[ Done ] Help - Infested with Spyware!...HiJackThis Log Included


Cognitarium

  • Bronze Member
  • 11
[ Done ] Help - Infested with Spyware!...HiJackThis Log Included
« on: December 22, 2008, 10:49:20 AM »
Help...Infested with Spyware!

Last night I noticed some issues with new browser pop-ups, and upon deleting various bugs with Spyware Doctor and Spybot in both normal and safe mode, the nasties apparently keep coming back; though my recent scan doesn't show any bugs, the pop-ups and related behavior continue...

Apart from downloading a dozen different types of spy related freeware, I have no idea what to do.

My HiJackThis Log is as follows:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.113.119.188:8080
O2 - BHO: (no name) - {97d94905-24c2-430c-82ba-330b3bf34044} - C:\WINDOWS\system32\goyukuyu.dll
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\DELLUS~1\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [yezekilogo] Rundll32.exe "C:\WINDOWS\system32\rumepopo.dll",s
O4 - HKLM\..\Run: [849ad9a8] rundll32.exe "C:\WINDOWS\system32\vafubamu.dll",b
O4 - HKLM\..\Run: [CPM87a9ea34] Rundll32.exe "c:\windows\system32\bupudofa.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\DELLUS~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: dypxot.dll C:\WINDOWS\system32\nizedage.dll c:\windows\system32\bupudofa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fccbccb - fccbccb.dll (file missing)
O20 - Winlogon Notify: khfFWnMg - khfFWnMg.dll (file missing)
O20 - Winlogon Notify: rqRLfFWp - rqRLfFWp.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - C:\WINDOWS\SYSTEM32\BUPUDOFA.DLL
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\SYSTEM32\TYSHB36RFJDF.DLL
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - C:\WINDOWS\SYSTEM32\BUPUDOFA.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 8266 bytes
« Last Edit: December 31, 2008, 07:43:41 AM by bamajim »
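A triage script for the kind of HijackThis log posted above, added here as an example; it is not part of the thread and not HijackThis's own code. It parses the entry lines, applies the indicators a helper looks for first (a hijacked IE proxy, an autorun from the Temp folder, rundll32 loading a DLL through a one-letter export, AppInit_DLLs injection, orphaned Winlogon Notify entries) and then cross-references every DLL basename across load points, which is what makes bupudofa.dll stand out. The sample lines are a subset copied from the first log; the rule names and thresholds are my own.

```python
"""Triage a HijackThis log for the persistence patterns visible in this thread.
Added example, not part of the forum post or of HijackThis itself."""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.113.119.188:8080
O2 - BHO: (no name) - {97d94905-24c2-430c-82ba-330b3bf34044} - C:\WINDOWS\system32\goyukuyu.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\DELLUS~1\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [849ad9a8] rundll32.exe "C:\WINDOWS\system32\vafubamu.dll",b
O4 - HKLM\..\Run: [CPM87a9ea34] Rundll32.exe "c:\windows\system32\bupudofa.dll",a
O20 - AppInit_DLLs: dypxot.dll C:\WINDOWS\system32\nizedage.dll c:\windows\system32\bupudofa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fccbccb - fccbccb.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - C:\WINDOWS\SYSTEM32\BUPUDOFA.DLL
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - C:\WINDOWS\SYSTEM32\BUPUDOFA.DLL
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""


class Finding(NamedTuple):
    section: str   # HijackThis section tag ("O4", "O20", ...) or "*" for cross-section rules
    rule: str      # which heuristic fired (rule names are my own, not HijackThis's)
    detail: str    # the indicator that fired it


# Every HijackThis entry is "<tag> - <rest>"; headers and blank lines do not match.
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# DLL basenames only: the cross-reference keys on the file name, not the path casing.
DLL_RE = re.compile(r'[^\s"\\,]+\.dll\b', re.IGNORECASE)
# rundll32.exe "<dll>",<export>  -- a one-letter export is a common loader pattern.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^"]+?\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)


def parse(log_text):
    """Yield (section, rest) for every entry line in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def dll_loadpoints(log_text):
    """Map each DLL basename (lower-cased) to the set of section tags that reference it."""
    points = defaultdict(set)
    for section, rest in parse(log_text):
        for dll in DLL_RE.findall(rest):
            points[dll.lower()].add(section)
    return points


def triage(log_text):
    """Return the findings a helper would flag in this log, in log order, then cross-references."""
    findings = []
    for section, rest in parse(log_text):
        if section == "R1" and "ProxyServer = " in rest:
            # A proxy pointing at a foreign host means every browser request is being relayed.
            proxy = rest.split("ProxyServer = ", 1)[1].strip()
            if proxy and not proxy.startswith(("127.", "localhost")):
                findings.append(Finding(section, "proxy-hijack", proxy))
        elif section == "O4":
            # Legitimate autoruns do not live in the user's Temp folder.
            if re.search(r"\\temp\\", rest, re.IGNORECASE):
                findings.append(Finding(section, "autorun-from-temp", rest.split("] ", 1)[-1]))
            m = RUNDLL_RE.search(rest)
            if m and len(m.group(2)) == 1:
                findings.append(Finding(section, "rundll32-single-letter-export", m.group(1)))
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are injected into every user32-linked process; any entry is notable.
            for dll in rest.split(":", 1)[1].split():
                findings.append(Finding(section, "appinit-dll", dll))
        elif section == "O20" and "(file missing)" in rest:
            # A Notify entry whose DLL is gone is residue of a removal and should be cleaned up.
            findings.append(Finding(section, "orphan-winlogon-notify", rest))
    # A DLL wired into two or more different load points is almost never legitimate.
    for dll, sections in sorted(dll_loadpoints(log_text).items()):
        if len(sections) >= 2:
            findings.append(Finding("*", "multi-loadpoint-dll",
                                    f"{dll} via {','.join(sorted(sections))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.rule}: {f.detail}")
```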


bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: Help - Infested with Spyware!...HiJackThis Log Included
« Reply #1 on: December 23, 2008, 08:54:38 AM »
Cognitarium

The top section of your Hijackthis log is missing. Rerun Hijackthis and post a fresh Hijackthis log.

2008-2010
Rights cannot exist without morals


Cognitarium

  • Bronze Member
  • 11
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #2 on: December 23, 2008, 11:17:11 AM »
I appreciate the heads up, I hadn't noticed that.

Below is a fresh log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:58 PM, on 12/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.113.119.188:8080
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: dypxot.dll   
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: fccbccb - fccbccb.dll (file missing)
O20 - Winlogon Notify: khfFWnMg - khfFWnMg.dll (file missing)
O20 - Winlogon Notify: rqRLfFWp - rqRLfFWp.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6347 bytes


bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #3 on: December 23, 2008, 11:55:28 AM »
Cognitarium

No problem.

Please download Combofix and save to your desktop:

Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.



Cognitarium

  • Bronze Member
  • 11
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #4 on: December 23, 2008, 12:58:08 PM »

ComboFix 08-12-23.01 - Dell User 2008-12-23 13:52:12.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.990.496 [GMT -5:00]
Running from: c:\documents and settings\Dell User\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dell User\Application Data\inst.exe
c:\program files\Helper
c:\windows\system32\dypxot.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\toqkovqu.dll
c:\windows\system32\x64

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER


(((((((((((((((((((((((((   Files Created from 2008-11-23 to 2008-12-23  )))))))))))))))))))))))))))))))
.

2008-12-23 11:45 . 2008-12-23 11:45   <DIR>   d--------   c:\program files\K-Lite Codec Pack
2008-12-23 11:45 . 2008-09-19 16:57   3,596,288   --a------   c:\windows\system32\qt-dx331.dll
2008-12-23 10:28 . 2008-12-23 10:28   <DIR>   d--------   c:\documents and settings\Dell User\Application Data\ESET
2008-12-23 10:27 . 2008-12-23 10:52   <DIR>   d--------   c:\documents and settings\All Users\Application Data\ESET
2008-12-23 00:49 . 2008-12-23 00:49   <DIR>   d--------   c:\program files\Foxit Software
2008-12-23 00:49 . 2008-12-23 00:49   <DIR>   d--------   c:\documents and settings\Dell User\Application Data\Foxit
2008-12-22 15:31 . 2008-12-22 15:31   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-22 15:06 . 2008-12-22 15:06   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-22 12:04 . 2008-12-22 12:04   <DIR>   d--------   c:\documents and settings\Dell User\Application Data\GlarySoft
2008-12-22 10:56 . 2008-12-22 12:37   <DIR>   d--------   c:\program files\SUPERAntiSpyware
2008-12-22 10:56 . 2008-12-22 10:56   <DIR>   d--------   c:\documents and settings\Dell User\Application Data\SUPERAntiSpyware.com
2008-12-22 10:56 . 2008-12-22 10:56   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-22 10:53 . 2008-12-22 10:54   <DIR>   d--------   c:\program files\Spyware Terminator
2008-12-22 10:53 . 2008-12-22 12:40   <DIR>   d--------   c:\documents and settings\Dell User\Application Data\Spyware Terminator
2008-12-22 10:53 . 2008-12-22 12:40   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spyware Terminator
2008-12-22 10:53 . 2008-12-22 10:53   141,312   --a------   c:\windows\system32\drivers\sp_rsdrv2.sys
2008-12-22 10:52 . 2008-12-22 10:53   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-12-22 10:52 . 2008-12-22 10:52   <DIR>   d--------   c:\documents and settings\Dell User\Application Data\Malwarebytes
2008-12-22 10:52 . 2008-12-22 10:52   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 10:52 . 2008-12-03 19:52   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 10:52 . 2008-12-03 19:52   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-12-22 10:51 . 2008-12-22 10:51   <DIR>   d--------   c:\program files\Glary Utilities
2008-12-22 10:51 . 2008-12-22 10:51   <DIR>   d--------   c:\program files\CCleaner
2008-12-22 10:49 . 2008-12-22 10:49   <DIR>   d--------   c:\program files\IObit
2008-12-22 10:48 . 2008-12-22 10:48   <DIR>   d--------   c:\program files\Lavasoft
2008-12-22 10:47 . 2008-12-22 10:56   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
2008-12-22 09:23 . 2008-12-22 09:23   <DIR>   d----c---   C:\VundoFix Backups
2008-12-17 17:42 . 2008-12-17 17:42   <DIR>   d--------   c:\documents and settings\All Users\Application Data\WEBREG
2008-12-17 17:42 . 2008-12-17 17:42   <DIR>   d--------   c:\documents and settings\All Users\Application Data\HP
2008-12-17 17:31 . 2008-12-17 17:31   <DIR>   d--------   c:\program files\Common Files\HP
2008-12-17 17:29 . 2008-12-17 17:29   <DIR>   d--------   c:\program files\HP
2008-12-17 17:17 . 2008-12-17 17:17   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-12-17 17:17 . 2008-12-17 17:42   157,454   --a------   c:\windows\hphins27.dat
2008-12-17 17:17 . 2007-12-12 19:04   787   ---------   c:\windows\hphmdl27.dat
2008-12-17 17:16 . 2007-11-08 10:06   271,704   -ra------   c:\windows\system32\hpzids01.dll
2008-12-17 17:16 . 2007-10-20 18:25   117,760   --a------   c:\windows\system32\hpzll5mu.dll
2008-12-17 16:09 . 2008-04-13 14:47   25,856   --a------   c:\windows\system32\drivers\usbprint.sys
2008-12-17 16:09 . 2008-04-13 14:47   25,856   --a------   c:\windows\system32\dllcache\usbprint.sys
2008-12-17 11:24 . 2008-12-17 11:24   <DIR>   d--------   c:\program files\Apple Software Update
2008-12-17 11:24 . 2008-12-17 11:24   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple
2008-12-16 12:30 . 2008-12-16 12:30   <DIR>   d--------   c:\documents and settings\All Users\Application Data\vsosdk
2008-12-16 10:14 . 2008-12-16 10:14   <DIR>   d--------   c:\program files\VSO
2008-12-16 10:14 . 2006-05-20 16:16   1,184,984   --a------   c:\windows\system32\wvc1dmod.dll
2008-12-16 10:14 . 2006-05-11 19:21   626,688   --a------   c:\windows\system32\vp7vfw.dll
2008-12-16 10:14 . 2006-09-29 12:24   217,127   --a------   c:\windows\system32\drv43260.dll
2008-12-16 10:14 . 2006-09-29 12:25   208,935   --a------   c:\windows\system32\drv33260.dll
2008-12-16 10:14 . 2006-09-29 12:26   176,165   --a------   c:\windows\system32\drv23260.dll
2008-12-16 10:14 . 2002-12-10 02:20   102,439   --a------   c:\windows\system32\sipr3260.dll
2008-12-16 10:14 . 2007-03-18 20:37   65,602   --a------   c:\windows\system32\cook3260.dll
2008-12-14 21:19 . 2008-12-14 21:19   <DIR>   d--------   c:\program files\IrfanView
2008-12-14 21:03 . 2008-12-14 21:13   <DIR>   dr-------   C:\UDC Output Files
2008-12-14 18:38 . 2008-12-14 18:38   <DIR>   d--------   c:\documents and settings\Dell User\Application Data\AVS4YOU
2008-12-14 18:38 . 2008-12-14 18:38   <DIR>   d--------   c:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-14 18:37 . 2008-12-14 18:42   <DIR>   d--------   c:\program files\Common Files\AVSMedia
2008-12-14 18:36 . 2007-02-27 18:36   974,848   --a------   c:\windows\system32\mfc70.dll
2008-12-14 18:36 . 2007-02-27 18:36   487,424   --a------   c:\windows\system32\msvcp70.dll
2008-12-14 18:36 . 2007-02-27 18:36   344,064   --a------   c:\windows\system32\msvcr70.dll
2008-12-14 18:36 . 2007-02-27 18:36   24,576   --a------   c:\windows\system32\msxml3a.dll
2008-12-10 17:58 . 2008-12-10 17:58   <DIR>   d--h-----   c:\windows\PIF
2008-12-10 16:23 . 2008-12-10 16:23   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Applications
2008-12-04 00:25 . 2008-12-04 00:25   <DIR>   d--hs----   c:\documents and settings\Dell User\PrivacIE

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 18:54   ---------   d-----w   c:\program files\cFosSpeed
2008-12-23 18:52   ---------   d-----w   c:\documents and settings\Dell User\Application Data\DMCache
2008-12-23 16:37   ---------   d-----w   c:\program files\Common Files\Real
2008-12-23 16:03   ---------   d-----w   c:\program files\ESET
2008-12-23 15:26   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2008-12-23 15:25   ---------   d-----w   c:\documents and settings\Dell User\Application Data\Thinstall
2008-12-23 15:18   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 01:14   ---------   d-----w   c:\program files\Common Files\Adobe
2008-12-22 15:48   ---------   d-----w   c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 20:03   ---------   d-----w   c:\documents and settings\Dell User\Application Data\Vso
2008-12-16 15:14   47,360   ----a-w   c:\windows\system32\drivers\pcouffin.sys
2008-12-16 15:14   47,360   ----a-w   c:\documents and settings\Dell User\Application Data\pcouffin.sys
2008-12-10 06:44   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-10 05:38   ---------   d-----w   c:\program files\Spybot - Search & Destroy
2008-11-15 03:40   ---------   d-----w   c:\program files\Sebran
2008-10-31 04:03   ---------   d-----w   c:\documents and settings\Dell User\Application Data\IDM
2008-10-27 14:59   ---------   d-----w   c:\program files\Winamp
2008-10-27 14:59   ---------   d-----w   c:\documents and settings\Dell User\Application Data\Winamp
2008-10-26 05:22   ---------   d-----w   c:\program files\VideoLAN
2008-10-24 20:53   34,824   ----a-w   c:\windows\system32\drivers\epfwtdir.sys
2008-10-24 20:46   53,256   ----a-w   c:\windows\system32\drivers\easdrv.sys
2008-10-24 20:45   39,944   ----a-w   c:\windows\system32\drivers\eamon.sys
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-03-09 19:11   87,608   ----a-w   c:\documents and settings\Dell User\Application Data\ezpinst.exe
2007-12-14 03:01   60,968   ----a-w   c:\documents and settings\Dell User\GoToAssistDownloadHelper.exe
2004-03-11 18:27   40,960   ----a-w   c:\program files\Uninstall_CDS.exe
2008-09-06 14:06   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2008-05-20 40960]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2007-12-21 931760]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-05-08 1015808]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2007-08-22 854992]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-24 1451264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChangeTPMAuth
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmbassySecurityCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureUpgrade

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-07-26 19:03 178712 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-12-21 07:08 931760 c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"IAANTMON"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Spyware Terminator\\sp_rsser.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-10-24 34824]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 133968]
R2 BCMNTIO;BCMNTIO;\??\c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2008-06-10 3744]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 MAPMEM;MAPMEM;\??\c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2008-06-10 3904]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66da3067-2a62-11dd-be0f-001aa077959f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-23 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-09-17 16:35]

2008-12-23 c:\windows\Tasks\pgwsgbwe.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

Notify-fccbccb - fccbccb.dll
Notify-khfFWnMg - khfFWnMg.dll
Notify-rqRLfFWp - rqRLfFWp.dll
MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
MSConfigStartUp-Acrobat Speed Launch - c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0071211
uInternet Settings,ProxyServer = 65.113.119.188:8080
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
FF - ProfilePath - c:\documents and settings\Dell User\Application Data\Mozilla\Firefox\Profiles\1ddaq4zs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Dell User\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 13:54:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\ati2sgag.exe
c:\program files\cFosSpeed\spd.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Spyware Terminator\sp_rsser.exe
.
**************************************************************************
.
Completion time: 2008-12-23 13:55:21 - machine was rebooted
ComboFix-quarantined-files.txt  2008-12-23 18:55:19

Pre-Run: 116,190,236,672 bytes free
Post-Run: 116,864,958,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

264   --- E O F ---   2008-12-19 07:11:34

*

Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #5 on: December 23, 2008, 02:49:19 PM »
Cognitarium

Good work. Rerun Hijackthis and post a fresh Hijackthis log.

And in your reply, give me an update on how your PC is running now.

2008-2010
Rights cannot exist without morals

*

Offline Cognitarium

  • Bronze Member
  • 11
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #6 on: December 23, 2008, 02:50:31 PM »
Here you go:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:56 PM, on 12/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.113.119.188:8080
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5920 bytes

*

Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #7 on: December 23, 2008, 03:07:59 PM »
Cognitarium

How is your PC running now?

2008-2010
Rights cannot exist without morals

*

Offline Cognitarium

  • Bronze Member
  • 11
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #8 on: December 23, 2008, 04:05:09 PM »
Things are much better than they were even this morning; however, I just got hit with another pop-up.
« Last Edit: December 23, 2008, 04:11:37 PM by Cognitarium »

*

Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #9 on: December 23, 2008, 04:58:33 PM »
Do you use a proxy server?

2008-2010
Rights cannot exist without morals

*

Offline Cognitarium

  • Bronze Member
  • 11
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #10 on: December 23, 2008, 11:39:48 PM »
No I don't.

*

Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #11 on: December 24, 2008, 08:43:50 AM »
Cognitarium

1. Rerun Hijackthis (scan only) and place checks beside the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.113.119.188:8080

Close all other open windows except Hijackthis and select "Fix checked".

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log.

2008-2010
Rights cannot exist without morals
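To show what the fix above removes and how to confirm it, an added example (not from this thread, not HijackThis's own code): a small Python checker that keeps only the entry lines of a HijackThis log, flags an R1 ProxyServer entry whose host is outside the local network, and diffs a pre-fix log against a post-fix log. The sample logs are constructed excerpts; only the R1 line is the one from the log above.

```python
import ipaddress
import re

# A HijackThis entry line starts with its section code (R0/R1, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# R1 entry carrying the WinINet ProxyServer value that IE and most Windows tools honour.
PROXY_RE = re.compile(r"^(HKCU|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion"
                      r"\\Internet Settings,ProxyServer = (?P<value>.+)$")

def parse_entries(log_text):
    """Keep only entry lines; the header, process list and footer are dropped."""
    return [ln.strip() for ln in log_text.splitlines() if ENTRY_RE.match(ln.strip())]

def proxy_hosts(value):
    """Hosts in a ProxyServer value: 'host:port' or 'http=h:p;https=h:p;...'."""
    hostports = [part.split("=", 1)[-1].strip() for part in value.split(";")]
    return [hp.rsplit(":", 1)[0] for hp in hostports if hp]

def is_local(host):
    """Loopback or RFC 1918 hosts are where a legitimate local filter proxy lives."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # a hostname: cannot judge, treat as non-local
        return False
    return ip.is_loopback or ip.is_private

def suspicious_proxies(entries):
    """(entry, host) pairs whose ProxyServer points outside the local network."""
    findings = []
    for entry in entries:
        m = ENTRY_RE.match(entry)
        pm = PROXY_RE.match(m.group("body")) if m and m.group("code") == "R1" else None
        if pm:
            findings += [(entry, h) for h in proxy_hosts(pm.group("value")) if not is_local(h)]
    return findings

def removed_entries(before, after):
    """Entries in the pre-fix log that are gone from the post-fix log."""
    after_set = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in after_set]

# Constructed excerpts in HijackThis v2 format; the R1 line is the one flagged in the thread.
LOG_BEFORE = """Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 65.113.119.188:8080
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
End of file - 5920 bytes
"""
LOG_AFTER = "\n".join(ln for ln in LOG_BEFORE.splitlines() if "ProxyServer" not in ln)

if __name__ == "__main__":
    print("suspicious:", suspicious_proxies(parse_entries(LOG_BEFORE)))
    print("removed after fix:", removed_entries(LOG_BEFORE, LOG_AFTER))
```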

*

Offline Cognitarium

  • Bronze Member
  • 11
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #12 on: December 24, 2008, 09:47:26 AM »
That's interesting; I wasn't aware of a proxy server.

I've done as instructed with the fresh log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:34 AM, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5487 bytes

*

Offline bamajim

  • Administrator
  • Platinum Member
  • 3116
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #13 on: December 24, 2008, 10:19:23 AM »
Cognitarium

Excellent.

One more check and we should be there.

Please perform an Ewido Online Malware Scan:
  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner, please click Yes to allow the download.
  • Click on Start Scan.
  • After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
  • If any infections are found (after you save the logfile), click on Remove Infections.

2008-2010
Rights cannot exist without morals

*

Offline Cognitarium

  • Bronze Member
  • 11
Re: [ In Progress ] Help - Infested with Spyware!...HiJackThis Log Included
« Reply #14 on: December 24, 2008, 11:41:17 AM »
__________________________________________________
ewido anti-spyware online scanner
   http://www.ewido.net
__________________________________________________


Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Dell User\Cookies\dell_user@msnportal.112.2o7[1].txt
Risk: Medium

Name: Trojan.Agent.dx
Path: C:\Documents and Settings\Dell User\Desktop\Tweak-XP Pro\Tweak-XP_Pro_v4.07_www.cw-network.info_FOT9.rar/Tweak-XP Pro v4.07\Patch\tweak-xp.pro.4.07.retail-patch.exe
Risk: High

Name: Trojan.Ankit
Path: C:\Documents and Settings\Dell User\My Documents\Over 2000 Short Tutorials\Great_Tuts.zip/Great Tuts/Tutorials - blacksun.box.sk/coding/Batch File Programming.txt
Risk: High

Name: Trojan.Inject.jt
Path: C:\SDFix\catchme.exe
Risk: High