Tech Support Forum banner
Cancel

Massive spyware invasion!

1477 Views 0 Replies 1 Participant Last post by  Maxximiliann
M
Hi! I just removed 600+ pieces of spyware. Did I get them all? Anything else I should be worried about? Thanks in advance for all your help!


Deckard's System Scanner v20071014.68
Run by admin on 2008-05-26 21:48:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-05-27 01:48:50 UTC - RP618 - Deckard's System Scanner Restore Point
11: 2008-05-26 23:31:18 UTC - RP617 - ComboFix created restore point
10: 2008-05-26 15:10:32 UTC - RP616 - System Checkpoint
9: 2008-05-24 18:02:15 UTC - RP615 - System Checkpoint
8: 2008-05-23 13:11:00 UTC - RP614 - System Checkpoint


-- First Restore Point --
1: 2008-05-13 02:04:32 UTC - RP607 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:02 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Documents and Settings\admin\Desktop\Hardware Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/games/chess
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/games/chess
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [M2WNotifierService] C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: FreePOPs (3).lnk = C:\Program Files\FreePOPs\freepopsd.exe
O4 - Global Startup: Mozilla Firefox Primary Profile (3).lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Global Startup: Mozilla Thunderbird (2).lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Today.doc
O4 - Global Startup: Watchtower Library 2007 - Español.lnk = C:\Program Files\Watchtower\Watchtower Library 2007\S\wtlibrary.exe
O4 - Global Startup: ~$Today.doc
O4 - Global Startup: ~WRL0001.tmp
O4 - Global Startup: ~WRL0536.tmp
O4 - Global Startup: ~WRL1339.tmp
O4 - Global Startup: ~WRL1782.tmp
O4 - Global Startup: ~WRL2439.tmp
O4 - Global Startup: ~WRL4051.tmp
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {1D95A7C7-3282-4DB7-9A48-7C39CE152A19} (TeamOn Import Object) - https://bis.na.blackberry.com/html/web/clie...ls/TOImport.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121033866146
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/heavy_w...aploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6253 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080128-111257-554 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20080128-111257-775 O4 - HKCU\..\Policies\Explorer\Run: [System Patcher] BTCPatcher.exe
backup-20080128-111257-857 O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
backup-20080128-111258-593 O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) -
backup-20080128-111258-690 O21 - SSODL: ULBrEIuBH - {4C0D169B-E6A7-BC31-EEBB-C1266F9C8E1F} - (no file)
backup-20080128-111258-781 O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
backup-20080128-111258-806 O20 - Winlogon Notify: qomkife - qomkife.dll (file missing)
backup-20080128-111258-916 O20 - Winlogon Notify: khfddde - khfddde.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 cmpci (Turtle Beach Riviera) - c:\windows\system32\drivers\cmaudio.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 SBAPIFS - c:\windows\system32\drivers\sbapifs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-24 13:27:43 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 21:11:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 21:11:24 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 21:11:22 0 d-------- C:\WINDOWS\LastGood
2008-05-26 21:03:55 0 dr-h---c- C:\Documents and Settings\admin\Recent
2008-05-26 19:30:50 68096 --a------ C:\WINDOWS\zip.exe
2008-05-26 19:30:50 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-26 19:30:50 80412 --a------ C:\WINDOWS\grep.exe
2008-05-26 19:30:49 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-26 19:30:49 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-26 19:30:49 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-26 19:30:49 98816 --a------ C:\WINDOWS\sed.exe
2008-05-26 19:30:49 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-06 11:54:01 0 d------c- C:\temp
2008-05-05 11:49:05 0 d-------- C:\Program Files\Ringo
2008-04-28 17:00:03 0 d------c- C:\Documents and Settings\admin\Application Data\Axosoft
2008-04-28 16:59:18 0 d-------- C:\Program Files\TBFDropZone


-- Find3M Report ---------------------------------------------------------------

2008-05-26 21:16:32 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-26 20:07:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 16:23:18 0 d------c- C:\Documents and Settings\admin\Application Data\gtk-2.0
2008-05-18 18:48:50 0 d-------- C:\Documents and Settings\admin\Application Data\uTorrent
2008-05-17 11:22:15 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-11 14:32:09 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-07 09:33:44 0 d-------- C:\Program Files\AIM6
2008-05-04 12:33:19 0 d------c- C:\Documents and Settings\admin\Application Data\Real
2008-04-16 18:25:00 8135 --a----c- C:\WINDOWS\mozver.dat
2008-04-09 12:51:49 0 d-------- C:\Program Files\Investintech.com Inc
2008-04-09 12:46:13 0 d-------- C:\Program Files\PDF Editor 2
2008-03-30 11:38:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-30 11:35:28 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-30 11:14:04 0 d-------- C:\Program Files\M2W Notifier Service
2008-03-30 11:13:24 0 d-------- C:\Program Files\AIM
2008-03-30 11:12:56 0 d------c- C:\Documents and Settings\admin\Application Data\Aim
2008-03-28 16:45:40 0 d------c- C:\Documents and Settings\admin\Application Data\acccore
2008-03-28 16:44:52 0 d-------- C:\Program Files\Viewpoint
2008-03-28 16:44:16 0 d-------- C:\Program Files\Common Files\AOL
2008-03-28 15:14:55 0 d-------- C:\Program Files\AOD


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [06/08/2004 12:31 PM C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"M2WNotifierService"="C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe" [12/27/2001 01:17 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe" [10/01/2006 02:03 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/06/2008 04:50 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/26/2008 08:07 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FreePOPs (3).lnk - C:\Program Files\FreePOPs\freepopsd.exe [11/17/2007 11:25:16 AM]
Mozilla Firefox Primary Profile (3).lnk - C:\Program Files\Mozilla Firefox\firefox.exe [9/13/2005 10:46:19 AM]
Mozilla Thunderbird (2).lnk - C:\Program Files\Mozilla Thunderbird\thunderbird.exe [10/16/2007 10:24:02 PM]
Outlook.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [7/14/2003 10:45:18 PM]
Today.doc [5/25/2008 3:05:51 PM]
Watchtower Library 2007 - Espa¤ol.lnk - C:\Program Files\Watchtower\Watchtower Library 2007\S\wtlibrary.exe [10/25/2007 9:35:38 AM]
~$Today.doc [2/5/2008 9:07:50 AM]
~WRL0001.tmp [3/29/2008 2:35:07 PM]
~WRL0536.tmp [5/19/2008 12:20:11 AM]
~WRL1339.tmp [2/19/2008 1:22:57 PM]
~WRL1782.tmp [2/19/2008 1:23:42 PM]
~WRL2439.tmp [2/18/2008 8:55:12 PM]
~WRL4051.tmp [2/4/2008 10:08:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/26/2008 08:07 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]

12210 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-26 21:52:02 ------------
See less See more
Save
Like
Status
Not open for further replies.
1 - 1 of 1 Posts
1 - 1 of 1 Posts
Status
Not open for further replies.
Tech Support Forum
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Windows XP Support Windows 7 , Windows Vista Support Motherboards, Bios|UEFI & CPU Networking Support Laptop Support
Top