Results 1 to 5 of 5

Thread: Need help with spyware

  1. #1
    Junior Member
    Join Date
    Oct 2006
    Posts
    10

    Need help with spyware

    Hi I am currently trying to help a friend get all the spyware and mess of thier computer. I have run ccleaner, spyboy, and adaware and safe mode, and have gotten a hijack this log. Can I can some help on what i should remove? Here is my hijack this log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:05:25 PM, on 9/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\uninstall\rundl132.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Logo1_.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mygirlyspace.com/home-page/hp.php?id=L682098741
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/activation/activate-redirect.jsp?LG=ENG&IVR=3004813130442221934011365264226615395363331337297&SO={257BBC47-1B26-432e-9F84-188603799DD3}
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)
    O2 - BHO: (no name) - {FA507697-BBDB-4D94-B296-F3075987B5EB} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe
    O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msavp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msavp.dll
    O15 - Trusted Zone: http://www.gmail.com
    O15 - Trusted Zone: http://www.kodakgallery.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - AppInit_DLLs: avwgcmn.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Remote Help Session Manager (Rasautol) - Unknown owner - C:\WINDOWS\system32\ntsokele.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: WLANKEEPER - IntelĀ® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 6462 bytes

  2. #2
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    O4 - HKLM\..\Run: [load] C:\WINDOWS\uninstall\rundl132.exe

    O4 - HKLM\..\Policies\Explorer\Run: [MSDEG32] LYLoader.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDWG32] LYLoadbr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDCG32 ] LYLeador.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDOG32] LYLoador.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDSG32] LYLoadar.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDMG32] LYLoadmr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDHG32] LYLoadhr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [MSDQG32] LYLoadqr.exe

    O23 - Service: Remote Help Session Manager (Rasautol) - Unknown owner - C:\WINDOWS\system32\ntsokele.exe
    I came in to the world with nothing. I still have most of it.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Post your log here and let them analyse it:

    http://www.hijackthis.de/

    rcgreen seems to have spotted most of them

    C:\Windows\uninstall\rundl132.exe

    Get rid if the file as well as the registry call to it (the 04 entry)

    There are two 02- BHO entries with no name or file.............. get rid of them.

    O10 - Unknown file in Winsock LSP: c:\windows\system32\msavp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msavp.dll

    Don't try to fix these with HJT. Go here:

    http://cexx.org/lspfix.htm

  4. #4
    Junior Member
    Join Date
    Oct 2006
    Posts
    10
    Thanks for the help. Ill go ahead and remove those and see if it helps the problem.

  5. #5
    Junior Member WHiZZY's Avatar
    Join Date
    Oct 2007
    Posts
    1
    @HackerSlayer,

    Never remove anything via HiJackThis without ensuring that you have a backup log.

    Also, please do revert and post here so we could know what has happened since your last post!!

Similar Threads

  1. FTC holding spyware workshop - speak up!
    By ric-o in forum Spyware / Adware
    Replies: 1
    Last Post: March 10th, 2005, 07:09 PM
  2. Replies: 12
    Last Post: February 9th, 2005, 08:11 PM
  3. 2004 Spyware Mini Tut
    By StatiCoR3 in forum The Security Tutorials Forum
    Replies: 4
    Last Post: August 12th, 2004, 12:11 AM
  4. FAQ About Spyware And Spyware Security
    By Spyder32 in forum The Security Tutorials Forum
    Replies: 8
    Last Post: July 24th, 2004, 07:31 AM
  5. Spyware Information., tools/tips for removal of spyware.
    By saintakaagni in forum Spyware / Adware
    Replies: 6
    Last Post: February 4th, 2004, 11:48 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •