
[SOLVED] I Hate Spyware


Sith_Apprentice

Here is my HijackThis log. I have Panda Antivirus, Spybot, SpywareBlaster, Ad-Aware, and SpywareGuard all installed on my machine. They seem to remove some of the entries but not all. Please help me.

 

Logfile of HijackThis v1.98.2

Scan saved at 12:28:03 PM, on 10/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Executive Software\Diskeeper\DkService.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

D:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe

D:\WINDOWS\inetg\services.exe

D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe

D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

D:\WINDOWS\system32\t?skmgr.exe

D:\WINDOWS\explorer.exe

D:\PROGRA~1\AIM\aim.exe

D:\Program Files\SpywareGuard\sgmain.exe

D:\Program Files\SpywareGuard\sgbhp.exe

D:\Program Files\Yahoo!\Messenger\YPager.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\WinRAR\WinRAR.exe

D:\Documents and Settings\Ulic\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com

R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)

F3 - REG:win.ini: run=D:\WINDOWS\inetg\services.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {4AFA6559-9210-0FEF-8325-675578AE274E} - D:\WINDOWS\System32\egtugekd.dll

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [sCANINICIO] "D:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [xp_system] D:\WINDOWS\inetg\services.exe

O4 - HKLM\..\Run: [spybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose /waitstart

O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunOnce: [Ad-aware] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"

O4 - HKCU\..\Run: [xp_system] D:\WINDOWS\inetg\services.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: SpywareBlaster (2).lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe

O15 - Trusted Zone: www.mt-download.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...c5501e7089a2147

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

 

Thank you very much for all your help.


Here is my new HJT log. I saw that it should be in its own folder, so I did that; I also ran Ad-Aware and Spybot.

 

Logfile of HijackThis v1.98.2

Scan saved at 8:47:31 PM, on 10/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Executive Software\Diskeeper\DkService.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

D:\WINDOWS\system32\t?skmgr.exe

D:\Documents and Settings\Ulic\Desktop\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com

R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {4AFA6559-9210-0FEF-8325-675578AE274E} - D:\WINDOWS\System32\egtugekd.dll

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [sCANINICIO] "D:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [spybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: SpywareBlaster (2).lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe

O15 - Trusted Zone: www.mt-download.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...c5501e7089a2147

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab


Hi Sith_Apprentice,

 

Please rescan with HJT, close all browser/explorer windows, check these items, then click 'fix checked':

 

R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)

 

F3 - REG:win.ini: run=D:\WINDOWS\inetg\services.exe

 

O2 - BHO: (no name) - {4AFA6559-9210-0FEF-8325-675578AE274E} - D:\WINDOWS\System32\egtugekd.dll

 

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

 

O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)

 

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

If you or an administrator didn't set these policies, then check and fix these items.

 

O15 - Trusted Zone: www.mt-download.com

 

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...c5501e7089a2147

 

Reboot into safe mode:

Restart the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safe Mode and press the <Enter> key.

 

Show Hidden Files and Folders

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Find and delete:

 

D:\WINDOWS\inetg\services.exe

D:\WINDOWS\System32\egtugekd.dll <-- if still present

 

Reboot into normal mode, then go into Internet Options - General tab. Delete temporary internet files, and choose to delete all offline content.

Also, go to Start - Find - Files or folders; in the named box, type: *.tmp and choose Edit - select all - File - delete.

Empty the contents of the C:\Windows\temp folder and the C:\temp folder, if you have one.

Empty the Recycle Bin, and clear history and cookies.

 

Rescan and post a new log.

 

Please find this item while in 'safe mode' and right click on it. Look at the properties and see if you recognize it.

D:\WINDOWS\system32\t?skmgr.exe

Tell us what it says if you don't recognize it.

***This question mark ? is important for the research that's going on :)

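The reply above picks out entries by a handful of recurring signs: a registry reference that resolves to "(no file)", a win.ini run= autostart, a nameless BHO or toolbar backed by a DLL, IE policy restrictions nobody set, a site added to the Trusted Zone, an ActiveX download (O16) with no friendly name, a core Windows binary (services.exe) started from a folder other than system32, and a process name HijackThis printed with a "?". The script below is an added example, not part of this thread and not HijackThis code: it reads a HijackThis-style log and applies those same triage rules so the suspicious lines surface first. The sample log is constructed from entries quoted in the thread, and the allow-list of known-good nameless BHOs (Spybot's SDHelper.dll) is an assumption made for the example, not a complete list.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a full log), assembled from the kinds of entries the
# thread's helper singled out: a core binary running outside system32, a
# process name HijackThis could not render, an orphaned hook, a nameless BHO,
# an IE policy, a Trusted Zone addition and a DPF with no friendly name.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\system32\services.exe
D:\WINDOWS\inetg\services.exe
D:\WINDOWS\system32\t?skmgr.exe

R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
F3 - REG:win.ini: run=D:\WINDOWS\inetg\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AFA6559-9210-0FEF-8325-675578AE274E} - D:\WINDOWS\System32\egtugekd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [xp_system] D:\WINDOWS\inetg\services.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php
"""

# Windows core processes that legitimately load only from %WINDIR%\system32;
# a copy elsewhere (D:\WINDOWS\inetg\services.exe above) is a classic disguise.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Known-good nameless BHOs; Spybot's SDHelper.dll shows as "(no name)" in HJT.
# This allow-list is constructed for the example and is not exhaustive.
KNOWN_GOOD_NAMELESS = {"sdhelper.dll"}

ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
DPF_NO_NAME_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - ")


@dataclass
class Finding:
    rule: str
    line: str


def _path_findings(line, path):
    """Checks that apply to any file path, whether a running process or an entry."""
    # '?' cannot appear in a Windows file name, so HijackThis printed it in
    # place of a character it could not render (the t?skmgr.exe case).
    if "?" in path:
        yield Finding("unrenderable-char-in-path", line)
    parts = path.split("\\")
    if len(parts) >= 2 and parts[-1].lower() in CORE_SYSTEM_BINARIES \
            and parts[-2].lower() != "system32":
        yield Finding("core-binary-outside-system32", line)


def triage(log_text):
    """Return the entries of a HijackThis-style log that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^[A-Za-z]:\\", line):          # "Running processes" block
            findings.extend(_path_findings(line, line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sect, body = m.group("sect"), m.group("body")
        if body.endswith("(no file)"):               # registry points at nothing
            findings.append(Finding("orphaned-registry-reference", line))
            continue
        if sect.startswith("F"):                     # win.ini / system.ini autostart
            findings.append(Finding("legacy-ini-autostart", line))
        path = PATH_RE.search(body)
        if path:
            findings.extend(_path_findings(line, path.group(0)))
            if sect in ("O2", "O3") and "(no name)" in body \
                    and path.group(0).split("\\")[-1].lower() not in KNOWN_GOOD_NAMELESS:
                findings.append(Finding("nameless-bho-or-toolbar", line))
        if sect == "O6":                             # IE policy restrictions set
            findings.append(Finding("ie-policy-present", line))
        if sect == "O15":                            # site added to Trusted Zone
            findings.append(Finding("trusted-zone-addition", line))
        if sect == "O16" and DPF_NO_NAME_RE.match(body):  # ActiveX download, no name
            findings.append(Finding("unnamed-dpf", line))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick overview of a log."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.line}")
```

The rules are deliberately loose: they rank lines for a human to read, as the helper did, rather than decide anything on their own. Every rule except the "?" and outside-system32 checks will also hit legitimate software (the Spybot helper shows why an allow-list is needed), so treat a hit as "look at this next", not "delete this".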

Here is my HJT log. Also, the t?skmgr said Application. Windows TaskManager.

 

Logfile of HijackThis v1.98.2

Scan saved at 12:46:39 AM, on 10/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Executive Software\Diskeeper\DkService.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

D:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe

D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

D:\Program Files\SpywareGuard\sgmain.exe

D:\Program Files\SpywareGuard\sgbhp.exe

D:\Program Files\Microsoft Office\Office10\WINWORD.EXE

D:\Program Files\Internet Explorer\iexplore.exe

D:\Documents and Settings\Ulic\Desktop\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: Popup Blocker - {815A82AE-CDEF-11D8-BA48-A6D245798277} - d:\windows\20040818\TOOLBA~1.DLL

O4 - HKLM\..\Run: [sCANINICIO] "D:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [spybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SpywareBlaster (2).lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe

O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab


Rescan with HJT and follow the above procedures. Check these items and 'fix':

 

O3 - Toolbar: Popup Blocker - {815A82AE-CDEF-11D8-BA48-A6D245798277} - d:\windows\20040818\TOOLBA~1.DLL

 

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -

 

Reboot into safe mode and show hidden files and folders...see if you can locate this file and delete it:

d:\windows\20040818\TOOLBA~1.DLL

 

Reboot into normal mode. Please post a new log and let us know how you're doing.

 

edit...I can't speil :blushing:


Well, I am not seeing any more occurrences as of yet. Of course it has only been a little while, but I am keeping my fingers crossed. I rebooted, ran in safe mode, deleted those files you spoke of, and also ran Spybot and Ad-Aware, and they both came up with nothing. Here is my new revised HJT log.

 

 

Logfile of HijackThis v1.98.2

Scan saved at 1:19:58 AM, on 10/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Executive Software\Diskeeper\DkService.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

D:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

D:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe

D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

D:\Program Files\Microsoft ActiveSync\WCESMgr.exe

D:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

D:\WINDOWS\msagent\AgentSvr.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Documents and Settings\Ulic\Desktop\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [sCANINICIO] "D:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [spybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SpywareBlaster (2).lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe

O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

 

 

 

Thank you for your help, it is greatly appreciated.


Something is still wrong here :huh:

 

Rescan with HJT, fix these items:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com

 

O4 - Global Startup: SpywareBlaster (2).lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe

 

Reboot into safe mode, find and delete:

 

D:\WINDOWS\msagent\AgentSvr.exe

 

Reboot.

 

Uninstall SpywareBlaster, reinstall and update it:

http://www.javacoolsoftware.com/products.html

(follow the links to MajorGeeks)

 

Run Bitdefender http://www.bitdefender.com/scan/licence.php

and post a new log.


Logfile of HijackThis v1.98.2

Scan saved at 9:12:46 AM, on 10/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\Documents and Settings\Ulic\Desktop\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - D:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [sCANINICIO] "D:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [spybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AIM Search - res://D:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INetRepl.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

 

 

 

BitDefender found that my notepad.exe was infected. I removed the file, and there is my HJT log. I was told Panda Antivirus was one of the better AV programs out there. Was I misled, or should I just use it as well as the online scan?


Ugh, it looks like I got infected with some spyware at work. Well, rather, my office computer got infected from one of my employees. I have this annoying Websearch toolbar that refuses to go away. I have tried the normal Websearch removal methods and they aren't working, at least not yet. I will download HJT tomorrow and run it, as well as post a new log. I deal with sensitive information on this machine, so I want to be able to make it as safe as possible for a system connected to the internet via broadband.


Here is the HJT log from my work.

 

 

Logfile of HijackThis v1.98.2

Scan saved at 2:20:59 PM, on 10/6/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\WinTools\WToolsS.exe

C:\Program Files\RealVNC\WinVNC\WinVNC.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINDOWS\SYSTEM32\USRshutA.exe

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Common Files\WinTools\WSup.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Documents and Settings\Store\Desktop\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.simplywireless.com/stores

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...jsp?forceLoad=1

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/konti...current/kdx.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7821E05A-208C-4911-9BBB-3F7B50450531}: NameServer = 207.172.3.8,207.172.3.9

 

 

 

 

Any help would definitely be appreciated. Thanks in advance.
