Member Panel

Remember me ?

Forgot password?   

Sponsors and Ads

Noticeboard
PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » problems with keeping spyware ect out

[Fixed] Hijackthis! Logs - problems with keeping spyware ect out posted in the Security & Safety forums; Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:00:51 PM, on 9/13/2003 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: ...

JOIN US NOW to remove these Ads

Post New Thread  Reply
Page 1 of 3 1 2 3 >
  #1  
Old 09-14-2007
Bronze Member
  
Join Date: Sep 2007
Posts: 13
night hiker - See this Members User comments on their Profile page
Default problems with keeping spyware ect out
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:51 PM, on 9/13/2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Movie Maker\hobyrafy22011.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.e xe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\COMMON~1\AOL\115904~1\EE\AOLHOS~1.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\115904~1\EE\AOLServiceHos t.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner.DANRILEY\Desktop\HiJackThis\HijackT his.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Facebook | Welcome to Facebook!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T6544
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...ys=DTP&M=T6544
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T6544
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {189CAF34-D647-4E05-5E9C-9D8BDFE824E4} - C:\Program Files\Windows Plus\lafuve.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - sipov.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\srmdyead.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1159040204\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [{95-5F-F3-3E-ZN}] C:\DOCUME~1\OWNER~1.DAN\LOCALS~1\Temp\thinksnet.ex e CHD003
O4 - HKLM\..\Run: [hobyrafy] C:\Program Files\Movie Maker\hobyrafy22011.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\tipkudgd.dll",forkonce
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Owner.DANRILEY\smss.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.e xe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.DANRILEY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: qwfnoy - {CC895F3F-6623-F595-A158-9FAEAFDAB271} - C:\WINDOWS\System32\za.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\dbfjrmyh.exe (file missing)
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Plus\pronyka.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Windows Media Player\pronyka.html
--
End of file - 10173 bytes







---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:24:24 PM 9/13/2003
+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \\smgr -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\ucleaner_setup.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\ip6fw.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP136\A0096545.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner.DANRILEY\Local Settings\Temporary Internet Files\Content.IE5\IPVFASOD\nsp[2] -> Downloader.Small.fkm : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner.DANRILEY\Local Settings\Temporary Internet Files\Content.IE5\ZB09HCXK\nsp[1].mov -> Not-A-Virus.Exploit.Multi.Qtp.b : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@cupolaventur es.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@entrepreneur .122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@heavycom.122 .2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@msnportal.11 2.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@networksolut ions.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@paypal.112.2 o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@reunioncom.1 12.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@adc.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@getmusicfree .aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@www.abcsearc h[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@3.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@ads.addynami x[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@roi.admarket place[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@www.burstbea con[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@adopt.eurocl ick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@ehg-traderpublishing.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@searchportal .information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@server.iad.l iveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@image.master stats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@perf.overtur e[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@ads.pointrol l[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@questionmark et[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@adopt.specif icclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@specificclic k[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@statse.webtr endslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@ad.yieldmana ger[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Owner.DANRILEY\Cookies\owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP136\A0096546.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end


Last edited by night hiker; 09-14-2007 at 12:15 AM.
  #2  
Old 09-14-2007
ih8bills's Avatar
Tech Team Leader
My PC
 
Join Date: Feb 2006
Location: coastal Rhode Island
Posts: 4,456
PC Experience: More Stubborn than any PC
ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page
Default Re: problems with keeping spyware ect out
Hi-- Weclome to PCHF-- a member of our security team will fix you up.
One thing I don't see in that log... a firewall program.
After we get you cleaned out-- you will need to get one.


__________________


Without music, life would be a mistake
Friedrich Nietzsche
  #3  
Old 09-14-2007
chiaz's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Singapore
Posts: 2,734
PC Experience: PC Guru
chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page
Default Re: problems with keeping spyware ect out
Hello night hiker.


Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.
  #4  
Old 09-14-2007
Bronze Member
  
Join Date: Sep 2007
Posts: 13
night hiker - See this Members User comments on their Profile page
Default Re: problems with keeping spyware ect out
ComboFix 07-09-14.2 - "Owner" 2007-09-14 13:27:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.519 [GMT -4:00]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\OWNER~1.DAN\Desktop\Find Spyware Remover.lnk
C:\Program Files\inetget2
C:\Program Files\Ultimate Cleaner
C:\Program Files\Windows Plus\lafuve.dll
C:\Program Files\Windows Plus\pronyka.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\IA
C:\WINDOWS\mgrs.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\tk58.exe
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\LEGACY_ICF
-------\LEGACY_RUNTIME
-------\DomainService
-------\ICF
-------\runtime

((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.
2007-09-14 13:30 135,168 --a------ C:\WINDOWS\tk58.exe
2007-09-13 03:55 21,504 --a------ C:\WINDOWS\system32\sipov.dll
2007-09-12 23:30 <DIR> d-------- C:\Program Files\iTunes
2007-09-12 23:29 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-11 20:42 <DIR> d-------- C:\Program Files\CCleaner
2007-09-09 01:37 <DIR> d-------- C:\Program Files\PCPitstop
2007-09-08 21:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-08 19:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-07 23:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-07 23:19 <DIR> d-------- C:\DOCUME~1\OWNER~1.DAN\APPLIC~1\SUPERAntiSpyware. com
2007-09-07 20:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-07 20:33 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-07 00:14 678 ---hs---- C:\WINDOWS\system32\vybeg.ini2
2007-09-06 12:59 <DIR> d-------- C:\DOCUME~1\OWNER~1.DAN\APPLIC~1\PC Tools
2007-09-06 12:35 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2007-09-06 12:35 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2007-09-06 12:35 15,872 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2007-09-06 12:35 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-09-06 12:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-09-06 12:03 1,989,302 --ahs---- C:\WINDOWS\system32\vybeg.bak2
2007-09-06 09:50 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\yahoo!
2007-09-06 00:49 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-09-06 00:11 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Yahoo!
2007-09-06 00:03 6,448 --ahs---- C:\WINDOWS\system32\vybeg.bak1
2007-09-05 23:58 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\NetMon
2007-09-05 23:57 <DIR> d-------- C:\WINDOWS\system32\drvr2
2007-09-05 23:57 <DIR> d-------- C:\WINDOWS\system32\cfig322
2007-09-05 23:57 <DIR> d-------- C:\WINDOWS\system32\capcom
2007-09-05 00:13 32 -ra------ C:\DOCUME~1\ALLUSE~1\hash.dat
2007-09-04 23:30 <DIR> d-------- C:\Program Files\Three Rings Design
2007-09-04 23:29 <DIR> d-------- C:\DOCUME~1\OWNER~1.DAN\APPLIC~1\yoclient
2007-09-04 19:03 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-09-03 00:36 <DIR> d-------- C:\Program Files\DivX
2007-08-27 20:24 <DIR> d-------- C:\DOCUME~1\OWNER~1.DAN\APPLIC~1\Google
2007-08-27 15:22 13,416,432 --a------ C:\Program Files\Google_Earth_BZXD.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-09-14 13:31 --------- d-------- C:\Program Files\Trillian
2007-09-14 13:28 --------- d-------- C:\Program Files\Windows Plus
2007-09-12 23:30 --------- d-------- C:\Program Files\QuickTime
2007-09-12 23:30 --------- d-------- C:\Program Files\iPod
2007-09-10 22:14 --------- d-------- C:\Program Files\Magic Workstation
2007-09-06 00:32 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent
2007-09-06 00:29 --------- d-------- C:\Program Files\Skype
2007-09-06 00:29 --------- d-------- C:\DOCUME~1\OWNER~1.DAN\APPLIC~1\Skype
2007-09-06 00:28 --------- d-------- C:\Program Files\BroadJump
2007-08-30 11:27 --------- d-------- C:\Program Files\Gateway Games
2007-08-27 20:24 --------- d-------- C:\Program Files\Google
2007-06-17 00:11 51200 --a------ C:\WINDOWS\NirCmd.exe
2003-09-13 03:56 76232 --a------ C:\Program Files\setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971D5B7B-F7DF-43ee-B771-6B7FA09975C3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8CF62DB-2FCD-4343-7BB8-9DC8DD8E4D02}]
2007-09-14 13:30 70144 --a------ C:\Program Files\Windows Media Player\lafuve.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 21:44]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 11:32]
"nwiz"="nwiz.exe" [2005-09-18 11:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray. dll" [2005-09-18 11:32]
"CHotkey"="zHotkey.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1159040204\EE\AOLHostManager.exe" [2004-11-03 17:03]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOL SP Scheduler.exe" [2004-10-18 20:42]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"RTHDCPL"="RTHDCPL.EXE" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 19:16]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.ex e" [2006-07-21 17:19]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\Motive SB.exe" [2005-08-24 08:51]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 17:00]
"DNS7reminder"="C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-06-28 05:11]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\I SUSPM.exe" [2005-02-16 17:15]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15]
"hobyrafy"="C:\Program Files\Movie Maker\hobyrafy22011.exe" [2007-08-07 16:30]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-05-17 11:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-09-09 00:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 15:24]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Power2GoExpress"="NA" []
"Yahoo! Pager"="1" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-04 18:18]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-12-28 19:54:02]
C:\DOCUME~1\OWNER~1.DAN\STARTM~1\Programs\Startup\
Dragon NaturallySpeaking.lnk - C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.e xe [2006-06-28 05:11:56]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-07-19]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\R oyale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale. theme
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows Media Player\pronyka.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad]
"qwfnoy"= {CC895F3F-6623-F595-A158-9FAEAFDAB271} - C:\WINDOWS\system32\za.dll [2007-04-16 11:52 32768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\gebyv

.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 06:00:32 C:\WINDOWS\Tasks\alarm.job"
"2007-09-13 03:29:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************** ************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 13:30:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
Completion time: 2007-09-14 13:32:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-14 13:31
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:15 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Movie Maker\hobyrafy22011.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\COMMON~1\AOL\115904~1\EE\AOLHOS~1.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\115904~1\EE\AOLServiceHos t.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trillian\trillian.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\Owner.DANRILEY\Desktop\HiJackThis\HijackT his.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Facebook | Welcome to Facebook!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T6544
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...ys=DTP&M=T6544
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - sipov.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: 0 - {D8CF62DB-2FCD-4343-7BB8-9DC8DD8E4D02} - C:\Program Files\Windows Media Player\lafuve.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1159040204\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hobyrafy] C:\Program Files\Movie Maker\hobyrafy22011.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.e xe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.DANRILEY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: qwfnoy - {CC895F3F-6623-F595-A158-9FAEAFDAB271} - C:\WINDOWS\system32\za.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 8630 bytes
  #5  
Old 09-15-2007
chiaz's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Singapore
Posts: 2,734
PC Experience: PC Guru
chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page
Default Re: problems with keeping spyware ect out
Please run HijackThis and place a checkmark by the following entries:
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - sipov.dll (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.DANRILEY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O21 - SSODL: qwfnoy - {CC895F3F-6623-F595-A158-9FAEAFDAB271} - C:\WINDOWS\system32\za.dll

Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.


Download Avenger from here:
Swandog46’s Public Tools Page

Open the program. Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, paste this:
Files to delete:
C:\WINDOWS\system32\za.dll
and click 'Done'

Click the Traffic Light icon to start the program, and OK the prompts to reboot your PC.


Next please go to VirusTotal and upload the following files for analysis:
C:\Program Files\Windows Media Player\lafuve.dll
C:\Program Files\Movie Maker\hobyrafy22011.exe


Copy and paste the results from VirusTotal here in your next reply, along with a new HijackThis log and the Avenger output.txt, which you can find at C:\Avenger\.txt.

That's three things in total.


  #6  
Old 09-16-2007
Bronze Member
  
Join Date: Sep 2007
Posts: 13
night hiker - See this Members User comments on their Profile page
Default Re: problems with keeping spyware ect out
ogfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\xmuavecj
*******************
Script file located at: \??\C:\WINDOWS\system32\qkjlxerp.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\za.dll deleted successfully.
Completed script processing.
*******************
Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:44 PM, on 9/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Movie Maker\hobyrafy22011.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.e xe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\AOL\115904~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\COMMON~1\AOL\115904~1\EE\AOLServiceHos t.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\Owner.DANRILEY\Desktop\HiJackThis\HijackT his.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Facebook | Welcome to Facebook!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T6544
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...ys=DTP&M=T6544
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {44781910-09C2-404E-0DB2-3DAD641A75D1} - C:\Program Files\Windows Media Player\lafuve966.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1159040204\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hobyrafy] C:\Program Files\Movie Maker\hobyrafy22011.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.e xe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: qwfnoy - {CC895F3F-6623-F595-A158-9FAEAFDAB271} - C:\WINDOWS\system32\za.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\pronyka.html
--
End of file - 8441 bytes


Could you tell me what the virustotal your talking about is?
  #7  
Old 09-16-2007
ih8bills's Avatar
Tech Team Leader
My PC
 
Join Date: Feb 2006
Location: coastal Rhode Island
Posts: 4,456
PC Experience: More Stubborn than any PC
ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page ih8bills - See this Members User comments on their Profile page
Default Re: problems with keeping spyware ect out
Next please go to VirusTotal and upload the following files for analysis:
C:\Program Files\Windows Media Player\lafuve.dll
C:\Program Files\Movie Maker\hobyrafy22011.exe
He is suspicious of the 2 files above-- and wants you to upload them to this website :

VirusTotal - Free Online Virus and Malware Scan

so they can be analyzed.


__________________


Without music, life would be a mistake
Friedrich Nietzsche