Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

still got spyware


  • Please log in to reply

#1
hulud

hulud

    Member

  • Member
  • PipPipPip
  • 268 posts
on this laptop, im still getting spyware showing up after a spybot scan.

i've done all the "do this before posting an hjt log" stuff, and here are my results:

AVG Anti-spyware log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:02:52 PM 05/15/2007

+ Scan result:



C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1015.dll -> Adware.Gator : No action taken.
C:\WINNT\Downloaded Program Files\CONFLICT.2\HDPlugin1015.dll -> Adware.Gator : No action taken.
C:\WINNT\Downloaded Program Files\CONFLICT.3\HDPlugin1015.dll -> Adware.Gator : No action taken.
C:\WINNT\Downloaded Program Files\CONFLICT.4\HDPlugin1015.dll -> Adware.Gator : No action taken.
C:\WINNT\Downloaded Program Files\CONFLICT.5\HDPlugin1015.dll -> Adware.Gator : No action taken.
C:\WINNT\Downloaded Program Files\CONFLICT.6\HDPlugin1015.dll -> Adware.Gator : No action taken.
C:\WINNT\Downloaded Program Files\CONFLICT.7\HDPlugin1015.dll -> Adware.Gator : No action taken.
C:\WINNT\SYSTEM32\OpPorts.exe -> Backdoor.HacDef.a : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9A97AZKY\84785_mssql[1].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9A97AZKY\84785_mssql[2].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9A97AZKY\84785_mssql[3].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9A97AZKY\84785_mssql[4].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9A97AZKY\84785_mssql[5].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9A97AZKY\84785_mssql[6].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\D4WK3HEQ\84785_mssql[1].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\D4WK3HEQ\84785_mssql[2].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\D4WK3HEQ\84785_mssql[3].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MYE7VL55\84785_mssql[1].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MYE7VL55\84785_mssql[2].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\MYE7VL55\84785_mssql[3].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\S92C8H3U\84785_mssql[1].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\S92C8H3U\84785_mssql[2].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\S92C8H3U\84785_mssql[3].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\S92C8H3U\84785_mssql[4].exe -> Backdoor.Mytobor.e : No action taken.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\S92C8H3U\84785_mssql[5].exe -> Backdoor.Mytobor.e : No action taken.
C:\WINNT\SYSTEM32\eraseme_44402.exe -> Backdoor.SdBot.aad : No action taken.


::Report end

SUPERAntiSpyware log
SUPERAntiSpyware Scan Log
Generated 05/15/2007 at 02:41 PM

Application Version : 3.6.1000

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Complete Scan
Total Scan Time : 02:10:11

Memory items scanned : 513
Memory threats detected : 0
Registry items scanned : 5938
Registry threats detected : 0
File items scanned : 42206
File threats detected : 1

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\BDOMINGUEZ\FAVORITES\ONLINE SECURITY TEST.URL

Panda Activescan log

Incident Status Location

Adware:adware/popmonster Not disinfected c:\winnt\system32\MSrdk.xml
Spyware:spyware/betterinet Not disinfected c:\winnt\inf\biini.inf
Adware:adware/sidesearch Not disinfected c:\program files\Lycos
Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1015.dll
Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.2\HDPlugin1015.dll
Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.3\HDPlugin1015.dll
Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.4\HDPlugin1015.dll
Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.5\HDPlugin1015.dll
Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.6\HDPlugin1015.dll
Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.7\HDPlugin1015.dll
Virus:W32/Sdbot.FGO.worm Disinfected C:\WINNT\SYSTEM32\eraseme_44402.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINNT\SYSTEM32\o
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\WINNT\SYSTEM32\wrstd.dll
HiJackThis log
Logfile of HijackThis v1.99.1
Scan saved at 6:11:30 AM, on 05/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
E:\Program Files\Netscreen\Netscreen-Remote\IreIKE.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\SYSTEM32\Brmfrmps.exe
E:\Program Files\Netscreen\Netscreen-Remote\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\MSSQL7\binn\sqlagent.exe
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\OfficeScan NT\RAUAgent.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
E:\Program Files\Netscreen\Netscreen-Remote\SafeCfg.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [OWS Setup CmdLine] "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteAgent] "C:\Program Files\OfficeScan NT\RAUAgent.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Verizon Online Control Pad] "C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlusG DWL-G122\AirPlus.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetScreen-Remote.lnk = E:\Program Files\Netscreen\Netscreen-Remote\SafeCfg.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.co...ease/instub.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://connor-mail/o...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://connor-mail/o...stall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://204.249.114.5.../RemoveCtrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {BB9BE2FF-06DB-47FA-BC0B-C7BB25348AC2} (CasinoLoader Control) - http://www.casinolas...asinoloader.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://webview.webex...bex/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - E:\Program Files\Netscreen\Netscreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - E:\Program Files\Netscreen\Netscreen-Remote\IreIKE.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
O23 - Service: Seagate Communication - Unknown owner - C:\WINNT\system32\dllcache\seagatecom.exe (file missing)
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\OfficeScan NT\tmlisten.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)


all help greatly appreciated!
  • 0

Advertisements


#2
hulud

hulud

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 268 posts
if it helps, this is the threat im picking up via spybot scans, LSA:

Posted Image

spybot can't remove it, even when running after a restart
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP