pop up infection by spyware


rensz001
pop up infection by spyware
« on: January 30, 2009, 01:19:43 AM »
First of all, thank you very much for the help.
My computer has been infected for a while. It gets worse by the day and the computer runs very slowly now. I have McAfee installed but it does not seem to help much. The spyware has even disabled my Task Manager.
Your help is greatly appreciated. Thanks a lot.
The following is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:48 PM, on 1/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe
C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\System Guard 2009\systemguard.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DC6_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasdc.exe"
O4 - HKLM\..\Run: [ERS_Check] "C:\Program Files\Common Files\WinAntiSpyware 2007 Free\uwasers.exe"
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [systemguard] C:\Program Files\System Guard 2009\systemguard.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Documents and Settings\renshan\Local Settings\Temp\exec.exe regrun
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Shortcut to Internet.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZC
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.19.9/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - AppInit_DLLs: jkunwl.dll
O21 - SSODL: ieModule - {FC5A764A-29FD-427D-AF29-CB1DB3690E1F} - C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {E5A91BBB-A8D1-41B8-8809-94B55E2082F9} - C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\banlvjtutc.dll
O21 - SSODL: lzeyUOppoTrL - {FD41D4E8-66A8-4F5A-B179-ABB344C3629C} - svglwmmdykxj.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O24 - Desktop Component 0: (no name) - http://ec1.images-amazon.com/images/G/01/detail/graduated-blue._V46898420_.gif

--
End of file - 11641 bytes
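Several entries in the log above show how the infection keeps itself running: the F2 UserInit value has a second executable appended after userinit.exe, O20 AppInit_DLLs names a DLL that every process loading user32.dll will pick up, two O21 SSODL entries load DLLs from an Application Data folder and a third points at a missing file, and one O4 Run entry launches exec.exe from the user's Temp folder. The script below is an added example, not part of the original thread and not a HijackThis feature: it parses a handful of lines copied from the log (constructed sample input, with the benign SoundMAXPnP entry kept for contrast) and flags those four patterns. The regular expressions assume the HijackThis 2.0.x line formats shown in the log; the "trusted roots" list and the heuristics themselves are the editor's assumptions.

```python
"""Triage heuristics for HijackThis-style log lines (added example).

Assumptions, not taken from the original post: the regexes below match the
F2/O4/O20/O21 line formats HijackThis 2.0.x writes; the heuristics and the
TRUSTED_ROOTS list are the editor's own, not anything HijackThis does.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the log above, plus one benign
# O4 entry (SoundMAXPnP) so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Documents and Settings\renshan\Local Settings\Temp\exec.exe regrun
O20 - AppInit_DLLs: jkunwl.dll
O21 - SSODL: ieModule - {FC5A764A-29FD-427D-AF29-CB1DB3690E1F} - C:\Documents and Settings\All Users\Application Data\Microsoft\Network\DLLs\ieModule.dll
O21 - SSODL: lzeyUOppoTrL - {FD41D4E8-66A8-4F5A-B179-ABB344C3629C} - svglwmmdykxj.dll (file missing)
"""


@dataclass
class Finding:
    code: str    # HijackThis section code (F2, O4, O20, O21)
    reason: str  # why the heuristic fired
    line: str    # the log line that triggered it


USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
# Groups: hive, Run/RunOnce, value name, command line.
RUN_RE = re.compile(r"^O4 - (HK\S*?)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$", re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: ?(.*)$", re.I)
SSODL_RE = re.compile(r"^O21 - SSODL: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$", re.I)

# Assumption: on a Windows XP box the shell service objects that ship with
# the OS or with installed software live under one of these two roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def userinit_extras(value: str) -> list[str]:
    """Return every UserInit entry that is not the stock userinit.exe.

    The stock XP value is a single entry ending in \\system32\\userinit.exe;
    anything else in the comma-separated list runs at every logon, before
    the shell, which is what the F2 line in the log shows.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def run_entry_in_temp(command: str) -> bool:
    """True when an autorun command line points into a Temp directory."""
    return "\\temp\\" in command.lower()


def ssodl_suspicious(path: str) -> bool:
    """True when the SSODL DLL is missing, has no path, or is outside TRUSTED_ROOTS."""
    low = path.lower()
    if "(file missing)" in low or "\\" not in low:
        return True
    return not low.startswith(TRUSTED_ROOTS)


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect a Finding for each heuristic hit."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := USERINIT_RE.match(line):
            for extra in userinit_extras(m.group(1)):
                findings.append(Finding("F2", f"extra UserInit executable: {extra}", line))
        elif m := RUN_RE.match(line):
            if run_entry_in_temp(m.group(4)):
                findings.append(Finding("O4", f"{m.group(2)} value [{m.group(3)}] launches from Temp", line))
        elif m := APPINIT_RE.match(line):
            if m.group(1).strip():
                findings.append(Finding("O20", f"AppInit_DLLs is set to {m.group(1).strip()}", line))
        elif m := SSODL_RE.match(line):
            if ssodl_suspicious(m.group(3)):
                findings.append(Finding("O21", f"SSODL '{m.group(1)}' loads {m.group(3)}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}")
```

Run against the sample it reports five findings (the UserInit extra, the Temp-folder Run entry, the AppInit_DLLs value and both SSODL entries) and stays silent on the SoundMAX entry. The heuristics are deliberately narrow: they key on where a binary is loaded from and on whether a persistence key that is normally empty has been populated, not on file names, so a renamed dropper is still caught while a legitimate vendor entry under Program Files is not.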

docholoway
Re: pop up infection by spyware
« Reply #1 on: January 30, 2009, 10:14:51 AM »
Hello rensz001,

Welcome to the SpywareHammer Forums,

My name is docholoway and I will be helping you deal with the issues raised in your log.

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state.
A list of P2P programs is listed here.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log. (Please remove the checkmark next to Word Wrap, found under Format -> Word Wrap in the menu bar.)

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.

Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

** We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.


Note: these instructions are strictly for rensz001. If you are not rensz001 and are in need of assistance, please see the following link: HijackThis Guidelines, Read Before Posting

Please be patient while I arrange how to deal with this.

Thanks.

docholoway


rensz001
Re: pop up infection by spyware
« Reply #2 on: January 30, 2009, 12:09:43 PM »
docholoway,

Thank you very much for your time. You guys are great. I very much appreciate all the people here and their willingness to help. I wish I had the ability to do similar things.

After reading this forum, I just followed the instructions from HOOV, who helped another person, and downloaded the software. Now my computer is very clean.

Thanks again for your help.

Ren