
|
  Toco83
@btcentralplus.com
| HJT Log - Can't clean computer, please help
I have no idea how this happened, but one morning my laptop wouldn't boot up. When I finally did get it going it started showing pop up messages, strange alerts telling me that Internet Explorer or Windows Explorer had experienced an error and would have to shut down, even if I wasn't using them. It was really slow, especially when online. Frequently I'd get messages saying that the computer was going to shut itself down, displaying a timer, although it didn't always shut down when the time ran out.
I've tried all of the spyware programs suggested. Spybot Search & Destroy keeps finding the same problems and says it needs to restart to remove them, but when I search again they're still there. Adaware wouldn't work at first until I tried AVG Anti-Spyware, which told me I had a Trojan as well as other infections. These programs keep telling me that they've deleted everything, but I'm still getting the lag and strange alerts. According to Windows Defender there isn't anything bad inside my computer.
I tried to run an online virus scan at the two sites suggested but both times the computer kept restarting itself before they could finish.
Here's the Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 16:55:13, on 08/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\ServicePackFiles\services.exe
C:\Program Files\BT Broadband 205\Help\bin\mpbtn.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\ServicePackFiles\free.exe
C:\DOCUME~1\Jim\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.pcservicecall.co.uk/
F3 - REG:win.ini: run=C:\WINDOWS\ServicePackFiles\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0e68e476-52e6-4479-b468-d99914afcd4c} - C:\WINDOWS\system32\dxdres.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: H - {875DFA42-0F20-449b-B8AE-4795E5A30B98} - rtreywem.dll (file missing)
O2 - BHO: (no name) - {DD102800-A957-4A4F-BFAE-B7206F8D9045} - C:\WINDOWS\System32\yabaw.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [xem] C:\WINDOWS\ServicePackFiles\services.exe
O4 - HKCU\..\Run: [xem] C:\WINDOWS\ServicePackFiles\services.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 205\Help\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···10435617
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - »www.ca.com/us/securityadvisor/vi···scan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - »download.mcafee.com/molbin/iss-l···scan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{114A6CFC-1020-46E0-B6FB-39703B708E8B}: NameServer = 194.72.9.38 194.74.65.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{114A6CFC-1020-46E0-B6FB-39703B708E8B}: NameServer = 194.72.9.38 194.74.65.68
O20 - AppInit_DLLs: c:\windows\system32\xxwvvwu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Microsoft Media - Unknown owner - C:\WINDOWS\System32\dllcache\Rtsecar.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
After reading a few other topics I also searched for Vundo but didn't find any.
Can anyone help? | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| You have a LOT more problems than spyware. Your system has been compromised by a backdoor trojan and an information/password stealing trojan, among other assorted nasties.
Here is a description of the worst of the lot I see there: A variant of this very dangerous trojan: Infostealer.Banker.D »www.symantec.com/enterprise/secu···&tabid=1 as evidenced by this entry: O2 - BHO: H - {875DFA42-0F20-449b-B8AE-4795E5A30B98} - rtreywem.dll (file missing)
W32/Vanebot-AX Worm »www.sophos.com/security/analyses···tax.html as evidenced by this entry: O23 - Service: Microsoft Media - Unknown owner - C:\WINDOWS\System32\dllcache\Rtsecar.exe
An intruder has complete control over your machine and I see some files running that indicate more than one! I won't recommend cleaning this machine unless you have NO use for trusting it in the future. A reformat/reinstall of the operating system is really the only safe recommendation I can make. First thing, get this computer off the internet and off of any networks. If you need to access the internet, even to visit this topic here, use a known clean computer. However, with your stolen information and the presence of an intruder, the damage is already done and there is no telling what else may have been compromised at this point.
What is a backdoor or remote access trojan? Read this article. Danger: Remote Access Trojans »www.microsoft.com/technet/securi···rat.mspx
Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you.
IMHO, you need to disconnect this PC from the internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.
When should I re-format? How should I reinstall? »Security »When should I re-format? How should I reinstall?
With that Infostealer.Banker.D trojan, there is a good chance stolen info from your machine may result in not only identity theft but bank theft and more.
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? »Security »How to report ID theft, fraud, drive-by installs, hijacking and malware?
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals) | |   Toco83
@btcentralplus.com
| Holy crap. Thanks for telling me that!
I've followed those links and I've already cancelled my credit card, is there anything else I should do? This means they have every password, right?
So should I never use the computer again? I already reinstalled Windows from the discs when the problems first started because nothing was working, so should I do it again?
And how the heck did this happen?!
Thanks for the help. | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| Yes, Holy Carp is right! I rather got the shivers looking at your log because I saw many more in there but highlighted the most serious 2 that I saw. The variant of infostealing trojan you had - I can't be specific about it without examining the file itself, but it is of that flavor and if this were my PC, yes, I would treat it as if every password were stolen and change them ALL. I would also be changing accounts and passwords for everything. Then you had a remote access trojan (meaning anyone in there could do anything and you would not know it and they don't leave traces of what was done), including changing settings in the Windows registry, installing hidden programs and files (in order to get back in if need be). Those are generally the most malicious types of infections you can have on a PC. Often times a compromised PC like that one is used to send spam and attack other computers which could also jeopardize your service with your ISP.
Did you reformat or just install over the top from the recovery discs? A reformat/reinstall would normally wipe everything from the hard drive and give you a fresh start as outlined in that one link I gave you: »Security »When should I re-format? How should I reinstall?
That FAQ covers a lot more than I can enumerate here.
These days a reinstall can be any number of different methods depending on the manufacturer's instructions. I would check with them, or even hire a professional local shop to do it for you if this intimidates you (it does me - I don't do it often enough on a lot of different systems to advise on how to reformat/reinstall). I can only tell you the circumstances and the type of malware on there I DO see that would make me make that recommendation. I wouldn't trust the PC and I would take all precautions for protecting any info you have on there as it could very well be in the hands of someone trying to cash in on that.
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals) | |   Toco83
@btcentralplus.com
| There wasn't anything on the computer itself besides essays and stuff, but I did use it for banking and online shopping so I've changed all of my passwords and cancelled my credit card. Is there anything else I should've done?
I'm not sure what type of install I did. I think it wiped my hard drive clean, because none of my old stuff is on there and the laptop basically started from scratch like when I first got it. I did that because the computer wouldn't start up - in fact, it took me a couple of tries to get it to even install from the CDs without turning itself off. Then when I did get it re-installed it had all of the alerts and weird messages that I mentioned.
I haven't used the laptop for anything since it went crazy, apart from downloading all of the anti-spyware stuff. I've been using this clean computer instead for checking emails and so on, and posting here. But they could've gotten information from it before it started acting up, right?
What I don't understand is how this happened. One night my laptop was fine, the next morning it wouldn't start, and then all this! How did I get the Trojan? I didn't get any weird emails or anything, and if I had I wouldn't have opened them. Sorry if I'm being really naive, but I don't get how this happened. Does that mean someone had control of my computer before it went screwy?
Any further advice/help anyone could give me would be really appreciated. | |   Toco83
@btcentralplus.com
| I used the System Recovery CD and did a complete reformat.
Here's my second Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 11:35:32, on 09/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.pcservicecall.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.pcservicecall.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Is it still there? | |   Toco83
@btcentralplus.com
| Sorry for posting again, but now the 'clean' computer I was using is starting to act up.
Here's an HJT log from the computer I'm using right now:
Logfile of HijackThis v1.99.1
Scan saved at 11:50:37, on 09/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\SYSTEM~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »login.passport.net/uilogin.srf?lc=2057&id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···m/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 205\Help\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - »tools.ebayimg.com/eps/wl/activex···3-18.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE102696-0668-4BAB-B8AC-4D531F0DE632}: NameServer = 194.72.9.38 194.74.65.68
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Please can anyone help?? | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to Toco83 First computer looks a lot better - no problems and that should have gotten rid of all the malware.
The second computer, the log is very chopped up and hard to read (we'll fix that in a moment) but on a quick scan I don't see anything really bad. By "acting up", what exactly are you seeing?
I noticed this program installed: C:\Program Files\SpywareDetector
Is that something you installed on purpose?
Here is how to fix the formatting on your HJT logs. You also need to put HijackThis into its own permanent folder rather than running it straight out of the zip file (it won't make good backups that way).
1. Fix the formatting of your logs:
Open Notepad and select the *Format* menu at the top. Make sure that Word Wrap is unchecked.
2. Move HijackThis to its own folder:
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help: »russelltexas.com/malware/createhjtfolder.htm This is to ensure it makes the necessary backups for recovery if needed.
Run HijackThis from the new location to scan and make a new log and post that back here. Let me know what symptoms you are seeing and answer my question about SpywareDetector.
Also, have you run that 2nd computer through the recommended steps for scanning? Was any malware found?
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2007
Proud Member of ASAP (Alliance of Security Analysis Professionals) | |
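The two practical problems in this thread are a log that arrived run together on a few long lines, and the triage CalamityJane does by eye: a BHO marked "(file missing)", a service with no vendor name, an autostart named like a Windows binary but running out of ServicePackFiles or dllcache, and an AppInit_DLLs entry. The script below is an added example, not code from the thread or from HijackThis. It re-splits a wrapped log on the section codes that begin every HJT entry and then applies those same checks. The sample entries are copied from the first log posted above; the section-code pattern, the list of system binary names and the "odd directory" list are my assumptions about what is worth flagging, and a flag means "look closer", not a verdict.

```python
import re

# Constructed sample: entries from the thread's first log, run together on one
# line the way the forum post arrived, plus one benign service entry at the end.
SAMPLE_ENTRIES = (
    "F3 - REG:win.ini: run=C:\\WINDOWS\\ServicePackFiles\\services.exe "
    "O2 - BHO: H - {875DFA42-0F20-449b-B8AE-4795E5A30B98} - rtreywem.dll (file missing) "
    "O4 - HKLM\\..\\Run: [xem] C:\\WINDOWS\\ServicePackFiles\\services.exe "
    "O20 - AppInit_DLLs: c:\\windows\\system32\\xxwvvwu.dll "
    "O23 - Service: Microsoft Media - Unknown owner - C:\\WINDOWS\\System32\\dllcache\\Rtsecar.exe "
    "O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - "
    "C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\aawservice.exe"
)

# Assumption: every HijackThis entry begins with its section code (R0-R3, F0-F3,
# N1-N4, O1-O24) followed by " - ", and that token never appears mid-entry.
ENTRY_START = re.compile(r"(?:^|(?<=\s))(?:[RFN]\d|O\d{1,2}) - ")

# Assumption: these Windows binaries belong in %SystemRoot%\system32;
# a copy of one of them anywhere else is worth a second look.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "csrss.exe", "smss.exe"}

# Assumption: directories a legitimate autostart or service should not run from.
ODD_DIRS = ("\\servicepackfiles\\", "\\dllcache\\", "\\temp\\")


def split_entries(text):
    """Recover one entry per line from a run-together or word-wrapped log."""
    flat = " ".join(text.split())                      # undo wrapping
    starts = [m.start() for m in ENTRY_START.finditer(flat)]
    ends = starts[1:] + [len(flat)]
    return [flat[a:b].strip() for a, b in zip(starts, ends)]


def reasons_for(entry):
    """Return the triage reasons that apply to one entry (empty = nothing flagged)."""
    code = entry.split(" - ", 1)[0]
    low = entry.lower()
    reasons = []
    if "(file missing)" in low:
        reasons.append("points at a file that no longer exists")
    if code == "O23" and "unknown owner" in low:
        reasons.append("service has no vendor name")
    if code == "O20" and "appinit_dlls" in low:
        reasons.append("AppInit_DLLs loads this DLL into every GUI process")
    if code == "F3":
        reasons.append("legacy win.ini run= autostart")
    if any(d in low for d in ODD_DIRS):
        reasons.append("runs from a cache or temp directory")
    # A system binary name outside system32 (e.g. ServicePackFiles\services.exe).
    for m in re.finditer(r"([a-z]:\\[^\"\s]*?\\)([^\\\"\s]+\.exe)", low):
        directory, name = m.groups()
        if name in SYSTEM_NAMES and not directory.endswith("\\system32\\"):
            reasons.append(f"{name} normally lives in system32, not {directory}")
    return reasons


def triage(text):
    """Map each flagged entry to its reasons, preserving log order."""
    flagged = {}
    for entry in split_entries(text):
        reasons = reasons_for(entry)
        if reasons:
            flagged[entry] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_ENTRIES).items():
        print(entry)
        for r in reasons:
            print("    ->", r)
```

Running it on the sample flags five of the six entries and leaves the Ad-Aware service alone; the two `services.exe` entries each get both the "cache directory" and the "not in system32" reason, which is the pattern CalamityJane is reacting to. The splitter is the part that survives real use: paste the whole `R0`...`O23` section of a wrapped log into `split_entries` and you get it back one entry per line without the Notepad step.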