Solved

Spyware

Posted on 2007-11-20
9
3,701 Views
Last Modified: 2011-09-20
one of my computers got an infection with spyware. I ran Hijackthis & here is the log file. I think it can probably be found in this. If not then will go from there.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:20 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
F:\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,ntsvc32.dll,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O2 - BHO: (no name) - {AF8F343A-33F0-4FCE-B69C-FD0D46A49CE5} - C:\WINDOWS\system32\ati2cqa.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\RunOnce: [AVGW] C:\PROGRA~1\Grisoft\AVG6\avgw.exe /RUNONCE
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: w32tm.dll 
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 
--
End of file - 8583 bytes

Open in new window

0
Comment
Question by:mred
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 18

Expert Comment

by:Crash2100
ID: 20325597
Have you tried another spyware program, that cleans this stuff out?

     Ad-Aware
     http://www.download.com/3000-2144-10045910.html
     http://www.lavasoft.de/support/download/

     SpybotSD - Download Spybot - Search & Destroy by PepiMK Software
     http://www.safer-networking.org/en/download/index.html

     Spyware Doctor
     http://www.download.com/Spyware-Doctor/3000-8022-10361503.html
     http://www.pctools.com/spyware-doctor/download/

     SpywareBlaster
     http://www.download.com/SpywareBlaster/3000-8022_4-10196637.html
     http://www.javacoolsoftware.com/spywareblaster.html

     CA Spyware Information Center
     http://www3.ca.com/securityadvisor/pest/

     Windows® Defender (Beta 2) x86
     http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20325670
0
 
LVL 22

Accepted Solution

by:
orangutang earned 125 total points
ID: 20325689
These look suspicious:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,ntsvc32.dll,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O20 - AppInit_DLLs: w32tm.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 

Expert Comment

by:Weddeh
ID: 20325709
This line are spywares, remove this line:

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll (file missing)
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'Default user')
0
 

Author Comment

by:mred
ID: 20411639
Problem fixed. I hadn't even been on the computer weeks now but  Orangutangs looks right. Thanks.
0
 

Author Closing Comment

by:mred
ID: 31410298
My screen is overlaping letters!!! and droping off some. May be the IE7 ? ?
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412664
Send us an updated HijackThis log.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412682
Oops, never mind about the last post.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ok I have been working on this for some time having learned and gained certification in XenDesktop 4 along came version 5 which was released last month. Since then I have been working to deploy XenDesktop 5 in a small environment with only 2 virt…
We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question