
Threats and High Threats on XoftSpy

Discussion in 'Virus & Other Malware Removal' started by aroominyork, Apr 5, 2006.

  1. aroominyork

    aroominyork Thread Starter

    Joined:
    Oct 16, 2003
    Messages:
    356
    I run:
    AMD Athlon 64 2.40 GB
    512MB RAM
    Windows XP (SP2)
    80 GB hard disk

    It's been intermittently running slow. Ctrl-Alt-Delete > Performance will show CPU usage at 99%-100%. I ran XoftSpy which came up with the following threats or high threats.


    Vendor / Type / Category / Object
    CWS.Googlems / Registry Value / Malware / Software\Microsoft\Internet Explorer\main/search bar
    VX2 / Registry Value / BHO / Software\Microsoft\Internet Explorer\toolbar\webbrowser
    1st Alert 1.3 / File / Carding / C:\File_Id.diz
    Haxdoor / File / Trojan / C:\WINDOWS\system32\w32tm.exe (High Threat)
    EPS E-Mail Password / Sender File / Password Capture / C:\What’sNew.txt
    Tracking Cookie File / Data Miner / C:\Documents and settings\first user\cookies\first [email protected]

    What is the best way to deal with them? I could buy a XoftSpy licence for $40, but I am asking this question because every anti-virus or spyware programme seems to pick up different issues, so will any one safeguard me? Can I get rid of these without buying a licence, and what is my way forward? Thanks.
     
  2. whisperer

    whisperer

    Joined:
    Jun 16, 2005
    Messages:
    14
    Hi roominyork,

    My name is whisperer and I use GT also as a signature, hope you do not mind if I shorten yours to ‘riy’ :)

    To assist in the diagnosis of your problem
    1. Download HijackThis from this link, this will install a copy in the following directory C:\Program Files\HijackThis
    2. Please go to this directory and select HijackThis.exe to run the file
      • Choose the Do a system scan and save a logfile option
    3. In the same directory you will now find an hijackthis.log, please copy and paste the entire content back to this thread
    GT (y)
     
  3. aroominyork

    aroominyork Thread Starter

    Joined:
    Oct 16, 2003
    Messages:
    356
    The Hijack log result is:

    Logfile of HijackThis v1.99.1
    Scan saved at 08:19:52, on 02/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\STOPzilla!\SZServer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\gsicon.exe
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yghacbmozb.com/DbHLt/i5llgYhmAbEHT6qSXOF14Ts9OiHM6uF_/Eo_FBvzLXhWiOOMrIxOVafqma.jpg
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1112104185067
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53B03F0F-6B1A-42EF-A709-E25AB519FD2F}: NameServer = 62.6.40.162 194.72.0.98
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

    Also, I ran STOPzilla which detected the following:
    DotCom Toolbar
    IEPlugin
    Mirar Toolbar
    Winshow
    Adultlinks
    Blazefind
    Domains
    Ebates-MoeMoneyMaker
    IST.Powerscan
    IST.SideFind
    Iefeats.

    Thanks for this help. (PS I was away for 3 weeks, hence the delay in posting this reply!)
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,961
    First Name:
    Derek
    Did Stopzilla fix them or just detect them? As you have Spyware Doctor, that normally detects & fixes all the problems in your list.
    Where did Stopzilla find these pests?
     
  5. aroominyork

    aroominyork Thread Starter

    Joined:
    Oct 16, 2003
    Messages:
    356
    I haven't purchased Spyware Doctor so my download only detects problems - it doesn't fix them. I'd buy a package but is Spyware Doctor the best one to buy (how long is a piece of string...)? I ran a scan and it showed about 180 infections, about 20 Low risk, 100 High risk, 40 Elevated risk and 20 Medium risk. Can you guide me on this?
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,961
    First Name:
    Derek
    Spyware Doctor is good but I prefer spysweeper

    both are quite efficient at removing pests

    try the spysweeper trial which does remove what it finds

    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
    • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  7. aroominyork

    aroominyork Thread Starter

    Joined:
    Oct 16, 2003
    Messages:
    356
    Thanks for this help dvk.

    The Spysweeper log is:
    ********
    16:46: | Start of Session, 04 May 2006 |
    16:46: Spy Sweeper started
    16:46: Sweep initiated using definitions version 556
    16:46: Starting Memory Sweep
    16:49: Memory Sweep Complete, Elapsed Time: 00:02:20
    16:49: Starting Registry Sweep
    16:49: Found Adware: powerscan
    16:49: HKLM\software\microsoft\windows\currentversion\uninstall\power scan\ (2 subtraces) (ID = 136826)
    16:49: Found Adware: lopdotcom
    16:49: HKU\S-1-5-21-507921405-725345543-1188974485-1004\software\microsoft\internet explorer\new windows\allow\ || lop.com (ID = 130287)
    16:49: HKU\S-1-5-21-507921405-725345543-1188974485-1004\software\microsoft\internet explorer\new windows\allow\ || searchweb2.com (ID = 130288)
    16:49: HKU\S-1-5-21-507921405-725345543-1188974485-1004\software\microsoft\internet explorer\new windows\allow\ || www.lop.com (ID = 130289)
    16:49: HKU\S-1-5-21-507921405-725345543-1188974485-1004\software\microsoft\internet explorer\new windows\allow\ || www.searchweb2.com (ID = 130290)
    16:49: Registry Sweep Complete, Elapsed Time:00:00:12
    16:49: Starting Cookie Sweep
    16:49: Found Spy Cookie: 2o7.net cookie
    16:49: first [email protected][2].txt (ID = 1958)
    16:49: first [email protected][1].txt (ID = 1958)
    16:49: Found Spy Cookie: 888 cookie
    16:49: first [email protected][1].txt (ID = 2019)
    16:49: first [email protected][2].txt (ID = 2019)
    16:49: Found Spy Cookie: yieldmanager cookie
    16:49: first [email protected][1].txt (ID = 3751)
    16:49: first [email protected][2].txt (ID = 3751)
    16:49: Found Spy Cookie: adknowledge cookie
    16:49: first [email protected][1].txt (ID = 2072)
    16:49: Found Spy Cookie: adlegend cookie
    16:49: first [email protected][1].txt (ID = 2074)
    16:49: Found Spy Cookie: hbmediapro cookie
    16:49: first [email protected][2].txt (ID = 2768)
    16:49: Found Spy Cookie: ask cookie
    16:49: first [email protected][1].txt (ID = 2245)
    16:49: Found Spy Cookie: a cookie
    16:49: first [email protected][1].txt (ID = 2027)
    16:49: Found Spy Cookie: belnk cookie
    16:49: first [email protected][1].txt (ID = 2292)
    16:49: Found Spy Cookie: burstnet cookie
    16:49: first [email protected][2].txt (ID = 2336)
    16:49: Found Spy Cookie: cassava cookie
    16:49: first [email protected][1].txt (ID = 2362)
    16:49: Found Spy Cookie: 360i cookie
    16:49: first [email protected][1].txt (ID = 1962)
    16:49: first [email protected][2].txt (ID = 2293)
    16:49: Found Spy Cookie: go.com cookie
    16:49: first [email protected][1].txt (ID = 2728)
    16:49: Found Spy Cookie: touchclarity cookie
    16:49: first [email protected][1].txt (ID = 3566)
    16:49: first [email protected][1].txt (ID = 1958)
    16:49: first [email protected][1].txt (ID = 1958)
    16:49: Found Spy Cookie: partypoker cookie
    16:49: first [email protected][2].txt (ID = 3111)
    16:49: Found Spy Cookie: rn11 cookie
    16:49: first [email protected][2].txt (ID = 3261)
    16:49: Found Spy Cookie: adjuggler cookie
    16:49: first [email protected][1].txt (ID = 2071)
    16:49: first [email protected][1].txt (ID = 1958)
    16:49: Found Spy Cookie: searchweb2 cookie
    16:49: first [email protected][2].txt (ID = 3325)
    16:49: Found Spy Cookie: web-stat cookie
    16:49: first [email protected][2].txt (ID = 3649)
    16:49: Found Spy Cookie: reliablestats cookie
    16:49: first [email protected][2].txt (ID = 3254)
    16:49: Found Spy Cookie: tickle cookie
    16:49: first [email protected][1].txt (ID = 3530)
    16:49: first [email protected][2].txt (ID = 2020)
    16:49: Found Spy Cookie: redzip cookie
    16:49: first [email protected][2].txt (ID = 3250)
    16:49: first [email protected][2].txt (ID = 3326)
    16:49: Cookie Sweep Complete, Elapsed Time: 00:00:01
    16:49: Starting File Sweep
    16:51: a0059771.exe (ID = 121)
    16:52: a0038105.exe (ID = 121)
    16:53: a0059772.exe (ID = 90)
    16:53: a0038093.exe (ID = 120)
    16:53: a0038094.exe (ID = 122)
    16:56: a0059758.exe (ID = 122)
    16:56: dxtezjlp.exe (ID = 95)
    16:57: sta10.exe (ID = 120)
    16:57: hdpykesy.exe (ID = 95)
    16:58: a0059759.exe (ID = 122)
    16:58: a0059770.exe (ID = 91)
    16:59: a0038106.exe (ID = 90)
    17:00: comver.dll (ID = 111424)
    17:01: ystzyrzy.exe (ID = 95)
    17:01: 582b21b0.exe (ID = 121)
    17:01: 58b8c88e.exe (ID = 121)
    17:02: Found Adware: sexfiles dialers
    17:02: dating.lnk (ID = 75396)
    17:02: a0038107.exe (ID = 91)
    17:03: File Sweep Complete, Elapsed Time: 00:13:50
    17:03: Full Sweep has completed. Elapsed time 00:16:31
    17:03: Traces Found: 56
    17:05: Removal process initiated
    17:05: Quarantining All Traces: lopdotcom
    17:05: Quarantining All Traces: powerscan
    17:05: Quarantining All Traces: sexfiles dialers
    17:05: Quarantining All Traces: 2o7.net cookie
    17:05: Quarantining All Traces: 360i cookie
    17:05: Quarantining All Traces: 888 cookie
    17:05: Quarantining All Traces: a cookie
    17:05: Quarantining All Traces: adjuggler cookie
    17:05: Quarantining All Traces: adknowledge cookie
    17:05: Quarantining All Traces: adlegend cookie
    17:05: Quarantining All Traces: ask cookie
    17:05: Quarantining All Traces: belnk cookie
    17:05: Quarantining All Traces: burstnet cookie
    17:05: Quarantining All Traces: cassava cookie
    17:05: Quarantining All Traces: go.com cookie
    17:05: Quarantining All Traces: hbmediapro cookie
    17:05: Quarantining All Traces: partypoker cookie
    17:05: Quarantining All Traces: redzip cookie
    17:05: Quarantining All Traces: reliablestats cookie
    17:05: Quarantining All Traces: rn11 cookie
    17:05: Quarantining All Traces: searchweb2 cookie
    17:05: Quarantining All Traces: tickle cookie
    17:05: Quarantining All Traces: touchclarity cookie
    17:05: Quarantining All Traces: web-stat cookie
    17:05: Quarantining All Traces: yieldmanager cookie
    17:05: Removal process completed. Elapsed time 00:00:15
    ********
    16:45: | Start of Session, 04 May 2006 |
    16:45: Spy Sweeper started
    16:45: Your definitions are up to date.
    16:46: | End of Session, 04 May 2006 |


    The Hijack This log is:
    Logfile of HijackThis v1.99.1
    Scan saved at 17:07:01, on 04/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\STOPzilla!\SZServer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\gsicon.exe
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yghacbmozb.com/DbHLt/i5llgYhmAbEHT6qSXOF14Ts9OiHM6uF_/Eo_FBvzLXhWiOOMrIxOVafqma.jpg
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1112104185067
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53B03F0F-6B1A-42EF-A709-E25AB519FD2F}: NameServer = 62.6.40.162 194.72.0.98
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,961
    First Name:
    Derek
    run HJT & fix this
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yghacbmozb.com/DbHLt/i5ll...rIxOVafqma.jpg


    If Spyware Doctor is only the trial then I would uninstall it unless you are going to buy it

    then it appears clean so

    Turn off system restore by following instructions here
    http://www.online-tutorials.com/folder9/920.htm
    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

    go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

    and pay an urgent visit to windows update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place

    go to www.java.com & download the latest version of java 1.5.0.6

    install it & then go to add/remove programs and UNINSTALL ALL previous versions of sun java
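The triage dvk01 performs by eye above (spotting the R1 Search Bar entry that points at an unfamiliar host, and weighing "(no name)", "(file missing)" and "Unknown owner" entries) can be scripted. The following is an added example, not code from the thread or from HijackThis; the log lines are constructed to mirror the format of the v1.99.1 log posted above (the hijack host is a made-up `.invalid` name), and `KNOWN_SEARCH_HOSTS` is an assumed allowlist you would tune to your own environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis v1.99.1 log in this thread.
# The R1 host is a placeholder; the remaining entries copy the real log's shape.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 17:07:01, on 04/05/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.unknown-searchbar.invalid/DbHLt/x.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
"""

# Every HijackThis finding line starts with a section code (R0, R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")

# Assumed allowlist of search/start-page hosts considered benign for this machine.
KNOWN_SEARCH_HOSTS = {"www.google.co.uk", "www.google.com", "www.msn.com", "search.msn.com"}


def parse_entries(log_text):
    """Return (section, body) pairs for each R*/O* line; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def triage(log_text):
    """Return (severity, section, reason, line) findings, in log order.

    Severities: 'high' = treat as a hijack (fix in HJT), 'review' = legitimate
    software often looks like this, confirm before removing, 'low' = dead entry.
    """
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if section in ("R0", "R1"):
            # Start Page / Search Bar values: a host outside the allowlist is a
            # CWS-style search hijack, the same pattern as the R1 line in this thread.
            _, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname or ""
            if host and host not in KNOWN_SEARCH_HOSTS:
                findings.append(("high", section,
                                 f"IE search/start value points at unrecognised host {host}", line))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            # Spybot's SDHelper.dll legitimately has no name; hence 'review', not 'high'.
            findings.append(("review", section,
                             "BHO with no display name; confirm the DLL belongs to known software", line))
        elif section == "O18" and body.endswith("(file missing)"):
            findings.append(("low", section,
                             "protocol handler references a missing file; inert but safe to remove", line))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(("review", section,
                             "service has no recorded publisher; verify the binary's origin", line))
    return findings


if __name__ == "__main__":
    for severity, section, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}\n         {line}")
```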
     
Short URL to this thread: https://techguy.org/456159