probably my father got spyware...*_*

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

h4ck34d

Thread Starter
Joined
Sep 1, 2007
Messages
8
Hi everyone.
My father got malware or something bad like this! Everything started wheno he phoned me crying "my internet explorer doesn't start anymore". I was very far from my home that period, so i liquidated hime with a generic "ok, use firefox for now and don't bother me".
Now I returned home and my father blocked me saying "now YOU MUST revive my internet explorer, because I'm not able to use firefox".
Completely amazed by this sentence (how a person can be unable to use firefox??), I approached the problem and, sadly, I recognized that, maybe, there are some other problems on my father's pc.
So, these are the problem I found:
- INTERNET EXPLORER DOESN'T START when i click the icon. Hard drive works for a second and the hourglass appears, but...nothing else happen.
- I.E. STARTS NORMALLY only when requested by a specific hyperlinked element on a software GUI (i.e. the "send log to TrenMicro" button on hijackthis v2).
- ALL THE ICONS ON THE SYSTRAY DISAPPEARED. I checked on the "toolbar properties", to see if the option "hide" was selected. I found that ALL the elements are tagged as "hide if inactive" and this cannot be changed (is the only choice). Here I also found some oddities like the default icon of AdAware Adwatch associated with a strange "MSN occupied IRC offline ICQ occupied" sentence, probably relative to the last time i used mirand IM on my father's pc (months ago), or the generic folder icon associated with elements appeared on the systray only for a short period of time, such as "GMAL has 1 new message" (mozilla thinderbird notifier)
- a strange (imho) "dllhost.exe" is running on the pc (task manager evidence)
- three services of an OLD PROGRAM NOW UNINSTALLED (PRTG Watchdog demo edition) were still running. I started WinXP in safe mode and deleted all the remaining file of the uninstalled program. Then i run RegCleaner to eliminate all the entries associated with this from my registry. Now PRTG doesn't appear on my taskmanager anymore, but i reported this because it seemed to me VERY SUSPICIOUS. Maybe could help.

The PC works normally with Firefox. The connection seems clean and no extra hard drive work are detected. But I very disappointed with all this and I'm worried because my father use the computer to work and there is important data on it. I fear an attack of some kind...

Please help!

THIS IS THE LOGFILE


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.42.13, on 03/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
E:\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - http://aiuto.alice.it/ata/static/installers/WebflowActiveXInstaller_4-1-5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E964DA43-D592-416F-A8F8-06B8A6132B74}: NameServer = 151.99.0.100,212.216.112.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4353 bytes
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top