Malware, or spyware



npuffer7
2006-04-06, 21:36
Hi,

I really don't know which of these I have on my system, but I think I am being attacked by malware. Something to note: I tried running S&D on my system, but halfway through I got an error, and it won't go any further than that point! I also think I have been infected with SpywareQuake, so I ran RogueScanFix. When I hit the run.bat button, it did make my desktop disappear, but nothing happened after that, other than the brute force popping up.

So, here is my HijackThis! log:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\NoAdware4\NoAdware4.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Program Files\Zend\ZendStudioClient-4.0.2\bin\ZendIEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudioClient-4.0.2\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudioClient-4.0.2\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135004513078
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe

pskelley
2006-04-07, 15:56
Hello and welcome to the forum. If you still need help, please follow these directions.

1) Make sure you have reviewed and completed these instructions. I suggest you read all Pinned instructions at the top of the page. Your answer might be there.
http://forums.spybot.info/showthread.php?t=425
http://forums.spybot.info/showthread.php?t=288

2) I see ewido onboard, open the program and choose update, allow time for it to finish. Now click scanner then complete system scan. Allow ewido to remove anything it locates unless you know it is not bad. Save that scan report, I must see it.

3) You have not posted a complete HJT log; the top four lines are cut off and that information is important to us.

4) Restart the computer and post the ewido scan results and a new HijackThis log. Please include any comments that you think will help. I am interested in recent performance.

Thanks...pskelley
Safer Networking Forums

npuffer7
2006-04-07, 20:35
OK, I did what you said! My screen on my desktop is blue right now. I did have an HTML page on there, but I deleted it. It was located in C:\windows.
Also, the saved copy of the HijackThis! log is different from what pops up when I view it from the actual program. The difference is that everything that has C:\ in front of it is not there. Does this make sense?

Here are the logs you requested:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:22:18 PM, 4/7/2006
+ Report-Checksum: CFA69521

+ Scan result:

:mozilla.15:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Nicholas Puffer\Application Data\Mozilla\Firefox\Profiles\a8ar2p5u.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 1:28:49 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Program Files\Zend\ZendStudioClient-4.0.2\bin\ZendIEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudioClient-4.0.2\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudioClient-4.0.2\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135004513078
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe


Thanks again for your time!

pskelley
2006-04-07, 21:15
Hi Nicholas, I am not quite sure what you mean by:
"My screen on my desktop is blue right now"
My screen on my Desktop is blue all of the time. If something is unusual, go into as much detail as possible. We may have to run the tool for SpywareQuake, and the Smitfraud trojan? Some of the infection may still be there? Let me look at your logs, starting with ewido first:

"ewido anti-malware - Scan report Created on: 1:22:18 PM, 4/7/2006"
All cookies and no surprises; ewido cleaned everything it located. Here is some information to help you control those junk cookies if you wish:
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

"Logfile of HijackThis v1.99.1 Scan saved at 1:28:49 PM, on 4/7/2006"

I apologize, I should have caught it before, but I was looking at other issues. You are running MSConfig in Selective Startup. I need to see it in Normal Startup showing all. Click Start > Run type "msconfig" without the quotes, then OK. On the General tab, choose the top position in Startup Selection, then Apply and OK. Make a HJT log like that, and then you can return to SS with a reboot if you wish.

I don't know if the new information will help, but I see nothing bad in the log I am looking at now. I do notice you are still running Microsoft AntiSpyware so you may want to look at this information: http://russelltexas.com/malware/defender.htm Please do not update until we have finished.

To recap: Show me a HJT log with MSConfig running in Normal Mode
Please give me information about any issues you are perceiving

Thanks...Phil
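
The point Phil makes above, that an O4 entry of MSConfig.exe /auto means the HJT log was taken in Selective Startup and is therefore incomplete, is easy to check mechanically. The following is an added example, not HijackThis code and not part of this thread: a small parser for HijackThis 1.99-style logs that groups entries by section, flags the MSConfig marker, and diffs two logs so that anything hidden by Selective Startup stands out once a Normal Startup log is taken. Both logs are constructed, trimmed versions of the one posted here; the "ExampleUpdater" entry is hypothetical and only there to show an item that surfaces in the second log.

```python
"""Parse HijackThis 1.99-style logs, flag the MSConfig Selective Startup
marker, and diff the autostart entries of two logs.

Added illustration, not HijackThis code. Both logs below are constructed,
trimmed versions of the one in this thread; "ExampleUpdater" is hypothetical."""
import re
from typing import Dict, List, Set

# "<tag> - <entry>" lines, e.g. "O4 - HKLM\..\Run: [SoundMAXPnP] C:\...\smax4pnp.exe"
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")

# MSConfig re-launching itself at boot with /auto is the tell-tale of Selective
# Startup: items it disabled are parked under
# HKLM\Software\Microsoft\Shared Tools\MSConfig and are not in the Run keys
# that HJT 1.99 reads, so the O4 list is incomplete.
MSCONFIG_RE = re.compile(r"\[MSConfig\]\s.*msconfig\.exe\s+/auto", re.IGNORECASE)

LOG_SELECTIVE = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:28:49 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Constructed Normal Startup log: MSConfig marker gone, one hypothetical item
# that Selective Startup had hidden now shows up.
LOG_NORMAL = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:46:25 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Return {'processes': [...], 'R1': [...], 'O4': [...], ...}."""
    sections: Dict[str, List[str]] = {"processes": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process list
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            sections["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections


def selective_startup(sections: Dict[str, List[str]]) -> bool:
    """True when the MSConfig /auto marker is present in the O4 entries."""
    return any(MSCONFIG_RE.search(e) for e in sections.get("O4", []))


def diff_entries(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per section, the entries that vanished and the ones that appeared."""
    changed: Dict[str, Dict[str, Set[str]]] = {}
    for key in sorted(set(old) | set(new)):
        a, b = set(old.get(key, [])), set(new.get(key, []))
        if a != b:
            changed[key] = {"removed": a - b, "added": b - a}
    return changed


def report(old_text: str, new_text: str) -> List[str]:
    """Human-readable summary: startup mode of each log, then a +/- diff."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    lines: List[str] = []
    for label, s in (("old", old), ("new", new)):
        mode = "Selective Startup (O4 list incomplete)" if selective_startup(s) else "Normal Startup"
        lines.append(f"{label}: {mode}, {len(s['processes'])} processes")
    for key, delta in diff_entries(old, new).items():
        lines.extend(f"- {key} - {e}" for e in sorted(delta["removed"]))
        lines.extend(f"+ {key} - {e}" for e in sorted(delta["added"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_SELECTIVE, LOG_NORMAL)))
```

The diff is set-based, so reordering between logs is ignored and only entries that actually appear or disappear are printed; when reviewing a real log, anything that shows up only in the Normal Startup copy is exactly the item the helper needed to see.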

npuffer7
2006-04-07, 21:56
I was able to add my own desktop backgrounds, or choose from the ones windows has. But, this is disabled! I cannot change it. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 2:46:25 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Program Files\Zend\ZendStudioClient-4.0.2\bin\ZendIEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudioClient-4.0.2\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudioClient-4.0.2\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135004513078
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe

pskelley
2006-04-07, 22:20
SpywareQuake is part of an infection being called Smitfraud. Use this link: http://forums.spybot.info/showthread.php?t=3261 and run through the complete fix for SpywareQuake and smitRem. Skip over the parts like ewido and Panda, but do the rest. This trojan does mess up the Desktop settings so make sure you follow the directions in this fix to reset them.

Before you start on that, your Java program is out of date and that is a security issue. Use this information to update it.
http://forums.spybot.info/showthread.php?t=2559

No surprises in that most recent HJT log, once you finish all I need is the log that smitRem creates and your feedback.

Thanks...Phil
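
The smitRem log that follows in this thread shows the core of a Smitfraud clean-up: after killing explorer.exe and repairing the registry, the tool declares wininet.dll infected and then looks for a clean copy, first in system32\dllcache and then in the $hf_mig$\KB...\SP2QFE hotfix staging folders, higher KB number first. The following is an added example, not smitRem's code and not part of this thread, that reproduces that search strategy in Python against a constructed directory tree. Detection here is "the live file's SHA-256 is not on a trusted list", which is my assumption; the log does not show how smitRem itself decides the file is infected. The CLEAN_BYTES/TAMPERED_BYTES stand-ins and the KB folder names are constructed to mirror the posted log.

```python
"""Find a trusted replacement for a tampered system DLL by hash, trying backup
locations in the order the smitRem log shows: dllcache first, then each
$hf_mig$\KB*\SP2QFE hotfix staging folder, higher KB number first.

Added illustration, not smitRem's code. "Infected" here means the live hash is
not on a trusted list (an assumption); the files and KB folders are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Set, Tuple


def sha256_of(path: Path) -> str:
    """Stream-hash a file so a large DLL is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def candidate_paths(system_root: Path, dll: str) -> Iterator[Path]:
    """Backup copies in the log's order: the WFP cache, then each hotfix
    staging folder, newest KB first (the log tries KB890923 before KB867282)."""
    yield system_root / "system32" / "dllcache" / dll
    hf = system_root / "$hf_mig$"
    if hf.is_dir():
        kbs = sorted((d for d in hf.iterdir() if d.name.upper().startswith("KB")),
                     key=lambda d: d.name.upper(), reverse=True)
        for kb in kbs:
            yield kb / "SP2QFE" / dll


def assess(system_root: Path, dll: str, trusted: Set[str]) -> Dict[str, object]:
    """Report whether the live copy is trusted and, if not, the first backup copy
    whose hash is on the trusted list (replacement is None if none is clean)."""
    live = system_root / "system32" / dll
    live_hash = sha256_of(live) if live.is_file() else None
    tried = []
    result: Dict[str, object] = {
        "live_hash": live_hash,
        "live_trusted": live_hash in trusted,
        "replacement": None,
        "tried": tried,
    }
    if result["live_trusted"]:
        return result
    for cand in candidate_paths(system_root, dll):
        tried.append(cand)
        if cand.is_file() and sha256_of(cand) in trusted:
            result["replacement"] = cand
            break
    return result


# Constructed stand-ins for a clean DLL and a patched one (not real PE files).
CLEAN_BYTES = b"MZ\x90\x00 constructed clean wininet.dll stand-in"
TAMPERED_BYTES = CLEAN_BYTES + b" <injected hook>"


def build_fixture() -> Tuple[Path, Set[str]]:
    """Temp tree mirroring the posted log: tampered live copy, no dllcache copy,
    clean copies under two hotfix folders. Returns (root, trusted hashes)."""
    root = Path(tempfile.mkdtemp(prefix="wininet-demo-"))
    (root / "system32").mkdir()
    (root / "system32" / "wininet.dll").write_bytes(TAMPERED_BYTES)
    for kb in ("KB890923", "KB867282"):
        folder = root / "$hf_mig$" / kb / "SP2QFE"
        folder.mkdir(parents=True)
        (folder / "wininet.dll").write_bytes(CLEAN_BYTES)
    trusted = {hashlib.sha256(CLEAN_BYTES).hexdigest()}
    return root, trusted


if __name__ == "__main__":
    root, trusted = build_fixture()
    verdict = assess(root, "wininet.dll", trusted)
    print("live trusted:", verdict["live_trusted"])
    print("tried:", [str(p.relative_to(root)) for p in verdict["tried"]])
    print("replacement:", verdict["replacement"])
```

Two caveats for anyone doing this on a real machine: the trusted hashes must come from install media or the service pack catalog, never from the box being cleaned (a dllcache that has itself been overwritten is worth nothing, and Windows File Protection will happily "restore" from it), and the live DLL must not be mapped into a running process when it is replaced, which is why the log shows smitRem killing explorer.exe before it starts the replacement procedure.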

npuffer7
2006-04-08, 01:01
OK, on RogueScanFix, I hit the enter button when it prompts me, and it acts like it runs, but it never finds anything. When I went to Safe Mode and ran S&D, it made it about halfway through, then an error came up saying:

error during check!
mailbot [datai c:/windows/win.ini....

here is the log you requested. Again, thanks for your efforts! :


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 04/07/2006
The current time is: 17:13:18.00

Running from
C:\Documents and Settings\Nicholas Puffer\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url
Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 724 'explorer.exe'
Killing PID 724 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :( Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~


~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~


~~~~ KB883939\SP2QFE\wininet.dll Present! ~~~~


~~~~ Checking KB883939\SP2QFE\wininet.dll for infection ~~~~


~~~~ KB883939\SP2QFE Clean! ~~~~

~~~ Replaced wininet.dll from KB883939\SP2QFE ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~

pskelley
2006-04-08, 02:05
Can you tell me what the results were? smitRem found your wininet.dll ("wininet.dll INFECTED!! Starting replacement procedure.") and located and replaced it:
~~~ Replaced wininet.dll from KB883939\SP2QFE ~~~
~~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~

Has this fixed the Desktop issues? Can you also tell me if there are any other problems besides that one, and what they are if so.

Thanks

npuffer7
2006-04-08, 02:33
I would love to tell you that it fixed the desktop problem, but it didn't. The only thing that smitRem found and fixed was the one that you saw and mentioned. Sorry!

pskelley
2006-04-08, 02:47
OK, but I also asked this:
"Has this fixed the Desktop issues? Can you also tell me if there are any other problems besides that one, and what they are if so."
If the Desktop is the only issue I can concentrate on it; I don't know if I can fix it, but I can try.

Here are some things to try:

1) Click Start, and then click Control Panel.
Double-click Display, click the Desktop tab, and then click Customize Desktop.
Select Restore Defaults.


2) Right-click on the desktop
Click on the Properties item
When the Properties dialog comes up click on the Web tab
If Show Web content on my Active Desktop is checked then click on the page in the box below and click the Delete button
Uncheck the checkbox in front of Show Web content on my Active Desktop
Click the Apply button and then the Ok button


3) To restore this and set it back to the XP theme, right-click on your desktop > Properties > Appearance tab and choose Windows XP style again under Windows and buttons.
Click Apply and OK.


4) I have never tried this one, but they had success in this link:
http://www.msfn.org/board/lofiversion/index.php/t21581.html

Thanks

npuffer7
2006-04-08, 03:41
Hi,

Thanks for all of your help! I am sorry for not being as fluent as you would have liked, but I tried! My problem is fixed! Apparently when I ran smitRem, it did fix the problem! And yes, the desktop issue was the only problem I was still having. I appreciate all of your efforts. Can you point me to a donation page?

thanks again,

Nick

pskelley
2006-04-08, 04:09
No Problem Nick, you did fine, thanks for getting back to me with the information. Since you should be good to go, take this information with you.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing :)

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi
2006-04-13, 17:38
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.

Cheers. :bigthumb: