Trojan won't allow spybot to run...


  • Please log in to reply

#1 iamsuranovi (New Member, 2 posts)
I have gotten malware and/or trojan(s) from things my kid downloaded (MyWebSearch and ZWINKY). I've gotten rid of a lot, but cannot seem to get rid of what counts. When I play a game or try to run Spybot (for instance), my PC restarts. Usually it doesn't restart otherwise, but sometimes will anyway. This has caused 2 games and search to run as processes instead of programs. A sys restore fixed search, but the rest... I have installed HijackThis and run a scan. The results follow. I'm no newbie, but no expert, either. I can't afford to buy anything; all I need is help. Here is what the scan found:

Deckard's System Scanner v20071014.68
Run by MOM on 2007-11-19 10:57:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
21: 2007-11-19 15:57:19 UTC - RP890 - Deckard's System Scanner Restore Point
20: 2007-11-18 15:00:29 UTC - RP889 - Software Distribution Service 3.0
19: 2007-11-18 14:09:37 UTC - RP888 - Removed Windows Defender
18: 2007-11-18 02:15:52 UTC - RP887 - THE restore point
17: 2007-11-17 23:49:29 UTC - RP886 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-11-09 18:20:37 UTC - RP870 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as MOM.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:49 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BeClean\bca.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\MOM\Local Settings\Temporary Internet Files\Content.IE5\KRR3Y41H\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MOM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insightbb.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\5.bin\MWSBAR.DLL (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BeClean Agent] C:\Program Files\BeClean\bca.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm035NJUS
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: DCleaner - {D4AC5FD3-C2EE-4FC4-83EC-925E685134F4} - C:\Program Files\DCleaner\DCleaner.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activewor...ldsDownload.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/91-butrw2.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/MariasFolder/odd%20pix/dance.gif
O24 - Desktop Component 10: (no name) - file:///C:/Documents%20and%20Settings/All%20Users/Documents/My%20Pictures/Backgrounds/Photographic/willow-t.jpg
O24 - Desktop Component 11: (no name) - file:///C:/Documents%20and%20Settings/All%20Users/Documents/My%20Pictures/Backgrounds/Photographic/t-early-autumn800.jpg
O24 - Desktop Component 2: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/MariasFolder/odd%20pix/ballsak.gif
O24 - Desktop Component 3: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/MariasFolder/odd%20pix/panda.gif
O24 - Desktop Component 4: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/MariasFolder/odd%20pix/girdance.gif
O24 - Desktop Component 5: (no name) - file:///C:/Documents%20and%20Settings/All%20Users/Documents/My%20Pictures/Backgrounds/Photographic/t-millstream800.jpg
O24 - Desktop Component 6: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/478-ringblomma.gif
O24 - Desktop Component 7: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/1454_daffy_fra__led.gif
O24 - Desktop Component 8: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/chick12.gif
O24 - Desktop Component 9: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/aladybug1.gif

--
End of file - 8558 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 PxHelper - c:\windows\system32\drivers\pxhelper.sys <Not Verified; VERITAS Software, Inc.; PxHelp20>

S3 ADSFilter (ADSFilter - (Aluria Filter Driver)) - c:\windows\system32\drivers\adsfilter.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S2 PavPrSrv (Panda Process Protection Service) -
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPFECP13\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPFECP13\0000
Service: HPFECP13

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ROOT\PORTS\0000
Manufacturer: (Standard port types)
Name: Communications Port (COM4)
PNP Device ID: ROOT\PORTS\0000
Service: Serial


-- Scheduled Tasks -------------------------------------------------------------

2007-11-18 18:13:02 356 --a------ C:\WINDOWS\Tasks\WebReg 20051102181305.job


-- Files created between 2007-10-19 and 2007-11-19 -----------------------------

2007-11-19 10:58:33 0 d-------- C:\Program Files\Trend Micro
2007-11-19 09:25:51 0 d-------- C:\Program Files\Enigma Software Group
2007-11-19 09:16:46 0 d--hs---- C:\FOUND.000
2007-11-18 13:40:01 0 d-------- C:\Program Files\Fairies
2007-11-18 10:43:10 0 dr-h----- C:\Documents and Settings\MOM\Recent
2007-11-18 10:39:17 0 d-------- C:\Program Files\Deep Quest
2007-11-18 10:38:02 0 d-------- C:\Program Files\Dream Chronicles
2007-11-18 10:36:06 0 d-------- C:\Program Files\Doras Carnival 2 At the Boardwalk
2007-11-18 10:35:43 0 d-------- C:\Program Files\Blue Reef Sudoku
2007-11-18 10:29:21 0 d--hs---- C:\WINDOWS\ftpcache
2007-11-17 19:01:39 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-11-17 19:00:58 34504 --a------ C:\WINDOWS\hosts
2007-11-17 18:31:58 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-11-17 18:31:24 0 d-------- C:\WINDOWS\BDOSCAN8
2007-11-17 18:31:15 0 d-------- C:\Program Files\DCleaner
2007-11-17 12:27:27 0 d-------- C:\Program Files\Java(2)
2007-11-17 12:27:06 0 d-------- C:\Program Files\Common Files\Java(2)
2007-11-15 21:52:16 0 d-------- C:\WINDOWS\BDOSCAN8(2)
2007-11-15 17:16:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 17:05:58 0 d-------- C:\Program Files\Windows Live Safety Center
2007-11-09 09:04:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-08 13:21:44 0 d-------- C:\Documents and Settings\MOM\Application Data\Sun
2007-11-07 16:14:41 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache(2)
2007-11-07 15:26:39 0 d-------- C:\Program Files\Age Of Castles
2007-10-31 12:38:25 0 d-------- C:\Documents and Settings\MOM\Application Data\iWin
2007-10-28 15:35:27 0 d-------- C:\Program Files\Common Files\Borland Shared
2007-10-28 15:35:26 0 d-------- C:\Program Files\Cosmi
2007-10-20 10:46:26 0 d-------- C:\Documents and Settings\MOM\Application Data\Viewpoint


-- Find3M Report ---------------------------------------------------------------

2007-10-10 23:02:42 0 d-------- C:\Program Files\Design Manager
2007-09-30 18:25:42 0 d-------- C:\Program Files\Bonjour
2007-09-30 18:11:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-30 16:20:12 817664 ---h----- C:\WINDOWS\system32\WODFAMOH.DLL <Not Verified; Abrosoft; FantaMorph>
2007-09-26 12:53:18 1881321 --a------ C:\Program Files\mushclient380.exe
2007-09-26 12:49:28 2015276 --a------ C:\Program Files\mushclient414.exe
2007-09-25 22:01:38 81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-09-22 09:31:58 0 d-------- C:\Program Files\Build-a-lot
2007-09-22 09:23:12 0 d-------- C:\Documents and Settings\MOM\Application Data\Leadertech
2007-09-11 12:32:48 61440 --a------ C:\WINDOWS\diabunin.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/29/2005 02:08 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [08/01/2005 04:28 PM]
"BeClean Agent"="C:\Program Files\BeClean\bca.exe" [12/01/2003 07:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [08/13/2007 07:04 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\MOM\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [7/30/1997 2:50:58 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=00000000
"NoSaveSettings"=00000000
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7489 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-11-19 11:01:00 ------------

After seeing the log, I increased my memory from 1000 to 1440. What do I do now?
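The HijackThis section of the log above is a flat list of registry and browser hook entries, and the first thing a helper does with it is triage: which entries point at files that no longer exist (HijackThis marks these "(file missing)" or "(no file)"; they are usually leftovers from a partial removal, and they fail to load but still clutter the registry), which ones still reference the software named in the post (MyWebSearch), and which O4 autostart entries run at logon. The parser below is an added example, not code from the original thread or from HijackThis or Geeks to Go; the sample lines are copied from the log above, and the function names, the `Entry` structure and the O4 hive/name/command split are this example's own assumptions about the log format.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: nine lines copied from the HijackThis section of the log above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm035NJUS
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
""".strip()

# "<code> - <body>": code is the HijackThis section (R0-R3, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body layout assumed here: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# Markers HijackThis appends when the referenced file is not on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    code: str              # section code, e.g. "O2" (BHO) or "O4" (autostart)
    body: str              # everything after "<code> - "
    clsid: Optional[str]   # COM class id if the entry carries one
    target_missing: bool   # True when the referenced file does not exist


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis entry lines; headers, blank lines and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            code=m.group("code"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            target_missing=any(marker in body for marker in MISSING_MARKERS),
        ))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file is gone: remnants of an uninstall or earlier cleanup."""
    return [e for e in entries if e.target_missing]


def mentioning(entries: List[Entry], keyword: str) -> List[Entry]:
    """Entries whose name, path or URL still mentions a product, case-insensitively."""
    k = keyword.lower()
    return [e for e in entries if k in e.body.lower()]


def autostarts(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(hive, value name, command) for every O4 Run-key entry that matches the assumed layout."""
    result = []
    for e in entries:
        if e.code != "O4":
            continue
        m = O4_RE.match(e.body)
        if m:
            result.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return result


def section_counts(entries: List[Entry]) -> dict:
    """How many entries each section contributed; a quick sanity check against the log."""
    return dict(Counter(e.code for e in entries))


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("sections:", section_counts(found))
    for e in orphaned(found):
        print("orphaned reference:", e.code, e.body)
    for e in mentioning(found, "mywebsearch"):
        print("still references MyWebSearch:", e.code, e.body)
    for hive, name, cmd in autostarts(found):
        print(f"autostart [{hive}] {name}: {cmd}")
```

Run against the full log rather than the sample, the same three lists give a helper the short list to discuss: orphaned entries are safe to remove because nothing is behind them, MyWebSearch references show what a previous cleanup left behind, and the O4 list is what executes at every logon, including the `HKUS\S-1-5-18` (SYSTEM) entry. Note that the O8 line on the page carries a URL the forum truncated ("mywebse..."), so a keyword search for "mywebsearch" does not match it; the parser reports only what the text actually contains.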
#2 iamsuranovi (Topic Starter, New Member, 2 posts)
I forgot to mention: my PC will not start in safe mode, for some reason. I don't care if I have to go in and pick these files out one at a time; please help me find a way to do this.