Spyware will not delete



toobad22
2009-01-20, 02:36
Every time I use the Spybot program, it says my machine is clean. But when I scan my system32 folder by right clicking on it and scanning, it comes up with these and no way to clean them. Tried deleting them and they just come back.
Thanks, any help would be nice.


gdiplus.dll NiceSpy.Keylogger

npptools.dll Protexis.RecOnServer

regsvr32.exe AdDestination

rundll32.exe Win32.Delf.rtk

SpOrder.dll webHancer


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:00 PM, on 1/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229286056250
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks for any help,
Nick

ken545
2009-01-24, 08:28
Hello Nick,

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Sorry for the delay but the forums are extremely busy.

Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

toobad22
2009-01-24, 21:20
Hi,
It did not find anything out of the ordinary. I don't show Help and Support or My Documents in the start up list. Just don't ever use those.

Did a right click and scan with Malwarebytes' Anti-Malware on the files that have the infection and it says they are clean, but Spybot shows them as this.
gdiplus.dll NiceSpy.Keylogger
npptools.dll Protexis.RecOnServer
regsvr32.exe AdDestination
rundll32.exe Win32.Delf.rtk
SpOrder.dll webHancer
There might be more of them since I did not allow Spybot to run through the whole system32 folder. It was taking hours to run it and Spybot does not fix them.

Thanks for the help,
Nick




Malwarebytes' Anti-Malware 1.33
Database version: 1689
Windows 5.1.2600 Service Pack 2

1/24/2009 1:08:44 PM
mbam-log-2009-01-24 (13-08-39).txt

Scan type: Quick Scan
Objects scanned: 43621
Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:49 PM, on 1/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229286056250
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ken545
2009-01-24, 23:25
Hello,

These are all legit Windows files
gdiplus.dll
npptools.dll
regsvr32.exe
rundll32.exe
SpOrder.dll

Your HJT log is clean and Malwarebytes did not find anything to worry about.


Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)

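A consistency check a practitioner would run on the five flagged files before trusting either verdict, added here as an example and not code from this thread or from any of the tools it mentions: it hashes each file in system32 and compares it with the copy Windows File Protection keeps in system32\dllcache (a directory the RSIT log above lists). The system32 path and the constructed sample tree are assumptions; a match only shows the two copies agree, not that either is genuine.

```python
"""Consistency check for Windows system files a scanner has flagged.

Added example, not code from this thread. For each flagged file it compares
the SHA-256 of the copy in system32 with the copy Windows File Protection
keeps in system32\\dllcache (that directory appears in the RSIT log above).
The system32 path is a parameter so the check can be run against a mounted
or copied system drive; run_sample() builds a constructed tree in a
temporary directory so the script also runs offline.
"""
import hashlib
import os
import tempfile

# The five file names Spybot flagged in the first post of the thread.
FLAGGED = ["gdiplus.dll", "npptools.dll", "regsvr32.exe",
           "rundll32.exe", "SpOrder.dll"]


def sha256_of(path):
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_dllcache(system32, names=FLAGGED):
    """Return {name: status}.

    match     system32 copy and dllcache copy are byte-identical
    MISMATCH  both exist but differ: a half-applied update or tampering,
              either way the file needs a closer look (signature check)
    no-cache  WFP keeps no copy of this file, so nothing to compare
    missing   file is not in system32 at all
    """
    dllcache = os.path.join(system32, "dllcache")
    results = {}
    for name in names:
        live = os.path.join(system32, name)
        cached = os.path.join(dllcache, name)
        if not os.path.isfile(live):
            results[name] = "missing"
        elif not os.path.isfile(cached):
            results[name] = "no-cache"
        elif sha256_of(live) == sha256_of(cached):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"
    return results


def suspicious(results):
    """Names worth escalating: only a differing pair is a real signal."""
    return sorted(n for n, s in results.items() if s == "MISMATCH")


def build_sample_tree(root):
    """Constructed fixture (not a real system32): fake files plus dllcache.

    gdiplus.dll / npptools.dll  identical copies      -> match
    rundll32.exe                 copies differ         -> MISMATCH
    SpOrder.dll                  no dllcache copy      -> no-cache
    regsvr32.exe                 absent from system32  -> missing
    """
    system32 = os.path.join(root, "WINDOWS", "system32")
    dllcache = os.path.join(system32, "dllcache")
    os.makedirs(dllcache)

    def put(directory, name, data):
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)

    put(system32, "gdiplus.dll", b"MZ gdiplus sample bytes")
    put(dllcache, "gdiplus.dll", b"MZ gdiplus sample bytes")
    put(system32, "npptools.dll", b"MZ npptools sample bytes")
    put(dllcache, "npptools.dll", b"MZ npptools sample bytes")
    put(system32, "rundll32.exe", b"MZ rundll32 sample bytes, modified")
    put(dllcache, "rundll32.exe", b"MZ rundll32 sample bytes")
    put(system32, "SpOrder.dll", b"MZ sporder sample bytes")
    put(dllcache, "regsvr32.exe", b"MZ regsvr32 sample bytes")
    return system32


def run_sample():
    """Build the constructed tree, run the comparison and return results."""
    with tempfile.TemporaryDirectory() as root:
        return compare_with_dllcache(build_sample_tree(root))


if __name__ == "__main__":
    results = run_sample()
    for name, status in results.items():
        print(f"{name:14} {status}")
    print("escalate:", suspicious(results))
```

Against a real machine call compare_with_dllcache(r"C:\WINDOWS\system32"); a MISMATCH should be followed by a digital signature check (sigverif.exe on Windows XP) before anything is deleted, and a scanner can still put a malware name on a file that both checks pass.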
toobad22
2009-01-25, 17:30
Hi Ken,

Thanks for all the help here.
Nick



Logfile of random's system information tool 1.05 (written by random/random)
Run by NUN at 2009-01-25 09:16:10
Microsoft Windows XP Professional Service Pack 2
System drive C: has 59 GB (77%) free of 76 GB
Total RAM: 3199 MB (85% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:17 AM, on 1/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
E:\DOWN LOADS\RSIT random's system information tool.exe
C:\Program Files\Trend Micro\HijackThis\NUN.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229286056250
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3603 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-10-14 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-01-29 16859648]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-27 1261336]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-11-12 13672448]
"WheelMouse"=C:\Program Files\OCZ Technology\Mouse\Amoumain.exe [2006-12-28 196608]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=181
"NoDrives"=03F8FF03
"NoDriveAutoRun"=03F8FF03
"NoActiveDesktop"=01000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-01-25 09:16:10 ----D---- C:\rsit
2009-01-24 13:39:31 ----D---- C:\WINDOWS\ie7updates
2009-01-24 13:29:25 ----HDC---- C:\WINDOWS\ie7
2009-01-24 12:37:41 ----D---- C:\Program Files\SpywareBlaster
2009-01-24 12:37:41 ----A---- C:\WINDOWS\system32\MSSTDFMT.DLL
2009-01-24 03:24:36 ----D---- C:\Documents and Settings\NUN\Application Data\Malwarebytes
2009-01-24 03:24:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-24 03:24:32 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-19 18:23:15 ----D---- C:\Program Files\Trend Micro
2009-01-19 18:22:34 ----D---- C:\WINDOWS\ERDNT
2009-01-19 18:20:36 ----D---- C:\Program Files\ERUNT
2009-01-17 16:06:20 ----D---- C:\Documents and Settings\All Users\Application Data\EPSON
2009-01-11 09:13:10 ----D---- C:\Program Files\SSC Service Utility
2009-01-11 08:58:30 ----A---- C:\WINDOWS\system32\ECBTEG.DLL
2009-01-11 08:58:30 ----A---- C:\WINDOWS\system32\EBPCHP.DLL
2009-01-10 23:21:42 ----A---- C:\WINDOWS\system32\E_FLBAIA.DLL
2009-01-10 23:21:42 ----A---- C:\WINDOWS\system32\E_FD4BAIA.DLL
2009-01-10 23:21:12 ----D---- C:\Program Files\EPSON
2009-01-10 23:16:27 ----A---- C:\WINDOWS\EPSMTL32.TXT
2009-01-04 11:46:51 ----D---- C:\Program Files\OCZ Technology

======List of files/folders modified in the last 1 months======

2009-01-25 09:16:17 ----D---- C:\WINDOWS\Temp
2009-01-25 09:16:04 ----A---- C:\WINDOWS\NeroDigital.ini
2009-01-25 09:15:33 ----AD---- C:\WINDOWS
2009-01-25 09:14:30 ----RD---- C:\Program Files
2009-01-25 09:13:56 ----D---- C:\WINDOWS\Internet Logs
2009-01-25 09:05:33 ----N---- C:\WINDOWS\SchedLgU.Txt
2009-01-25 08:56:45 ----D---- C:\WINDOWS\system32
2009-01-25 08:56:45 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-25 08:52:55 ----D---- C:\WINDOWS\system32\drivers
2009-01-25 08:52:32 ----SHD---- C:\WINDOWS\Installer
2009-01-25 08:52:32 ----SHD---- C:\Config.Msi
2009-01-25 08:52:32 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-01-24 14:45:56 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-24 13:54:59 ----HD---- C:\WINDOWS\inf
2009-01-24 13:54:57 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-01-24 13:54:29 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-01-24 13:47:02 ----D---- C:\WINDOWS\Debug
2009-01-24 13:42:41 ----D---- C:\Program Files\Internet Explorer
2009-01-24 13:40:11 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-24 13:40:02 ----D---- C:\WINDOWS\system32\en-US
2009-01-24 13:39:44 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-24 13:31:53 ----D---- C:\WINDOWS\Help
2009-01-24 13:30:27 ----D---- C:\WINDOWS\WBEM
2009-01-24 13:30:22 ----D---- C:\WINDOWS\Media
2009-01-20 18:17:39 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-19 19:58:44 ----A---- C:\WINDOWS\WORDPAD.INI
2009-01-19 19:51:55 ----D---- C:\WINDOWS\system32\config
2009-01-17 17:20:12 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-01-17 16:06:46 ----D---- C:\WINDOWS\system32\wbem
2009-01-17 16:06:46 ----D---- C:\WINDOWS\Registration
2009-01-12 18:18:49 ----D---- C:\Program Files\EPSON Print CD
2009-01-11 20:04:59 ----ASH---- C:\boot.ini
2009-01-11 20:04:59 ----A---- C:\WINDOWS\win.ini
2009-01-11 20:04:59 ----A---- C:\WINDOWS\SYSTEM.INI
2009-01-11 15:09:59 ----D---- C:\Program Files\Motorola Phone Tools
2009-01-11 13:33:48 ----A---- C:\WINDOWS\EPSONCD.INI
2009-01-04 19:41:23 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-27 18:24:22 ----D---- C:\Program Files\CCleaner
2008-12-27 08:20:13 ----D---- C:\WINDOWS\WinSxS
2008-12-27 08:19:59 ----D---- C:\Program Files\Common Files
2008-12-27 07:32:13 ----D---- C:\WINDOWS\pss

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Amfilter;OCZ Technology Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\Amfilter.sys [2006-12-28 8704]
R1 AsIO;AsIO; C:\WINDOWS\system32\drivers\AsIO.sys [2007-03-09 12664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-10-14 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-10-14 26824]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2007-07-19 127768]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-07-09 394952]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-10-14 76040]
R2 ppsio2;PPDevice; C:\WINDOWS\system32\drivers\ppsio2.sys [2001-06-08 23200]
R3 Amusbprt;OCZ Technology HID-compliant Mouse Driver; C:\WINDOWS\system32\DRIVERS\Amusbprt.sys [2006-12-28 13824]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-01-30 4725760]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2007-03-09 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-11-12 6188320]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2007-12-06 285952]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 cpuz128;cpuz128; \??\C:\Program Files\PC Wizard 2008\pcwiz32.sys []
S3 giveio;giveio; \??\C:\WINDOWS\system32\giveio.sys []
S3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\System32\DRIVERS\HidBatt.sys [2001-08-17 19200]
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 7680]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 motport;Motorola USB Diagnostic Port; C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 23680]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 APC UPS Service;APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [2005-12-12 176193]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-14 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-14 231704]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-11-12 163908]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
S3 TUWinStylerThemeSvc;TuneUp WinStyler Theme Service; C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe [2005-08-10 118272]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2009-01-25 09:16:18

======Uninstall list======

-->MsiExec /X{AC54E544-3E42-443C-A91D-A00A6974C592}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Avanquest update-->C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Digimax i6 PMP Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84E9D2E2-FE5B-49D4-A88A-9B0A973B713B}\Setup.exe" anything
Digimax Reader-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD67A9A9-B292-43B2-A4F9-59AD62626CAD}\setup.exe" -l0x9
EPSON Print CD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\setup.exe" -l0x9 -SYSTEM
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Motorola Driver Installation 3.5.0-->MsiExec.exe /I{D2BD3C8F-9D7F-472B-BDF9-7309A5CB813A}
Motorola Phone Tools-->C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe -runfromtemp -l0x0009 -removeonly
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX v8.10.13-->MsiExec.exe /X{AC54E544-3E42-443C-A91D-A00A6974C592}
OCZ Technology Laser Gaming Mouse-->C:\Program Files\OCZ Technology\Mouse\Uninst32.exe
Samsung Converter-->C:\Program Files\InstallShield Installation Information\{4B55E0A8-07F5-4966-9B7B-D32C8ADC0FF4}\setup.exe -runfromtemp -l0x0009 -removeonly
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
SSC Service Utility v4.30-->"C:\Program Files\SSC Service Utility\unins000.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
XviD MPEG-4 Video Codec-->"C:\Program Files\XviD\unins000.exe"
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Hosts File======


======Security center information======

AV: AVG Anti-Virus Free
AV: CA Anti-Virus
FW: ZoneAlarm Firewall

System event log

Computer Name: NUNYA
Event Code: 7036
Message: The Terminal Services service entered the running state.

Record Number: 2198
Source Name: Service Control Manager
Time Written: 20081220102358.000000-360
Event Type: information
User:

Computer Name: NUNYA
Event Code: 7036
Message: The Application Layer Gateway Service service entered the running state.

Record Number: 2197
Source Name: Service Control Manager
Time Written: 20081220102358.000000-360
Event Type: information
User:

Computer Name: NUNYA
Event Code: 7035
Message: The Application Layer Gateway Service service was successfully sent a start control.

Record Number: 2196
Source Name: Service Control Manager
Time Written: 20081220102358.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: NUNYA
Event Code: 7036
Message: The Network Location Awareness (NLA) service entered the running state.

Record Number: 2195
Source Name: Service Control Manager
Time Written: 20081220102358.000000-360
Event Type: information
User:

Computer Name: NUNYA
Event Code: 7036
Message: The SSDP Discovery Service service entered the running state.

Record Number: 2194
Source Name: Service Control Manager
Time Written: 20081220102358.000000-360
Event Type: information
User:

Application event log

Computer Name: NUNYA
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 301
Source Name: SecurityCenter
Time Written: 20081007200341.000000-300
Event Type: information
User:

Computer Name: NUNYA
Event Code: 1000
Message: Faulting application iexplore.exe, version 6.0.2900.2180, faulting module ole32.dll, version 5.1.2600.2726, fault address 0x0004b2e9.

Record Number: 300
Source Name: Application Error
Time Written: 20081007171605.000000-300
Event Type: error
User:

Computer Name: NUNYA
Event Code: 1000
Message: Faulting application ut3.exe, version 0.0.0.0, faulting module ut3.exe, version 0.0.0.0, fault address 0x00742411.

Record Number: 299
Source Name: Application Error
Time Written: 20081007162353.000000-300
Event Type: error
User:

Computer Name: NUNYA
Event Code: 1000
Message: Faulting application ut3.exe, version 0.0.0.0, faulting module ut3.exe, version 0.0.0.0, fault address 0x00943a18.

Record Number: 298
Source Name: Application Error
Time Written: 20081007162351.000000-300
Event Type: error
User:

Computer Name: NUNYA
Event Code: 4618
Message: The COM+ Event System raised an unexpected access violation at address 0x7752B2E9, attempting to access address 0x0000000C. Please contact Microsoft Product Support Services to report this error.
ole32!CreateGenericComposite+0xdde
ole32!CreateGenericComposite+0xe82
ole32!CreateGenericComposite+0xe4b
ole32!CreateGenericComposite+0x1bdb
ole32!CreateGenericComposite+0x185d
ole32!CoGetClassObject+0xe3
ole32!CoGetClassObject+0x99
ole32!CoGetClassObject+0x1b
es!DllGetClassObject+0x4447
es!DllUnregisterServer+0x1c7
es!DllGetClassObject+0xc5
ole32!CoCreateInstance+0x1d47
ole32!CoCreateInstance+0x1f78
ole32!CoCreateInstance+0x1a9a
ole32!OleInitialize+0x30f
ole32!CoCreateInstanceEx+0x4f
ole32!CoCreateInstanceEx+0x1e
ole32!CoCreateInstance+0x34
sens!+0x2474
sens!+0x26ab
ntdll!RtlUpcaseUnicodeString+0x159
ntdll!RtlUpcaseUnicodeString+0x197
ntdll!RtlUpcaseUnicodeString+0x259
ntdll!RtlUpcaseUnicodeString+0x230
kernel32!GetModuleFileNameA+0x1b4

Record Number: 297
Source Name: EventSystem
Time Written: 20081007161341.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"tvdumpflags"=8

-----------------EOF-----------------

ken545
2009-01-25, 19:05
Looks ok :bigthumb:




How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

ken545
2009-01-25, 20:14
Double Post

toobad22
2009-01-28, 02:24
Hi Ken,

I tried to send this the other day, but the website was not responding. Then my 8800GTX video card died. Waiting for a replacement on it.

gdiplus.dll NiceSpy.Keylogger (This file is clean now).

npptools.dll Protexis.RecOnServer

regsvr32.exe AdDestination

rundll32.exe Win32.Delf.rtk

SpOrder.dll webHancer (This file is gone now).

I uploaded a print screen shot of the SpyBot scan of these files.
Do these Host files look right to you?
Isn't 127.0.0.1 www.007guard.com a bad site?

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

Thanks again,
Nick

ken545
2009-01-28, 03:03
Nick,

The sites in your hosts file are bad, but that's fine; when you're in one of those sites (let's hope you don't go there) it looks here, 127.0.0.1, for bad things to download, and 127.0.0.1 is your own computer. It does not find what it's looking for and goes away. The hosts file was most likely set by Spybot and it's protecting you.

Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
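
A small check for the point Ken makes about the hosts file, added here as an example and not code from the thread or from Spybot: an entry that sends a known-bad domain to the loopback address (or to 0.0.0.0) is a sinkhole an anti-spyware tool writes, while an entry that sends a domain you actually use to some other address is the pattern that silently redirects the browser and is worth investigating. The sample hosts text and the `WATCHED_DOMAINS` list are constructed for the example; on a Windows XP machine the real file lives at C:\WINDOWS\system32\drivers\etc\hosts.

```python
"""Classify hosts-file entries as harmless sinkholes or suspicious redirects.

Added example (not from the forum thread or from Spybot). The sample
hosts text below is constructed; the watched-domain list is an assumption.
"""
import ipaddress
import sys

# Domains the user expects to reach normally (assumed list for the example).
# Any hosts entry for one of these, even to 127.0.0.1, is suspicious, since it
# would block or redirect traffic the user relies on (updates, banking, search).
WATCHED_DOMAINS = {
    "www.google.com",
    "windowsupdate.microsoft.com",
    "www.mybank.example",
}

# Constructed sample: the first entries mirror what Spybot's Immunize writes,
# the 203.0.113.45 line is a made-up redirect no sinkhole tool would create.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
::1 008i.com
203.0.113.45 www.mybank.example   # constructed redirect entry
0.0.0.0 www.00hq.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines.

    A line may list several hostnames after one address; each is yielded
    separately so every mapping is classified on its own.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip = parts[0]
        for host in parts[1:]:
            yield ip, host.lower()


def is_sinkhole(ip):
    """True when traffic to this address goes nowhere (loopback or 0.0.0.0/::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Not a valid address at all: treat as not a sinkhole so it gets flagged.
        return False
    return addr.is_loopback or addr.is_unspecified


def classify_hosts(text, watched=WATCHED_DOMAINS):
    """Return {'sinkhole': [...], 'suspicious': [...]} lists of (ip, host).

    Sinkhole: a non-watched hostname mapped to loopback/unspecified.
    Suspicious: anything else, i.e. a hostname sent to a real address, or a
    watched domain mapped anywhere at all.
    """
    report = {"sinkhole": [], "suspicious": []}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the one loopback mapping every hosts file should have
        if is_sinkhole(ip) and host not in watched:
            report["sinkhole"].append((ip, host))
        else:
            report["suspicious"].append((ip, host))
    return report


if __name__ == "__main__":
    # Pass a path to check a real hosts file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    result = classify_hosts(text)
    print(f"{len(result['sinkhole'])} sinkhole entries (harmless)")
    for ip, host in result["suspicious"]:
        print(f"SUSPICIOUS: {host} -> {ip}")
```

Run against the sample, the 007guard/008i/00hq lines come back as sinkholes and only the constructed `www.mybank.example -> 203.0.113.45` line is reported; pointing the script at the real hosts file gives the same split for a machine Spybot has immunized.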

toobad22
2009-01-28, 22:01
Hi Ken,

Here is the log from Eset.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3807 (20090128)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=ac188a630614a34dab245e9837e13663
# end=stopped
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-28 07:51:10
# local_time=2009-01-28 01:51:10 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=75712
# found=0
# scan_time=986



I sent SpyBot an email before. I waited almost 5 days then gave up on that, then I tried the forums. I got this today from someone at SpyBot. This is what it says.

From: Sandra Klass <detections@spybot.info>
Subject: Re: [SBSD] Spyware
Hello Nick,

We are sorry, but this is a false positive that will be fixed in our
next detection update. :-)

Best regards
Sandra
Team Spybot

---------------------------------------------------------
Spybot-Search&Destroy: http://www.spybot.info/
.........................................................
All incoming and outgoing mails are scanned
using an up-to-date anti-virus application.
---------------------------------------------------------

Nick wrote:
> Programmversion: "1.6.0"
> Updateversion: "2009-01-14"
> Windows-Version:winxp
> Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>
> Hi,
>
> Spybot did not find these files using the interface. I found them by using the right click and scan to find them. I do not know how to get rid or clean them.
> Any help would be greatly appreciated.
> Nick
> PS. It will only allow me to include 1 file.
>
>
> gdiplus.dll NiceSpy.Keylogger
>
> npptools.dll Protexis.RecOnServer
>
> regsvr32.exe AdDestination
>
> rundll32.exe Win32.Delf.rtk
>
> SpOrder.dll webHancer

ken545
2009-01-28, 22:41
Hi,

ESET found no infections and Spybot said they're false positives, so don't worry about them. They're all legit Windows files that will cause you problems if you delete them.

Ken

PepiMK
2009-01-28, 23:16
(reply just to get page 2 working)

toobad22
2009-01-30, 14:57
Hi Ken,

Been waiting for a reply from you, did not know there was a second page. Sorry about that and thanks for all your help!

Nick

ken545
2009-01-30, 17:09
We had to burp the forum to get the second page to load, don't know why this happened.

Anyway, this was my post.



ESET found no infections and Spybot said they're false positives, so don't worry about them. They're all legit Windows files that will cause you problems if you delete them.

Ken