
Help with Spyware!


ccarbo


Can someone analyze my HijackThis log? Also included is the Panda scan log.

I ran Spybot, SUPERAntiSpyware, Ad-Aware, CCleaner, and now HijackThis. I am not sure if I got everything.

Please advise.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:24:35 PM, on 10/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\PC Defender\Common\FSMA32.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\PC Defender\Common\FSMB32.EXE

C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe

C:\Program Files\PC Defender\Common\FCH32.EXE

C:\Program Files\PC Defender\Anti-Virus\fsqh.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe

C:\Program Files\TDS Accelerator\slipcore.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell AIO Printer A940\dlbabmon.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\TDS Accelerator\slipgui.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.tds.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.tds.net/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\TDS Accelerator\PBHelper.dll

O2 - BHO: (no name) - {48482399-5F12-4506-9EFF-46FE7A3E2C30} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: TDS Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\TDS Accelerator\Toolband.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [slipStream] "C:\Program Files\TDS Accelerator\slipcore.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O4 - Global Startup: TDS Accelerator.lnk = C:\Program Files\TDS Accelerator\slipgui.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm325

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: SmartShopper - Compare product prices - {679B2A8D-B2FF-41ed-B3ED-C5CFB8564CB0} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: SmartShopper - Compare travel rates - {9E4DF170-217F-4658-A11F-590664542B73} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102014643531

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: byxyvvw - byxyvvw.dll (file missing)

O20 - Winlogon Notify: psgjgzal - psgjgzal.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\mcaskhgi.exe (file missing)

O23 - Service: Visual IP InSight Client (TDS) (InverseLaunchIPI_TDS) - Visual Networks - C:\Program Files\Visual IP InSight\TDS\LaunchIPI.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--

End of file - 9674 bytes

************************************** PANDA SCAN ****************************

Incident Status Location

Adware:adware/popmonster Not disinfected C:\Documents and Settings\Carol Dettmering\Favorites\shopping\Ebay.url

Adware:adware/favoriteman Not disinfected c:\windows\downloaded program files\ATPartners.inf

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.8-2.inf

Adware:adware/comet Not disinfected c:\windows\inf\dm.inf

Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Carol Dettmering\Application Data\tvmuknwrd.dll

Adware:adware program Not disinfected c:\windows\ss3unstl.exe

Adware:adware/searchrelevancy Not disinfected c:\program files\SearchRelevant

Adware:adware/wupd Not disinfected c:\program files\Windows TaskAd

Potentially unwanted tool:application/mywebsearch Not disinfected hkey_local_machine\software\microsoft\office\word\addins\MyWebSearch.OutlookAddin

Adware:adware/oemji Not disinfected Windows Registry

Adware:adware/exact.bargainbuddy Not disinfected Windows Registry

Potentially unwanted tool:application/errorguard Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{205ff73b-ca67-11d5-99dd-444553540006}

Adware:adware/block-checker Not disinfected Windows Registry

Adware:adware/whenusearch Not disinfected Windows Registry

Adware:adware/dyfuca Not disinfected Windows Registry

Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@64.62.232[2].txt

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@888[1].txt

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@888[2].txt

Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@ccbill[1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@cgi-bin[5].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@go[2].txt

Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@rn11[2].txt

Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@spywarestormer[1].txt

Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@target[1].txt

Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@www.affiliatefuel[1].txt

Spyware:Cookie/TopRebates.com Not disinfected C:\Documents and Settings\Kayla Couillard\Cookies\kayla couillard@www.toprebates[2].txt

Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\uninstall.exe

Virus:Trj/Agent.DPE Disinfected C:\WINDOWS\eMusicSetup.exe

Activescan.txt


Howdy, by your reply, you already did a scan and clean attempt, correct? Did you do this in safe mode? Best way to go.

I would remove these....

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm325

O9 - Extra button: SmartShopper - Compare product prices - {679B2A8D-B2FF-41ed-B3ED-C5CFB8564CB0} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: SmartShopper - Compare travel rates - {9E4DF170-217F-4658-A11F-590664542B73} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\System32\shdocvw.dll

O20 - Winlogon Notify: byxyvvw - byxyvvw.dll (file missing)

O20 - Winlogon Notify: psgjgzal - psgjgzal.dll (file missing) **Note: O20 and O20, were these trojans you removed?**

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\mcaskhgi.exe (file missing)

Afterwards, run another scan with a known good antivirus, etc., and HijackThis too.

Paul


Thanks Paul, got 'er clean. Yeah, I cleaned a lot of stuff but just wanted to post to have the "pros" take a look. I am getting better at this after dealing with a few machines that were WAY messed up.

Hey thanks for your help!

Clint


ccarbo, your Panda scan shows several items not disinfected.

Adware:adware/popmonster Not disinfected C:\Documents and Settings\Carol Dettmering\Favorites\shopping\Ebay.url

Adware:adware/favoriteman Not disinfected c:\windows\downloaded program files\ATPartners.inf

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.8-2.inf

Adware:adware/comet Not disinfected c:\windows\inf\dm.inf

Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Carol Dettmering\Application Data\tvmuknwrd.dll

Adware:adware program Not disinfected c:\windows\ss3unstl.exe

Adware:adware/searchrelevancy Not disinfected c:\program files\SearchRelevant

Adware:adware/wupd Not disinfected c:\program files\Windows TaskAd

Potentially unwanted tool:application/mywebsearch Not disinfected hkey_local_machine\software\microsoft\office\word\addins\MyWebSearch.OutlookAddin

Adware:adware/oemji Not disinfected Windows Registry

Adware:adware/exact.bargainbuddy Not disinfected Windows Registry

Potentially unwanted tool:application/errorguard Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{205ff73b-ca67-11d5-99dd-444553540006}

Adware:adware/block-checker Not disinfected Windows Registry

Adware:adware/whenusearch Not disinfected Windows Registry

Adware:adware/dyfuca Not disinfected Windows Registry

Also from your other posts, it appears you are cleaning machines in your shop and charging, but using our free help to do so. If this is the case, it is not acceptable. We give help for free and not for others to use and charge.

