Tech Support Forum - Resolved HJT Threads: Resolved spyware and popup issues.
#1
Registered User
Join Date: Feb 2005
Posts: 11
OS: XP
My uncleanable spyware
I run all the cleaners A'2, SE, HouseCall, Shredder, and still when I restart my computer it's back. Hopefully HJT can get it. Here is the log, please help.
Logfile of HijackThis v1.97.7
Scan saved at 8:16:31 AM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\DOCUME~1\TJ\LOCALS~1\Temp\Rar$EX00.000\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.techadvanced.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...974.6188078704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/ao...S.9.1.6.18.cab
#2
Manager, The Conversation Pit/Analyst, Security Team
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time.
__________________
No one can make you feel inferior without your consent.- Eleanor Roosevelt
#3
Manager, The Conversation Pit/Analyst, Security Team
You have an older version of HJT.
Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.
1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it).
Do not fix anything in HijackThis since the entries may be harmless.
#4
Registered User
Join Date: Feb 2005
Posts: 11
OS: XP
result.txt as requested
I have used the analyzer as you said, and here is the result.txt file.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:21:18 AM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\All Users\Documents\HijakThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.techadvanced.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/ao...S.9.1.6.18.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#5
Manager, The Conversation Pit/Analyst, Security Team
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. Let us know how it works out!
#6
Registered User
Join Date: Feb 2005
Posts: 11
OS: XP
Still There
I went through the fixes in order with no browsers open and it is still there. I wondered about the O9 BHO (no name) entry and if I should fix that, but I didn't since you didn't say to fix that part. Here is the new result.txt after I have fixed what you said. If I run HouseCall it comes up with the spyware program, and when I turn off the computer and run HJT again the log is back to how it was before I fixed what you said. By the way, I do appreciate all your help, thank you very much.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:29:25 AM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.techadvanced.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/ao...S.9.1.6.18.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#7
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
I'm a little unclear what the specific complaint is here.
If it's just those R0 entries, I wouldn't worry too much about them. You can try this: Right click on this link and choose Save As. Save it to your desktop and double click on it. Choose Yes to merge it. You may delete it afterwards.
__________________
GO BIG BLUE!!
#8
Manager, The Conversation Pit/Analyst, Security Team
Download StartDreck: http://www.greyknight17.com/spy/StartDreck.zip
Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread.
#9
Registered User
Join Date: Feb 2005
Posts: 11
OS: XP
Here is the log
Here is the log after doing both what you and CTSNKY said. I ran HouseCall again and it still says I have a spyware program called something like websearch or something like that.
StartDreck (build 2.1.7 public stable) - 2005-03-03 @ 12:58:11 (GMT -06:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as TJ at PLANROOM

»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\MSMSGS.EXE" /background
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*SoundMAXPnP=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
*SoundMAX="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
*IgfxTray=C:\WINDOWS\System32\igfxtray.exe
*HotKeysCmds=C:\WINDOWS\System32\hkcmd.exe
*IntelliType="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
*NeroCheck=C:\WINDOWS\system32\NeroCheck.exe
*CARPService=carpserv.exe
*HP Software Update="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
*HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
*DeviceDiscovery=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*jsfile=C:\Corel\Suite8\Programs\CCWin\Cscape.exe
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.google.com/
+SearchUrl
*provider=
*=http://home.microsoft.com/access/autosearch.asp?p=%s
* =+
*&=%26
*+=%2B
*#=%23
*?=%3F
*==%3D
»Default User
*Search Bar=http://search.msn.com/spbasic.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.techadvanced.com
»Local Machine
*Default_Page_URL=http://www.msn.com/
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.msn.com/
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\TJ\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\system32\notepad.exe
*C:\WINDOWS\notepad.exe
+C:\WINDOWS\system32\slrundll.exe
*C:\WINDOWS\slrundll.exe
+C:\WINDOWS\system32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\system32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+588=\SystemRoot\System32\smss.exe
+636=\??\C:\WINDOWS\system32\csrss.exe
+660=\??\C:\WINDOWS\system32\winlogon.exe
+704=C:\WINDOWS\system32\services.exe
+716=C:\WINDOWS\system32\lsass.exe
+892=C:\WINDOWS\system32\svchost.exe
+960=C:\WINDOWS\system32\svchost.exe
+1056=C:\WINDOWS\System32\svchost.exe
+1148=C:\WINDOWS\System32\svchost.exe
+1252=C:\WINDOWS\System32\svchost.exe
+1448=C:\WINDOWS\system32\spoolsv.exe
+1688=C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
+1716=C:\WINDOWS\System32\svchost.exe
+1828=C:\WINDOWS\system32\fxssvc.exe
+416=C:\WINDOWS\System32\alg.exe
+1376=C:\WINDOWS\Explorer.EXE
+1360=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
+1840=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
+1888=C:\WINDOWS\System32\igfxtray.exe
+1896=C:\WINDOWS\System32\hkcmd.exe
+1904=C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
+2008=C:\WINDOWS\system32\carpserv.exe
+1872=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
+212=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
+132=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
+372=C:\Program Files\Messenger\MSMSGS.EXE
+2664=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
+2864=C:\stardeck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
#10
Analyst, Security Team
OK, click here to download FxWebsch. Run that.
Restart and see if websearch is still being detected. Also post a new HijackThis log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#11
Registered User
Join Date: Feb 2005
Posts: 11
OS: XP
Unfortunately Yes
Unfortunately yes, it is still being detected. Here is the new HJT log; I didn't run the KRC analyzer because you didn't say to. Thanks again guys, I know this is probably getting annoying by now.
Logfile of HijackThis v1.99.1
Scan saved at 9:01:38 AM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.techadvanced.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/ao...S.9.1.6.18.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
#12
Analyst, Security Team
OK, check and fix these in HijackThis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

For the TrendMicro scan, does it allow you to fix/clean it after you did the scan?
#13
Registered User
Join Date: Feb 2005
Posts: 11
OS: XP
Nope still no luck
I fixed as you said with no browsers running, then I restart the computer and run TrendMicro. It still finds it and it says it fixes it, but when I restart the computer again it finds it again, and the HJT log has the things I fixed back on it again.
#14
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Can you identify the name/location of the file that TrendMicro finds/deletes?
===========
Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.
#15
Registered User
Join Date: Feb 2005
Posts: 11
OS: XP
TDS-3 Log
As for the TrendMicro file, it says the name is SPYW_WEBSEARCH.A; however, it does not show the location of it. And now when I click on the remove button it says removing spyware program, and then when it says it is done it says the resulting action was that it did not remove the spyware program.
==========================================================
As for the TDS-3 log, here it is:

08:33:35 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
08:33:35 [Init] Started 07-03-05 08:33:35 Central Standard Time (UTC: 6), Internet Time @648.32
08:33:35 [Init] Loading TDS-3 Systems ...
08:33:35 [Init] Token successfully adjusted.
08:33:35 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
08:33:35 [Init] • Plugins : OK. Loaded 13
08:33:35 [Init] • Exec Protection : Not Installed
08:33:35 [Init] WARNING: Your Radius.TD3 database needs to be updated!
08:33:35 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
08:33:35 [Init] Licensed users can use the Update facility from the TDS menu
08:33:35 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
08:33:41 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
08:33:41 [Init] • Systems Initialised [48581 references - 24105 primaries/12292 traces/12184 variants/other]
08:33:41 [Init] Radius Systems loaded. <Databases updated 07-03-2005>
08:33:41 [Init] TDS-3 Ready. <Tj@70.183.231.171, 127.0.0.1 - United States>
08:33:41 [Tip Of The Day] Did you know? - You can use DiamondCS Port Explorer to see which ports are being used by which processes, and even packet-sniff processes and sockets! See http://www.diamondcs.com.au/portexplorer/
08:33:41 [TDS] Good morning Tj.
08:33:44 [Mutex Memory Scan] Started...
08:33:45 [Mutex Memory Scan] Finished (no trojan mutexes found).
08:33:45 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
08:34:21 [CRC32] Started - verifying 29 files ...
08:34:22 [CRC32] File doesn't exist: C:\WINDOWS\System32\shell.dll
08:34:24 [CRC32] Test finished.
08:35:21 [Memory Scan] Memory scan started, please wait a moment ...
08:35:21 [Memory Scan] Memory scan complete.
08:35:21 [Mutex Memory Scan] Started...
08:35:23 [Mutex Memory Scan] Finished (no trojan mutexes found).
08:35:23 [Trace Scan] Started...
08:35:29 [Trace Scan] Finished.
08:35:29 [ServiceScan] Scanning for services and drivers ...
08:35:31 [ServiceScan] Scanned 304 services and drivers.
08:35:31 [File Scan] Scanning in A:\ ...
08:35:32 [File Scan] Scanned 0 files: 0 alarms in 1.078125 seconds (Avg 1. files/sec)
08:35:32 [File Scan] Scanning in C:\ ...
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\accwiz.exe for read access, file is locked
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\hh.exe for read access, file is locked
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\locator.exe for read access, file is locked
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\magnify.exe for read access, file is locked
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\migwiz.exe for read access, file is locked
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\narrator.exe for read access, file is locked
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntkrnlpa.exe for read access, file is locked
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntoskrnl.exe for read access, file is locked
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\osk.exe for read access, file is locked
08:53:15 [File Scan] Scanned 37351 files: 2 alarms in 1063.016 seconds (Avg 36.14 files/sec)
08:53:15 [File Scan] Scanning in D:\ ...
08:53:15 [File Scan] Scanned 0 files: 2 alarms in 0.015625 seconds (Avg 1. files/sec)
08:53:15 [Scan] Finished.

The two alarm files in the alarm window under the log were:
Adware.Pugi Dropper C:\documents and settings\tj\application data\winks\submit2.exe
Adware.Pugi Dropper C:\windows\submit2.exe
#16
Troubled
Join Date: Apr 2004
Location: California
Posts: 943
OS: Windows XP
Hello Mickcontsr,
Please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Delete:
C:\documents and settings\tj\application data\winks << This folder
C:\windows\submit2.exe << This file

Reboot, check if they are gone, and post a new log please.
#17
Registered User
Join Date: Feb 2005
Posts: 11
OS: XP
Here you go
Here you go, just as you requested.
12:49:30 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
12:49:30 [Init] Started 07-03-05 12:49:30 Central Standard Time (UTC: 6), Internet Time @826.04
12:49:30 [Init] Loading TDS-3 Systems ...
12:49:30 [Init] Token successfully adjusted.
12:49:30 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
12:49:30 [Init] • Plugins : OK. Loaded 13
12:49:30 [Init] • Exec Protection : Not Installed
12:49:30 [Init] WARNING: Your Radius.TD3 database needs to be updated!
12:49:30 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
12:49:30 [Init] Licensed users can use the Update facility from the TDS menu
12:49:30 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
12:49:37 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
12:49:37 [Init] • Systems Initialised [48581 references - 24105 primaries/12292 traces/12184 variants/other]
12:49:37 [Init] Radius Systems loaded. <Databases updated 07-03-2005>
12:49:37 [Init] TDS-3 Ready. <Tj@70.183.231.171, 127.0.0.1 - United States>
12:49:37 [Tip Of The Day] Update weekly or even daily for maximum protection against new-release trojans and worms. It's as easy as clicking TDS-3 | Update TDS Databases Now!
12:49:37 [TDS] Good afternoon Tj. Mmm... lunch
12:49:41 [Mutex Memory Scan] Started...
12:49:43 [Mutex Memory Scan] Finished (no trojan mutexes found).
12:49:43 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
12:49:49 [CRC32] Started - verifying 29 files ...
12:49:50 [CRC32] File doesn't exist: C:\WINDOWS\System32\shell.dll
12:49:52 [CRC32] Test finished.
12:50:48 [Memory Scan] Memory scan started, please wait a moment ...
12:50:48 [Memory Scan] Memory scan complete.
12:50:48 [Mutex Memory Scan] Started...
12:50:50 [Mutex Memory Scan] Finished (no trojan mutexes found).
12:50:50 [Trace Scan] Started...
12:50:56 [Trace Scan] Finished.
12:50:56 [ServiceScan] Scanning for services and drivers ...
12:50:58 [ServiceScan] Scanned 304 services and drivers.
12:50:58 [File Scan] Scanning in A:\ ...
12:50:59 [File Scan] Scanned 0 files: 0 alarms in 1.078125 seconds (Avg 1. files/sec)
12:50:59 [File Scan] Scanning in C:\ ...
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\accwiz.exe for read access, file is locked
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\hh.exe for read access, file is locked
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\locator.exe for read access, file is locked
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\magnify.exe for read access, file is locked
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\migwiz.exe for read access, file is locked
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\narrator.exe for read access, file is locked
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntkrnlpa.exe for read access, file is locked
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntoskrnl.exe for read access, file is locked
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\osk.exe for read access, file is locked
13:09:16 [File Scan] Scanned 38147 files: 0 alarms in 1096.813 seconds (Avg 35.78 files/sec)
13:09:16 [File Scan] Scanning in D:\ ...
13:09:16 [File Scan] Scanned 0 files: 0 alarms in 0.015625 seconds (Avg 1. files/sec)
13:09:16 [Scan] Finished.
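The two TDS-3 logs in this thread (the run with two Adware.Pugi alarms and the rerun after the deletions) are the kind of before/after pair a helper has to read by eye. The following is an added example, not code from TDS-3, DiamondCS or anyone in the thread: it parses the TDS-3 `HH:MM:SS [Category] message` line format, totals the per-drive file counts, keeps the alarm count as the running total TDS-3 reports, collects the locked files the scanner could not read, and records the "database needs to be updated" warning so that a clean rerun is reported together with the reasons it is weaker evidence than it looks. The two embedded excerpts are trimmed from the logs posted above (only the lines the parser uses were kept).

```python
"""Parse TDS-3 scan logs and compare a 'before' and 'after' run."""
import re
from dataclasses import dataclass, field

# Every TDS-3 log line has the shape "HH:MM:SS [Category] message".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) \[([^\]]+)\] (.*)$")
SUMMARY_RE = re.compile(r"Scanned (\d+) files: (\d+) alarms")
LOCKED_RE = re.compile(r"Couldn't open (.+?) for read access")
DB_WARNING = "database needs to be updated"


@dataclass
class TdsRun:
    files_scanned: int = 0
    alarms: int = 0
    locked_files: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    finished: bool = False


def parse_tds_log(text: str) -> TdsRun:
    run = TdsRun()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, or prose the poster typed around the log
        _time, category, message = m.groups()
        if category == "File Scan":
            s = SUMMARY_RE.search(message)
            if s:
                # Files are reported per drive, so they add up. The alarm count is a
                # running total for the whole run (D:\ shows "0 files: 2 alarms" in
                # the first log), so the last value seen is the run's total.
                run.files_scanned += int(s.group(1))
                run.alarms = int(s.group(2))
        elif category == "Locked File":
            lk = LOCKED_RE.search(message)
            if lk:
                run.locked_files.append(lk.group(1).lower())
        elif category == "Init" and message.startswith("WARNING"):
            run.warnings.append(message)
        elif category == "Scan" and message.startswith("Finished"):
            run.finished = True
    return run


def compare_runs(before: TdsRun, after: TdsRun) -> dict:
    """Summarise what changed, plus the reasons a 'clean' rerun is weaker than it looks."""
    caveats = []
    if any(DB_WARNING in w for w in after.warnings):
        caveats.append("signature database out of date: the clean result only covers old signatures")
    if not after.finished:
        caveats.append("scan did not run to completion")
    unread = sorted(set(after.locked_files))
    if unread:
        caveats.append(f"{len(unread)} locked files were never read")
    return {
        "alarms_before": before.alarms,
        "alarms_after": after.alarms,
        "alarms_removed": before.alarms - after.alarms,
        "files_delta": after.files_scanned - before.files_scanned,
        "caveats": caveats,
    }


# Excerpts trimmed from the two logs posted in this thread (constructed sample input).
RUN_BEFORE = r"""
08:35:31 [File Scan] Scanning in A:\ ...
08:35:32 [File Scan] Scanned 0 files: 0 alarms in 1.078125 seconds (Avg 1. files/sec)
08:35:32 [File Scan] Scanning in C:\ ...
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntkrnlpa.exe for read access, file is locked
08:43:29 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntoskrnl.exe for read access, file is locked
08:53:15 [File Scan] Scanned 37351 files: 2 alarms in 1063.016 seconds (Avg 36.14 files/sec)
08:53:15 [File Scan] Scanning in D:\ ...
08:53:15 [File Scan] Scanned 0 files: 2 alarms in 0.015625 seconds (Avg 1. files/sec)
08:53:15 [Scan] Finished.
"""

RUN_AFTER = r"""
12:49:30 [Init] WARNING: Your Radius.TD3 database needs to be updated!
12:50:59 [File Scan] Scanned 0 files: 0 alarms in 1.078125 seconds (Avg 1. files/sec)
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntkrnlpa.exe for read access, file is locked
12:59:19 [Locked File] Couldn't open c:\windows\$ntuninstallkb826939$\ntoskrnl.exe for read access, file is locked
13:09:16 [File Scan] Scanned 38147 files: 0 alarms in 1096.813 seconds (Avg 35.78 files/sec)
13:09:16 [File Scan] Scanned 0 files: 0 alarms in 0.015625 seconds (Avg 1. files/sec)
13:09:16 [Scan] Finished.
"""

if __name__ == "__main__":
    print(compare_runs(parse_tds_log(RUN_BEFORE), parse_tds_log(RUN_AFTER)))
```

On the thread's logs this reports two alarms removed and 796 more files scanned in the second run, but also two caveats: the second run was made with a database TDS-3 itself flagged as out of date, and the files under `$ntuninstallkb826939$` were locked and never read in either run. That is why a clean TDS-3 log and a still-positive TrendMicro result are not a contradiction.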
#19
Registered User
Join Date: Feb 2005
Posts: 11
OS: XP
there again
The TDS3 log is clear, but I still have the spyware show up on TrendMicro, and my HJT log shows the things you guys have me fix each time; if I fix it, once I reboot my computer they show back up on the log. Here is the new result log after running the KRC analyzer on the HJT log. Maybe we can get it this time; it seems to be a doozy, but I appreciate everything, guys.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 1:40:51 PM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.techadvanced.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/ao...S.9.1.6.18.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of KRC HijackThis Analyzer Log.
====================================================================
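The KRC output above is a filtered HijackThis log, and the question the analyst asks next (where are the files, what are the paths) is what a structured view of those entries answers. The following is an added example and is not HijackThis, KRC or anyone's code from this thread. It parses the `Oxx - Kind: Name - {CLSID} - path` line format HijackThis uses, pulls out the name, CLSID and on-disk path or URL per entry, lists the O1 hosts entries that point a hostname somewhere other than the local host for the responder to review (the analyst's point that such entries are not always harmful stands; the code only surfaces them), and lists the autostart locations HijackThis reports (O4 Run keys, O20 Winlogon Notify DLLs, O23 services), which are the places to check when entries keep returning after a reboot. The sample log is constructed from the lines posted above with the truncated URLs left as they appear; the `O4` line with `ExampleTray` is a hypothetical entry added so the Run-key branch is exercised.

```python
"""Structured view of a HijackThis log: entries, CLSIDs, paths, and review lists."""
import re
from dataclasses import dataclass

# Entry codes HijackThis uses: R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body: "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^(HK\w+\\.*?Run\w*): \[(.+?)\] (.*)$")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Entry:
    code: str
    body: str
    name: str = ""
    path: str = ""   # file path, DLL, or URL, depending on the entry kind
    clsid: str = ""


def parse_hjt(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, "Running processes" list, analyzer banner
        code, body = m.groups()
        e = Entry(code, body)
        c = CLSID_RE.search(body)
        if c:
            e.clsid = c.group(0)
        if code == "O1" and body.startswith("Hosts: "):
            parts = body[len("Hosts: "):].split(None, 1)
            if len(parts) == 2:
                e.path, e.name = parts  # path holds the IP, name the hostname
        elif code == "O4":
            r = RUN_RE.match(body)
            if r:
                e.name, e.path = r.group(2), r.group(3)
        elif code in ("O2", "O9", "O20", "O23"):
            # "<kind>: <name> - [<clsid> - ] <path>": the last dash-separated field is the file
            parts = body.split(" - ")
            e.path = parts[-1].strip()
            head = parts[0].split(": ", 1)
            e.name = head[1] if len(head) > 1 else head[0]
        elif code == "O16":
            # "DPF: {CLSID} (Name) - URL"
            parts = body.split(" - ")
            e.path = parts[-1].strip()
            n = re.search(r"\((.+?)\)", parts[0])
            e.name = n.group(1) if n else ""
        entries.append(e)
    return entries


def hosts_redirects(entries: list) -> list:
    """O1 entries that resolve a hostname to something other than the local host."""
    return [(e.name, e.path) for e in entries if e.code == "O1" and e.path not in LOCAL_IPS]


def persistence_points(entries: list) -> list:
    """Autostart locations HijackThis reports: Run keys (O4), Winlogon Notify (O20), services (O23)."""
    return [(e.code, e.name, e.path) for e in entries if e.code in ("O4", "O20", "O23")]


# Constructed sample: lines from the thread's log plus one hypothetical O4 entry.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:40:51 PM, on 3/8/2005
Running processes:
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
"""

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for host, ip in hosts_redirects(parsed):
        print(f"hosts: {host} -> {ip} (review)")
    for code, name, path in persistence_points(parsed):
        print(f"{code} {name}: {path}")
```

The parser deliberately stops at extraction and two review lists; deciding whether a given entry belongs on the machine is the responder's call, which is how the analyst treats the entries above.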
#20
Analyst, Security Team
This is really not showing us anything. Those entries could stay - they are not always harmful.
Where does TrendMicro say these spyware files are located? Give us the filenames and path.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.