spyware Smart security problems


#1 Khael (New Member, 1 posts)

I was surfing the net when all of a sudden I get this message stating that I have spyware software intruding my cpu. My screen background changed and I couldn't use my right click function to change it back. I ran all my spyware programs and found a ton of crap in my system now. I did a search and found that some other people have had this same problem and so I downloaded the hijackthis program and followed the instructions. This is what the log says:

Logfile of HijackThis v1.99.1
Scan saved at 1:16:53 AM, on 4/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Mcq.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\wp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmai...earch.php?qq=%s
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Tks] C:\WINDOWS\Mcq.exe
O4 - HKLM\..\Run: [Gni] C:\WINDOWS\Khu.exe
O4 - HKLM\..\Run: [Hvo] C:\WINDOWS\Efg.exe
O4 - HKLM\..\Run: [Vlr] C:\WINDOWS\Mbm.exe
O4 - HKLM\..\Run: [Laa] C:\WINDOWS\System32\Gve.exe
O4 - HKLM\..\Run: [Hau] C:\WINDOWS\System32\Qcu.exe
O4 - HKLM\..\Run: [Cni] C:\WINDOWS\Dmc.exe
O4 - HKLM\..\Run: [Pug] C:\WINDOWS\Sce.exe
O4 - HKLM\..\Run: [Esa] C:\WINDOWS\System32\Rfi.exe
O4 - HKLM\..\Run: [Bvp] C:\WINDOWS\Tko.exe
O4 - HKLM\..\Run: [Mkc] C:\WINDOWS\Krh.exe
O4 - HKLM\..\Run: [Tsc] C:\WINDOWS\System32\Fke.exe
O4 - HKLM\..\Run: [Bfh] C:\WINDOWS\Udp.exe
O4 - HKLM\..\Run: [Cag] C:\WINDOWS\Jvr.exe
O4 - HKLM\..\Run: [Lei] C:\WINDOWS\System32\Qqi.exe
O4 - HKLM\..\Run: [Kgn] C:\WINDOWS\System32\Fpp.exe
O4 - HKLM\..\Run: [Lhg] C:\WINDOWS\System32\Hev.exe
O4 - HKLM\..\Run: [Oia] C:\WINDOWS\Sfe.exe
O4 - HKLM\..\Run: [Ocn] C:\WINDOWS\System32\Kuj.exe
O4 - HKLM\..\Run: [Bkb] C:\WINDOWS\System32\Vdn.exe
O4 - HKLM\..\Run: [Hto] C:\WINDOWS\System32\Ibh.exe
O4 - HKLM\..\Run: [Mab] C:\WINDOWS\System32\Ehu.exe
O4 - HKLM\..\Run: [Hpc] C:\WINDOWS\System32\Gok.exe
O4 - HKLM\..\Run: [Lkm] C:\WINDOWS\Icv.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{CADCD893-2820-484B-8F92-4B89ABD541EB}\SECURITY.EXE
O4 - HKLM\..\Run: [Uln] C:\WINDOWS\Rpj.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Tks] C:\WINDOWS\Mcq.exe
O4 - HKCU\..\Run: [Gni] C:\WINDOWS\Khu.exe
O4 - HKCU\..\Run: [Hvo] C:\WINDOWS\Efg.exe
O4 - HKCU\..\Run: [Vlr] C:\WINDOWS\Mbm.exe
O4 - HKCU\..\Run: [Laa] C:\WINDOWS\System32\Gve.exe
O4 - HKCU\..\Run: [Hau] C:\WINDOWS\System32\Qcu.exe
O4 - HKCU\..\Run: [Cni] C:\WINDOWS\Dmc.exe
O4 - HKCU\..\Run: [Pug] C:\WINDOWS\Sce.exe
O4 - HKCU\..\Run: [Esa] C:\WINDOWS\System32\Rfi.exe
O4 - HKCU\..\Run: [Bvp] C:\WINDOWS\Tko.exe
O4 - HKCU\..\Run: [Mkc] C:\WINDOWS\Krh.exe
O4 - HKCU\..\Run: [Tsc] C:\WINDOWS\System32\Fke.exe
O4 - HKCU\..\Run: [Bfh] C:\WINDOWS\Udp.exe
O4 - HKCU\..\Run: [Cag] C:\WINDOWS\Jvr.exe
O4 - HKCU\..\Run: [Lei] C:\WINDOWS\System32\Qqi.exe
O4 - HKCU\..\Run: [Kgn] C:\WINDOWS\System32\Fpp.exe
O4 - HKCU\..\Run: [Lhg] C:\WINDOWS\System32\Hev.exe
O4 - HKCU\..\Run: [Oia] C:\WINDOWS\Sfe.exe
O4 - HKCU\..\Run: [Ocn] C:\WINDOWS\System32\Kuj.exe
O4 - HKCU\..\Run: [Bkb] C:\WINDOWS\System32\Vdn.exe
O4 - HKCU\..\Run: [Hto] C:\WINDOWS\System32\Ibh.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Mab] C:\WINDOWS\System32\Ehu.exe
O4 - HKCU\..\Run: [Hpc] C:\WINDOWS\System32\Gok.exe
O4 - HKCU\..\Run: [Lkm] C:\WINDOWS\Icv.exe
O4 - HKCU\..\Run: [Uln] C:\WINDOWS\Rpj.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109784380608
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Please can someone help me. I'm not cpu illiterate enough to fix this myself.

Thanks a lot,

Khael.
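A defender's triage pass over the log format above, as an added example that is not part of the original thread: it parses HijackThis O4, F2 and O23 lines and flags the patterns visible in Khael's log (three-letter randomly named executables dropped into C:\WINDOWS and System32, the same binary persisted in both HKLM and HKCU, an executable at the drive root, an altered Shell= value, and a service whose file is missing). The sample lines are copied from the log; the severity labels and regexes are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Tks] C:\WINDOWS\Mcq.exe
O4 - HKLM\..\Run: [Laa] C:\WINDOWS\System32\Gve.exe
O4 - HKCU\..\Run: [Tks] C:\WINDOWS\Mcq.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
# Three-letter .exe names sitting directly in the Windows directory or System32,
# the pattern that repeats roughly 25 times in the log above (assumed heuristic).
RANDOM_NAME_RE = re.compile(r"^c:\\windows\\(system32\\)?[a-z]{3}\.exe$", re.I)

def run_target(rest):
    """Extract the executable path from an O4 entry, dropping quotes and arguments."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    return rest.split(" ")[0]

def triage(log_text):
    """Return (severity, reason, evidence) findings that deserve a human look."""
    findings, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - ") and "Shell=" in line:
            shells = [s.strip() for s in line.split("Shell=")[1].split(",")]
            if [s.lower() for s in shells] != ["explorer.exe"]:
                findings.append(("high", "extra shell process " + ", ".join(shells[1:]), line))
        elif line.startswith("O23 - ") and "(file missing)" in line:
            findings.append(("medium", "service points at missing file", line))
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, path = m.group(1), run_target(m.group(3))
        seen[path.lower()].add(hive)  # remember which hives persist this binary
        if RANDOM_NAME_RE.match(path):
            findings.append(("high", "random 3-letter exe in Windows dir", line))
        elif re.match(r"^[a-z]:\\[^\\]+\.exe$", path, re.I):
            findings.append(("medium", "executable at drive root", line))
    for path, hives in seen.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(("medium", "same binary persisted in HKLM and HKCU", path))
    return findings
```

Run `triage(open("hijackthis.log").read())` against a full log to get the same findings list for every entry; legitimate vendor entries such as the Symantec ccApp line produce nothing.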

#2 Kat (Retired Staff, MVP, 19,711 posts)

Hi Khael!

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update and reboot.

Next, I would like you to run a few scans for me AFTER you have applied the Windows updates. Please follow these instructions:

Please update, configure, and re-run Ad-aware and Spybot S&D as below:
Make sure you're using the latest version of Ad-aware (Ad-aware SE 1.05). If you're using an older version, download Ad-aware SE Personal 1.05 and install it.

Before scanning with Ad-aware SE Free:
Run a FULL Ad-aware scan using the configuration below:
  • Update
    • Select Check for updates.
    • Then Connect and download SE1R28 16.02.2005.
  • Click Start
  • Select Perform Full System Scan and hit Next to let Ad-Aware scan your drives.
  • It will list malware files and registry keys. Click Next.
  • Under the Critical Objects tab, right-click in the list, choose Select All, then Next.
  • It will ask for verification of checked items. Choose OK.
  • Close Ad-Aware, Shut down and reboot your system.
Scanning in Spybot Search and Destroy:

1. Download and Install Spybot S&D, accepting the Default Settings
(Please ensure you have version 1.3 final.)
Home - The home of Spybot-S&D!: http://www.safer-networking.org/

Here is a nice Tutorial http://www.safer-net...p?page=tutorial

2. Go to Start > Programs > Spybot Search & Destroy and choose 'Spybot S&D'

3. Close ALL windows except Spybot S&D

4. Click the button 'Search for Updates' and download and install the Updates.

5. Next click the button 'Check for Problems'

6. When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window

7. Make sure there is a check mark beside the RED entries ONLY.

8. Choose Fix Selected Problems and allow Spybot to fix the RED entries.

Also, run at least 2 of these online virus scans:

Housecall<<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan<<<Accept default settings, save and post the log
RAV online scan<<<Add a check by 'Autoclean', leave everything else as is.
eTrust Antivirus Web Scan<<<'Cure' whatever is found, then delete if unsuccessful
Bitdefender ScanOnline<<<Place a check by everything under 'Scan Options'.
Command on Demand

Also run an online trojan scan here: http://www.trojanscan.com/
Reboot when finished.

#3 Kat (Retired Staff, MVP, 19,711 posts)

This thread is being closed due to lack of response from original poster. If you need help in the future, please pm a Moderator or Administrator to re-open this thread.