Solved

Spyware

Posted on 2007-11-20
9
3,691 Views
Last Modified: 2011-09-20
One of my computers got an infection with spyware. I ran HijackThis, and here is the log file. I think it can probably be found in this. If not, then I will go from there.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:20 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
F:\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,ntsvc32.dll,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O2 - BHO: (no name) - {AF8F343A-33F0-4FCE-B69C-FD0D46A49CE5} - C:\WINDOWS\system32\ati2cqa.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\RunOnce: [AVGW] C:\PROGRA~1\Grisoft\AVG6\avgw.exe /RUNONCE
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: w32tm.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8583 bytes


0
Question by:mred
9 Comments
 
LVL 18

Expert Comment

by:Crash2100
ID: 20325597
Have you tried another spyware program that cleans this stuff out?

     Ad-Aware
     http://www.download.com/3000-2144-10045910.html
     http://www.lavasoft.de/support/download/

     SpybotSD - Download Spybot - Search & Destroy by PepiMK Software
     http://www.safer-networking.org/en/download/index.html

     Spyware Doctor
     http://www.download.com/Spyware-Doctor/3000-8022-10361503.html
     http://www.pctools.com/spyware-doctor/download/

     SpywareBlaster
     http://www.download.com/SpywareBlaster/3000-8022_4-10196637.html
     http://www.javacoolsoftware.com/spywareblaster.html

     CA Spyware Information Center
     http://www3.ca.com/securityadvisor/pest/

     Windows® Defender (Beta 2) x86
     http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20325670
0
 
LVL 22

Accepted Solution

by:
orangutang earned 125 total points
ID: 20325689
These look suspicious:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,ntsvc32.dll,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O20 - AppInit_DLLs: w32tm.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
0
 

Expert Comment

by:Weddeh
ID: 20325709
These lines are spyware; remove these lines:

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll (file missing)
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'Default user')
0
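Both experts above picked out the same kinds of entries by eye: a UserInit value with extra executables appended, unnamed BHOs with random filenames, Run keys pointing into Temp or imitating Windows binaries, a non-empty AppInit_DLLs value and Winlogon Notify packages that do not belong. The script below is an added example (not HijackThis code and not something either expert posted) that encodes those triage rules so the same reasoning can be applied to a whole log at once. The sample lines are copied from the log in the question, with a few clean entries kept so the rules have something to pass. The known-good allowlist and the list of genuine Windows filenames are assumptions standing in for a proper file-reputation database.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis itself)."""
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted in the question. The Adobe BHO, Spybot's
# SDHelper, iTunesHelper, KernelFaultCheck and the iPod service are the clean controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,ntsvc32.dll,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - AppInit_DLLs: w32tm.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# ASSUMPTION: a tiny stand-in for a real known-good file database.
KNOWN_GOOD_FILES = {"acroiehelper.dll", "sdhelper.dll"}
# Genuine Windows binaries whose names malware imitates by adding or swapping a character.
WINDOWS_NAMES = {"taskmgr.exe", "spoolsv.exe", "ctfmon.exe", "svchost.exe", "lsass.exe",
                 "csrss.exe", "winlogon.exe", "cryptnet.dll", "crypt32.dll"}
TEMP_PATH = re.compile(r"\\temp\\|\.tmp$", re.IGNORECASE)
HEX_TOKEN = re.compile(r"[0-9A-F]{12,}", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    line: str      # the original log line
    reason: str


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the real Windows name this filename imitates, or None if it is genuine/unrelated."""
    name = filename.lower()
    if name in WINDOWS_NAMES:
        return None
    for real in sorted(WINDOWS_NAMES):
        if edit_distance(name, real) <= 2:
            return real
    return None


def split_command(cmd):
    """Split an O4 command into (executable path, filename); handles quoted paths."""
    cmd = cmd.strip()
    exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return exe, re.split(r"[\\/]", exe)[-1]


def check_line(line):
    """Apply the per-section heuristics to one log line; returns a list of Findings."""
    out = []
    if m := re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line):
        # A clean XP UserInit value is userinit.exe alone; every extra entry runs at logon.
        extras = [p for p in m.group(1).split(",")
                  if p.strip() and not p.lower().endswith("\\userinit.exe")]
        if extras:
            out.append(Finding("F2", line, "extra UserInit entries run at every logon: " + ", ".join(extras)))
    if m := re.match(r"O2 - BHO: (.*?) - \{[^}]+\} - (.*)$", line):
        name, path = m.groups()
        if name == "(no name)" and re.split(r"[\\/]", path.strip())[-1].lower() not in KNOWN_GOOD_FILES:
            out.append(Finding("O2", line, "unnamed BHO outside the known-good list"))
    if m := re.match(r"O4 - \S+: \[([^\]]*)\] (.*)$", line):
        value_name, cmd = m.groups()
        exe, fname = split_command(cmd)
        if TEMP_PATH.search(exe):
            out.append(Finding("O4", line, "autorun from a Temp directory or .tmp file"))
        if "\\" not in exe and "/" not in exe:
            out.append(Finding("O4", line, "bare filename with no directory (resolved by PATH search)"))
        if HEX_TOKEN.fullmatch(value_name) or HEX_TOKEN.fullmatch(fname.rsplit(".", 1)[0]):
            out.append(Finding("O4", line, "random hex-looking value name or filename"))
        if real := lookalike_of(fname):
            out.append(Finding("O4", line, f"filename imitates Windows binary {real}"))
    if re.match(r"O20 - AppInit_DLLs: \S", line):
        out.append(Finding("O20", line, "AppInit_DLLs is empty on a clean XP install; listed DLLs load into every process"))
    if m := re.match(r"O20 - Winlogon Notify: \S+ - (.*)$", line):
        path = m.group(1).strip()
        if real := lookalike_of(re.split(r"[\\/]", path)[-1]):
            out.append(Finding("O20", line, f"Winlogon notify DLL imitates {real}"))
        elif not path.lower().startswith("c:\\windows\\system32\\"):
            out.append(Finding("O20", line, "Winlogon notify DLL outside system32"))
        else:
            out.append(Finding("O20", line, "Winlogon notify package: review manually"))
    return out


def analyze(log_text):
    """Run check_line over every non-empty line of a log and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        if raw.strip():
            findings.extend(check_line(raw.strip()))
    return findings


def flagged_lines(log_text):
    """Distinct log lines that tripped at least one rule, in log order."""
    seen = []
    for f in analyze(log_text):
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample, the rules flag ten of the sixteen lines and let the five clean controls through, but they also miss `kernelwind32.exe`: its name is not close enough to any genuine binary and it sits in system32, so only a file-reputation lookup or the judgement the experts applied above would catch it. Treat output like this as a worklist for a human, not as a verdict.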

 

Author Comment

by:mred
ID: 20411639
Problem fixed. I hadn't even been on the computer in weeks now, but orangutang's looks right. Thanks.
0
 

Author Closing Comment

by:mred
ID: 31410298
My screen is overlapping letters!!! and dropping some off. Maybe it's IE7??
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412664
Send us an updated HijackThis log.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412678
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412682
Oops, never mind about the last post.
0
