Spyware [resolved]



#16
Guest_thatman_* (Guest)
Hi Chezz ;)

The only item in your log is this one:
O2 - BHO: (no name) - {C67EA70A-1DE9-1344-6308-0B06CF2A76BA} - (no file)
I have not been able to find any information as to what it is; it is likely to be a loose end.

Your HJT.log is very clean :)

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm

Please post the logs from the Panda virus scan and HJT.log; we will need them to remove previous infections that have left files on your system.

Panda has been very good at finding hidden malware. ;)

Thanks

Kc :tazz:


#17
Chezz (Topic Starter)
Hi..... Panda scan found 5 instances. I can locate 4 of the files, but the file C:\WINDOWS\system32\LASS~1.EXE I am unable to locate.

Also, I don't know if this is a problem or not: the C:\windows\system32 folder contains the following files:

Isass - description of file: LSA Shell - created 27 Aug 2002

Isass - description of file: Isass Application - created 4 Mar 2005

Does the "application" one seem suspect to you, or is it a Windows file? Because it was round about the 4 March when things started to go wrong with the pc.

Thanx for your time and for doing a great job :tazz:

PANDA SCAN REPORT

Incident Status Location

Adware:Adware/WebSpecials No disinfected C:\Program Files\WebSpecials\uninst.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\LASS~1.EXE
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\uninst.exe
Adware:Adware/FindWhatever No disinfected C:\WINDOWS\system32\unregister.exe


Logfile of HijackThis v1.99.1
Scan saved at 12:52:18, on 15/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Voyager100Test\fts.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Barbara\My Documents\Hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.packardbell.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.packardbell.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C67EA70A-1DE9-1344-6308-0B06CF2A76BA} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Voyager100Test\fts.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,21/mcgdmgr.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packa...nfosFinder2.CAB
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

#18
Guest_thatman_* (Guest)
Hi Chezz

I would like you to search for this item: C:\WINDOWS\system32\Isass1.EXE. If found, right-click on the icon, select Properties and make a note.

C:\WINDOWS\system32\Isass.EXE: now redo the search and follow the same instructions as above.

Will wait for your results
Kc :tazz:

#19
Chezz (Topic Starter)
Hi again....... No results for Isass1.EXE.
Search results for lsass are:


Name   Location                           Type of file
lsass  C:\windows\NTservicepackuninstall  Application
LSASS  C:\windows\1386                    EX_File
lsass  C:\windows\system32                Application
lsass  C:\windows\servicepackFiles\       Application

The lsass file I referred to doesn't show in the search results, but there is another one there. It's a small icon, looks like 3 blocks with the letters M, F, C, one letter to each block.
Size: 408 KB
Created: 4 March
Thanx again :tazz:

#20
Guest_thatman_* (Guest)
Hi Chezz

lsass  C:\windows\NTservicepackuninstall  Application (12 KB)
LSASS  C:\windows\1386                    EX_File (12 KB)
lsass  C:\windows\system32                Application (13 KB)
lsass  C:\windows\servicepackFiles\       Application (13 KB)
All legal files.


The other file has to be the bad guy. Well done, get rid of it.

Kc :tazz:
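Added example, not from the thread or any of its participants: a small Python check that applies thatman's reasoning above to a directory listing, flagging executables that pass for lsass.exe (a capital "I" in place of "l", an 8.3 name such as LASS~1.EXE) or that carry the right name but sit outside the folders where Windows XP keeps the real one, or at an implausible size. The four folders (written with their standard names, i386 and $NtServicePackUninstall$, for the ones typed above), the 10-16 KB size band derived from the 12-13 KB figures, and the sample listing are assumptions constructed for this example.

```python
import difflib
import re
from pathlib import PureWindowsPath

# Folders where XP keeps genuine lsass.exe: the four the thread's search found,
# using their usual folder names (assumed: "1386" is i386, and
# "NTservicepackuninstall" is $NtServicePackUninstall$).
LEGIT_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\i386",
    r"c:\windows\servicepackfiles\i386",
    r"c:\windows\$ntservicepackuninstall$",
}
LEGIT_SIZE = (10 * 1024, 16 * 1024)  # thread reports 12-13 KB for the real file
# Glyphs that pass for a lowercase "l" on screen: "Isass" is "lsass" with a capital i.
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "|": "l"})

def looks_like_lsass(name: str) -> bool:
    """Executable whose name, after folding lookalike glyphs, is lsass or close to it."""
    p = PureWindowsPath(name)
    if p.suffix.lower() not in (".exe", ".ex_"):
        return False
    stem = re.sub(r"~\d+$", "", p.stem).translate(LOOKALIKES).lower()  # LASS~1 -> lass
    return difflib.SequenceMatcher(None, stem, "lsass").ratio() >= 0.85

def classify(path: str, size: int) -> str:
    """'legit' only for an exactly named copy in an expected folder at a plausible size."""
    p = PureWindowsPath(path)
    if not looks_like_lsass(p.name):
        return "other"
    exact = p.stem.lower() == "lsass"
    in_dir = str(p.parent).lower() in LEGIT_DIRS
    size_ok = LEGIT_SIZE[0] <= size <= LEGIT_SIZE[1]
    return "legit" if exact and in_dir and size_ok else "suspect"

def find_suspects(listing):
    """listing: iterable of (path, size_bytes); returns paths masquerading as lsass.exe."""
    return [path for path, size in listing if classify(path, size) == "suspect"]

# Constructed listing modelled on the thread: genuine copies, the 408 KB "Isass"
# application, Panda's LASS~1.EXE, and an unrelated system binary.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\system32\lsass.exe", 13 * 1024),
    (r"C:\WINDOWS\ServicePackFiles\i386\lsass.exe", 13 * 1024),
    (r"C:\WINDOWS\i386\LSASS.EX_", 12 * 1024),
    (r"C:\WINDOWS\system32\Isass.exe", 408 * 1024),
    (r"C:\WINDOWS\system32\LASS~1.EXE", 408 * 1024),
    (r"C:\WINDOWS\system32\smss.exe", 50 * 1024),
]
```

Running find_suspects(SAMPLE_LISTING) returns only the Isass.exe and LASS~1.EXE entries; a correctly named lsass.exe dropped into C:\WINDOWS or one of 408 KB in system32 is flagged as well.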

#21
Chezz (Topic Starter)
Hi........ Deleted all suspicious files now, and done another scan at Panda:

Adware:Adware/PurityScan No disinfected C:\RECYCLER\S-1-5-21-2959571466-242843114-1688267432-1005\Dc2.exe
Adware:Adware/WebSpecials No disinfected C:\RECYCLER\S-1-5-21-2959571466-242843114-1688267432-1005\Dc3\uninst.exe
Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-2959571466-242843114-1688267432-1005\Dc5.inf
Adware:Adware/FindWhatever No disinfected C:\RECYCLER\S-1-5-21-2959571466-242843114-1688267432-1005\Dc6.exe
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\system32\uninst.exe
The last named file in the list has now been deleted as well.

Restarted the pc after each item had been deleted, just to see if the one item in the HijackThis log would disappear, but no, it wants to stay:
O2 - BHO: (no name) - {C67EA70A-1DE9-1344-6308-0B06CF2A76BA} - (no file)
It doesn't seem to be causing a problem at the mo, so I will carry on looking for suspect files. If anything shows I will let you know, or if you come across anything relating to it you could e-mail me.


Anyway, many, many thanks for all your help and advice. It's been an experience for me, and you have definitely made an improvement to the pc.

thanx again Thatman for a marvellous job :tazz:

Proud to be a member of this fantastic site ;). What a great job you all do.

#22
Guest_thatman_* (Guest)
Hi Chezz

And thanks to you also. This was a long haul, but we got there first.

Post a log every day if you can; I will check it.

Well, we've been there, done it. What next? ;)

Kc :tazz:

#23
Chezz (Topic Starter)
http://www.geekstogo...ORLD-t8750.html

Shouldn't this be PINNED so we can all see it? C'mon, all you geeks, give yourselves a round of applause, you do a fantastic job. Pin it and see how much praise you are worthy of.

Thanx again thatman, fantastic job :tazz:.

Will post again to let you know how things are. ;)





