Solved

Spyware

Posted on 2007-11-20
9
3,694 Views
Last Modified: 2011-09-20
one of my computers got an infection with spyware. I ran Hijackthis & here is the log file. I think it can probably be found in this. If not then will go from there.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:20 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
F:\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,ntsvc32.dll,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O2 - BHO: (no name) - {AF8F343A-33F0-4FCE-B69C-FD0D46A49CE5} - C:\WINDOWS\system32\ati2cqa.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\RunOnce: [AVGW] C:\PROGRA~1\Grisoft\AVG6\avgw.exe /RUNONCE
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: w32tm.dll 
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 
--
End of file - 8583 bytes

Open in new window

0
Comment
Question by:mred
9 Comments
 
LVL 18

Expert Comment

by:Crash2100
ID: 20325597
Have you tried another spyware program, that cleans this stuff out?

     Ad-Aware
     http://www.download.com/3000-2144-10045910.html
     http://www.lavasoft.de/support/download/

     SpybotSD - Download Spybot - Search & Destroy by PepiMK Software
     http://www.safer-networking.org/en/download/index.html

     Spyware Doctor
     http://www.download.com/Spyware-Doctor/3000-8022-10361503.html
     http://www.pctools.com/spyware-doctor/download/

     SpywareBlaster
     http://www.download.com/SpywareBlaster/3000-8022_4-10196637.html
     http://www.javacoolsoftware.com/spywareblaster.html

     CA Spyware Information Center
     http://www3.ca.com/securityadvisor/pest/

     Windows® Defender (Beta 2) x86
     http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20325670
0
 
LVL 22

Accepted Solution

by:
orangutang earned 125 total points
ID: 20325689
These look suspicious:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,ntsvc32.dll,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O20 - AppInit_DLLs: w32tm.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 

Expert Comment

by:Weddeh
ID: 20325709
This line are spywares, remove this line:

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll (file missing)
O2 - BHO: (no name) - {262eb796-1dd2-11b2-b08b-8139c4904fa7} - C:\WINDOWS\xsfqvwze.dll
O2 - BHO: (no name) - {A21B0D3F-296F-4E1F-A99C-D8C5A0DBDDD0} - C:\Program Files\WindowsUpdate\tecoho4444.dll
O2 - BHO: (no name) - {AECB591D-95D9-4D3C-AABD-4F7644384DB5} - C:\Program Files\WindowsUpdate\tecoho83122.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe
O4 - HKLM\..\Run: [teke] C:\Program Files\MSN Gaming Zone\teke77798.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [C1C4BEC8C2C9C4C8] 575A545E585F5A.exe
O4 - HKLM\..\Run: [WinPerfMon] C:\DOCUME~1\Owner\LOCALS~1\Temp\ndsbhe.exe
O4 - HKLM\..\Run: [uvuhwxkb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uvuhwxkb.dll"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\HCExtOutput.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [Microsoft Antispyware] C:\DOCUME~1\Owner\LOCALS~1\Temp\150.tmp
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{2CE9EDE2-04ED-1033-1231-020801200001}] "C:\Program Files\Common Files\{2CE9EDE2-04ED-1033-1231-020801200001}\Update.exe" mc-110-12-0000140 (User 'Default user')
0
 

Author Comment

by:mred
ID: 20411639
Problem fixed. I hadn't even been on the computer weeks now but  Orangutangs looks right. Thanks.
0
 

Author Closing Comment

by:mred
ID: 31410298
My screen is overlaping letters!!! and droping off some. May be the IE7 ? ?
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412664
Send us an updated HijackThis log.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412678
0
 
LVL 22

Expert Comment

by:orangutang
ID: 20412682
Oops, never mind about the last post.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
It is only natural that we all want our PCs to be in good working order, improved system performance, so that is exactly how programs are advertised to entice. They say things like:            •      PC crashes? Get registry cleaner to repair it!    …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question