Solved: Possible Spyware

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Tinker-2006

Thread Starter
Joined
Apr 27, 2006
Messages
61
Hello, I have had a new MOBO and am unable to use my Packard Bell Restore Disc. I have deleted all from my Add/Remove Programmes and tried to rid everything I can to put my PC back to a clean stage.

Though I think spyware is hiding somewhere. I have run a Full System Scan in Safe Mode using Ewido with no results. The PC will be setting up a new Internet connection, and anything I can get rid of is good.

Hijackthis LOG:

Logfile of HijackThis v1.99.1
Scan saved at 17:08:50, on 22/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\KMaestro\Key_e.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Wanadoo - {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - C:\PROGRA~1\wanadoo1\wanadoo1.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 - Toolbar: Wanadoo - {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - C:\PROGRA~1\wanadoo1\wanadoo1.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: orange search - file://C:\Program Files\WANADOO1\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Wanadoo Search - file://C:\Program Files\WANADOO1\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137253192590
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137333049513
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe



Tinker

:confused:
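A small triage helper for the HijackThis log posted above, added here as an example (it is not part of the thread and not HijackThis code). It groups entries by section code, picks out the O4 Run autostarts, and flags the entries marked "(file missing)" or "(no file)", which are orphaned load points a cleanup should remove; the sample lines are copied from the posted log.

```python
"""Triage a HijackThis 1.99 log: group entries by section code, list O4
autostarts and flag load points whose target file is missing.

Added example, not from the thread or from HijackThis itself."""
import re
from collections import defaultdict

# Constructed excerpt: these lines are copied from the log in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Wanadoo - {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - C:\PROGRA~1\wanadoo1\wanadoo1.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# Every entry line starts with a section code such as R0, O2, O4, O20, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# O4 body: "<hive>\..\Run: [<name>] <command line>"
RUN_RE = re.compile(r"(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)")
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_entries(text):
    """Return (code, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def entries_by_code(entries):
    """Group entry bodies by their section code (O2, O4, O20, ...)."""
    grouped = defaultdict(list)
    for code, body in entries:
        grouped[code].append(body)
    return dict(grouped)


def run_entries(entries):
    """Map O4 autostart names to (hive, command line)."""
    out = {}
    for code, body in entries:
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            out[m.group("name")] = (m.group("hive"), m.group("cmd"))
    return out


def orphaned_entries(entries):
    """Load points whose target HijackThis could not find on disk. They are
    leftovers of uninstalled software, but a file later written to that path
    would be loaded automatically, so they should be removed rather than kept."""
    return [(c, b) for c, b in entries if any(mk in b for mk in MISSING_MARKERS)]
```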
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Run ActiveScan online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report.
 

Tinker-2006

Thread Starter
Joined
Apr 27, 2006
Messages
61
PC is not connected to the Internet yet. I can do that tomorrow and will post the results.

Thnx for reply.

Tinker
 

Tinker-2006

Thread Starter
Joined
Apr 27, 2006
Messages
61
I had the MOBO fitted at a PC shop. I asked him if I had spyware; he did something with regedit and immediately said yes, I have. Now I did have a few downloaded programmes installed that I picked up a while back. I have removed all instances of them and all seems strangely fine.

The only issue now is that sometimes when I select Control Panel, everything freezes and I need to stop the drwatson process in Task Manager; then my screen refreshes and all is good. I have checked for all available updates too.

Thnx for keeping an eye on the post

Tinker
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don’t do anything with it yet!


Click here for info on how to boot to safe mode if you don't already know how.


Reboot into Safe Mode.


Double click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.


Reboot back to Normal Mode!


  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Copy and paste WinPFind.txt in your next post here please.
 

Tinker-2006

Thread Starter
Joined
Apr 27, 2006
Messages
61
I have tried the programme several times now and it keeps freezing about 2 minutes into the scan. I have tried Safe Mode. Reading that it could take over 30 mins, I left it for over an hour and it was still at the same place.

This is the last line when it stops:

\tsseCryp. dll ()
\\{D9872D13-7651-4471-9EEE-F0A00218BEBB} - Multiscan = ()

I had to write that down as it gives no report. As soon as I press minimize or the tab in the taskbar I am prompted with: This programme is not responding.

Tinker
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Hmmm ok. Well, I don't know what hidden items he found but nothing is turning up and all our attempts are having no success.

Let's give this a try.....

Download Combofix to your desktop:

* Double-click Combofix.exe and follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.


Note: Do not mouse click Combofix's window while it's running. That may cause it to stall.
 

Tinker-2006

Thread Starter
Joined
Apr 27, 2006
Messages
61
Log Report


"Peter" - 07-01-24 22:45:52 Service Pack 2
ComboFix 07-01-24.2 - Running from: "C:\Documents and Settings\Peter\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-24 to 2007-01-24 ))))))))))))))))))))))))))))))))))


2007-01-24 01:46 <DIR> d-------- C:\WINDOWS\system32\ageia
2007-01-24 01:46 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-01-24 01:41 <DIR> d-------- C:\Program Files\Ubisoft
2007-01-23 17:45 182,272 --a------ C:\WINDOWS\patchw32.dll
2007-01-23 17:45 <DIR> d-------- C:\Program Files\ubi.com
2007-01-23 17:45 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-01-23 17:41 <DIR> d-------- C:\Program Files\Red Storm Entertainment
2007-01-23 17:26 <DIR> d---s---- C:\Program Files\Xfire
2007-01-23 17:18 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2007-01-23 17:12 <DIR> d-------- C:\Program Files\7-Zip
2007-01-23 17:08 <DIR> d-------- C:\DOCUME~1\Peter\Application Data\Talkback
2007-01-23 17:07 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-23 16:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-23 16:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-23 16:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-23 15:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-23 14:49 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-23 14:49 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-23 14:48 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-23 14:46 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-23 14:46 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-23 14:44 <DIR> d-------- C:\dcc842f23a6dc61ab93c6147e1
2007-01-22 17:13 <DIR> d-------- C:\Program Files\ewido anti-malware
2007-01-22 17:08 <DIR> d-------- C:\Program Files\Hijackthis


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-24 16:17 -------- d-------- C:\DOCUME~1\Peter\Application Data\xfire
2007-01-24 02:02 98304 --a--c--- C:\WINDOWS\system32\cmdlineext.dll
2007-01-24 01:41 -------- d--h----- C:\Program Files\installshield installation information
2007-01-22 15:01 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-22 15:01 -------- d-------- C:\DOCUME~1\Peter\Application Data\adobe
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Update Service"="C:\\PROGRA~1\\COMMON~1\\TEKNUM~1\\update.exe /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"ACTIVBOARD"="C:\\Apps\\ActivBoard\\MMKeybd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KeyMaestro"="C:\\KMaestro\\KMaestro.exe"
"Microsoft Works Update Detection"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\KeyMaestro]
"FirstRun"=dword:00000001
"RepeatFlag"=dword:00000000
"PowerEnable"=dword:00000001
"BTCplayEnable"=dword:00000001
"MsPlayEnable"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


Completion time: 07-01-24 22:49:04



Tinker
 

Tinker-2006

Thread Starter
Joined
Apr 27, 2006
Messages
61
Things do seem to be running fine. Had no issues apart from the odd occasion with DRWatson not responding. The Ewido trial runs out shortly, then I will re-install my registered Norton Security Pk again.

Thnx for your time, I guess we can close the Thread.

:)
 