Too much spyware



#1 maddalen

Posted 12 July 2004 - 10:28 AM

Friends,

I am in desperate need of help. I have so much spyware infestation I don't know where to begin. Your help would be greatly appreciated.

Thank you.

Logfile of HijackThis v1.98.0

Scan saved at 9:47:43 AM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE

C:\SQLLIB\bin\db2jds.exe

C:\SQLLIB\bin\db2sec.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

c:\winnt\software\wcomagent\collectionagent.exe

c:\_integra\bin\ccmagent.exe

C:\WINNT\system32\rundll32.exe

c:\_integra\bin\shstart.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\THATPL~1\Plus phone.exe

C:\WINNT\System32\ksvidis.exe

C:\WINNT\System32\LzioMediaUpdater.exe

C:\PROGRA~1\INTERN~2\inetmgr.exe

C:\WINNT\System32\hpdllhost.exe

C:\Program Files\Common Files\WinTools\WToolsA.exe

C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe

C:\PROGRA~1\INTERN~2\inetsvc.exe

C:\IBM\IMNNQ\imnsvdem.exe

C:\IBM\IMNNQ\HTTPDL.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\WinTools\WSup.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\lourdes.ahmed\Local Settings\Temporary Internet Files\Content.IE5\ED3SSSF5\HijackThis[1].exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50140

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MCI

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe

O2 - BHO: Browser - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINNT\System32\readdb40.dll

O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINNT\System32\li01f948.dll

O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: bitsgrey - {7ED980F3-1A72-4E05-4517-F22143FED8DC} - C:\PROGRA~1\SHOWMA~1\Boneidol.dll

O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [warn error] C:\PROGRA~1\THATPL~1\Plus phone.exe

O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\ksvidis.exe

O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\System32\LzioMediaUpdater.exe

O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe

O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32

O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32

O4 - HKLM\..\Run: [000hpdllhost] C:\WINNT\System32\hpdllhost.exe

O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\System32\readdb40.dll,EnableRunDLL32

O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\System32\li01f948.dll,EnableRunDLL32

O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\iel2cde8.dll,EnableRunDLL32

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\LOURDE~1.AHM\LOCALS~1\Temp\tb_setup.exe /dcheck

O4 - HKCU\..\Run: [MSMSGS] "c:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Centra Launcher] C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe /startup

O4 - Global Startup: Start HTML Search Server.lnk = C:\SQLLIB\bin\db2nq.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: c:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll

O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab

O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab

O16 - DPF: {25C54745-34D4-11D5-AFF5-005004211DB3} (BCFileControlX Control) - http://bctoolsweb.mc...FileControl.cab

O16 - DPF: {77349B07-BCEA-11D4-AFAE-005004211DB3} (BCMigrateX Control) - http://bctoolsweb.mc...e/BCMigrate.cab

O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://199.249.19.12...aDownloader.cab

O16 - DPF: {BAD35106-FF85-11D4-AFD7-005004211DB3} (BCInstallerX Control) - http://bctoolsweb.mc...BCInstaller.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

O16 - DPF: {E2824BC5-4AA0-11D4-AF78-005004211DB3} (BCCopyX Control) - http://bctoolsweb.mc...Copy/BCCopy.cab

O16 - DPF: {EF639156-4C6F-11D5-B012-005004211DB3} (BCDellInfoX Control) - http://bctoolsweb.mc.../BCDellInfo.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dsmain.com

O17 - HKLM\Software\..\Telephony: DomainName = mcilink.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dsmain.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.dsmain.com

Edited by maddalen, 12 July 2004 - 10:30 AM.


#2 Is Blonde

Posted 12 July 2004 - 11:01 AM

Hi Maddalen

For starters... install these 2 anti-spyware programs.

Spybot: http://www.beam.to/spybotsd

Ad-Aware: http://www.lavasoft.de/

#3 maddalen

Posted 12 July 2004 - 02:08 PM

Thank you, Blonde. I did as you suggested and ran Lavasoft and Search and Destroy. Here are the new log files:

Logfile of HijackThis v1.98.0

Scan saved at 3:03:17 PM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

c:\Program Files\INSIGHT\TOOLS\AICLIENT.EXE

C:\SQLLIB\bin\db2jds.exe

C:\SQLLIB\bin\db2sec.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

c:\winnt\software\wcomagent\collectionagent.exe

c:\_integra\bin\ccmagent.exe

c:\_integra\bin\shstart.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\THATPL~1\Plus phone.exe

C:\WINNT\System32\ksvidis.exe

C:\WINNT\System32\LzioMediaUpdater.exe

C:\PROGRA~1\INTERN~2\inetmgr.exe

C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe

C:\PROGRA~1\INTERN~2\inetsvc.exe

C:\IBM\IMNNQ\imnsvdem.exe

C:\IBM\IMNNQ\HTTPDL.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\WinTools\WSup.exe

c:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\WinTools\WToolsA.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\WINNT\System32\taskmgr.exe

C:\Hijack-This\HijackThis.exe



R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MCI

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,c:\_integra\bin\shstart.exe

O2 - BHO: Browser - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: bitsgrey - {7ED980F3-1A72-4E05-4517-F22143FED8DC} - C:\PROGRA~1\SHOWMA~1\Boneidol.dll

O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [warn error] C:\PROGRA~1\THATPL~1\Plus phone.exe

O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe

O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\ksvidis.exe

O4 - HKLM\..\Run: [LzioMediaUpdater] C:\WINNT\System32\LzioMediaUpdater.exe

O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe

O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [wmcbaaca] rundll32.exe C:\WINNT\System32\wmcbaaca.dll,EnableRunDLL32

O4 - HKLM\..\Run: [icddefff] rundll32.exe C:\WINNT\System32\icddefff.dll,EnableRunDLL32

O4 - HKLM\..\Run: [ielcaabe] rundll32.exe C:\WINNT\System32\ielcaabe.dll,EnableRunDLL32

O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\System32\readdb40.dll,EnableRunDLL32

O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\System32\li01f948.dll,EnableRunDLL32

O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\iel2cde8.dll,EnableRunDLL32

O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\LOURDE~1.AHM\LOCALS~1\Temp\tb_setup.exe /dcheck

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [MSMSGS] "c:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Centra Launcher] C:\PROGRA~1\CENTRA~1\bin\centraSystray.exe /startup

O4 - Global Startup: Start HTML Search Server.lnk = C:\SQLLIB\bin\db2nq.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: c:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll

O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/...lesilent610.cab

O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab

O16 - DPF: {25C54745-34D4-11D5-AFF5-005004211DB3} (BCFileControlX Control) - http://bctoolsweb.mc...FileControl.cab

O16 - DPF: {77349B07-BCEA-11D4-AFAE-005004211DB3} (BCMigrateX Control) - http://bctoolsweb.mc...e/BCMigrate.cab

O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://199.249.19.12...aDownloader.cab

O16 - DPF: {BAD35106-FF85-11D4-AFD7-005004211DB3} (BCInstallerX Control) - http://bctoolsweb.mc...BCInstaller.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

O16 - DPF: {E2824BC5-4AA0-11D4-AF78-005004211DB3} (BCCopyX Control) - http://bctoolsweb.mc...Copy/BCCopy.cab

O16 - DPF: {EF639156-4C6F-11D5-B012-005004211DB3} (BCDellInfoX Control) - http://bctoolsweb.mc.../BCDellInfo.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.dsmain.com

O17 - HKLM\Software\..\Telephony: DomainName = mcilink.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.dsmain.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.dsmain.com


Thanks for your help.
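Editor's added example (not part of the thread, and not a SpywareInfo or HijackThis tool): when two HijackThis logs are posted before and after a cleanup run, the useful question is which entries disappeared, which merely changed value, and which autoruns are still loading DLLs through rundll32.exe. The script below parses the `R0`/`R1`/`O2`/`O3`/`O4`/`O16` entry lines and answers that. The two log excerpts are constructed subsets of the entries in posts #1 and #3 so that it runs offline; keying `O4` entries by their Run-key name and flagging every `O4` entry that starts a DLL via rundll32.exe are this example's own heuristics, not a claim that any particular entry is malicious.

```python
"""Diff two HijackThis logs and list rundll32-launched autoruns.

Added example for the thread above. The log excerpts are constructed
from the posted entries (a subset); the section codes R0/R1/O2/O3/O4/O16
are HijackThis's own. The heuristics here are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the first posted log (before Spybot S&D / Ad-Aware).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50140
O2 - BHO: Browser - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINNT\System32\readdb40.dll
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINNT\System32\li01f948.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [000hpdllhost] C:\WINNT\System32\hpdllhost.exe
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\System32\readdb40.dll,EnableRunDLL32
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
"""

# Constructed excerpt of the second posted log (after the cleanup run).
LOG_AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: Browser - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [he3bbcff] rundll32.exe C:\WINNT\System32\he3bbcff.dll,EnableRunDLL32
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\System32\readdb40.dll,EnableRunDLL32
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
"""

# "O4 - HKLM\..\Run: [name] command" -> code "O4", body "HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A DLL handed to rundll32.exe, e.g. "rundll32.exe C:\WINNT\System32\x.dll,EnableRunDLL32"
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll)", re.IGNORECASE)


def entry_key(code: str, body: str) -> str:
    """Stable identity of an entry, so a changed value is not reported as a removal.

    R0/R1 entries are keyed by registry value path (left of ' = ');
    O4 entries by their Run-key name in [brackets]; everything else by full text.
    """
    if code in ("R0", "R1"):
        return code + ":" + body.split(" = ", 1)[0]
    if code == "O4":
        m = re.search(r"\[([^\]]+)\]", body)
        return code + ":" + (m.group(1) if m else body)
    return code + ":" + body


def parse_entries(log: str) -> Dict[str, str]:
    """Map entry key -> full entry line; header and process-list lines are skipped."""
    entries: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[entry_key(m["code"], m["body"])] = line
    return entries


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries removed, added, or changed between two logs."""
    a, b = parse_entries(before), parse_entries(after)
    return {
        "removed": [a[k] for k in a if k not in b],
        "added": [b[k] for k in b if k not in a],
        "changed": [f"{a[k]}  ->  {b[k]}" for k in a if k in b and a[k] != b[k]],
    }


def rundll32_autoruns(log: str) -> List[Tuple[str, str]]:
    """(Run-key name, DLL path) for every O4 entry that loads a DLL via rundll32.exe."""
    found: List[Tuple[str, str]] = []
    for key, line in parse_entries(log).items():
        if key.startswith("O4:"):
            m = RUNDLL_RE.search(line)
            if m:
                found.append((key[len("O4:"):], m["dll"]))
    return found


if __name__ == "__main__":
    for section, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"== {section} ({len(lines)}) ==")
        for line in lines:
            print("  " + line)
    print("== O4 entries still loading a DLL through rundll32.exe ==")
    for name, dll in rundll32_autoruns(LOG_AFTER):
        print(f"  [{name}] {dll}")
```

On the constructed excerpts this reports the two `O3` toolbars, the Search Bar and Start Page values and the `000hpdllhost` autorun as removed, the `SearchAssistant` value as changed to `about:blank`, and shows that the `he3bbcff` and `readdb40` Run keys still hand a System32 DLL to rundll32.exe, which is the list a helper would want to look at next.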



