Need help with spy/adware


12 replies to this topic

#1 Turtle
Member (Full Member, 9 posts)

Posted 29 May 2004 - 05:31 PM

I first started noticing I had some type of spyware about a week ago when links to commercial sites appeared on my desktop/IE favorites list. A toolbar also appeared at the bottom of my screen (not in IE, but on my desktop). I forgot exactly what it was called, because I immediately went into my Add/Remove list in Control Panel and saw at the bottom an item (sorry, forgot exactly what it was called as well) that had something about IE in it. The title didn't make it look professional, and I didn't need any more confirmation that it was some type of spyware when I clicked to uninstall and it gave me the whole 'Are you sure you would like to uninstall? You will miss all the great deals we have to offer'. This removed the toolbar on my screen, but I knew that wasn't the end.

I get pop-ups a lot more than I should, and they appear on websites that I know aren't affiliated with them, and sometimes even when a browser isn't open. I started noticing on websites I browsed in IE that some common words such as 'computer', 'plane' and 'house' appeared as links formatted the same way as all the other links on the website, except these, when clicked on, lead to external pop-ups and commercial websites that have nothing to do with the site I was at.

After this, I downloaded Ad-aware and Spybot. I ran them both, and they got rid of quite a few items. However, many items reappear in Spybot after a while even after being deleted, such as a group called 'DSO Exploit' (5 entries) and one called 'Turbo Download' (3 entries). Also, there is a group called 'People on Page' (3 entries) that isn't checked by default by Spybot. Since it wasn't checked by default, I am hesitant to delete it. The group contains one file and two registry keys. Ad-aware has a similar situation, except with about 40 items that go unchecked by default. Most of these are also under the 'People on Page' and 'Turbo Download' vendors, but also many under 'Tracking Cookie'. The Ad-aware items are mostly files and regkeys, with a few folders and regvalues, and one process (PeopleOnPage). I also ran CWShredder, which found and apparently corrected one item. I did a little manual research, and here are some strange things I have found throughout my computer that I think are worth noting:

In the Tools menu of IE, there is an option called MaxSpeed (which appears between Windows Update and Internet Options). When clicked on, it brings up a small, cheesy window entitled 'Download Acceleration' with a picture of a wrench by the title. There is a box to choose between dial-up and broadband, a bar that lets you choose your 'acceleration speed', and a button to apply the settings. (I've never messed with it since I'm assuming it is somehow related to my problem.) As far as I know, I haven't downloaded anything with this MaxSpeed, and I've only noticed it recently. There is a directory in my Program Files called MaxSpeed, but the only things in it are three internet shortcuts entitled Privacy Info, Terms and Conditions, and Uninstall Instructions. They bring me to http://www.consumersoftwarelabs.com/ (whichever link I clicked on).html, but unfortunately none of them work. After just looking at consumersoftwarelabs.com, it appears they created 'Turbo Speed' (found by Spybot/Ad-aware) as well as this MaxSpeed thing. They also created something called 'text highlighter', which might explain how links are being created to random sites/pop-ups on websites I look at (explained earlier). When I clear what Spybot finds, these highlights will cease for a bit, but eventually reappear as the spyware finds its way back onto my computer.

Here are some other questionable items I have found in my Program Files:
  • Altnet - contains folders called My Altnet Shares and Bullguard Protection (which contains plugins.cab, a WinRAR archive)
  • AWS - contains WeatherBug (I've heard this can be spyware, but I have no idea how I got it)
  • ClearSearch - empty
  • ClockSynch - empty
  • ComPlus Applications - empty
  • MSMXL 4.0 - empty
  • MyWay - contains myBar (I'm thinking this is what the toolbar was that I mentioned at the beginning of the post)
  • PerfectNav - contains BHO (marked as spyware by the SWI BHO list)
  • SysAI - empty
  • Tracker - empty
  • WhenUSearch - empty

In my Add/Remove Programs list, there are some similarly strange items:
  • IE Host - no information
  • Internet Explorer Q831167 - no information
  • MaxSpeed - 0.01 MB
  • MSMXL 4.0 SP2 Parser and SDK - 1.28 MB
  • Secure Delivery - no information
  • Text Highlight - no information
  • Viewpoint Manager - 0.21 MB
  • Viewpoint Media Player - 4.16 MB
  • WexTech AnswerWorks - 0.87 MB

I'm not saying all of these are spyware (sorry if some of these have nothing to do with spyware), just that I don't know exactly what they are or where I got them. On a slightly different note, I'm not sure if this is worth mentioning, but it may have something to do with my problem: I used to have Google Toolbar, but right around when this problem started, it seemed to disappear. I can't remember exactly when it left, but I'm thinking either Spybot or Ad-aware detected it as spyware. The GoogleToolbar1.dll is still on my computer, but IE doesn't seem to recognize it anymore.

Also, I have AVG, and it keeps informing me through a pop-up message that it detects 'Trojan Horse Backdoor VB.11.BC'. However, when I run a complete scan with AVG, it finds nothing at all. I don't know how much this ties in with the rest of my problem, but it is getting just as annoying.

Since the initial Spybot/Ad-aware sweep, no toolbars or internet shortcuts have shown up on my computer, and the pop-ups have decreased, but some aspects of the spyware return no matter how much I keep checking/fixing my computer, such as the formatting of common words on websites into links. I know this has been a long post, and sorry if some of the details I mentioned went a little too deep, but I wanted to be as specific as possible. And finally, here is my most recent HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 5:25:38 PM, on 5/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\sdpsvc.exe
C:\WINDOWS\System32\sdpsvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CompRoom\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vGTWwE3] C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Ryeo85km.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AutoLoader0Fvq1YcgOWaL] "C:\WINDOWS\System32\sdpsvc.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [0s4W3sh] sdpsvc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intu...bles/ie/IDA.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7987.6293287037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

I also have a startup list if you would like me to post it, and thanks for any help in advance.

#2 Turtle
Member (Full Member, 9 posts)

Posted 29 May 2004 - 07:46 PM

buh

Edited by Turtle, 30 May 2004 - 01:25 AM.


#3 Turtle
Member (Full Member, 9 posts)

Posted 30 May 2004 - 01:27 AM

Just a friendly bump :)

#4 Turtle
Member (Full Member, 9 posts)

Posted 30 May 2004 - 12:44 PM

I know this is long but could someone please take a whack at it when you get a chance?

#5 cnm
Mother Lion of SWI (Administrators, 25,317 posts)

Posted 30 May 2004 - 01:14 PM

No need to bump it more than once a day. :huh:

You are infected with the peper trojan.

Download Peper Uninstaller from here - http://www.downloads....org/uninst.exe.
Then Run this uninstaller (you must be online for the uninstall to be successful, make sure you allow it access through any firewall you have).

Run it twice, just to make sure.

Then reboot and please post a new log.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#6 Turtle
Member (Full Member, 9 posts)

Posted 30 May 2004 - 02:21 PM

First, thanks for the help. I ran a lot of removal software (just to get one quick sweep), restarted in safe mode, and ran the uninstaller (many times). I then manually removed C:\WINDOWS\System32\sdpsvc.exe (I was instructed to do this in another forum, and I noticed that some of the strange regkeys where peper.A is located pointed to this file). Here is my latest HijackThis log (HijackThis is now located in its own folder):

Logfile of HijackThis v1.97.7
Scan saved at 2:15:17 PM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vGTWwE3] C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AutoLoader0Fvq1YcgOWaL] "C:\WINDOWS\System32\sdpsvc.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [0s4W3sh] sdpsvc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intu...bles/ie/IDA.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7987.6293287037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

#7 cnm
Mother Lion of SWI (Administrators, 25,317 posts)

Posted 30 May 2004 - 02:55 PM

Good work. Looking better already. :)

In the following list, please use Control Panel Add/Remove to uninstall the related programs, if possible.

Then
Tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U
O4 - HKLM\..\Run: [vGTWwE3] C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe
O4 - HKLM\..\Run: [AutoLoader0Fvq1YcgOWaL] "C:\WINDOWS\System32\sdpsvc.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [0s4W3sh] sdpsvc.exe

After fix and reboot, move all these to your Recycle Bin:

Whole folders
C:\Program Files\Viewpoint\
C:\Program Files\ClockSync\
C:\Program Files\AutoUpdate\
C:\WINDOWS\System32\IEDriver\
C:\documents and settings\comproom\local settings\temp\

and these files:
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\sdpsvc.exe

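One way to triage a log like the ones in this thread, as an added example (not HijackThis code, and not something cnm or Turtle posted): parse the O4 autorun lines and the R0/R1 URL lines and score each entry with a few of the rules a helper applies by eye, such as an image running from a temp directory, a browser binary name outside its real directory, a machine-generated value name, a /HideUninstall switch, and a search page redirected to a local file. The sample entries are copied from the logs posted above, with the NVIDIA, AVG and Microsoft RunOnce lines kept as benign controls; the rules, the severity labels and the Windows XP directory table are this example's own assumptions.

```python
# Heuristic triage of HijackThis O4 (autorun) and R0/R1 (IE URL) entries.
# Added example for this thread; not HijackThis code and not from the forum.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "entry severity reason")

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# "R1 - HKCU\...\Main,Search Bar = file://..." -> label "R1 Search Bar"
R_RE = re.compile(r"^(R[01]) - [^,]*,([^=]*?) = ")
# Leading image path (quoted or not) ending in a PE extension, then the arguments.
IMG_RE = re.compile(r'^"?([^"]*?\.(?:exe|dll|scr|com))"?(.*)$', re.IGNORECASE)
# Assumed Windows XP homes of binaries that malware likes to name itself after.
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}
LOADERS = {"rundll32.exe", "regsvr32.exe"}  # the image of interest is their DLL argument


def split_command(cmd):
    """Return (image_path, arguments); for rundll32/regsvr32 the image is the DLL."""
    m = IMG_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    image, rest = m.group(1), m.group(2)
    if image.lower().rsplit("\\", 1)[-1] in LOADERS:
        m2 = IMG_RE.match(rest.strip())
        if m2:
            image, rest = m2.group(1), m2.group(2)
    return image, rest.strip()


def alnum_transitions(name):
    """Count letter<->digit run changes: 'Q828026' -> 1, '0s4W3sh' -> 5."""
    kinds = [run[0].isdigit() for run in re.findall(r"[A-Za-z]+|\d+", name)]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def check_o4(name, cmd):
    """Yield (severity, reason) pairs for one O4 autorun entry."""
    image, args = split_command(cmd)
    low = image.lower()
    directory, _, base = low.rpartition("\\")
    if re.search(r"(^|\\)temp\\", low):
        yield "high", "autorun image lives in a temp directory"
    if base in EXPECTED_DIR and directory != EXPECTED_DIR[base]:
        yield "high", "%s running from %s instead of %s" % (base, directory, EXPECTED_DIR[base])
    if "/hideuninstall" in args.lower():
        yield "high", "command line asks the program to hide its uninstaller"
    if alnum_transitions(name) >= 2:
        yield "medium", "value name looks machine-generated"
    if "\\" not in image:
        yield "low", "bare image name, resolved through PATH search"


def triage(log_text):
    """Run the rules over a HijackThis log and return the findings in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if line.startswith(("R0 - ", "R1 - ")) and "= file://" in line.lower():
            r = R_RE.match(line)
            label = "%s %s" % (r.group(1), r.group(2)) if r else line
            findings.append(Finding(label, "high", "IE start/search page points at a local file"))
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group(3), m.group(4)
            findings.extend(Finding(name, sev, why) for sev, why in check_o4(name, cmd))
    return findings


# Constructed sample: entries copied from the logs posted in this thread, with
# the NVIDIA, AVG and Microsoft RunOnce lines kept as benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/
O4 - HKLM\..\Run: [vGTWwE3] C:\documents and settings\comproom\local settings\temp\vGTWwE3.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Ryeo85km.exe
O4 - HKLM\..\Run: [AutoLoader0Fvq1YcgOWaL] "C:\WINDOWS\System32\sdpsvc.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [0s4W3sh] sdpsvc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-24s %s" % (f.severity, f.entry, f.reason))
```

Run against the sample, the vGTWwE3, AutoLoader0Fvq1YcgOWaL, IEDriver and R1 Search Bar entries come out high and the NVIDIA, AVG and Q828026 lines stay clean, but nwiz is reported low for its bare image name (a known benign pattern) and Bakra/IEHost.exe gets nothing at all: its value name and System32 path look ordinary. That miss is the reason a helper still checks every unfamiliar image in System32 rather than stopping at what the heuristics flag.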


#8 Turtle
Member (Full Member, 9 posts)

Posted 30 May 2004 - 03:37 PM

Ok, I removed all the programs that seemed to have something to do with the HijackThis items, fixed the items in HijackThis, and manually removed all the items that you listed, except for the ones I couldn't find. I didn't see an IEDriver folder or dp-him.exe (maybe these were somehow already removed..?), and I couldn't find a temp folder in my Documents and Settings (though there is one located on C:). I'm hoping all this is good news. Here's a HijackThis log after completing all the steps that I could:

Logfile of HijackThis v1.97.7
Scan saved at 3:36:04 PM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7987.6293287037

#9 cnm
Mother Lion of SWI (Administrators, 25,317 posts)

Posted 30 May 2004 - 03:45 PM

Excellent! :D

Some of those files might have been hidden -
Make sure you are set to show hidden files and folders:
Show Hidden Files and Folders

If PC is running ok and all your programs work, then you can empty Recycle Bin in a day or so.



#10 Turtle
Member (Full Member, 9 posts)

Posted 30 May 2004 - 04:01 PM

Well I just turned on hidden files/folders, and I still can't find IEDriver folder or dp-him.exe, but I did find my temp folder. I just want to make sure I'm supposed to delete my entire temp folder. I'm guessing Windows will create a new one? Also, this may be off topic, but could I do the same for my Temporary Internet Files (just to clean up a little)?

#11 cnm
Mother Lion of SWI (Administrators, 25,317 posts)

Posted 30 May 2004 - 04:26 PM

Sure -

And temp folders in C:\Documents and Settings\ would usually just have throwaway stuff used in installations or other such one-time things.

Sensible to take a look inside before deleting, though.



#12 Turtle
Member (Full Member, 9 posts)

Posted 31 May 2004 - 01:41 PM

Well, looks like I spoke too soon. :weep: AVG keeps informing me I have 'Trojan Horse Backdoor VB.11.BC' (I first mentioned this in the first post). It is finding it in C:\System Volume Information, and I wanted to take a look around, but Windows won't let me enter the folder. Also, after removing the trojan (at least after I thought I did), I did one last sweep with my spyware software, and it still found many items relating to 'PeopleOnPage' (also mentioned in the first post). So far, none of the annoying symptoms of the spyware have returned (such as pop-ups and word highlighting), but it seems the trojan is still on my computer. Does anyone have any more ideas on how to get rid of this spyware/trojan? :wtf: Just to look at, here's my latest HijackThis log, but I don't think there's anything new on it or anything:

Logfile of HijackThis v1.97.7
Scan saved at 1:36:40 PM, on 5/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mchsi.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7987.6293287037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#13 Turtle
Member (Full Member, 9 posts)

Posted 31 May 2004 - 07:07 PM

Nevermind, I think I'm clear! ;D

Edited by Turtle, 01 June 2004 - 09:50 PM.
