PDA

View Full Version : SpyBot S&D Found Several Items HJT posted also


pastorwilliambarhorst
2007-03-06, 04:00
Items found with SpyBot S&D:

CAS-Client
MediaPlex
MyWay.MyWebSearch
Network Monitor
RealDownloadExpress
Trek Blue Error Nuker
Zlod.Downloader

I do not know which I need or which to remove and how to do it. If I get instructions I can do it. My Yahoo messenger was hacked and someone instant messaged everyone on my messenger as if I sent it, The IM said Who Is in the pic with you with a file that was a jpg So I clicked it and thats when he hacked into my messenger and sent that same im to everyone on my friend list which he can do to everyones messenger now. I unplugged my PC Cable stopping internet connection. Then I got back my messenger logged in and changed my password, then I messsaged everyone on my messenger not to click that file. Many responded back saying thank you for the warning.
But I believe thats how I got these other downloaders and viruses on my pc. I ran the following antiviurs progs:
BugDoctor, PC PitStop Optimize, PC Registry Cleaner. I am now running XoftSpy. I have Winzip, but the trial is expired so cant use it. Any suggestions for a free unzipping prog? Any and all help is very much appreciated,
Thank You, Pastor William Barhorst.

Logfile of HijackThis v1.99.1
Scan saved at 3:12:01 PM, on 3/4/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\szserver.exe
c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\psimsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\apvxdwin.exe
E:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
c:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
E:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\William Barhorst\Local Settings\Temp\Temporary Directory 2 for

hijackthis.zip\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ykvuqhf.exe
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program

Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program

Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program

Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program

Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall

2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] E:\Program Files\Optimize virus

scan\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\RunServices: [TPSRV9x] "C:\Program Files\Panda Software\Panda Antivirus + Firewall

2007\TPSrv.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\Spybot - Search &

Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft

ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file

missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -

C:\WINDOWS\web\related.htm (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -

http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

http://software-dl.real.com/07ee1337ad0d7a05a916/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) -

http://webcam04.deg.net/activex/AMC.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) -

https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) -

http://87.245.83.189/activex/AMC.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4846/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad

Blocker\SABWINLO.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -

C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5

Shared\Service\Licence Manager ESD.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program

Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program

Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program

Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program

files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda

Software\Panda Antivirus + Firewall 2007\psimsvc.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program

Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common

Files\STOPzilla!\szserver.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda

Antivirus + Firewall 2007\TPSrv.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
pskelley
2007-03-06, 16:35
Welcome to the forum, I would like to help but we have major obstacles.

1) Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, using the Post Reply button.

2) it appears you have missed some important instructions our administrator has posted
at the top of the forum, especially this:
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.

Thanks
tashi
2007-03-19, 01:31
Due to lack of a response to helper this topic has been archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.
tashi
2007-03-20, 00:18
Re-opened upon request. :)
pastorwilliambarhorst
2007-03-22, 15:41
NOD32 is my Anti-Virus program
Incident Status Location

Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\William Barhorst\Cookies\william barhorst@server.iad.liveperson[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\William Barhorst\Cookies\william barhorst@2o7[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\William Barhorst\Cookies\william barhorst@adultfriendfinder[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\William Barhorst\Cookies\william barhorst@tribalfusion[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\William Barhorst\Cookies\william barhorst@serving-sys[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\William Barhorst\Cookies\william barhorst@bs.serving-sys[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\William Barhorst\Cookies\william barhorst@trafficmp[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\William Barhorst\Cookies\william barhorst@questionmarket[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.2o7.net/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.ads.addynamix.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.ads.pointroll.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.atwola.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.revenue.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[.tribalfusion.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[citi.bridgetrack.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[server.iad.liveperson.net/hc/66772983]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[server.iad.liveperson.net/hc/89451406]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\COOKIES.TXT[www.burstbeacon.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-1.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-1.txt[.trafficmp.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-1.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-1.txt[.trafficmp.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-1.txt[.atdmt.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-1.txt[statse.webtrendslive.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-1.txt[.2o7.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-2.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-2.txt[.trafficmp.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-2.txt[.atdmt.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-2.txt[statse.webtrendslive.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-2.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-3.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-3.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-3.txt[.trafficmp.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-3.txt[statse.webtrendslive.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\William Barhorst\Application Data\Mozilla\Firefox\Profiles\x1bhscrs.default\cookies-3.txt[.2o7.net/]
Potentially unwanted tool:Application/SpywareStormer Not disinfected E:\WINDOWS\Downloaded Program Files\Install.dll
Spyware:Spyware/PeoplePC Not disinfected E:\Documents and Settings\William Barhorst\Local Settings\Temp\PeoplePC Online\DLL\RAS.DLL
pastorwilliambarhorst
2007-03-22, 15:44
Logfile of HijackThis v1.99.1
Scan saved at 2:46:30 AM, on 3/22/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinRAR\WinRAR.exe
E:\Bills Installs\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/07ee1337ad0d7a05a916/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://webcam04.deg.net/activex/AMC.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://87.245.83.189/activex/AMC.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4846/mcfscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: AntiWGA - C:\WINDOWS\SYSTEM32\AntiWGA.dll
O20 - Winlogon Notify: SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
pskelley
2007-03-22, 16:43
I am going to take the time and space to repeat these instructions to you:

Welcome to the forum, I would like to help but we have major obstacles.

1) Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/d...1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, using the Post Reply button.

2) it appears you have missed some important instructions our administrator has posted
at the top of the forum, especially this:
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.Thanks
tashi
2007-04-01, 02:21
This topic has been archived.