SpyBot Scans slow, Bearshare keeps opening, random popups and Command service aRR!!!



paul06
2006-08-30, 07:17
Ahhh I need helppp! I have a crazy spyware and adware problem. After I noticed popups and weird stuff like BearShare opening for no reason and a different homepage, I installed Spybot S&D, did a scan and fixed some problems, but it said I would have to wait until restart to fix the unfixed problems because they were still in memory. So I did that, then it scanned again and Command Service won't go away, but now when I try to scan it's really, really long and I gave up after an hour on a scan. So here's my HijackThis log. ThankZ!!!

Logfile of HijackThis v1.99.1
Scan saved at 7:06:43 PM, on 8/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\ha3f.exe
C:\nwnmff_13.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\ms077363-147248.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\kybrdff_13.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\ms0687363-14724.exe
C:\dfndrff_13.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\PSLister\PSLister.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\kybrdff_14.exe
C:\PROGRA~1\COMMON~1\iioo\iioom.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\CMFibula\CMFibula.exe
C:\WINDOWS\system32\czuehf.exe
c:\dfndrff_14.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\{A83BA03D-05FC-1033-1128-020404230001}\Update.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Paltalk Messenger\Paltalk.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\sys011472487363-.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\sys11-1472487363.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\UGF1bHlab3I\command.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\ac3_0003.exe
c:\nwnmff_14.exe
c:\ucmoreiex.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\GLB13.tmp
C:\WINDOWS\system32\RUNDLL32.EXE
c:\topaff.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Paul\Desktop\h\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\BearShare\BearShare.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\stdrun4.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\mmxp2passion.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\eltfuntarg.exe
c:\MTE3NDI6ODoxNgnew.exe
C:\WINDOWS\sys02472487363-1.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\stdrun6.exe
C:\WINDOWS\sys0372487363-14.exe
c:\stub_113_4_0_4_0newer.exe
c:\SS1001newer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\Common Files\misc002\141.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\whCC-GIANT.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe
C:\WINDOWS\system32\fufudc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qvppl.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,crwsvpd.exe
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: SEARCHESSISTANT Search - {4E7BD74F-2B8D-469F-83B8-BD2AE6D9FA2E} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O3 - Toolbar: SEARCHESSISTANT Related - {4E7BD74F-2B8D-469E-83B8-BD2AE6D9FA2E} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dimension] C:\Program Files\Dimension\Dimension.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [tyya1148] RUNDLL32.EXE w005a9c4.dll,n 003a114500000003005a9c4
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\yoyykc.exe reg_run
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [sys11-1472487363] C:\WINDOWS\sys11-1472487363.exe
O4 - HKLM\..\Run: [RreN4HW] C:\WINDOWS\system32\czuehf.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [newname] c:\\nwnmff_14.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ms077363-147248] C:\WINDOWS\ms077363-147248.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_14.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1153980078\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_14.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ms0687363-14724] C:\WINDOWS\ms0687363-14724.exe
O4 - HKLM\..\Run: [sys011472487363-] C:\WINDOWS\sys011472487363-.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [loaddr] c:\topaff.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [iioo] C:\PROGRA~1\COMMON~1\iioo\iioom.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: pqpp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: QuickSpoof Add to &Spoofs ... - C:\Program Files\QuickSpoof\AddSpoof.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\lv0m09d1e.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1bHlab3I\command.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
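The following is an added example, not something from the thread: a small Python triage pass over a handful of entries copied from the HijackThis log above (paste in a full log to run it over everything). It flags the hijacked IE start/search pages, the extra executables hung off the system.ini Shell and UserInit values, autoruns launched from the drive root or with generated names, a non-empty AppInit_DLLs value, and services with no publisher. TRUSTED_HOSTS is an assumption based on the ISP start page seen in the log.

```python
import re
from urllib.parse import urlparse

# Entries copied from the HijackThis log posted above; a whole log can be pasted here.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qvppl.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,crwsvpd.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_14.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1bHlab3I\command.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Assumption: the ISP start page in the log is the only home/search host the owner expects.
TRUSTED_HOSTS = {"start.earthlink.net"}
ROOT_EXE = re.compile(r"^[a-z]:\\+[^\\]+\.exe$", re.I)  # executable dropped in the drive root
NUMERIC_NAME = re.compile(r"\d{5,}")                     # long digit runs typical of generated names

def triage(log: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for log entries a helper would look at first."""
    findings = []
    for line in log.strip().splitlines():
        section, _, body = line.partition(" - ")
        if section in ("R0", "R1"):
            host = urlparse(body.split(" = ", 1)[-1]).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append(("IE home/search page points at an untrusted host", line))
        elif section == "F2":
            key, _, value = body.split(": ", 1)[-1].partition("=")
            parts = [p.strip() for p in value.split(",") if p.strip()]
            if key == "Shell" and parts != ["Explorer.exe"]:
                findings.append(("extra shell executable loaded at logon", line))
            if key == "UserInit" and len(parts) > 1:
                findings.append(("extra UserInit executable loaded at logon", line))
        elif section == "O4":
            path = body.split("] ", 1)[-1].strip('"')
            if ROOT_EXE.match(path) or NUMERIC_NAME.search(path):
                findings.append(("autorun from drive root or generated filename", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(("AppInit_DLLs loads a DLL into every GUI process", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("service with no publisher information", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(HJT_LOG):
        print(f"{reason}: {line}")
```

The heuristics are deliberately conservative; anything flagged still needs a human to confirm against the full process list and file properties before removal.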

LonnyRJones
2006-09-04, 03:37
Paul

Restart your PC, then post a ComboFix log.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.

It appears as if you do not use an antivirus program; why is that?
It appears as though you don't have SpyBot either. Why?

tashi
2006-09-10, 23:30
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.