
Hijack This Files (spyware Infection Desktop)


  • This topic is locked
2 replies to this topic

#1 Deadboy

  • Members
  • 2 posts

Posted 03 January 2006 - 04:33 PM

Hello,

I have been presented with a blue desktop, with a black box. In red: SPYWARE INFECTION. A couple of spaces down, in white writing: "your system is infected with spyware. Windows recommends you to use a spyware removal tool to prevent loss of important data and increase system performance. Using this PC before having it cleaned from spyware threats is highly discouraged."

I first tried to eradicate the problem using Spysweeper and since then on start up I get the message:
windows cannot find C:\WINDOWS\inet20003\services.exe

I see on the forum another member had a similar problem and so I have followed the same instructions you gave him (caacaacomputer, Dec 27 2005). I began with the preparation guide as suggested and then, Hijackthis, smitrem, ewido and Panda and again Hijackthis.

It seems to have worked. Below are the reports. Would you be able to let me know of any other items I need to clear? Unfortunately I still get the 'windows cannot find ...' message on start up.

Many thanks

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:35:45, 03/01/2006
+ Report-Checksum: 21D8C2FA

+ Scan result:

HKU\S-1-5-21-842925246-362288127-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Roger\Application Data\Mozilla\Firefox\Profiles\epo6i6vl.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> Trojan.Agent.bu : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
C:\WINDOWS\hosts -> Trojan.Qhost.el : Cleaned with backup
C:\WINDOWS\inet20002\services.exe -> Downloader.CWS.r : Cleaned with backup
C:\WINDOWS\inet20003\mm4.exe -> Proxy.Delf.an : Cleaned with backup
C:\WINDOWS\ms1.exe -> Downloader.Tiny.al : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\WINDOWS\tool3.exe -> Downloader.Small.bwr : Cleaned with backup


::Report End------------------------------------------------



Incident Status Location

Virus:Trj/Moli.CQ Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Adware:adware/cws.searchmeup Not desinfected C:\WINDOWS\kl.exe
Adware:adware/cws.loadadv Not desinfected C:\WINDOWS\loadadv728.exe
Adware:adware/secure32 Not desinfected C:\WINDOWS\secure32.html
Adware:adware/azesearch Not desinfected C:\WINDOWS\system32\azebar.xml
Adware:adware program Not desinfected C:\WINDOWS\x.exe
---------------------------------------------------------------------------------------------------------


smitRem log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 03/01/2006
The current time is: 17:51:43.70

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

desktop.html

~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 808 'explorer.exe'
Killing PID 808 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~


~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :thumbsup:
--------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 20:00:12, on 03/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: baloudHelperObj Class - {6165D324-3AAF-4C63-B545-C7D2285BEA1C} - C:\Program Files\Texthelp Systems\ReadAndWrite7.1\thhtmlbho.dll
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {630F2610-7654-11D1-83E3-0080C71A8794} (Interconnect Resources) - https://www.ib.albb.co.uk/ebs/ie/gic.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

---------------------End of reports----------------------------
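One thing worth noticing in the HijackThis log above is the F3 line: the win.ini `run=` entry still points at C:\WINDOWS\inet20003\services.exe, the very path named in the "windows cannot find" message, even though the scanners have already removed the files under C:\WINDOWS\inet2000x. A start-up error like that is the classic sign of an orphaned autostart entry. The following is an added example, not code from this thread or from the HijackThis project, showing how a helper might triage a log for such entries: it parses the F3, O2, O4, O20 and O23 lines, extracts the referenced file, and flags entries that point at a missing file, at "(no file)", or at a bare program name that cannot be verified. The sample log lines are constructed (modelled on the posted log) and the `PRESENT` set is an assumed stand-in for the real disk, so the script runs offline.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample log: six lines in HijackThis v1.99.1 format. The F3, O2 and O4 lines
# are modelled on entries from the log posted above; nothing here was read from a real disk.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
""".strip()

# Simulated view of the disk (assumption: stands in for os.path.exists on the cleaned PC).
# The inet20003\services.exe path is deliberately absent, as on the poster's machine.
PRESENT = {
    r"c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx",
    r"c:\progra~1\grisoft\avgfre~1\avgcc.exe",
    r"c:\windows\system32\wrlogonntf.dll",
}


def first_token(command: str) -> Optional[str]:
    """Return the program part of an autostart command line, honouring quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else None


def extract_target(line: str) -> Tuple[str, Optional[str]]:
    """Map a HijackThis line to (section, referenced file) for the sections we audit."""
    section, _, rest = line.partition(" - ")
    section = section.strip()
    if section == "F3":                      # F3 - REG:win.ini: run=<path>
        match = re.search(r"run=(.*)$", rest)
        return section, match.group(1).strip() if match else None
    if section == "O4":                      # O4 - <hive>\..\Run: [Name] <command>
        match = re.search(r"\]\s*(.*)$", rest)
        return section, first_token(match.group(1)) if match else None
    if section in ("O2", "O20", "O23"):      # last " - " field is the file (or "(no file)")
        return section, rest.rsplit(" - ", 1)[-1].strip()
    return section, None                     # other sections are not audited here


def audit(log_text: str, exists: Callable[[str], bool]) -> List[Tuple[str, str, str]]:
    """Flag autostart entries whose referenced file cannot be found on disk."""
    findings = []
    for line in log_text.splitlines():
        section, target = extract_target(line)
        if not target:
            continue
        if target == "(no file)":
            findings.append((section, target, "orphaned: registry entry has no backing file"))
        elif "\\" not in target:
            findings.append((section, target, "unqualified name: resolved via PATH, cannot verify"))
        elif not exists(target):
            findings.append((section, target, "missing file: autostart still points at a deleted path"))
    return findings


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed log against the simulated disk."""
    return audit(SAMPLE_LOG, lambda path: path.lower() in PRESENT)


if __name__ == "__main__":
    for section, target, reason in audit_sample():
        print(f"{section:<4} {target:<45} {reason}")
```

Against a real machine you would pass `os.path.exists` (or a case-insensitive wrapper) instead of the `PRESENT` lookup. The three findings the sample produces are exactly the kinds of line a helper asks the poster about: the F3 entry is what keeps producing the start-up error after the file is gone, the "(no file)" BHO is harmless but dead weight, and a bare name such as CTHELPER.EXE has to be checked by hand because Windows resolves it through the PATH rather than a fixed location.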


#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,572 posts
  • Location:USA

Posted 12 January 2006 - 10:16 AM

Sorry for the delay. Are you still having problems? If so, please post a brand new hijackthis log as a reply to this topic. Also make sure you have followed all the instructions in this topic before you post your new log:

Preparation Guide For Use Before Posting A Hijackthis Log

#3 Deadboy (Topic Starter)

  • Members
  • 2 posts

Posted 13 January 2006 - 08:51 AM

Hi,
No worries about the delay. I've not had any problems since my last post, so I believe it's sorted. Thanks for your help; we can close the ticket.
Regards and thanks again



