
Solved: Possible Spyware

Discussion in 'Virus & Other Malware Removal' started by Tinker-2006, Jan 22, 2007.

Thread Status:
Not open for further replies.
  1. Tinker-2006

    Tinker-2006 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    61
    Hello, I have had a new MOBO and am unable to use my Packard Bell Restore Disc. I have deleted all from my Add/Remove Programmes and tried to get rid of everything I can to put my PC back to a clean stage.

    Though I think spyware is hiding somewhere. I have run a Full System Scan in Safe Mode using Ewido with no results. The PC will be setting up a new Internet Connex and anything I can get rid of is good.

    Hijackthis LOG:

    Logfile of HijackThis v1.99.1
    Scan saved at 17:08:50, on 22/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\htpatch.exe
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\KMaestro\Key_e.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Wanadoo - {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - C:\PROGRA~1\wanadoo1\wanadoo1.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
    O3 - Toolbar: Wanadoo - {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - C:\PROGRA~1\wanadoo1\wanadoo1.dll (file missing)
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: orange search - file://C:\Program Files\WANADOO1\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O8 - Extra context menu item: Wanadoo Search - file://C:\Program Files\WANADOO1\Cache\SelectedContextSearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137253192590
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137333049513
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe



    Tinker

    :confused:
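The HijackThis log above is a line-oriented format: every entry begins with a section code (R0, O2, O4, O23 and so on), COM-based entries carry a CLSID, and HijackThis appends "(file missing)" or "(no file)" when the referenced file is no longer on disk. The script below is an added example, not part of this thread and not HijackThis code. It parses a constructed subset of the log from this post into structured entries, lists the orphaned entries (leftover references such as the uninstalled Wanadoo toolbar, which are harmless but worth cleaning up), and pulls out the O4 autostart commands so they can be reviewed by hand. The section codes are HijackThis's own; the regexes and the "orphaned" classification are this example's assumptions about the format.

```python
"""Parse HijackThis 1.99 log entries and triage them (added example, not HijackThis code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed subset of the log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Wanadoo - {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - C:\PROGRA~1\wanadoo1\wanadoo1.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Every HijackThis entry is "<section> - <detail>"; section codes are R0-R3, F0-F3, O1-O24.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<detail>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends these markers when the referenced file does not exist on disk.
ORPHAN_RE = re.compile(r"\((file missing|no file)\)$")
# O4 detail looks like: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$")


@dataclass
class Entry:
    section: str          # e.g. "O4"
    detail: str           # text after "O4 - "
    guid: Optional[str]   # CLSID when the entry names a COM object (BHOs, toolbars, buttons)
    orphaned: bool        # True when HijackThis marked the target file as absent


def parse_hjt_log(text: str) -> List[Entry]:
    """Return the entry lines of a HijackThis log; the process list and headers are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        detail = m.group("detail")
        g = GUID_RE.search(detail)
        entries.append(Entry(m.group("section"), detail,
                             g.group(0) if g else None,
                             bool(ORPHAN_RE.search(detail))))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose file is gone: leftovers of uninstalled software, safe to clean up."""
    return [e for e in entries if e.orphaned]


def autostart_commands(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(hive, value name, command line) for every O4 Run entry, for manual review."""
    found = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.detail)
        if m:
            found.append((m.group("hive"), m.group("name"), m.group("command")))
    return found


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many entries each HijackThis section contributed."""
    return dict(Counter(e.section for e in entries))


if __name__ == "__main__":
    log = parse_hjt_log(SAMPLE_LOG)
    print("entries per section:", section_counts(log))
    for e in orphaned_entries(log):
        print("orphaned:", e.section, e.detail)
    for hive, name, cmd in autostart_commands(log):
        print(f"autostart {hive} [{name}] -> {cmd}")
```

Run it as a script to get a short report; to apply it to a full log, replace SAMPLE_LOG with the file contents. Note that an orphaned entry only tells you the file is gone, not what it was; the O4 and O23 lines whose files still exist are the ones to verify against a known-good install.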
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm

    Once you are on the Panda site click the Scan your PC button.
    A new window will open...click the Check Now button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address and click send.
    Select either Home User or Company.
    Click the big Scan Now button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    When download is complete, click on My Computer to start the scan.
    When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report.
     
  3. Tinker-2006

    Tinker-2006 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    61
    PC is not connected to the Internet yet. I can do that tomorrow and will post the results.

    Thnx for reply.

    Tinker
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
  5. Tinker-2006

    Tinker-2006 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    61
    Panda Scan complete with a Clean report.

    Tinker

    :confused:
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    What makes you suspect there is spyware hidden?
     
  7. Tinker-2006

    Tinker-2006 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    61
    I had the MOBO fitted at a PC shop. I asked him if I had spyware; he did something with regedit and immediately said yes, I have. Now I did have a few downloaded programmes installed that I picked up a while back. I have removed all instances of them and all seems strangely fine.

    The only issue now is sometimes when I select Control Panel, everything freezes and I need to stop the drwatson process in Task Manager; then my screen refreshes and all is good. I have checked for all available updates too.

    Thnx for keeping an eye on the post

    Tinker
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!


    Click here for info on how to boot to safe mode if you don't already know how.


    Reboot into Safe Mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!


    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
     
  9. Tinker-2006

    Tinker-2006 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    61
    I have tried the programme several times now and it keeps freezing about 2 minutes into the scan. I have tried Safe Mode. Reading that it could take over 30 mins, I left it for over an hour and it was still at the same place.

    This is the last line when it stops:

    \tsseCryp. dll ()
    \\{D9872D13-7651-4471-9EEE-F0A00218BEBB} - Multiscan = ()

    I had to write that down as it gives no report. As soon as I press minimize or the tab in the taskbar I am prompted with: This programme is not responding.

    Tinker
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hmmm ok. Well, I don't know what hidden items he found but nothing is turning up and all our attempts are having no success.

    Let's give this a try.....

    Download Combofix to your desktop:

    * Double-click Combofix.exe and follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note: Do not mouse click Combofix's window while it's running. That may cause it to stall.
     
  11. Tinker-2006

    Tinker-2006 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    61
    Log Report


    "Peter" - 07-01-24 22:45:52 Service Pack 2
    ComboFix 07-01-24.2 - Running from: "C:\Documents and Settings\Peter\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-12-24 to 2007-01-24 ))))))))))))))))))))))))))))))))))


    2007-01-24 01:46 <DIR> d-------- C:\WINDOWS\system32\ageia
    2007-01-24 01:46 <DIR> d-------- C:\Program Files\AGEIA Technologies
    2007-01-24 01:41 <DIR> d-------- C:\Program Files\Ubisoft
    2007-01-23 17:45 182,272 --a------ C:\WINDOWS\patchw32.dll
    2007-01-23 17:45 <DIR> d-------- C:\Program Files\ubi.com
    2007-01-23 17:45 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
    2007-01-23 17:41 <DIR> d-------- C:\Program Files\Red Storm Entertainment
    2007-01-23 17:26 <DIR> d---s---- C:\Program Files\Xfire
    2007-01-23 17:18 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
    2007-01-23 17:12 <DIR> d-------- C:\Program Files\7-Zip
    2007-01-23 17:08 <DIR> d-------- C:\DOCUME~1\Peter\Application Data\Talkback
    2007-01-23 17:07 <DIR> d-------- C:\Program Files\Mozilla Firefox
    2007-01-23 16:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-01-23 16:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-01-23 16:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-01-23 15:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-01-23 14:49 <DIR> d-------- C:\WINDOWS\WBEM
    2007-01-23 14:49 <DIR> d-------- C:\WINDOWS\system32\en-US
    2007-01-23 14:48 <DIR> d--h-c--- C:\WINDOWS\ie7
    2007-01-23 14:46 121,856 --------- C:\WINDOWS\system32\xmllite.dll
    2007-01-23 14:46 <DIR> d-------- C:\WINDOWS\network diagnostic
    2007-01-23 14:44 <DIR> d-------- C:\dcc842f23a6dc61ab93c6147e1
    2007-01-22 17:13 <DIR> d-------- C:\Program Files\ewido anti-malware
    2007-01-22 17:08 <DIR> d-------- C:\Program Files\Hijackthis


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-24 16:17 -------- d-------- C:\DOCUME~1\Peter\Application Data\xfire
    2007-01-24 02:02 98304 --a--c--- C:\WINDOWS\system32\cmdlineext.dll
    2007-01-24 01:41 -------- d--h----- C:\Program Files\installshield installation information
    2007-01-22 15:01 -------- d-------- C:\Program Files\Common Files\adobe
    2007-01-22 15:01 -------- d-------- C:\DOCUME~1\Peter\Application Data\adobe
    2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
    2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Update Service"="C:\\PROGRA~1\\COMMON~1\\TEKNUM~1\\update.exe /startup"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "HTpatch"="C:\\WINDOWS\\htpatch.exe"
    "ACTIVBOARD"="C:\\Apps\\ActivBoard\\MMKeybd.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "KeyMaestro"="C:\\KMaestro\\KMaestro.exe"
    "Microsoft Works Update Detection"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe\""
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "AGEIA PhysX SysTray"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\KeyMaestro]
    "FirstRun"=dword:00000001
    "RepeatFlag"=dword:00000000
    "PowerEnable"=dword:00000001
    "BTCplayEnable"=dword:00000001
    "MsPlayEnable"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


    Completion time: 07-01-24 22:49:04



    Tinker
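ComboFix's log groups its output under banner lines such as "Files Created from ... to ..." and "Reg Loading Points", and writes registry values in .reg-file syntax, with backslashes doubled and embedded quotes escaped, so the Run-key values above are not literally what Windows executes. The script below is an added example, not part of this thread and not ComboFix code. It splits a constructed excerpt of the log above into its sections, lists the non-directory files created in the window (directories such as a freshly installed game are rarely the interesting part; new DLLs and EXEs under C:\WINDOWS are what you compare against a known-good install), and decodes the Run-key values back into the real command lines. The banner, file-line and value regexes are this example's own assumptions about the format.

```python
"""Split a ComboFix log into sections and decode its file and registry listings (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the ComboFix log posted above, embedded so the script runs offline.
SAMPLE_COMBOFIX = r"""
"Peter" - 07-01-24 22:45:52 Service Pack 2
ComboFix 07-01-24.2 - Running from: "C:\Documents and Settings\Peter\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-24 to 2007-01-24 ))))))))))))))))))))))))))))))))))

2007-01-24 01:46 <DIR> d-------- C:\WINDOWS\system32\ageia
2007-01-23 17:45 182,272 --a------ C:\WINDOWS\patchw32.dll
2007-01-23 17:26 <DIR> d---s---- C:\Program Files\Xfire
2007-01-23 14:46 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-22 17:08 <DIR> d-------- C:\Program Files\Hijackthis

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Update Service"="C:\\PROGRA~1\\COMMON~1\\TEKNUM~1\\update.exe /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\KeyMaestro]
"FirstRun"=dword:00000001

Completion time: 07-01-24 22:49:04
"""

SECTION_RE = re.compile(r"^\({3,}\s*(?P<name>.+?)\s*\){3,}$")        # ((( banner )))
FILE_RE = re.compile(                                                  # date time size attrs path
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{9})\s+(?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")                     # [HKEY_...\run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.+)$')              # "Name"=data


@dataclass
class FileEntry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    attrs: str            # ComboFix attribute flags, e.g. "d--h-c---" or "--a------"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Map each banner name to the non-blank lines that follow it, up to the next banner."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def files_created(text: str) -> List[FileEntry]:
    """All entries of the 'Files Created ...' section, directories included."""
    out: List[FileEntry] = []
    for name, lines in split_sections(text).items():
        if not name.startswith("Files Created"):
            continue
        for line in lines:
            m = FILE_RE.match(line)
            if not m:
                continue
            size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
            out.append(FileEntry(m.group("date"), m.group("time"), size, m.group("attrs"), m.group("path")))
    return out


def new_files(text: str) -> List[FileEntry]:
    """Only real files: the entries worth comparing against a known-good installation."""
    return [f for f in files_created(text) if not f.is_dir]


def unescape_reg_string(data: str) -> str:
    """Undo .reg-file quoting: drop the outer quotes and the backslash escapes; leave dword:/hex: as-is."""
    if not (data.startswith('"') and data.endswith('"')):
        return data
    return re.sub(r"\\(.)", r"\1", data[1:-1])


def loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Registry key -> {value name: decoded data} from the 'Reg Loading Points' section."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in split_sections(text).get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            result[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            result[current][vm.group("name")] = unescape_reg_string(vm.group("data"))
    return result


if __name__ == "__main__":
    for f in new_files(SAMPLE_COMBOFIX):
        print(f"{f.date} {f.time} {f.size:>9} {f.attrs} {f.path}")
    for key, values in loading_points(SAMPLE_COMBOFIX).items():
        for name, data in values.items():
            print(f"{key} :: {name} -> {data}")
```

The decoded Run-key values line up with the O4 lines of a HijackThis log taken on the same machine, which is a quick way to spot autostarts added between two scans (the ComboFix output above lists two HKLM Run values that the earlier HijackThis log does not, matching the software installed on 24 January).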
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Are there any files in this folder? C:\dcc842f23a6dc61ab93c6147e1
     
  13. Tinker-2006

    Tinker-2006 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    61
    Hi

    There is 1 item, a very long Text File named: msxml4-KB927978-enu

    Tinker
     
  14. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    That doesn't seem harmful. I really am not seeing anything.
     
  15. Tinker-2006

    Tinker-2006 Thread Starter

    Joined:
    Apr 27, 2006
    Messages:
    61
    Things do seem to be running fine. Had no issues apart from the odd occasion with DRWatson not responding. The Ewido trial runs out shortly, then I will re-install my registered Norton Security Pk again.

    Thnx for your time, I guess we can close the Thread.

    :)
     

Short URL to this thread: https://techguy.org/537426
