WINDOWS\dpe.dll
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [Systweak Wallpaper Changer] D:\Program Files\Advanced System Optimizer\wallpaper.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Startup: Wallpaper Changer.lnk = D:\Program Files\Advanced System Optimizer\wallpaper.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

3. WHOLE REPORT FROM EWIDO(SEE IMPORTANT NOTE AT TOP)
----------------------------------
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         10:57:18, 13/03/2006
+ Report-Checksum:      819A8572

+ Scan result:

   C:\WINDOWS\system32\azesearch4.ocx -> Adware.AzSearch : Cleaned with backup
   C:\WINDOWS\system32\iasada.dll -> Adware.AzSearch : Cleaned with backup
   C:\WINDOWS\system32\intxt.exe -> Adware.CashDeluxe : Cleaned with backup
   C:\WINDOWS\system32\mswinf32.dll -> Not-A-Virus.Hoax.Win32.VB.j : Cleaned with backup
   C:\WINDOWS\system32\srsiagn.exe -> Adware.Apropos : Cleaned with backup
   C:\WINDOWS\system32\temp.exe -> Adware.WinAD : Cleaned with backup
   D:\APPS\Documents and Settings\Milis\Cookies\milis@com[2].txt -> TrackingCookie.Com : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\milis@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\milis@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\milis@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\milis@com[2].txt -> TrackingCookie.Com : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\milis@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\milis@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\milis@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : Cleaned with backup
   D:\Documents and Settings\Milis\Cookies\milis@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
   D:\Documents and Settings\Milis\My Documents\Software\Advanced_system_optimizer_2.01.4_crack_by_rev.zip/crack.exe -> Downloader.Small.cgl : Cleaned with backup
   D:\Program Files\Advanced System Optimizer\Loader.exe -> Not-A-Virus.VirTool.Win32.Patcher.a : Cleaned with backup

::Report End

4. WHOLE LOG MADE FROM SMITREM
---------------------------------------
smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 13/03/2006
The current time is: 0:32:50.15

Running from
C:\Documents and Settings\Andy\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

secure32.html

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 760 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

am i ok to turn on windows defender real time protection yet or shall i leave till we have finished completly?

birdman · « **Reply #9 on:** March 13, 2006, 10:57:57 AM »

Im sure Its kool to turn on windows defender when your not trying to download or remove those bad guyz.Looks like you still have some cleaning to do .

O4 - HKLM\..\Run: [Gator] C:\WINDOWS\system32\gmt.exe

This is Adware,remove it if possible with highjackthis.

atmywitsend · « **Reply #10 on:** March 13, 2006, 02:42:25 PM »

Guestolo,

Sorry to be a pain and ask for a second opinion again but is ok to delete above key? and also have u had chance to look at logs to see what further action/cleaning i need to undertake?

Your help is extremly gratefully appreciated.

I look forward to hearing from you imminently.

guestolo · « **Reply #11 on:** March 13, 2006, 07:54:39 PM »

Sorry for the delay, that regular work thing gets in the way

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Can you do the following
==Download The Avenger by Swandog46
and save it to your Desktop.
Right click on it and Extract avenger.exe from the Zip file and save that to your desktop

From the bottom of this reply box, download and save to your C:\drive
"Witsend.txt"
So you now have C:\Witsend.txt

Run avenger.exe by double-clicking on it.
Ensure Load Script from File: is selected
and then click the folder Icon on the right side of that section.
Then browse to C:\Witsend.txt
Left click once to Highlight it and then click Open
To Select it
Click on the "Traffic light" icon and OK the prompt
You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it.

Back in Windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

Post back the following please
1. Post a fresh hijackthis log
2. Avenger.exe would of produced a report>>>C:\avenger.txt
Please post the whole contents
Do you still have Spybot 1.4 installed?

Do you know what this program is related too?
Potentially unwanted tool:Application/KillApp.B Not disinfected D:\Program Files\cladDVD 1.65\c4.exe

guestolo · « **Reply #12 on:** April 09, 2006, 07:02:15 PM »

As the original poster has not returned
This topic is now locked

TheTechGuide Forum

News:

Author Topic: Having Top Spyware Issues (Read 929 times)

atmywitsend

Having Top Spyware Issues

birdman

Having Top Spyware Issues

atmywitsend

Having Top Spyware Issues

birdman

Having Top Spyware Issues

guestolo

Having Top Spyware Issues

atmywitsend

Having Top Spyware Issues

atmywitsend

Having Top Spyware Issues

guestolo

Having Top Spyware Issues

atmywitsend

Having Top Spyware Issues

birdman

Having Top Spyware Issues

atmywitsend

Having Top Spyware Issues

guestolo

Having Top Spyware Issues

guestolo

Having Top Spyware Issues