Turtle

Need help with spy/adware

13 posts in this topic

I first started noticing I had some type of spyware about a week ago when links to commercial sites appeared on my desktop/IE favorites list. A toolbar also appeared at the bottom of my screen (not on my IE, but on my desktop). I forgot exactly what it was called, because I immediately went into my add/remove list in control panel and saw at the bottom an item (sorry, forgot exactly what it was called as well) that had something about IE in it. The title didn't make it look professional, and I didn't need any more confirmation that it was some type of spyware when I clicked to uninstall and it gave me the whole 'Are you sure you would like to uninstall? You will miss all the great deals we have to offer'. This removed the toolbar on my screen, but I knew that wasn't the end. I get pop-ups a lot more than I should, and they appear on websites that I know aren't affiliated with them, and sometimes even when a browser isn't open. I started noticing in websites I browsed in IE that some common words such as 'computer' 'plane' 'house' appeared as links formatted in the way all other links on the website are, except these, when clicked on, lead to external pop-ups and commercial websites that have nothing to do with the site I was at. After this, I downloaded Ad-aware and Spybot. I ran them both, and they got rid of quite a few items. However, many items reappear in Spybot after awhile even after being deleted, such as a group called 'DSO Exploit' (5 entries), and one called 'Turbo Download' (3 entries). Also, there is a group called 'People on Page' (3 entries) that isn't checked by default by Spybot. Since it wasn't defaulted, I am hesitant to delete it. The group contains one file and two registry keys. Ad-aware has a similar situation, except with about 40 items that go unchecked by default. Most of these are also in the 'People on Page' and 'Turbo Download' vendors, but also many under 'Tracking Cookie'.
The ad-aware items are mostly files and regkeys, with a few folders and regvalues, and one process (PeopleOnPage). I also ran CWShredder which found and apparently corrected one item. I did a little manual research, and here are some strange things I have found throughout my computer that I think are worth noting:

 

In my tools section of IE, there is an option called MaxSpeed (which appears between Windows Update and Internet Options). When clicked on, it brings up a small, cheesy window entitled 'Download Acceleration' with a picture of a wrench by the title. There is a box to choose between dial-up and broadband, and a bar that lets you choose your 'acceleration speed' and a button to apply the settings. (I've never messed with it since I'm assuming it is somehow related to my problem.) As far as I know, I haven't downloaded anything with this MaxSpeed, and I've only noticed it recently. There is a directory in my Program Files called MaxSpeed, but the only things in it are three internet shortcuts entitled Privacy Info, Terms and Conditions, and Uninstall Instructions. They bring me to http://www.consumersoftwarelabs.com/ (whichever link I clicked on).html, but unfortunately none of them work. After just looking at consumersoftwarelabs.com, it appears they created 'Turbo Speed' (found by Spybot/Adaware) as well as this MaxSpeed thing. They also created something called 'text highlighter' which might explain how links are being created to random sites/popups on websites I look at (explained earlier). When I clear what Spybot finds, these highlights will cease for a bit, but eventually reappear as the spyware finds its way back on my computer. Here are some other questionable items I have found in my Program Files: Altnet-contains folders called My Altnet Shares and Bullguard Protection (which contains plugins.cab, a winRAR archive), AWS-contains WeatherBug (I've heard this can be spyware, but I have no idea how I got it), ClearSearch-empty, ClockSynch-empty, ComPlus Applications-empty, MSMXL 4.0-empty, MyWay-contains myBar (I'm thinking this is what the toolbar was that I mentioned in the beginning of post), PerfectNav-contains BHO (marked as spyware by SWI BHO list), SysAI-empty, Tracker-empty, WhenUSearch-empty.
In my Add/Remove Programs list, there are some similarly strange items: IE Host-no information, Internet Explorer Q831167-no information, MaxSpeed- 0.01mb, MSMXL 4.0 SP2 Parser and SDK- 1.28mb, Secure Delivery-no information, Text Highlight-no information, Viewpoint Manager-0.21mb, Viewpoint Media Player- 4.16mb, WexTech AnswerWorks- 0.87mb. I'm not saying all of these are spyware, (sorry if some of these have nothing to do with spyware) just that I don't know exactly what they are or where I got them. On a slightly different note, I'm not sure if this is worth mentioning, but it may have something to do with my problem: I used to have Google Toolbar, but right around when this problem started, it seemed to disappear. I can't remember exactly when it left, but I'm thinking either spybot or ad-aware detected it as spyware. The GoogleToolbar1.dll is still on my comp, but IE doesn't seem to recognize it anymore.

 

Also, I have AVG and it keeps informing me through a pop-up message that it detects 'Trojan Horse Backdoor VB.11.BC'. However, when I run a complete scan with AVG, it finds nothing at all. I don't know how much this ties in to the rest of my problem, but it is getting just as annoying.

 

Since the initial spyware/ad-aware sweep, no toolbars or internet shortcuts have shown up on my computer, and the pop-ups have decreased, but some aspects of the spyware return no matter how much I keep checking/fixing my computer, such as the formatting of common words in websites into links. I know this has been a long post, and sorry if some of the details I mentioned went a little too deep, but I wanted to be as specific as possible. And finally, here is my most recent HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 5:25:38 PM, on 5/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe

C:\WINDOWS\System32\IEHost.exe

C:\WINDOWS\System32\sdpsvc.exe

C:\WINDOWS\System32\sdpsvc.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\mIRC\mirc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\CompRoom\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [vGTWwE3] C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Ryeo85km.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [AutoLoader0Fvq1YcgOWaL] "C:\WINDOWS\System32\sdpsvc.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [0s4W3sh] sdpsvc.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab

O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/accoun...bles/ie/IDA.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7987.6293287037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

 

I also have a startup list if you would like me to post it, and thanks for any help in advance.


No need to bump it more than once a day. :huh:

 

You are infected with the peper trojan.

 

Download Peper Uninstaller from here - http://www.downloads.subratam.org/uninst.exe.

Then Run this uninstaller (you must be online for the uninstall to be successful, make sure you allow it access through any firewall you have).

 

Run it twice, just to make sure.

 

Then reboot and please post a new log.


First, thanks for the help. I ran a lot of removal software (just to get one quick sweep), restarted in safe mode, and ran the uninstaller (many times). I then manually removed C:\WINDOWS\System32\sdpsvc.exe (I was instructed to do this in another forum, and I noticed that some of the strange regkeys where peper.A is located pointed to this file). Here is my latest HijackThis log (which is now located in its own folder):

 

Logfile of HijackThis v1.97.7

Scan saved at 2:15:17 PM, on 5/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe

C:\WINDOWS\System32\IEHost.exe

C:\Program Files\AutoUpdate\AutoUpdate.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [vGTWwE3] C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [AutoLoader0Fvq1YcgOWaL] "C:\WINDOWS\System32\sdpsvc.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [0s4W3sh] sdpsvc.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab

O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/accoun...bles/ie/IDA.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7987.6293287037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab


Good work. Looking better already. :)

 

In the following list, please use Control Panel Add/Remove to uninstall the related programs, if possible.

 

Then

Tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.

 

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [iEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U

O4 - HKLM\..\Run: [vGTWwE3] C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe

O4 - HKLM\..\Run: [AutoLoader0Fvq1YcgOWaL] "C:\WINDOWS\System32\sdpsvc.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [0s4W3sh] sdpsvc.exe

 

After fix and reboot, move all these to your Recycle Bin:

 

Whole folders

C:\Program Files\Viewpoint\

C:\Program Files\ClockSync\

C:\Program Files\AutoUpdate\

C:\WINDOWS\System32\IEDriver\

C:\documents and settings\comproom\local settings\temp\

 

and these files:

C:\WINDOWS\System32\IEHost.exe

C:\WINDOWS\System32\dp-him.exe

C:\WINDOWS\System32\sdpsvc.exe

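An added example, not part of the thread or any poster's code: a small Python check of the step this thread repeats, comparing a "Fix checked" list of O4 registry autoruns against a follow-up HijackThis log to see which entries survive, and picking out autoruns that launch from a temp folder. The sample lines are copied from the logs above; the function and variable names are this example's own.

```python
import re
from typing import List, NamedTuple


class Autorun(NamedTuple):
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # registry value name shown in [brackets]
    command: str   # command line the value launches


# Matches registry autorun lines such as:
#   O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
# "O4 - Global Startup:" shortcut lines use a different layout and are skipped.
O4_REGISTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")


def parse_autoruns(log_text: str) -> List[Autorun]:
    """Return every O4 registry autorun entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        match = O4_REGISTRY.match(line.strip())
        if match:
            entries.append(Autorun(*match.groups()))
    return entries


def _identity(entry: Autorun) -> tuple:
    # Registry names and Windows paths are case-insensitive.
    return tuple(field.lower() for field in entry)


def still_present(fix_list: str, later_log: str) -> List[Autorun]:
    """Entries from the fix list that a later log still reports."""
    later = {_identity(e) for e in parse_autoruns(later_log)}
    return [e for e in parse_autoruns(fix_list) if _identity(e) in later]


def runs_from_temp(entries: List[Autorun]) -> List[Autorun]:
    """Autoruns whose command line points into a \\temp\\ directory."""
    return [e for e in entries if re.search(r"\\temp\\", e.command, re.IGNORECASE)]


# The nine entries the helper asked to have fixed (copied from the post above).
FIX_LIST = r"""
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [iEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U
O4 - HKLM\..\Run: [vGTWwE3] C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe
O4 - HKLM\..\Run: [AutoLoader0Fvq1YcgOWaL] "C:\WINDOWS\System32\sdpsvc.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [0s4W3sh] sdpsvc.exe
"""

# Excerpt of the 2:15:17 PM log, taken before "Fix checked" was run.
LOG_BEFORE_FIX = r"""
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [vGTWwE3] C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe
O4 - HKLM\..\Run: [0s4W3sh] sdpsvc.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

# Excerpt of the 3:36:04 PM log, taken after the fix and reboot.
LOG_AFTER_FIX = r"""
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

if __name__ == "__main__":
    for label, log in (("before fix", LOG_BEFORE_FIX), ("after fix", LOG_AFTER_FIX)):
        print(label, "->", [e.name for e in still_present(FIX_LIST, log)])
    print("from temp ->", [e.name for e in runs_from_temp(parse_autoruns(FIX_LIST))])
```
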

Ok, I removed all the programs that seemed to have something to do with the HijackThis items, fixed the items on HijackThis, and manually removed all the items that you listed, except for the ones I couldn't find. I didn't see an IEDriver folder, or dp-him.exe (maybe these were somehow already removed..?), and I couldn't find a temp folder in my documents and settings (though there is one located on C:). I'm hoping all this is good news. Here's a HijackThis log after completing all the steps that I could:

 

Logfile of HijackThis v1.97.7

Scan saved at 3:36:04 PM, on 5/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7987.6293287037


Excellent! :D

 

Some of those files might have been hidden -

Make sure you are set to show hidden files and folders:

Show Hidden Files and Folders

 

If PC is running ok and all your programs work, then you can empty Recycle Bin in a day or so.


Well I just turned on hidden files/folders, and I still can't find IEDriver folder or dp-him.exe, but I did find my temp folder. I just want to make sure I'm supposed to delete my entire temp folder. I'm guessing Windows will create a new one? Also, this may be off topic, but could I do the same for my Temporary Internet Files (just to clean up a little)?


Sure -

 

And temp folders in C:\Documents and Settings\ would usually just have throwaway stuff used in installations or other such one-time things.

 

Sensible to take a look inside before deleting, though.


Well, looks like I spoke too soon. :weep: AVG keeps informing me I have 'Trojan Horse Backdoor VB.11.BC' (I first mentioned this in the first post). It is finding it in C:\System Volume Information, and I wanted to take a look around, but Windows won't let me enter the folder. Also, after removing the trojan (at least after I thought I did), I did one last sweep with my spyware software, and it still found many items relating to 'PeopleOnPage' (also mentioned in first post). So far, none of the annoying symptoms of the spyware have returned (such as pop-ups and word highlighting) but it seems the trojan is still on my computer. Does anyone have any more ideas on how to get rid of this spyware/trojan? :wtf: Just to look at, here's my latest HijackThis, but I don't think there's anything new on it or anything:

 

Logfile of HijackThis v1.97.7

Scan saved at 1:36:40 PM, on 5/31/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\mIRC\mirc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7987.6293287037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
