Adaware detects my computer as clean :)
Spybot detects DSO Exploit. I have tried to clean them, but they still exist.
(please see attachment dso_exploit1.jpg)
And here is my startdreck.log
======================
StartDreck (build 2.1.7 public stable) - 2005-03-01 @ 13:31:01 (GMT +07:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as abon at ABON-UUDPKRU2
»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*Yahoo! Pager=C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
*Mozilla Quick Launch="C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*PmProxy=C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
*Apoint=C:\Program Files\Apoint2K\Apoint.exe
*ACU=C:\Program Files\Atheros\acu.exe
*ezShieldProtector for Px=C:\WINDOWS\System32\EZSP_PX.EXE
*Drag'n Drop CD+DVD=C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
*00THotkey=C:\WINDOWS\System32\00THotkey.exe
*000StTHK=000StTHK.exe
*LtMoh=C:\Program Files\ltmoh\Ltmoh.exe
*TFncKy=TFncKy.exe /Type 28
*WinFaxAppPortStarter=wfxsnt40.exe
*WinampAgent="C:\Program Files\Winamp\Winampa.exe"
*SSBkgdUpdate="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
*WorkFlowTray="C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
*Opware14="C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
*OpScheduler="C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
*Share-to-Web Namespace Daemon=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
*HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
*DeviceDiscovery=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
*HP Software Update="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
*HP Component Manager="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
*SunJavaUpdateSched=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.0/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Internet Explorer Access/{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
*StubPath=rundll32 iesetup.dll,IEAccessUserInst
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Start Page=about:blank
+SearchUrl
»Default User
*Search Bar=http://aflashcounter.com/?a=2&b=zxy
*Search Page=http://aflashcounter.com/?a=2&b=zxy
*SearchAssistant=http://aflashcounter.com/?a=2&b=zxy
+SearchUrl
*SearchUrl=http://aflashcounter.com/?a=2&b=zxy
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
+SearchUrl
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\abon\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Controller.LNK
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\hh.exe
*C:\WINDOWS\hh.exe
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+492=\SystemRoot\System32\smss.exe
+548=\??\C:\WINDOWS\system32\csrss.exe
+576=\??\C:\WINDOWS\system32\winlogon.exe
+620=C:\WINDOWS\system32\services.exe
+632=C:\WINDOWS\system32\lsass.exe
+800=C:\WINDOWS\system32\svchost.exe
+824=C:\WINDOWS\System32\svchost.exe
+896=C:\WINDOWS\System32\svchost.exe
+912=C:\WINDOWS\System32\svchost.exe
+1124=C:\WINDOWS\system32\spoolsv.exe
+1240=C:\WINDOWS\System32\alg.exe
+1264=C:\WINDOWS\System32\DVDRAMSV.exe
+1336=C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
+1368=C:\WINDOWS\System32\svchost.exe
+1396=C:\WINDOWS\System32\WFXSVC.EXE
+1420=C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
+1992=C:\WINDOWS\Explorer.EXE
+196=C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
+204=C:\Program Files\Apoint2K\Apoint.exe
+192=C:\Program Files\Atheros\acu.exe
+212=C:\WINDOWS\System32\EZSP_PX.EXE
+224=C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
+240=C:\WINDOWS\System32\00THotkey.exe
+284=C:\Program Files\ltmoh\Ltmoh.exe
+340=C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
+348=C:\WINDOWS\System32\wfxsnt40.exe
+360=C:\Program Files\Winamp\Winampa.exe
+380=C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
+388=C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
+396=C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
+408=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
+416=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
+428=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
+444=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
+452=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
+460=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
+468=C:\Program Files\Messenger\msmsgs.exe
+332=C:\WINDOWS\System32\ctfmon.exe
+512=C:\Program Files\Netscape\Netscape\Netscp.exe
+516=C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
+740=C:\Program Files\Apoint2K\Apntex.exe
+792=C:\WINDOWS\system32\RAMASST.exe
+1288=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
+3644=C:\Program Files\Outlook Express\msimn.exe
+1612=C:\hjt\startdreck\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User