
probably my father got spyware...*_*

Discussion in 'Virus & Other Malware Removal' started by h4ck34d, Nov 3, 2007.

h4ck34d (Thread Starter) - Joined: Sep 1, 2007 - Messages: 8
    Hi everyone.
    My father got malware or something bad like this! Everything started when he phoned me crying "my Internet Explorer doesn't start anymore". I was very far from home at the time, so I brushed him off with a generic "ok, use Firefox for now and don't bother me".
    Now I have returned home and my father stopped me saying "now YOU MUST revive my Internet Explorer, because I'm not able to use Firefox".
    Completely amazed by this sentence (how can a person be unable to use Firefox??), I approached the problem and, sadly, I realized that there may be some other problems on my father's PC.
    So, these are the problems I found:
    - INTERNET EXPLORER DOESN'T START when I click the icon. The hard drive works for a second and the hourglass appears, but... nothing else happens.
    - I.E. STARTS NORMALLY only when requested by a specific hyperlinked element in a software GUI (e.g. the "send log to Trend Micro" button in HijackThis v2).
    - ALL THE ICONS IN THE SYSTRAY DISAPPEARED. I checked the "toolbar properties" to see if the "hide" option was selected. I found that ALL the elements are tagged as "hide when inactive" and this cannot be changed (it is the only choice). Here I also found some oddities, like the default icon of Ad-Aware Ad-Watch associated with a strange "MSN occupied IRC offline ICQ occupied" sentence, probably relating to the last time I used Miranda IM on my father's PC (months ago), or the generic folder icon associated with elements that appeared in the systray only for a short time, such as "GMAL has 1 new message" (the Mozilla Thunderbird notifier).
    - a strange (IMHO) "dllhost.exe" is running on the PC (Task Manager evidence)
    - three services of an OLD PROGRAM, NOW UNINSTALLED (PRTG Watchdog demo edition), were still running. I started WinXP in safe mode and deleted all the remaining files of the uninstalled program. Then I ran RegCleaner to eliminate all the entries associated with it from my registry. Now PRTG doesn't appear in my Task Manager anymore, but I report this because it seemed VERY SUSPICIOUS to me. Maybe it could help.

    The PC works normally with Firefox. The connection seems clean and no extra hard drive activity is detected. But I'm very disappointed with all this and I'm worried because my father uses the computer for work and there is important data on it. I fear an attack of some kind...

    Please help!

    THIS IS THE LOGFILE


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11.42.13, on 03/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Programmi\Symantec AntiVirus\DefWatch.exe
    C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Symantec AntiVirus\Rtvscan.exe
    C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
    E:\Mozilla Firefox\firefox.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - http://aiuto.alice.it/ata/static/installers/WebflowActiveXInstaller_4-1-5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E964DA43-D592-416F-A8F8-06B8A6132B74}: NameServer = 151.99.0.100,212.216.112.222
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 4353 bytes
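Triaging a HijackThis log by eye is error-prone, so here is a small parser-plus-checklist for the v2 log format, added as an example and not part of the thread or of Trend Micro's tool. It is fed a subset of the lines posted above (embedded inline as sample input) and applies the checks a responder actually runs on such a log: processes and O23 service binaries outside the standard system/program directories, O2 BHO entries whose DLL is gone ("(no file)"), O16 ActiveX installs from a URL, and O17 NameServer addresses not on an allowlist of the ISP's known resolvers. The trusted directory prefixes (Italian Windows uses C:\Programmi) and the DNS allowlist are assumptions the caller supplies; the script cannot know which resolvers are legitimate for this connection, so by default every O17 address is raised for review.

```python
"""Minimal HijackThis v2 log triage (added example; not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
E:\Mozilla Firefox\firefox.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - http://aiuto.alice.it/ata/static/installers/WebflowActiveXInstaller_4-1-5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E964DA43-D592-416F-A8F8-06B8A6132B74}: NameServer = 151.99.0.100,212.216.112.222
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
"""

# Assumption: the directories this (Italian-locale) XP box normally runs code from.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\programmi\\", "c:\\program files\\")

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O2 - BHO: ..."
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)   # paths from "Running processes:"
    entries: list = field(default_factory=list)     # (section, body) for R0/O2/O4/... lines


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into the process list and the lettered entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                 # blank line ends the process block
                in_procs = False
                continue
            log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group(1), m.group(2)))
    return log


def _outside_trusted(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_PREFIXES)


def triage(log: HjtLog, dns_allowlist=frozenset()):
    """Return (kind, reason, line) findings; nothing here is a verdict, only a review queue."""
    findings = []
    for proc in log.processes:
        if _outside_trusted(proc):
            findings.append(("process", "runs outside the usual system/program directories", proc))
    for section, body in log.entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("O2", "BHO CLSID registered but DLL missing (orphan; safe to remove)", body))
        elif section == "O16":
            findings.append(("O16", "ActiveX control installed from a URL; confirm the site is expected", body))
        elif section == "O17":
            for ip in IP_RE.findall(body):
                if ip not in dns_allowlist:
                    findings.append(("O17", f"NameServer {ip} not in the resolver allowlist", body))
        elif section == "O23":
            binary = body.rsplit(" - ", 1)[-1]      # "Service: name - vendor - path"
            if _outside_trusted(binary):
                findings.append(("O23", "service binary outside trusted directories", body))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for kind, reason, line in triage(parsed):
        print(f"[{kind}] {reason}\n    {line}")
```

Two caveats on reading its output. A hit is a prompt to look closer, not a verdict: firefox.exe on E: is simply an unusual install location, and dllhost.exe under system32 is the COM surrogate host, which a path check rightly leaves alone; a renamed copy elsewhere is what the process check is for. And once the ISP's published resolvers are passed in as `dns_allowlist`, the O17 line stops being reported, so the allowlist is where the human judgement goes.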
     
Short URL to this thread: https://techguy.org/647227