Help analize my HJT log pls, spyware attacks me

[abonthio]

Please help,
Every time I startup my computer, my computer try to connect to internet by showing up DUN. And some windows come with warning about spyware.
Please somebody analyze my HJT log file

========================
Logfile of HijackThis v1.98.2
Scan saved at 9:26:18 PM, on 2/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\abon\Application Data\Mozilla\Profiles\default\e8ab8tjd.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Name - {E476FC5E-2AD3-4D8E-892D-1879050C8E4C} - C:\WINDOWS\System32\msuxd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\acu.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [kTplo66] C:\WINDOWS\sxhqt.exe
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{32381E06-7106-40DC-BC8B-E51F11F31723}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

======================

[MicroBell]

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log…..

If you have a highspeed connection please Run an online virus scan from TrendMicro Please select the “autoclean” option when prompted to do so.


Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Name - {E476FC5E-2AD3-4D8E-892D-1879050C8E4C} - C:\WINDOWS\System32\msuxd.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [kTplo66] C:\WINDOWS\sxhqt.exe
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab

Fix these entrys below as well if they are not related to your ISP or company network.. (I'm guessing Not as the latter IP (195.225.176.37) is in Amsterdam)

O17 - HKLM\System\CCS\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{32381E06-7106-40DC-BC8B-E51F11F31723}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{12F0101D-12C1-41BA-9F21-D34EDE8DBFCF}: NameServer = 69.50.176.196,195.225.176.37

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directorys..ect enabled if it applys to your OS)

C:\WINDOWS\System32\msuxd.dll
C:\WINDOWS\System32\iecustom32.dll
C:\WINDOWS\sxhqt.exe
syslog32.exe
sysobj.exe <--locate and delete these 2.

Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not

[abonthio]

I just upgrade to the newer Hijackthis, and this is the last log I made.
How is it now?

==========================
Logfile of HijackThis v1.99.1
Scan saved at 2:44:47 PM, on 2/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Atheros\acu.exe
C:\WINDOWS\System32\EZSP_PX.EXE
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Outlook Express\msimn.exe
C:\hjt\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Martin\Application Data\Mozilla\Profiles\default\e8ab8tjd.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll (file missing)
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\acu.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB7D5D30-110A-4EEC-8C98-BBAD6A6BA875}: NameServer = 69.50.176.196 195.225.176.37
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\abon\LOCALS~1\Temp\hpdj.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

[greyknight17]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Don't run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O17 - HKLM\System\CCS\Services\Tcpip\..\{DB7D5D30-110A-4EEC-8C98-BBAD6A6BA875}: NameServer = 69.50.176.196 195.225.176.37
O23 - Service: hpdj - HP - C:\DOCUME~1\abon\LOCALS~1\Temp\hpdj.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

[abonthio]

<quote>
O17 -
HKLM\System\CCS\Services\Tcpip\..\{DB7D5D30-110A-4EEC-8C98-BBAD6A6BA875}:
NameServer = 69.50.176.196 195.225.176.37
</quote>

I can't find that 017, it doesn't exist anylonger.

Another strange thing, in my favorit (Iexplorer) there always appear addresses like kill spyware ... strip poker ... adult gambling ... etc. I have tried to delete them but they come again.

And here is my last result.txt

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:52:53 PM, on 2/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Atheros\acu.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\abon\Application Data\Mozilla\Profiles\default\e8ab8tjd.slt\prefs.js)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll (file missing)
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\acu.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

[greyknight17]

Try running Ad-aware and Spybot again. Then give us this log:

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

[abonthio]

Adaware detect my computer as clean :)
Spybot detect DSO Exploit. I have tried to clean them but they still exist.
(please see attachment dso_exploit1.jpg)

And here is my startdreck.log
======================

StartDreck (build 2.1.7 public stable) - 2005-03-01 @ 13:31:01 (GMT +07:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as abon at ABON-UUDPKRU2

»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*Yahoo! Pager=C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
*Mozilla Quick Launch="C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*PmProxy=C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
*Apoint=C:\Program Files\Apoint2K\Apoint.exe
*ACU=C:\Program Files\Atheros\acu.exe
*ezShieldProtector for Px=C:\WINDOWS\System32\EZSP_PX.EXE
*Drag'n Drop CD+DVD=C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
*00THotkey=C:\WINDOWS\System32\00THotkey.exe
*000StTHK=000StTHK.exe
*LtMoh=C:\Program Files\ltmoh\Ltmoh.exe
*TFncKy=TFncKy.exe /Type 28
*WinFaxAppPortStarter=wfxsnt40.exe
*WinampAgent="C:\Program Files\Winamp\Winampa.exe"
*SSBkgdUpdate="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
*WorkFlowTray="C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
*Opware14="C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
*OpScheduler="C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
*Share-to-Web Namespace Daemon=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
*HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
*DeviceDiscovery=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
*HP Software Update="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
*HP Component Manager="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
*SunJavaUpdateSched=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.0/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Internet Explorer Access/{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
*StubPath=rundll32 iesetup.dll,IEAccessUserInst
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Start Page=about:blank
+SearchUrl
»Default User
*Search Bar=http://aflashcounter.com/?a=2&b=zxy
*Search Page=http://aflashcounter.com/?a=2&b=zxy
*SearchAssistant=http://aflashcounter.com/?a=2&b=zxy
+SearchUrl
*SearchUrl=http://aflashcounter.com/?a=2&b=zxy
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
+SearchUrl
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\abon\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Controller.LNK
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\hh.exe
*C:\WINDOWS\hh.exe
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+492=\SystemRoot\System32\smss.exe
+548=\??\C:\WINDOWS\system32\csrss.exe
+576=\??\C:\WINDOWS\system32\winlogon.exe
+620=C:\WINDOWS\system32\services.exe
+632=C:\WINDOWS\system32\lsass.exe
+800=C:\WINDOWS\system32\svchost.exe
+824=C:\WINDOWS\System32\svchost.exe
+896=C:\WINDOWS\System32\svchost.exe
+912=C:\WINDOWS\System32\svchost.exe
+1124=C:\WINDOWS\system32\spoolsv.exe
+1240=C:\WINDOWS\System32\alg.exe
+1264=C:\WINDOWS\System32\DVDRAMSV.exe
+1336=C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
+1368=C:\WINDOWS\System32\svchost.exe
+1396=C:\WINDOWS\System32\WFXSVC.EXE
+1420=C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
+1992=C:\WINDOWS\Explorer.EXE
+196=C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
+204=C:\Program Files\Apoint2K\Apoint.exe
+192=C:\Program Files\Atheros\acu.exe
+212=C:\WINDOWS\System32\EZSP_PX.EXE
+224=C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
+240=C:\WINDOWS\System32\00THotkey.exe
+284=C:\Program Files\ltmoh\Ltmoh.exe
+340=C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
+348=C:\WINDOWS\System32\wfxsnt40.exe
+360=C:\Program Files\Winamp\Winampa.exe
+380=C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
+388=C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
+396=C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
+408=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
+416=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
+428=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
+444=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
+452=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
+460=C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
+468=C:\Program Files\Messenger\msmsgs.exe
+332=C:\WINDOWS\System32\ctfmon.exe
+512=C:\Program Files\Netscape\Netscape\Netscp.exe
+516=C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
+740=C:\Program Files\Apoint2K\Apntex.exe
+792=C:\WINDOWS\system32\RAMASST.exe
+1288=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
+3644=C:\Program Files\Outlook Express\msimn.exe
+1612=C:\hjt\startdreck\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

[CTSNKY]

If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation. Run another scan, it will find them, then delete them and never to be seen again.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.

[abonthio]

Really difficult to download "Spybot DSO Exploit Fix" but finally I did it.
My system clean now.
Thankyou very much :)

Cheers,
Abon