WiredWX Hobby Weather Tools

 


spyware protect 2009/hjthis

3 posters

I just got this comp for Christmas and all this crap is happening:
MS XP
Home Edition
Version 2002
SP 3
eMachines Inc.
AMD Athlon(tm) 2650e
1.61 GHz, 896 MB of RAM

I don't know what Spyware Protect is and how it got on my comp! It says:
Attack from: 170.80.252.69, port 8075
Attacked port: 36359
Threat: BankerFox.A
A week ago I also had MS Antispyware 2009 popping up on my comp and it said I had 14 viruses, but I couldn't get rid of anything because I had to buy it. Also, Norton takes about 30 minutes to load, and when I click for it to do something it takes about 15 to 20 more minutes. Therefore I really don't use it and don't know if my comp is protected at all. How do I get all these things off of my comp?
I also know that you all like to see a HijackThis log, but after I downloaded it and tried to open it, my desktop freezes. HijackThis won't open and install!

Re: spyware protect 2009/hjthis
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: spyware protect 2009/hjthis
About to do it now.

Re: spyware protect 2009/hjthis
Standing by.

Re: spyware protect 2009/hjthis
I never saw the black screen but here is a log that came up when it restarted.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpqlt.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

and also this popped up:
Window - No Disk
Exception Processing Message c0000013 75b6bf7c 75b6bf7c 75b6bf7c
Cancel Try Again Continue

Re: spyware protect 2009/hjthis
Did you have any USB stuff plugged in while it was rebooting? Sometimes this causes that error to happen. LMBO or ROFL

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
TDSSserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\TDSSpqlt.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: spyware protect 2009/hjthis
Awww yeah, I have USB stuff plugged in. Is it just the extra hard drive that's messing it up, or is it my graphics tablet also? It's also in a USB thingy. I'm a little hurt that you find my computer illiteracy so funny. Sad tearing
jk hehe

Re: spyware protect 2009/hjthis
I'm not laughing at you, just the error.

When Dell (or whoever) puts an OS on these machines, they set the boot order to CD so they can boot from the XP/Vista disc, but don't change it back to the hard drive, so when they give them out, the boot order has to be configured by the user, and if it isn't, the BIOS goes looking for an OS in the CD or USB slots BEFORE it goes to the hard drive; that's why the errors happen.

Just unplug the USB stuff while we do this, then plug them back in once we're done and you'll be fine. Smile...

Please run my avenger script in the post above.

Re: spyware protect 2009/hjthis
I unplugged the extra HD and tablet stuff; this is what came up.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "TDSSserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\TDSSpqlt.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Is this right?

Re: spyware protect 2009/hjthis
Yep.
Let's remove whatever is left.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: spyware protect 2009/hjthis
OMG Thanx! I don't know if it's over and the infections are gone but the spyware protect that was covering over half my screen is not showing up right now!!!
NEWays here's the log but I haven't restarted yet. Do you want it after I restart?

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

2/8/2009 3:40:59 PM
mbam-log-2009-02-08 (15-40-59).txt

Scan type: Quick Scan
Objects scanned: 51742
Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 6
Files Infected: 34

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysguard (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrijh8s73jhbfgfd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrijh8s73jhbfgfd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tezrtsjhfr84iusjfo84f (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gsdrgfdrrgnd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrxr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSmtql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoiqt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tebaz\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tebaz\Local Settings\Temp\TDSS15fc.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090130215947382.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090130223934609.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090131085455593.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090131155718218.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090201064146187.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090202082637906.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090202132126484.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090203073002781.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090204081740921.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090205075948109.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090206042635093.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090206091507625.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090207101931750.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090208082542515.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090208101101125.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090208135839015.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090208145228953.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tebaz\Local Settings\Temp\winlognn.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wpv691233967690.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tebaz\Local Settings\Temp\TDSS15ec.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tebaz\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Guest 1\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkbi.log (Trojan.TDSS) -> Quarantined and deleted successfully.
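
Added example (not part of the original posts): a small Python parser for the MBAM log format shown above. It checks each section's listed items against the declared counts and pulls out the entries still marked "Delete on reboot", which stay on disk until the restart. The sample is an excerpt of the log above with the counts adjusted to match; the function names are illustrative.

```python
import re

# Excerpt of the MBAM 1.33 log posted above; the declared counts are adjusted
# to match the shortened item lists (constructed sample).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Scan type: Quick Scan

Memory Processes Infected: 1
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gsdrgfdrrgnd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrxr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tebaz\Local Settings\Temp\winlognn.exe (Trojan.Agent) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# item (Detection.Name) -> [extra data -> ] action
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return the declared per-section counts and the individual detections."""
    declared, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            declared[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            # Registry data lines carry "Data: ..." or "Bad: (1) Good: (0)"
            # before the action, so the action is the last "->" segment.
            action = m["rest"].rsplit(" -> ", 1)[-1].rstrip(".")
            detections.append({"section": section, "item": m["item"],
                               "name": m["name"], "action": action})
    return {"declared": declared, "detections": detections}


def count_mismatches(parsed):
    """Sections whose listed items differ from the declared count
    (a sign the pasted log was truncated or edited)."""
    out = {}
    for section, declared in parsed["declared"].items():
        listed = sum(1 for d in parsed["detections"] if d["section"] == section)
        if listed != declared:
            out[section] = (declared, listed)
    return out


def pending_after_reboot(parsed):
    """Detections that are only scheduled for removal at the next restart."""
    return [d for d in parsed["detections"]
            if d["action"].lower() == "delete on reboot"]


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(result))
    for d in pending_after_reboot(result):
        print("still present until restart:", d["item"], "(" + d["name"] + ")")
```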

Re: spyware protect 2009/hjthis
Let's make sure we got it all now.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.

Re: spyware protect 2009/hjthis
DDS (Ver_09-02-01.01) - NTFSx86
Run by Tebaz at 16:08:29.76 on Sun 02/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.506 [GMT -6:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Flock\flock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tebaz\My Documents\Torrents\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACEW
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=le1200
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=le1200
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: {d5bf4552-94f1-42bd-f434-3604812c807d} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Power2GoExpress] NA
mRun: [LaunchApp]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://p.playfirst.com/play/game/dreamchronicles/dreamweb.1.0.0.10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://www.gamehouse.com/games/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} - hxxp://www.gamehouse.com/games/JBGamePlayer.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/games/zylom/zylomplayer.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://p.playfirst.com/play/game/sandscript/Sandscript.1.0.0.21.cab
DPF: {F4EBFE42-D82A-48EB-B70E-7499FFEAFF3F} - hxxp://p.playfirst.com/play/game/dressshophop/DressShopHopWeb.1.0.0.7.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

============= SERVICES / DRIVERS ===============

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-17 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-17 149352]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-6 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-27 99376]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-17 149352]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-11 23888]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-18 29744]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081229.003\NAVENG.SYS [2008-12-29 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081229.003\NAVEX15.SYS [2008-12-29 876112]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-18 1245064]

=============== Created Last 30 ================

2009-02-08 15:25 --d----- c:\docume~1\tebaz\applic~1\Malwarebytes
2009-02-08 15:25 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-08 15:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 15:24 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-08 15:24 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-08 14:48 263 a------- C:\avexport.bat
2009-02-08 10:15 --d----- c:\program files\VS Revo Group
2009-02-07 14:07 9,216 a------- c:\windows\system32\iehelper.dll
2009-02-07 13:47 --dsh--- c:\windows\system32\twain32
2009-01-30 22:01 112,624 a------- c:\windows\system32\drivers\f65bdcb6.sys
2009-01-30 21:59 441 a------- c:\windows\system32\TDSSlrvd.dat
2009-01-23 19:35 --d----- c:\docume~1\tebaz\applic~1\XnView
2009-01-23 19:34 --d----- c:\program files\XnView
2009-01-23 19:17 --d----- c:\program files\IrfanView
2009-01-23 19:09 --d----- c:\docume~1\tebaz\applic~1\FastStone
2009-01-17 19:30 --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-01-17 19:30 --d----- c:\docume~1\tebaz\applic~1\Azureus
2009-01-17 19:30 --d----- c:\program files\AskBarDis
2009-01-17 19:28 --d----- c:\program files\Vuze
2009-01-17 14:44 --d----- c:\docume~1\tebaz\applic~1\uTorrent

==================== Find3M ====================

2008-12-27 14:31 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-27 10:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-08-18 15:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 16:08:43.51 ===============


Thank you soooooooooooooooooo sooooooooooo very much!

Re: spyware protect 2009/hjthis
Please download OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\Documents and Settings\Tebaz\My Documents\Torrents\dds.com
    c:\windows\system32\iehelper.dll
    c:\windows\system32\drivers\f65bdcb6.sys
    c:\windows\system32\TDSSlrvd.dat
    C:\avexport.bat
    c:\program files\AskBarDis

    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log, along with a fresh Hijack This log.
Use more than one post if needed.
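
Added example, not part of the original posts and not the helper's own tooling: a Python check over the "Pseudo HJT Report" lines of the DDS log posted earlier in the thread. It flags Userinit entries other than userinit.exe, BHO/toolbar entries with no file whose CLSID the MBAM log already reported, and SecurityProviders entries absent from the list written by the script above. Treating that list as the baseline is an assumption, and the function and constant names are illustrative.

```python
import re

# Lines copied from the DDS "Pseudo HJT Report" earlier in this thread (excerpt).
SAMPLE_DDS = r"""uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: {d5bf4552-94f1-42bd-f434-3604812c807d} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
mRun: [RTHDCPL] RTHDCPL.EXE
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
"""

# CLSID that the MBAM log in this thread reported as Trojan.Zlob.H.
REMOVED_CLSIDS = {"{d5bf4552-94f1-42bd-f434-3604812c807d}"}

# Provider list written by the OTMoveIt3 script above; used as the baseline
# here (assumption made for this example).
BASELINE_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# The stock Windows XP Userinit value holds only this program.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

CLSID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")


def triage_dds(text, baseline_providers=BASELINE_PROVIDERS,
               removed_clsids=REMOVED_CLSIDS):
    """Return (kind, detail) findings for entries that warrant a closer look."""
    findings = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        value = value.strip()
        if not sep:
            continue
        if key == "mWinlogon" and value.lower().startswith("userinit="):
            # Userinit is a comma-separated list run at logon.
            entries = [e.strip().lower() for e in value.split("=", 1)[1].split(",")]
            findings += [("userinit-extra", e) for e in entries
                         if e and e != EXPECTED_USERINIT]
        elif key in ("BHO", "TB") and value.endswith("- No File"):
            # Registration left behind after the file itself is gone.
            m = CLSID_RE.search(value)
            if m:
                clsid = m.group(0).lower()
                kind = ("orphan-of-removed-clsid" if clsid in removed_clsids
                        else "orphan-clsid")
                findings.append((kind, clsid))
        elif key == "SecurityProviders":
            for provider in value.split(","):
                provider = provider.strip().lower()
                if provider and provider not in baseline_providers:
                    findings.append(("provider-not-in-baseline", provider))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_dds(SAMPLE_DDS):
        print(kind + ":", detail)
```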

Re: spyware protect 2009/hjthis
It did ask for a restart and this log came up

========== FILES ==========
C:\Documents and Settings\Tebaz\My Documents\Torrents\dds.com moved successfully.
c:\windows\system32\iehelper.dll unregistered successfully.
c:\windows\system32\iehelper.dll moved successfully.
File move failed. c:\windows\system32\drivers\f65bdcb6.sys scheduled to be moved on reboot.
c:\windows\system32\TDSSlrvd.dat moved successfully.
C:\avexport.bat moved successfully.
c:\program files\AskBarDis\bar\Settings moved successfully.
c:\program files\AskBarDis\bar\History moved successfully.
c:\program files\AskBarDis\bar\Cache moved successfully.
c:\program files\AskBarDis\bar\bin moved successfully.
c:\program files\AskBarDis\bar moved successfully.
c:\program files\AskBarDis moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\\"SecurityProviders"|"msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02082009_162626

Files moved on Reboot...
File move failed. c:\windows\system32\drivers\f65bdcb6.sys scheduled to be moved on reboot.
