[FIXED] Library of Spyware and Adware on my PC

Tigereye1786 · 09-22-2005

Hi,
It seems that my laptop could be used as an example of infection of, what seems to be, every spyware/adware progam known to man. The ones that I have identified and quasi-researched were PeopleOnPage, IST bar, and The Best Offers which somehow installed itself on my Add/Remove programs list (which I am so far unable to remove). I have run CCleaner, ewido, and HijackThis. The scan and HJT logs are attached. So if you can help me with the remaining bugs other than the 45 or so infected files that ewido found, your help is greatly appriciated. Thanks.

Hengis · 09-22-2005

Welcome to the forum Tigereye1786

Before you send that PC off to be forensically tested and stored in the X-Files (Spyware Dept.) bunker, I would like to say that we have some excellent Spyware minds that work tirelessly on this site and they will be more than happy to vanquish those nasties from your PC. I am sure one of them will be along soon to cast their eyes over your logs

Tigereye1786 · 09-22-2005

Boy, do I hope so! :-o
Thanks.

ladygreenwitch · 09-22-2005

:-D Hey Tigereye,

Can you do me a favor please. Post the ewido log by copying and pasting into your post. they don't convert well to text, (They actually turn into Chinese :lol

In the mean time I'll take a look at your HJT log.

Also, when you ran ewido, did you allow it to fix the items it found?

TTFN

T

Tigereye1786 · 09-22-2005

Here is the ewido log file.
Yes I did let it correct the infected files.

+ Created on: 12:48:40 AM, 9/22/2005
+ Report-Checksum: 62599C72

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\ISTsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\ISTsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monito rs\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\IST -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Settings\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{00000000-F09C-02B4-6EC2-AD0300000000} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0} -> Spyware.Webhancer : Cleaned with backup
HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
[892] C:\WINDOWS\system32\qrstlkr.exe -> Trojan.Agent.cp : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.6:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.7:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.8:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.10:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.11:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.17:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.18:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.28:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.29:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.34:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.51:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.52:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning
C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\DNS\gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup
C:\Program Files\DVD Author\TMPGEnc.DVD.Author.v1.6.26.73.Incl.Keygen-PARADOX\pdx-td16.exe -> TrojanDropper.Delf.fl : Cleaned with backup
C:\Program Files\DVD Author\TMPGEnc.DVD.Author.v1.6.26.73.Incl.Keygen-PARADOX.zip/pdx-td16.exe -> TrojanDropper.Delf.fl : Error during cleaning
C:\Program Files\ISTsvc -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\ISTsvc\istsvc.exe -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\Tesosoft\Cache\00004e45_432c1466_0005b89e -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Program Files\Tesosoft\Cache\000056ae_432c14c4_000de61e -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\WINDOWS\imgnwqo.exe -> TrojanDownloader.IstBar.ij : Cleaned with backup
C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\system32\wingmt32.exe -> Worm.Mytob : Cleaned with backup
C:\WINDOWS\system32\winsvc32.exe -> Backdoor.SdBot : Cleaned with backup
C:\wingmt32.exe -> Worm.Mytob : Cleaned with backup
D:\My Documents\Programs\TMPGEnc.DVD.Author.v1.6.26.73.I ncl.Keygen-PARADOX.zip/pdx-td16.exe -> TrojanDropper.Delf.fl : Error during cleaning
D:\My Documents\Confirmation_Sheet.pif/wingmt32.exe -> Worm.Mytob : Error during cleaning

In case you need it here is the HJT log too.

Logfile of HijackThis v1.99.1
Scan saved at 1:54:38 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\chemistry 11l programs\quicktime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\OpenAFS\Client\Program\afscreds.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HiJackThis(BrowserHijacking)\Hija ckThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtim e.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPw rMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAuto nomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBa ttLog
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\chemistry 11l programs\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: AFS Credentials.lnk = C:\Program Files\OpenAFS\Client\Program\afscreds.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126276944468
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InstallProcessing - Unknown owner - C:\WINDOWS\system32\InstallProcessing.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM AFS Client (TransarcAFSDaemon) - Unknown owner - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe

Thanks

ladygreenwitch · 09-22-2005

:-D Hey Tigereye,

Boy, your title sure says it all!! I would recommend printing these instructions because you are going to be in Safe Mode for a good deal of them.

You are going to need to do these in order.

First I need you to download some programs. Hoster, Nailfix,Spybot: Search And Destroy, Ad-Aware SE, and RegSupremePro.

Install but do not run RegSupremePro. Install and update Spybot and Adaware. Unzip Nailfix to your desktop but don't do anything with it yet. Leave Hoster until later.

Disable system restore to prevent re-infection.
(you can turn it back on when youre pc is clean).
How to disable system restore: WinXP.

Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Then run this online virus scanner Housecalls
Let it fix everyting that it finds.

Then boot into Safe Mode and stay there until the fixes are complete or you could reinfect your system.

Once in Safe Mode run CCleaner, make sure that all options to scan are checked, including Advanced. Answer Yes to any warnings. Let it clean everything that it finds.

Spybot: Search And Destroy:
Close ALL windows except Spybot SD.
Click the "Check for Problems" button.
Click 'Fix Selected Problems' and fix only the RED items.

Ad-Aware SE by Lavasoft:
Close ALL windows except Ad-Aware SE.
Click on 'Start' and choose 'full scan' for a full scan.
Quarantine anything that it finds and SAVE the log file and exit out of Adaware.

Run CCleaner again.

Then click Start>Run and type in: services.msc
Click OK
In the Services window find each of the following and follow the next set of instructions for each:

InstallProcessing
System Startup Service

Select, and right click the entry, choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Open HJT and click config > misc tools > ?delete an NT service?
Copy and past:

InstallProcessing
SvcProc

Click OK.

Now run the Nailfix.

Then, still in safemode, fix these with HJT:

C:\WINDOWS\System32\TPHDEXLG.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Internet Explorer Web Content Catcher ?- {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - Global Startup: Digital Line Detect.lnk = ?

O23 - Service: System Startup Service ?(SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

O23 - Service: InstallProcessing - Unknown owner - C:\WINDOWS\system32\InstallProcessing.exe

Then run Ccleaner AGAIN, and then Nailfix. After that manually delete the files in bold in the fix list above.

Then run Hoster to restore your Hosts files as a precaution.

Now run ewido and allow it to fix anything that it finds.
Save the log and reboot into Normal Mode.

Once in Normal Mode, run RegSupremePro. Select Registry Cleaner, it will want to make a back up of your registry, let it. It may take a bit. Once it is finished choose Aggressive in the dialog box and let it run. When it is finished, click on Select, and choose All. Then click on Fix.

Finally, run HJT once more and Attache the new log.

I know this is a lot. But you have a lot of stuff on there. We'll be looking for your reply,

TTFN

T

joe5 · 09-23-2005

Also have a look in youre C:\WINDOWS\system32 folder , and see if there are two different rundll32.exe's in there. Upload these files one by one here:

http://virusscan.jotti.org/

and report back the results please.

C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe

Make sure hidden and system files are set to show.

1.On the Tools menu in Windows Explorer, click Folder Options.
2.Click the View tab.
3.Under Hidden files and folders, click Show hidden files and folders.
And also select to show protected operating system files.
4.If you see a warning message, click Yes.
5.Click Apply.
6.Click OK.

09-22-2005	#2
Hengis PCHF Founder & Owner Join Date: Jan 2004 Location: The PCHF Bunker Posts: 13,971 PC Experience: Microsoft Certified Professional	Re: Library of Spyware and Adware on my PC Welcome to the forum Tigereye1786 Before you send that PC off to be forensically tested and stored in the X-Files (Spyware Dept.) bunker, I would like to say that we have some excellent Spyware minds that work tirelessly on this site and they will be more than happy to vanquish those nasties from your PC. I am sure one of them will be along soon to cast their eyes over your logs __________________ Pre-Work / System File Checker / Promote PCHF!

09-22-2005	#3
Tigereye1786 Bronze Member Join Date: Sep 2005 Posts: 25	Re: Library of Spyware and Adware on my PC Boy, do I hope so! :-o Thanks.

09-22-2005	#4
ladygreenwitch Elite Member Join Date: Jul 2005 Location: Bay Area California Posts: 6,625 PC Experience: Very Experienced	Re: Library of Spyware and Adware on my PC :-D Hey Tigereye, Can you do me a favor please. Post the ewido log by copying and pasting into your post. they don't convert well to text, (They actually turn into Chinese :lol In the mean time I'll take a look at your HJT log. Also, when you ran ewido, did you allow it to fix the items it found? TTFN T __________________ PreWork/ AfterWork/ CCleaner/Spybot S&D/ Spyware Blaster/ Adaware SE/ Memtest86/ Shoot the Messenger/ Housecall/ Belarc/ Registry Cleaner/ Bootdisk.com/ XP Install/PCHF Protect Your PC

09-22-2005	#5
Tigereye1786 Bronze Member Join Date: Sep 2005 Posts: 25	Re: Library of Spyware and Adware on my PC Here is the ewido log file. Yes I did let it correct the infected files. + Created on: 12:48:40 AM, 9/22/2005 + Report-Checksum: 62599C72 + Scan result: HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup HKLM\SOFTWARE\ISTsvc -> Spyware.ISTBar : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\ISTsvc -> Spyware.ISTBar : Cleaned with backup HKLM\SYSTEM\CurrentControlSet\Control\Print\Monito rs\ZepMon -> Spyware.BetterInternet : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\IST -> Spyware.ISTBar : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Settings\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D} -> Spyware.Begin2Search : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{00000000-F09C-02B4-6EC2-AD0300000000} -> Spyware.Transponder : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D} -> Spyware.Begin2Search : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{C900B400-CDFE-11D3-976A-00E02913A9E0} -> Spyware.Webhancer : Cleaned with backup HKU\S-1-5-21-2491644285-426764551-501881172-1017\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup [892] C:\WINDOWS\system32\qrstlkr.exe -> Trojan.Agent.cp : Cleaned with backup :mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup :mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup :mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jfmx7r35.default\coo kies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup :mozilla.6:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Com : Cleaned with backup :mozilla.7:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Com : Cleaned with backup :mozilla.8:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup :mozilla.10:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup :mozilla.11:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.12:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.17:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup :mozilla.18:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup :mozilla.28:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup :mozilla.29:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup :mozilla.34:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup :mozilla.51:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup :mozilla.52:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.53:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.54:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.55:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.56:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.57:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Advertising : Cleaned with backup :mozilla.64:C:\Documents and Settings\nikhilp\Application Data\Mozilla\Firefox\Profiles\mqz3cb62.Nikhil\cook ies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup C:\Program Files\Common Files\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup C:\Program Files\DNS\gui.exe -> TrojanDownloader.Agent.rv : Cleaned with backup C:\Program Files\DVD Author\TMPGEnc.DVD.Author.v1.6.26.73.Incl.Keygen-PARADOX\pdx-td16.exe -> TrojanDropper.Delf.fl : Cleaned with backup C:\Program Files\DVD Author\TMPGEnc.DVD.Author.v1.6.26.73.Incl.Keygen-PARADOX.zip/pdx-td16.exe -> TrojanDropper.Delf.fl : Error during cleaning C:\Program Files\ISTsvc -> Spyware.ISTBar : Cleaned with backup C:\Program Files\ISTsvc\istsvc.exe -> Spyware.ISTBar : Cleaned with backup C:\Program Files\Tesosoft\Cache\00004e45_432c1466_0005b89e -> TrojanDownloader.IstBar.j : Cleaned with backup C:\Program Files\Tesosoft\Cache\000056ae_432c14c4_000de61e -> TrojanDownloader.IstBar.j : Cleaned with backup C:\WINDOWS\imgnwqo.exe -> TrojanDownloader.IstBar.ij : Cleaned with backup C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup C:\WINDOWS\system32\wingmt32.exe -> Worm.Mytob : Cleaned with backup C:\WINDOWS\system32\winsvc32.exe -> Backdoor.SdBot : Cleaned with backup C:\wingmt32.exe -> Worm.Mytob : Cleaned with backup D:\My Documents\Programs\TMPGEnc.DVD.Author.v1.6.26.73.I ncl.Keygen-PARADOX.zip/pdx-td16.exe -> TrojanDropper.Delf.fl : Error during cleaning D:\My Documents\Confirmation_Sheet.pif/wingmt32.exe -> Worm.Mytob : Error during cleaning In case you need it here is the HJT log too. Logfile of HijackThis v1.99.1 Scan saved at 1:54:38 PM, on 9/22/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\ibmpmsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\QCONSVC.EXE C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\TPHDEXLG.EXE C:\WINDOWS\system32\TpKmpSVC.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\acs.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\TpShocks.exe C:\WINDOWS\System32\TpScrLk.exe C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe C:\IBMTOOLS\UTILS\ibmprc.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Lexmark 5200 series\lxbtbmon.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe C:\Program Files\iTunes\iTunesHelper.exe C:\program files\chemistry 11l programs\quicktime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe C:\Program Files\OpenAFS\Client\Program\afscreds.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HiJackThis(BrowserHijacking)\Hija ckThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local., R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing) O4 - HKLM\..\Run: [UC_Start] C:\Program Files\Updater\ucstartup.exe O4 - HKLM\..\Run: [TpShocks] TpShocks.exe O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe" O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtim e.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPw rMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAuto nomicMonitor O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBa ttLog O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\chemistry 11l programs\quicktime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - Global Startup: AFS Credentials.lnk = C:\Program Files\OpenAFS\Client\Program\afscreds.exe O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126276944468 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InstallProcessing - Unknown owner - C:\WINDOWS\system32\InstallProcessing.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe O23 - Service: IBM AFS Client (TransarcAFSDaemon) - Unknown owner - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe Thanks

09-22-2005	#6
ladygreenwitch Elite Member Join Date: Jul 2005 Location: Bay Area California Posts: 6,625 PC Experience: Very Experienced	Re: Library of Spyware and Adware on my PC :-D Hey Tigereye, Boy, your title sure says it all!! I would recommend printing these instructions because you are going to be in Safe Mode for a good deal of them. You are going to need to do these in order. First I need you to download some programs. Hoster, Nailfix,Spybot: Search And Destroy, Ad-Aware SE, and RegSupremePro. Install but do not run RegSupremePro. Install and update Spybot and Adaware. Unzip Nailfix to your desktop but don't do anything with it yet. Leave Hoster until later. Disable system restore to prevent re-infection. (you can turn it back on when youre pc is clean). How to disable system restore: WinXP. Right-click My Computer, and then click Properties. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives. Then run this online virus scanner Housecalls Let it fix everyting that it finds. Then boot into Safe Mode and stay there until the fixes are complete or you could reinfect your system. Once in Safe Mode run CCleaner, make sure that all options to scan are checked, including Advanced. Answer Yes to any warnings. Let it clean everything that it finds. Spybot: Search And Destroy: Close ALL windows except Spybot SD. Click the "Check for Problems" button. Click 'Fix Selected Problems' and fix only the RED items. Ad-Aware SE by Lavasoft: Close ALL windows except Ad-Aware SE. Click on 'Start' and choose 'full scan' for a full scan. Quarantine anything that it finds and SAVE the log file and exit out of Adaware. Run CCleaner again. Then click Start>Run and type in: services.msc Click OK In the Services window find each of the following and follow the next set of instructions for each: InstallProcessing System Startup Service Select, and right click the entry, choose: Properties On the General tab, under Service Status click the Stop button Beside: Startup Type, in the drop menu, select: Disabled Click Apply, then OK Open HJT and click config > misc tools > ?delete an NT service? Copy and past: InstallProcessing SvcProc Click OK. Now run the Nailfix. Then, still in safemode, fix these with HJT: C:\WINDOWS\System32\TPHDEXLG.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local., R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O2 - BHO: Internet Explorer Web Content Catcher ?- {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing) O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - Global Startup: Digital Line Detect.lnk = ? O23 - Service: System Startup Service ?(SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) O23 - Service: InstallProcessing - Unknown owner - C:\WINDOWS\system32\InstallProcessing.exe Then run Ccleaner AGAIN, and then Nailfix. After that manually delete the files in bold in the fix list above. Then run Hoster to restore your Hosts files as a precaution. Now run ewido and allow it to fix anything that it finds. Save the log and reboot into Normal Mode. Once in Normal Mode, run RegSupremePro. Select Registry Cleaner, it will want to make a back up of your registry, let it. It may take a bit. Once it is finished choose Aggressive in the dialog box and let it run. When it is finished, click on Select, and choose All. Then click on Fix. Finally, run HJT once more and Attache the new log. I know this is a lot. But you have a lot of stuff on there. We'll be looking for your reply, TTFN T __________________ PreWork/ AfterWork/ CCleaner/Spybot S&D/ Spyware Blaster/ Adaware SE/ Memtest86/ Shoot the Messenger/ Housecall/ Belarc/ Registry Cleaner/ Bootdisk.com/ XP Install/PCHF Protect Your PC

09-23-2005	#7
joe5 Elite Member Join Date: Jun 2005 Location: Netherlands Posts: 9,025	Re: Library of Spyware and Adware on my PC Also have a look in youre C:\WINDOWS\system32 folder , and see if there are two different rundll32.exe's in there. Upload these files one by one here: http://virusscan.jotti.org/ and report back the results please. C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\rundll32.exe Make sure hidden and system files are set to show. 1.On the Tools menu in Windows Explorer, click Folder Options. 2.Click the View tab. 3.Under Hidden files and folders, click Show hidden files and folders. And also select to show protected operating system files. 4.If you see a warning message, click Yes. 5.Click Apply. 6.Click OK. __________________ - PCHF Team. - (NL) - Mal-ware Eradicator! - - Online AV Scans - HijackThis! - Bootdisk.com - ATF-Cleaner - Stinger - 'Prework' - 'Afterwork' - PCHF Rules - Donate to PCHF. And get>

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode