Solved

Spyware

Posted on 2007-11-20
9
3,693 Views
Last Modified: 2011-09-20
one of my computers got an infection with spyware. I ran Hijackthis & here is the log file. I think it can probably be found in this. If not then will go from there.
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:37:20 PM, on 11/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

F:\HiJackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,ntsvc32.dll,C:\WINDOWS\system32\makehm.exe,

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll

O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll

O2 - BHO: (no name) - {AF8F343A-33F0-4FCE-B69C-FD0D46A49CE5} - C:\WINDOWS\system32\ati2cqa.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll

O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe

O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe

O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe

O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe

O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe

O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"

O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"

O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe

O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe

O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe

O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe

O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\RunOnce: [AVGW] C:\PROGRA~1\Grisoft\AVG6\avgw.exe /RUNONCE

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab

O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: w32tm.dll 

O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll

O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 

--

End of file - 8583 bytes

Open in new window

0
Comment
Question by:mred
9 Comments
 
LVL 18

Expert Comment

by:Crash2100
ID: 20325597
Have you tried another spyware program, that cleans this stuff out?

     Ad-Aware
     http://www.download.com/3000-2144-10045910.html
     http://www.lavasoft.de/support/download/

     SpybotSD - Download Spybot - Search & Destroy by PepiMK Software
     http://www.safer-networking.org/en/download/index.html

     Spyware Doctor
     http://www.download.com/Spyware-Doctor/3000-8022-10361503.html
     http://www.pctools.com/spyware-doctor/download/

     SpywareBlaster
     http://www.download.com/SpywareBlaster/3000-8022_4-10196637.html
     http://www.javacoolsoftware.com/spywareblaster.html

     CA Spyware Information Center
     http://www3.ca.com/securityadvisor/pest/

     Windows® Defender (Beta 2) x86
     http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20325670
0
 
LVL 22

Accepted Solution

by:
orangutang earned 125 total points
ID: 20325689
These look suspicious:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,ntsvc32.dll,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O20 - AppInit_DLLs: w32tm.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
0
 

Expert Comment

by:Weddeh
ID: 20325709
This line are spywares, remove this line:

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll (file missing)
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'Default user')
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:mred
ID: 20411639
Problem fixed. I hadn't even been on the computer weeks now but  Orangutangs looks right. Thanks.
0
 

Author Closing Comment

by:mred
ID: 31410298
My screen is overlaping letters!!! and droping off some. May be the IE7 ? ?
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412664
Send us an updated HijackThis log.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412678
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412682
Oops, never mind about the last post.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
windows 10 install 6 101
Windows XP and blocking external Internet only 6 204
Installing Windows XP from USB 10 100
Event ID: 5719 / Source: NETLOGON 9 105
Most of the time we are in fix when all of sudden our systems behave weirdly.  Such problems cost time and effort... so it's best to take some preventive actions so that we can avoid such issues or overcome such problems more easily. Preventive M…
Are you unable to synchronize your OST (Offline Storage Table) file with Microsoft Exchange Server? Is your OST file exceeding 2 GB size limit? In Microsoft Outlook 2002 and earlier versions, there is a 2 GB size limit for the OST file. If the file …
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now