aej1973
asked on
Spyware problem!!
I seem to have a bad spyware problem on my computer. It is running very slowly and I am getting a lot of pop ups. Can you help me get rid of this. I have posted my log file below:
Logfile of HijackThis v1.99.1
Scan saved at 8:31:08 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\system32\spools v.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\reals ched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin \jusched.e xe
C:\WINDOWS\System32\rundll 32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PowerPanel\Program\P cfMgr.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\WINDOWS\System32\wltrys vc.exe
C:\WINDOWS\System32\bcmwlt ry.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\System32\wuaucl t.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuaucl t.exe
C:\Documents and Settings\Marsha\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackTh is.exe
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Bar = res://C:\DOCUME~1\Marsha\L OCALS~1\Te mp\se.dll/ spage.html
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Bar = res://C:\DOCUME~1\Marsha\L OCALS~1\Te mp\se.dll/ spage.html
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\In ternet Explorer\Search,SearchAssi stant = about:blank
R0 - HKLM\Software\Microsoft\In ternet Explorer\Search,SearchAssi stant = about:blank
R1 - HKCU\Software\Microsoft\In ternet Explorer\SearchURL,(Defaul t) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C 2D500688DA 2} - C:\PROGRAM FILES\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {9C9E9A27-C910-4441-8680-2 DFE85E5BFA D} - C:\WINDOWS\System32\ffmn.d ll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C F10577473F 7} - c:\program files\google\googletoolbar 1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0 0A0C908246 7} - C:\WINDOWS\System32\msdxm. ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0 09027A5CD4 F} - c:\program files\google\googletoolbar 1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals ched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe " -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin \jusched.e xe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Marsha\LOCALS~ 1\Temp\se. dll,DllIns tall
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe " /background
O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad obe Gamma Loader.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\P cfMgr.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: ZIPscript.lnk = C:\NavPress\ZIPscrpt.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1 \OFFICE10\ EXCEL.EXE/ 3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict .htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch .htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\jre1.5.0_02\bin \npjpi150_ 02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\jre1.5.0_02\bin \npjpi150_ 02.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F 0B44B4BD2A C} - C:\WINDOWS\SYSTEM32\MAXSPE ED.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F 0B44B4BD2A C} - C:\WINDOWS\SYSTEM32\MAXSPE ED.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-0 0aa003c157 a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-0 0aa003c157 a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-0 0C0F0318AF E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {8517FE74-CC6B-48BF-B2DC-1 EA8C5E175B 0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8517FE74-CC6B-48BF-B2DC-1 EA8C5E175B 0} - (no file) (HKCU)
O16 - DPF: Win32 Classes -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8 DC6B52AB35 B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0 050DA18DE7 1} (RdxIE Class) - http://207.188.7.150/311b66313cc20d518405/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5 D2C442ADFD E} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-F CFDF33E833 C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101448940864
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0 C1DD2306FC 3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-1 5F98C42E04 C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-2 8BB9EB2281 E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Filter: text/html - {FC4F1150-54BA-44E0-8A63-1 DF7132B276 5} - C:\WINDOWS\System32\ffmn.d ll
O18 - Filter: text/plain - {FC4F1150-54BA-44E0-8A63-1 DF7132B276 5} - C:\WINDOWS\System32\ffmn.d ll
O23 - Service: PRTG 4 Service - Paessler Router Traffic Grapher (PRTG4Service) - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrys vc.exe
Thank you.
A
Logfile of HijackThis v1.99.1
Scan saved at 8:31:08 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin
C:\WINDOWS\System32\rundll
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PowerPanel\Program\P
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\WINDOWS\System32\wltrys
C:\WINDOWS\System32\bcmwlt
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\wuaucl
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuaucl
C:\Documents and Settings\Marsha\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackTh
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C
O2 - BHO: (no name) - {9C9E9A27-C910-4441-8680-2
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Marsha\LOCALS~
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\P
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: ZIPscript.lnk = C:\NavPress\ZIPscrpt.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-0
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-0
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra button: Microsoft AntiSpyware helper - {8517FE74-CC6B-48BF-B2DC-1
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8517FE74-CC6B-48BF-B2DC-1
O16 - DPF: Win32 Classes -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0
O16 - DPF: {62475759-9E84-458E-A1AB-5
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0
O16 - DPF: {CA034DCC-A580-4333-B52F-1
O16 - DPF: {D18F962A-3722-4B59-B08D-2
O18 - Filter: text/html - {FC4F1150-54BA-44E0-8A63-1
O18 - Filter: text/plain - {FC4F1150-54BA-44E0-8A63-1
O23 - Service: PRTG 4 Service - Paessler Router Traffic Grapher (PRTG4Service) - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrys
Thank you.
A
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Is it listed in desktop -> properties ->desktop ->background?
-> Search Button.
Or you simply download it again from the internet.
Tolomir
-> Search Button.
Or you simply download it again from the internet.
Tolomir
Or reactivate the active desktop :)
Righclick the background and set it there.
Lastly:
C:\WINDOWS\System32\rundll 32.exe could be executed to run a malicious .dll file.
COULD.
The file itsself is 100% windows safe.
Also do NOT run hijackthis from a temp directory,
Create a nice dir for it to run from.
Righclick the background and set it there.
Lastly:
C:\WINDOWS\System32\rundll
COULD.
The file itsself is 100% windows safe.
Also do NOT run hijackthis from a temp directory,
Create a nice dir for it to run from.
ASKER
Hello: I am sorry for the delay in getting back. I was on the road for a few days.
When I get to the desktop properties it gives me a option only to change the screen saver and there is no desktop option.Also when I turn on the computer I get the following message;
c:/document ~/admin/local~?temp/se.dll
Module cannot be found
What is to be done, it takes a lot of time before the system starts up. The spyware problem seems to have been taken care of. Thank you for the help.
A
When I get to the desktop properties it gives me a option only to change the screen saver and there is no desktop option.Also when I turn on the computer I get the following message;
c:/document ~/admin/local~?temp/se.dll
Module cannot be found
What is to be done, it takes a lot of time before the system starts up. The spyware problem seems to have been taken care of. Thank you for the help.
A
Hi!
This is probably a "reach" but -
Run "Regedit" and navigate to this key:
HKEY_CURRENT_USER\Software \Microsoft \Windows\C urrentVers ion\Polici es
What is showing in the right-hand pane?
RF
This is probably a "reach" but -
Run "Regedit" and navigate to this key:
HKEY_CURRENT_USER\Software
What is showing in the right-hand pane?
RF
ASKER
Name: default
Type:REG_SZ
Data: Value not set
This is what is there on the right hand side. Thanks.
Type:REG_SZ
Data: Value not set
This is what is there on the right hand side. Thanks.
Download and run adaware and microsoft anti-spyware. These two together do a great job for me and they're free!!
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I had a back ground picture before my system got infected with the spyware but now as a back ground picture I only have a black screen on my desktop. How do I get my original picture back? Thanks a ton again for all the help.
A