SpyBotSD14 Wont Load or run



BBurdon
2007-04-15, 21:46
Hi all,
I downloaded SpybotSD14 and when I clicked on the .exe, it went to the language screen and then disappeared. It does this every time. I then started in safe mode, and installed it, however I could not run it because of some updates I had to do. So I restarted in regular mode, and somehow got the updates for it, and then restarted in safe mode, and proceeded to run a scan. I fixed all the red (26 of them) and went back into regular mode. Tried to run Spybot, and it would say "loading Spybot" and then disappear. So I followed your threads and went to HJT, and downloaded it and ran a scan and saved it. It is below. Any help you guys can give me would be great, because I would really hate to have to format this thing. Thanks B.

Logfile of HijackThis v1.99.1
Scan saved at 3:30:49 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\NetMeeting\DAO\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HighJack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\NetMeeting\DAO\svchost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

pskelley
2007-04-17, 15:11
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

You may hold that antivirus scan while we look at the information we have. I need to know about this item:
C:\Program Files\NetMeeting\DAO\svchost.exe
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\NetMeeting\DAO\svchost.exe
It is very likely this is a trojan and a bad one. I can find no information on my end, but I can show you this:
http://www.neuber.com/taskmanager/process/lsass.exe.html

Note: The lsass.exe file is located in the folder C:\Windows\System32\, in other cases, lsass.exe is a virus, spyware, trojan or worm! Since this is using a valid program, svchost.exe to run from C:\Program Files\, we need to find out what it is. Are you using NetMeeting? Navigate to that program and give me any information that is there, then use one or more of these free online scanners to scan the file. Make sure you scan that C:\Program Files\NetMeeting\DAO\svchost.exe and not a valid one running from C:\Windows\System32\
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Post those results

Thanks
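
The check applied in the post above (a system file name, svchost.exe, running from outside System32 under a Run entry labelled as LSASS) can be run mechanically over a HijackThis log. The Python below is an added example, not part of the original thread or of HijackThis; the expected-folder table, the label list and all function names are assumptions, and the sample is an excerpt of the log posted earlier in this thread.

```python
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"
# Folder each core Windows binary is expected to run from (XP layout, as in the log).
EXPECTED_DIR = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "explorer.exe": r"c:\windows",
}
# Distinctive process names a startup label should only cite for that exact binary.
LABEL_STEMS = ("lsass", "svchost", "winlogon", "csrss", "smss", "spoolsv")

# Constructed sample: excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetMeeting\DAO\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\NetMeeting\DAO\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


def exe_path(command):
    """Pull the executable path out of a command line, quoted or not."""
    m = re.match(r'\s*"?(.+?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else None


def misplaced(path):
    """True when a protected file name runs from an unexpected folder."""
    folder, name = ntpath.split(ntpath.normcase(path))
    expected = EXPECTED_DIR.get(name)
    return expected is not None and folder != expected


def borrowed_name(label, path):
    """Return the system process name a label cites while starting another file."""
    target = ntpath.basename(ntpath.normcase(path))
    for stem in LABEL_STEMS:
        cited = re.search(r"\b%s\b" % stem, label.lower())
        if cited and (target != stem + ".exe" or misplaced(path)):
            return stem
    return None


def parse_log(text):
    """Return (running process paths, [(source, label, path)] autostart entries)."""
    processes, autostarts, in_processes = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif in_processes and not line:
            in_processes = False          # blank line ends the process list
        elif in_processes:
            processes.append(line)
        else:
            run = re.match(r"O4 - \S+: \[(.+?)\] (.+)", line)
            svc = re.match(r"O23 - Service: (.+?) - .+ - (.+)", line)
            hit = ("O4", run) if run else ("O23", svc) if svc else None
            if hit and exe_path(hit[1].group(2)):
                autostarts.append((hit[0], hit[1].group(1), exe_path(hit[1].group(2))))
    return processes, autostarts


def find_masquerades(text):
    """List (source, path, reason) for entries that imitate a system process."""
    processes, autostarts = parse_log(text)
    findings = [("process", p, "system file name outside its expected folder")
                for p in processes if misplaced(p)]
    for source, label, path in autostarts:
        if misplaced(path):
            findings.append((source, path, "system file name outside its expected folder"))
        stem = borrowed_name(label, path)
        if stem:
            findings.append((source, path, "label cites '%s' but starts another file" % stem))
    return findings


if __name__ == "__main__":
    for finding in find_masquerades(SAMPLE_LOG):
        print(" | ".join(finding))
```

A hit from this check is only a reason to look closer; the file still needs the multi-engine scan requested above before it is treated as malicious.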

BBurdon
2007-04-18, 02:47
I can find nothing about that file. I am not using Netmeeting, never have and probably never will. The following are my scans...From http://virusscan.jotti.org/

Scan taken on 18 Apr 2007 00:40:22 (GMT)
AntiVir Found SPR/007SpySoft.308.13
ArcaVir Found nothing
Avast Found Win32:007SpySoft
AVG Antivirus Found Logger.ARX
BitDefender Found Spyware.007spysoft.308
ClamAV Found nothing
Dr.Web Found Trojan.KeyLogger.669
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:Monitor.Win32.007SpySoft.308 (6, 2, 604)
Fortinet Found Keylog/007SpySoft
Kaspersky Anti-Virus Found not-a-virus:Monitor.Win32.007SpySoft.308
NOD32 Found a variant of Win32/Spy.007 Spy application
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


From http://www.kaspersky.com/scanforvirus

Scanned file: svchost.exe - Infected
svchost.exe - infected by not-a-virus:Monitor.Win32.007SpySoft.308

Statistics:
Known viruses: 298716 Updated: 18-04-2007
File size (Kb): 284 Virus bodies: 1
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

From http://www.virustotal.com

Complete scanning result of "svchost.exe", received in VirusTotal at 04.18.2007, 02:41:01 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.18.0 04.17.2007 no virus found
AntiVir 7.3.1.53 04.17.2007 no virus found
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.17.2007 Win32:007SpySoft
AVG 7.5.0.447 04.17.2007 Potentially harmful program Logger.ARX
BitDefender 7.2 04.18.2007 Spyware.007spysoft.308
CAT-QuickHeal 9.00 04.17.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 04.18.2007 no virus found
DrWeb 4.33 04.17.2007 Trojan.KeyLogger.669
eSafe 7.0.15.0 04.17.2007 no virus found
eTrust-Vet 30.7.3574 04.17.2007 no virus found
Ewido 4.0 04.17.2007 Not-A-Virus.Monitor.Win32.007SpySoft.308
FileAdvisor 1 04.18.2007 no virus found
Fortinet 2.85.0.0 04.17.2007 Keylog/007SpySoft
F-Prot 4.3.2.48 04.17.2007 no virus found
F-Secure 6.70.13030.0 04.18.2007 no virus found
Ikarus T3.1.1.5 04.17.2007 not-a-virus:Monitor.Win32.007SpySoft.308
Kaspersky 4.0.2.24 04.18.2007 not-a-virus:Monitor.Win32.007SpySoft.308
McAfee 5011 04.17.2007 no virus found
Microsoft 1.2405 04.18.2007 MonitoringTool:Win32/007Spy
NOD32v2 2199 04.17.2007 a variant of Win32/Spy.007 Spy
Norman 5.80.02 04.17.2007 no virus found
Panda 9.0.0.4 04.18.2007 Suspicious file
Prevx1 V2 04.18.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.14.2007 007Spy.Keylogger
Symantec 10 04.18.2007 Spyware.007Spy
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.17.2007 no virus found
VirusBuster 4.3.7:9 04.17.2007 no virus found
Webwasher-Gateway 6.0.1 04.17.2007 Riskware.007SpySoft.308.13

Aditional Information
File size: 290304 bytes
MD5: 859c5fab9937ccc06cadec5aa86f65ff
SHA1: f25d31221b25ffbe503021d20d26672ec8915679
packers: ACProtect
Sunbelt info: 007Spy.Keylogger is a commercial keylogger that captures keystrokes typed, websites visited, takes screenshots, and logs other system activity.

Hope this helps

pskelley
2007-04-18, 11:55
Looks like some kind of keylogger, if you did not put it there, let's get rid of it and clean good to see what happens.

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Start > Control Panel > Add Remove Programs and uninstall Netmeeting.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\NetMeeting\DAO\svchost.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\NetMeeting\ <<< delete that folder if there

7) Follow the instruction in this link. DO NOT confuse this with your anti-virus program, it is another program that will search and remove malware. Make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the uninstall list, the scan report from AVG Anti-Spyware, a new HJT log and any comments you think will help.

Thanks

BBurdon
2007-04-18, 18:51
Uninstall List:

Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Ahead InCD
Ahead InCD EasyWrite Reader
ATI Display Driver
AVG 7.5
Dell Digital Jukebox Driver
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Lexmark Z600 Series
LimeWire 4.10.9
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2)
Mozilla Firefox (2.0.0.3)
Nero - Burning Rom
Panda ActiveScan
QuickTime
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Sound Blaster Live!
Spybot - Search & Destroy 1.4
Startup Cop
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
VuePrint
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinZip

Scan Report AVG Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:32:08 PM 4/18/2007

+ Scan result:



C:\Documents and Settings\Brandon&Nicole\Desktop\Nicole's Stuff\wal pics CD\ssdata\System32\svchost.exe -> Not-A-Virus.Monitor.Win32.007SpySoft.306 : Cleaned.
F:\Nicole's Stuff\wal pics CD\ssdata\System32\svchost.exe -> Not-A-Virus.Monitor.Win32.007SpySoft.306 : Cleaned.
C:\RECYCLER\S-1-5-21-1644491937-1004336348-839522115-1004\Dc118\svchost.exe -> Not-A-Virus.Monitor.Win32.007SpySoft.308 : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Application Data\Business Logic\UWC\Backup\J39166.5462102083.WCU/C:/WINDOWS/Temp/Cookies/brandon&nicole@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.51:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.15:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.16:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.17:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@ads.cnn[1].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@com[1].txt -> TrackingCookie.Com : Cleaned.
:mozilla.50:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@www.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.37:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@e-2dj6walysjajokq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@e-2dj6whk4cidzsdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@e-2dj6wjkyolcjoaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.49:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.38:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.39:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.40:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.41:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.42:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.43:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.30:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.31:C:\Documents and Settings\Brandon&Nicole\Application Data\Mozilla\Firefox\Profiles\mya20c3h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Brandon&Nicole\Cookies\brandon&nicole@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

HJT Log (new):

Logfile of HijackThis v1.99.1
Scan saved at 12:41:30 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HighJack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

When I went to remove C:\Program Files\NetMeeting, under Windows Explorer, it would not let me, saying that it was in use by another person or program. I know for a fact that it wasn't being used by another person. So I restarted in safe mode and logged in as administrator and deleted it that way. Also Netmeeting was not on my uninstall list. However Spybot works now.

BBurdon
2007-04-18, 18:58
Also Adaware SE and other spyware removal programs work now. Thank You for all your help. I really appreciate it.

pskelley
2007-04-18, 20:33
Thanks for the feedback, that item was no doubt a trojan, you may want to change all passwords and keep an eye on any accounts you had information for on the computer for a short while. Just to be safe, here is some basic information: http://www.dslreports.com/faq/10451

Uninstall list:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
See this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Download the newest version which should be 1.6.1 then uninstall all old versions in Add Remove programs.

LimeWire 4.10.9
http://www3.ca.com/securityadvisor/pest/Pest.aspx?id=453088059 and see this:
http://www.spywareinfo.com/articles/p2p/

Good job with the Spyware scan.

Logfile of HijackThis v1.99.1 Scan saved at 12:41:30 PM, on 4/18/2007
Your HJT log appears clean of malware, let's do this: System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

If there is more I can do, post to let me know, if all is well, then I wish you safe surfing...Phil

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-04-23, 13:17
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks