Tired of spyware...(HijackThis log..)

Dark_Tigra

I dunno' how this crap keeps getting on my computer, I have anti-spyware things, firewall, blah blah, all that stuff everyone here says you should have.

However, I keep getting it. "Apropos" has been popping up lately, I get SpySweeper Alerts for it daily almost, along with that I find DealHelper and PeopleOnPage spyware that whenever I click "Delete" it never does...

Anyways, here's the log, I figured maybe it might help...I've tried everything else it seems, lol.

Logfile of HijackThis v1.99.1
Scan saved at 8:59:54 AM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\rppetjt.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\WINDOWS\system32\ntpsvc.exe
C:\WINDOWS\system32\ntlript.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\system32\Akhw.exe
C:\WINDOWS\system32\Fkm2OBS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\runescape.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.hickorytech.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.hickorytech.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BD91A350-69CD-6E3E-BA5A-3A76121E57B2} - C:\WINDOWS\System32\mpthii.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: CSearchHelpIEExtension Object - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\hAXBX6h.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [wviuibb] C:\WINDOWS\System32\rppetjt.exe
O4 - HKLM\..\Run: [bun42bo0] C:\documents and settings\owner\local settings\temp\bun42bo0.exe
O4 - HKLM\..\Run: [vdplayd] C:\WINDOWS\System32\vdplayd.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [5WMF7ZT5G72G9@] C:\WINDOWS\system32\QjwVU.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [oF9Q3pR] ntpsvc.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [Zoq4RfdqX] ntlript.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

Thanks to anyone who can help. It's beyond me what has happened, my sister used my computer once and it all went to hell. My computer has slowed down, when I try to shut down it has to close like 20 Mozilla applications, something which someone told me means that other people are using my internet...It takes like 20 minutes to shut down, I usually end up just unplugging it, even though it's not good for it. Things open really slowly, etc etc. I'm just getting tired of it. My computer, when I bought it, was super-fast. Now it sucks.

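A first triage pass over HijackThis entries of the kind shown in this log, added here as an example (not from the original thread, and not HijackThis code). The sample lines are constructed from entries in the log above, with the forum's "[Caution: ExecutableFile]" substitution restored to ".exe"; the heuristics (temp-directory paths, missing files, unnamed BHOs, digit-heavy autorun names, pathless commands) are my own rules of thumb for what a helper should look at first, not verdicts:

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on entries in the
# log above (".exe" restored where the forum printed "[Caution: ExecutableFile]").
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BD91A350-69CD-6E3E-BA5A-3A76121E57B2} - C:\WINDOWS\System32\mpthii.dll
O2 - BHO: CSearchHelpIEExtension Object - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\hAXBX6h.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [bun42bo0] C:\documents and settings\owner\local settings\temp\bun42bo0.exe
O4 - HKLM\..\Run: [oF9Q3pR] ntpsvc.exe
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

# Heuristics (my own rules of thumb, not HijackThis logic): each one marks an
# entry for a human to look at; none of them declares an entry malicious.
TEMP_DIR_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)
TWO_DIGITS_RE = re.compile(r"\d.*\d")  # two or more digits in the autorun value name
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage_line(line):
    """Return the reasons this HJT line deserves a closer look (empty list if none)."""
    reasons = []
    if TEMP_DIR_RE.search(line):
        reasons.append("file lives in a temp directory")
    if "(file missing)" in line:
        reasons.append("registry entry points at a file that no longer exists")
    if line.startswith("O2 - BHO: (no name)"):
        reasons.append("browser helper object with no name")
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if TWO_DIGITS_RE.search(name):
            reasons.append("autorun value name looks machine-generated")
        # A bare file name is located via the system search path, not a fixed location.
        if "\\" not in cmd.split(" ")[0].strip('"'):
            reasons.append("autorun command has no path (resolved by search order)")
    return reasons


def triage(log_text):
    """Map each flagged log line to its reasons, preserving log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings
```

Run over the full log in this thread it flags the same entries Mercifull singles out as "unknown exe's", which is the point: it narrows the list for a human reviewer rather than replacing one.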

Note to other Tech heads around here, this HJT log contains a lot of unknown exe's. I know there's bad stuff here but I don't have time right now to go through it all. Hopefully someone with more time can help out here.


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12


well like merc said there are a few unknown exe's to me, and I'm not gonna bother to google them because I am a lazy lazy man.... besides that you have a lot of add-ons and toolbars that you probably don't use / need.

...


Your current security programs are obviously not doing the job. Download Ad-Aware SE, Spybot S&D and AVG antivirus. Update them. Restart your computer in safe mode (mash the F8 key during startup.) Run scans.

Restart your PC in safe mode with networking. Go to housecall.trendmicro.com, run scan.

Restart your PC. Post another HijackThis log.


I don't read the tech forums but it's 2am and I'm kinda bored so.....

I wanted to know if anyone has tried using Deep Freeze, Protect-On or DriveShield as solutions to the spyware problem. We use DriveShield at the school system I work for. It pretty much takes a 'picture' of the computer when you lock it down. All functionality works with the computer but all changes to protected drive letters are lost upon reboot (such as spyware, malware, viruses, trojans, term papers, legitimate program installs, etc). We ended up having to put a drive letter, unprotected, off to the side for people to save documents and such.

The only difference is we don't allow teachers and students to install programs. Of course, this would be different on a home machine. You wouldn't have to really keep some complex password to toggle the protection but this would be a great program for a situation like what was described. (The computer is protected, sister mucks it up, you reboot, good as new). You do have to reboot when you turn it on and off but for the protection it gives, you can't beat it. It allows you to test an installation before making it a 'permanent' change. Just install the program, see if it's something you want to keep. If so, disable the program, reboot and install.

There's one called 'Fortres' I believe that actually allows you to make exceptions. This would allow one to not protect say 'My Documents', allowing files to be saved there like before and leaving the rest of the hard drive protected. I've never tried it but we are looking into implementing this on administrators' machines where they do a lot more typing and need to save stuff to the hard drive. This might be a little better for home users as well since the protection is a little more customizable.

It might seem like a lot of work but you NEVER have to worry about spyware, adware, trojans, etc staying on your computer ever again. Ad-Aware and Spybot are no longer deployed on the new machines we send out and it has REALLY reduced the amount of time we spend fixing machines :)

Links:

Protect-On
DriveShield
Deep Freeze
Fortres

Maybe this should be a post in itself?

Panix - /server -j #runescape irc.efnet.org

-

NOT EVEN DOOM MUSIC


Another good one is using a cleanslate :wink:

...
