Deckard's System Scanner v20071014.68
Run by MOM on 2007-11-19 10:57:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
21: 2007-11-19 15:57:19 UTC - RP890 - Deckard's System Scanner Restore Point
20: 2007-11-18 15:00:29 UTC - RP889 - Software Distribution Service 3.0
19: 2007-11-18 14:09:37 UTC - RP888 - Removed Windows Defender
18: 2007-11-18 02:15:52 UTC - RP887 - THE restore point
17: 2007-11-17 23:49:29 UTC - RP886 - Software Distribution Service 3.0
-- First Restore Point --
1: 2007-11-09 18:20:37 UTC - RP870 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 480 MiB (512 MiB recommended).
-- HijackThis (run as MOM.exe) -------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:49 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\BeClean\bca.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\MOM\Local Settings\Temporary Internet Files\Content.IE5\KRR3Y41H\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MOM.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insightbb.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\5.bin\MWSBAR.DLL (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BeClean Agent] C:\Program Files\BeClean\bca.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm035NJUS
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: DCleaner - {D4AC5FD3-C2EE-4FC4-83EC-925E685134F4} - C:\Program Files\DCleaner\DCleaner.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activewor...ldsDownload.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/91-butrw2.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/MariasFolder/odd%20pix/dance.gif
O24 - Desktop Component 10: (no name) - file:///C:/Documents%20and%20Settings/All%20Users/Documents/My%20Pictures/Backgrounds/Photographic/willow-t.jpg
O24 - Desktop Component 11: (no name) - file:///C:/Documents%20and%20Settings/All%20Users/Documents/My%20Pictures/Backgrounds/Photographic/t-early-autumn800.jpg
O24 - Desktop Component 2: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/MariasFolder/odd%20pix/ballsak.gif
O24 - Desktop Component 3: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/MariasFolder/odd%20pix/panda.gif
O24 - Desktop Component 4: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/MariasFolder/odd%20pix/girdance.gif
O24 - Desktop Component 5: (no name) - file:///C:/Documents%20and%20Settings/All%20Users/Documents/My%20Pictures/Backgrounds/Photographic/t-millstream800.jpg
O24 - Desktop Component 6: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/478-ringblomma.gif
O24 - Desktop Component 7: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/1454_daffy_fra__led.gif
O24 - Desktop Component 8: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/chick12.gif
O24 - Desktop Component 9: (no name) - file:///C:/Documents%20and%20Settings/MOM/My%20Documents/My%20Pictures/animated/aladybug1.gif
--
End of file - 8558 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 PxHelper - c:\windows\system32\drivers\pxhelper.sys <Not Verified; VERITAS Software, Inc.; PxHelp20>
S3 ADSFilter (ADSFilter - (Aluria Filter Driver)) - c:\windows\system32\drivers\adsfilter.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
S2 PavPrSrv (Panda Process Protection Service) -
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPFECP13\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPFECP13\0000
Service: HPFECP13
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ROOT\PORTS\0000
Manufacturer: (Standard port types)
Name: Communications Port (COM4)
PNP Device ID: ROOT\PORTS\0000
Service: Serial
-- Scheduled Tasks -------------------------------------------------------------
2007-11-18 18:13:02 356 --a------ C:\WINDOWS\Tasks\WebReg 20051102181305.job
-- Files created between 2007-10-19 and 2007-11-19 -----------------------------
2007-11-19 10:58:33 0 d-------- C:\Program Files\Trend Micro
2007-11-19 09:25:51 0 d-------- C:\Program Files\Enigma Software Group
2007-11-19 09:16:46 0 d--hs---- C:\FOUND.000
2007-11-18 13:40:01 0 d-------- C:\Program Files\Fairies
2007-11-18 10:43:10 0 dr-h----- C:\Documents and Settings\MOM\Recent
2007-11-18 10:39:17 0 d-------- C:\Program Files\Deep Quest
2007-11-18 10:38:02 0 d-------- C:\Program Files\Dream Chronicles
2007-11-18 10:36:06 0 d-------- C:\Program Files\Doras Carnival 2 At the Boardwalk
2007-11-18 10:35:43 0 d-------- C:\Program Files\Blue Reef Sudoku
2007-11-18 10:29:21 0 d--hs---- C:\WINDOWS\ftpcache
2007-11-17 19:01:39 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-11-17 19:00:58 34504 --a------ C:\WINDOWS\hosts
2007-11-17 18:31:58 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-11-17 18:31:24 0 d-------- C:\WINDOWS\BDOSCAN8
2007-11-17 18:31:15 0 d-------- C:\Program Files\DCleaner
2007-11-17 12:27:27 0 d-------- C:\Program Files\Java(2)
2007-11-17 12:27:06 0 d-------- C:\Program Files\Common Files\Java(2)
2007-11-15 21:52:16 0 d-------- C:\WINDOWS\BDOSCAN8(2)
2007-11-15 17:16:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 17:05:58 0 d-------- C:\Program Files\Windows Live Safety Center
2007-11-09 09:04:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-08 13:21:44 0 d-------- C:\Documents and Settings\MOM\Application Data\Sun
2007-11-07 16:14:41 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache(2)
2007-11-07 15:26:39 0 d-------- C:\Program Files\Age Of Castles
2007-10-31 12:38:25 0 d-------- C:\Documents and Settings\MOM\Application Data\iWin
2007-10-28 15:35:27 0 d-------- C:\Program Files\Common Files\Borland Shared
2007-10-28 15:35:26 0 d-------- C:\Program Files\Cosmi
2007-10-20 10:46:26 0 d-------- C:\Documents and Settings\MOM\Application Data\Viewpoint
-- Find3M Report ---------------------------------------------------------------
2007-10-10 23:02:42 0 d-------- C:\Program Files\Design Manager
2007-09-30 18:25:42 0 d-------- C:\Program Files\Bonjour
2007-09-30 18:11:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-30 16:20:12 817664 ---h----- C:\WINDOWS\system32\WODFAMOH.DLL <Not Verified; Abrosoft; FantaMorph>
2007-09-26 12:53:18 1881321 --a------ C:\Program Files\mushclient380.exe
2007-09-26 12:49:28 2015276 --a------ C:\Program Files\mushclient414.exe
2007-09-25 22:01:38 81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-09-22 09:31:58 0 d-------- C:\Program Files\Build-a-lot
2007-09-22 09:23:12 0 d-------- C:\Documents and Settings\MOM\Application Data\Leadertech
2007-09-11 12:32:48 61440 --a------ C:\WINDOWS\diabunin.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07/29/2005 02:08 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [08/01/2005 04:28 PM]
"BeClean Agent"="C:\Program Files\BeClean\bca.exe" [12/01/2003 07:00 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [08/13/2007 07:04 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Documents and Settings\MOM\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [7/30/1997 2:50:58 AM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=00000000
"NoSaveSettings"=00000000
"ClearRecentDocsOnExit"=01000000
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
-- Hosts -----------------------------------------------------------------------
7489 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2007-11-19 11:01:00 ------------
After seeing the log, I increased my memory from 1000 to 1440. What do I do now?