So I got a huge chunk of spyware....

So I went to one of those funny video sites... mad popups and mad spyware...

It changed my background; when I right-click, the only options I have are video/screensaver.

I used Spybot, Ad-Aware, and the M$ beta spyware program, ran AVG, found 2 trojans, and deleted them.

Now, out of randomness, my comp is giving me different spyware program ads popping up... and giving me warnings in the taskbar.

Here is my HijackThis log; I'd be so very grateful to anyone able to help me clean it up.

Logfile of HijackThis v1.99.1
Scan saved at 11:30:42 AM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\program files\windows media player\wmplayer.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hpCE73.tmp
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1119054647703
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

And here are the processes running in Task Manager:

alg.exe
ati2evxx.exe
ati2evxx.exe
avgamsvr.exe
avgcc.exe
avgupsvc.exe
csrss.exe
CTHELPER.EXE
dsidebar.exe
explorer.exe
firefox.exe
gcasDtServ.exe
GIANTAntiSpyware.exe
gcasServ.exe
jusched.exe
KEM.exe
KHALMNPR.exe
lsass.exe
msnmsgr.exe
mssearchnet.exe
nvctrl.exe
ObjectDock.exe
services.exe
smss.exe
spoolsv.exe
svchost.exe X6
system
system idle process- SYSTEM
taskmgr.exe
wbload.exe
wdfmgr.exe
winlogon.exe
wmplayer.exe
Ypager.exe
Yserver.exe

I've never really dealt with spyware like this; I figured a scan would get rid of it... I'd be so very grateful for anyone's help, and thank you.

soulsaver
 
First off, the scanners out there aren't that good; you will need to run multiple scanners.

Run scans with MS AntiSpyware and Ad-Aware in safe mode. Delete anything they find.

Next, run the HijackThis log through a HijackThis analyzer.

Remove the entries it IDs, again in safe mode.

Re-scan and post the HJT log.
 
Is it supposed to take over 10 mins? :p

Still loading the parse.

Or am I doing it wrong?

OK, it's coming up in my taskbar: "System warning, Spyware/Adaware Detected"

The triangle warning sign; I cleaned all the HijackThis entries I was supposed to.

When I double-click that triangle, it comes up with an ad for a spyware removal tool program to buy.
 
It'll take some time to do anything in safe mode. Safe mode loads fewer drivers and is slower because of that; especially, you'll notice the drive access will shoot through the roof due to the DMA mode on the controller.

Ignore any pop-up, it's likely the spyware has loaded a "spyware removal tool" as comical as that is... ;)

Will it run a scan or not?
 
I've used all the scans in safe mode and in regular... still pops up with ads for spyware...

Oddly enough, M$ spyware found 1... Spybot found 265, and that's from that one website... damn me for googling funny videos =/

Any other ideas to get rid of it? And I did delete the HijackThis entries for that site... and it's still doing it :(
And also, I can't really ignore it, as it's in my taskbar and it pops up every 5 mins.

soulsaver
 
None of those processes are jumping out at me. The ones I didn't recognize seem kosher.

What services are running on the box? Some spyware likes to install services instead of doing things in the Run line/BHOs. You could install Process Guard; it's like a firewall of sorts for processes, you have to approve each one.
 
But how will I know which ones are OK to run? :p

And I listed all processes in the first post... I dunno which ones you want though.

Oh, you meant services... sorry, here:

Alerter MS corp
Application Layer Gateway MS corp
Application Management MS corp
ATI hotkey poller ATI
ATI smart
windows audio
avg7 alert manager service
avg7 update service
background intelligent t...
COM+ system app
cryptographic service
dcom server process la.....
dhcp client
logical disk manager ad...
logical disk manager
dns client
error reporting service
event log
com+ event system
help and support
hid input service
http ssl
imapi cd burning com......
server
workstation
tcp/ip netbios helper
distributed transaction
windows installer
net logon
network connections
nt lm security support....
removable storage
ipsec services
protected storage
remote access auto co....
remote access connection
remote procedure all
remote procedure call
security accounts manager
task scheduler
secondary logon (not clicked)
system event notification
windows firewall/internet.....
shell hardware detection
print spooler
system restore service
ssdp discovery service
windows image acquisiti
ms software shadow co....
themes
distributed link tracking
windows user mode driv.....
universal plug and play....
volume shadow copy
uninterruptible power supply....
windows time
webclient
windows management i.....
portable media serial number
security center
automatic updates
network provisioning service

Sorry about that, I was typing fast and didn't see a copy/paste option :p
 
It doesn't know; you have to tell it. AKA, ID each process, approve it, see the effects.

Honestly, I haven't used it myself; I'd simply nuke the OS and load an image (I realize this isn't always available). However, it comes HIGHLY recommended. ;)

What should happen is, you will approve a process and start seeing the pop-ups. Then you know the culprit.
 
I would love to nuke the OS to hell and back, but I have about 10 gigs of info I want to keep... pictures, a few movies, and music... and programs and such.

And also, is this boot.ini file OK? Something doesn't seem right; is there something I should take off of it?

[boot loader]
timeout=4
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="L" C
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
 
OK, I used that program; works great, blocked the mssearch thing...

But still getting popups... any clue how to stop that? And by popups I mean I'm not even web surfing and they pop up with spyware programs to buy...

Edit: OK, nm, it came back even with that program, but it's not showing up in the program either.

Here's the log from Process Guard:

---Process Guard Log Started---
Mon 12 - 15:04:30 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [532]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Mon 12 - 15:04:30 [EXECUTION] "c:\windows\system32\wdfmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [532]
[EXECUTION] Commandline - [ c:\windows\system32\wdfmgr.exe ]
Mon 12 - 15:04:30 [EXECUTION] "c:\windows\system32\ups.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [532]
[EXECUTION] Commandline - [ c:\windows\system32\ups.exe ]
Mon 12 - 15:04:31 [EXECUTION] "c:\windows\system32\alg.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [532]
[EXECUTION] Commandline - [ c:\windows\system32\alg.exe ]
Mon 12 - 15:04:32 [EXECUTION] "c:\windows\system32\ati2evxx.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [488]
[EXECUTION] Commandline - [ ati2evxx.exe -client ]
Mon 12 - 15:04:33 [EXECUTION] "c:\windows\system32\userinit.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [488]
[EXECUTION] Commandline - [ c:\windows\system32\userinit.exe ]
Mon 12 - 15:04:33 [EXECUTION] "c:\windows\system32\wbem\wmiprvse.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [704]
[EXECUTION] Commandline - [ c:\windows\system32\wbem\wmiprvse.exe -embedding ]
Mon 12 - 15:04:33 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\userinit.exe" [1908]
[EXECUTION] Commandline - [ c:\windows\explorer.exe ]
Mon 12 - 15:04:35 [EXECUTION] "c:\windows\system32\mscornet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\system32\mscornet.exe" ]
Mon 12 - 15:04:35 [EXECUTION] "c:\windows\system32\mssearchnet.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\system32\mssearchnet.exe" ]
Mon 12 - 15:04:35 [EXECUTION] "c:\windows\system32\nvctrl.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\system32\nvctrl.exe" ]
Mon 12 - 15:04:36 [EXECUTION] "c:\windows\system32\cthelper.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\system32\cthelper.exe" ]
Mon 12 - 15:04:36 [EXECUTION] "c:\windows\updreg.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\updreg.exe" ]
Mon 12 - 15:04:36 [EXECUTION] "c:\progra~1\grisoft\avgfre~1\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Mon 12 - 15:04:36 [EXECUTION] "c:\progra~1\grisoft\avgfre~1\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Mon 12 - 15:04:37 [EXECUTION] "c:\windows\ime\imjp8_1\imjpmig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\ime\imjp8_1\imjpmig.exe" /spoil /remadvdef /migration32 ]
Mon 12 - 15:04:37 [EXECUTION] "c:\windows\system32\ime\pintlgnt\imscinst.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\system32\ime\pintlgnt\imscinst.exe" /sync ]
Mon 12 - 15:04:37 [EXECUTION] "c:\windows\system32\ime\tintlgnt\tintsetp.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\system32\ime\tintlgnt\tintsetp.exe" /sync ]
Mon 12 - 15:04:37 [EXECUTION] "c:\windows\system32\ime\tintlgnt\tintsetp.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\system32\ime\tintlgnt\tintsetp.exe" /imename ]
Mon 12 - 15:04:38 [EXECUTION] "c:\program files\creative\sblive\audiohq\ahqtbu.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\program files\creative\sblive\audiohq\ahqtbu.exe" ]
Mon 12 - 15:04:38 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Mon 12 - 15:04:38 [EXECUTION] "c:\program files\yahoo!\messenger\ypager.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\program files\yahoo!\messenger\ypager.exe" -quiet ]
Mon 12 - 15:04:39 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [532]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Mon 12 - 15:04:39 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Mon 12 - 15:04:40 [EXECUTION] "c:\program files\atitool\atitool.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\program files\atitool\atitool.exe" -s ]
Mon 12 - 15:04:40 [EXECUTION] "c:\program files\logitech\setpoint\kem.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\program files\logitech\setpoint\kem.exe" ]
Mon 12 - 15:04:40 [EXECUTION] "c:\program files\stardock\objectdock\objectdock.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\program files\stardock\objectdock\objectdock.exe" ]
Mon 12 - 15:04:41 [EXECUTION] "c:\program files\logitech\setpoint\khalmnpr.exe" was allowed to run
[EXECUTION] Started by "c:\program files\logitech\setpoint\kem.exe" [1240]
[EXECUTION] Commandline - [ khalmnpr.exe /api ]
Mon 12 - 15:05:16 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [840]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[348]susds862d1c06de4b40448325fd123f20fbc3 ]
Mon 12 - 15:05:38 [EXECUTION] "c:\windows\system32\wbem\wmiprvse.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [704]
[EXECUTION] Commandline - [ c:\windows\system32\wbem\wmiprvse.exe -embedding ]
Mon 12 - 15:05:56 [EXECUTION] "c:\program files\mozill~1\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\progra~1\mozill~1\firefox.exe" -url "http://www.stardock.com/products/windowblinds/" ]
Mon 12 - 15:06:32 [EXECUTION] "c:\program files\yahoo!\messenger\yupdater.exe" was allowed to run
[EXECUTION] Started by "c:\program files\yahoo!\messenger\ypager.exe" [648]
[EXECUTION] Commandline - [ "c:\program files\yahoo!\messenger\yupdater.exe" applicationname=c:\program files\yahoo!\messenger\ypager.exe ]
Mon 12 - 15:06:38 [EXECUTION] "c:\program files\msn messenger\msnmsgr.exe" was allowed to run
[EXECUTION] Started by "c:\program files\stardock\objectdock\objectdock.exe" [1612]
[EXECUTION] Commandline - [ "c:\program files\msn messenger\msnmsgr.exe" ]
Mon 12 - 15:06:51 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\progra~1\mozill~1\firefox.exe" -url "http://www.stardock.com/products/windowblinds/" ]
Mon 12 - 15:07:00 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\progra~1\mozill~1\firefox.exe" -url "http://www.stardock.com/products/windowblinds/" ]
Mon 12 - 15:07:05 [EXECUTION] "c:\program files\stardock\object desktop\windowblinds\wbconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\program files\stardock\object desktop\windowblinds\wbconfig.exe" ]
Mon 12 - 15:07:18 [EXECUTION] "c:\program files\stardock\object desktop\windowblinds\wbload.exe" was allowed to run
[EXECUTION] Started by "c:\program files\stardock\object desktop\windowblinds\wbconfig.exe" [2768]
[EXECUTION] Commandline - [ "c:\program files\stardock\object desktop\windowblinds\wbload.exe" ]
Mon 12 - 15:08:52 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\program files\stardock\object desktop\windowblinds\wbconfig.exe" [2768]
[EXECUTION] Commandline - [ "c:\progra~1\mozill~1\firefox.exe" -url "c:\program files\stardock\object desktop\windowblinds\order.html" ]
Mon 12 - 15:09:35 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [704]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -embedding ]
Mon 12 - 15:10:05 [EXECUTION] "c:\windows\pchealth\helpctr\binaries\msconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\pchealth\helpctr\binaries\msconfig.exe" ]
Mon 12 - 15:10:30 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\program files\stardock\objectdock\objectdock.exe" [1612]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Mon 12 - 15:12:49 [EXECUTION] "c:\program files\cybers~1\cybscrub.exe" was allowed to run
[EXECUTION] Started by "c:\program files\processguard\procguard.exe" [1184]
[EXECUTION] Commandline - [ c:\progra~1\cybers~1\cybscrub.exe /x /e /a*c:\progra~1\cybers~1\config\shellpar ]
Mon 12 - 15:12:52 [EXECUTION] "c:\program files\cyberscrub professional\silent.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\cybers~1\cybscrub.exe" [3172]
[EXECUTION] Commandline - [ "c:\progra~1\cybers~1\silent.exe" "c:\documents and settings\owner\application data\cyberscrub\cyberscrub\main6341.ers" ]
Mon 12 - 15:13:01 [EXECUTION] "c:\program files\cyberscrub professional\cybscrub.exe" was allowed to run
[EXECUTION] Started by "c:\program files\processguard\procguard.exe" [1184]
[EXECUTION] Commandline - [ c:\progra~1\cybers~1\cybscrub.exe /x /e /a*c:\progra~1\cybers~1\config\shellpar ]
Mon 12 - 15:13:03 [EXECUTION] "c:\program files\cyberscrub professional\silent.exe" was allowed to run
[EXECUTION] Started by "c:\progra~1\cybers~1\cybscrub.exe" [3192]
[EXECUTION] Commandline - [ "c:\progra~1\cybers~1\silent.exe" "c:\documents and settings\owner\application data\cyberscrub\cyberscrub\main1276.ers" ]
Mon 12 - 15:21:03 [EXECUTION] "c:\program files\windows media player\wmplayer.exe" was allowed to run
[EXECUTION] Started by "c:\program files\logitech\setpoint\kem.exe" [1240]
[EXECUTION] Commandline - [ "c:\program files\windows media player\wmplayer.exe" ]
Mon 12 - 15:21:45 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1968]
[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" c:\program
 
I'd try Trend Micro's online anti-spyware program. It worked for me a couple weeks ago when nothing else would. Just a suggestion.

EDIT**

fixed link.
 
I say we take off and nuke it from orbit. It's the only way to be sure.

You mentioned MS and Spybot.. Did you run Ad-Aware? Each will catch things the other didn't.
 
hulksterjoe said:
I say we take off and nuke it from orbit. It's the only way to be sure.

You mentioned MS and Spybot.. Did you run Ad-Aware? Each will catch things the other didn't.


Yep, used Spybot, Ad-Aware, and M$... trying what the above poster posted though.

OK, that Trend Micro found about 20 pieces; deleted them, restarting and seeing what happens I guess, hope it works :(

soulsaver
 
Another suggestion if I may. Download Hitman Pro. It contains the more common spyware programs. It updates all the programs before it runs them. I found it after Trend Micro's. I don't know if it's better, but it did add 2 more programs than I tried before Trend's. I like it.

EDIT**

Time of death 3:52pm? :D Hope all went well.
 
PaHick said:
Another suggestion if I may. Download Hitman Pro. It contains the more common spyware programs. It updates all the programs before it runs them. I found it after Trend Micro's. I don't know if it's better, but it did add 2 more programs than I tried before Trend's. I like it.

EDIT**

Time of death 3:52pm? :D Hope all went well.
Holy hell dude, what the fuck did you tell me to download that for?

I have no control over my computer at all.

It's downloading all sorts of shit, random spyware programs I already have, and entering shit in on its own...
 
Lozer said:
Got a fresh HijackThis log?
Sec, this Hitman bullshit is taking forever; it seems to have downloaded the major spyware programs, running them at the same time and finding all it can...

I wish he would have told me it would bog the hell out of my computer and take over with options.


soulsaver
 
Sorry bud, it really is a good program though. It uses more programs than you said you tried, so I thought to offer. Yes, it takes over your PC pretty much while it runs through ALL the programs.
 
PaHick said:
Sorry bud, it really is a good program though. It uses more programs than you said you tried, so I thought to offer. Yes, it takes over your PC pretty much while it runs through ALL the programs.
It's OK, I wasn't expecting it, that's all; seems OK though, but I'm still getting pop-ups. Gonna restart to check the HijackThis log and will edit to paste.
 
Hi

If you keep getting repeated spyware then you may well have a rootkit installed.

SysInternals has a little prog that will help find them if they are there:
http://www.sysinternals.com/utilities/rootkitrevealer.html

Also try CWS Shredder
http://www.intermute.com/spysubtract/cwshredder_download.html

Lastly, try http://www.michaelhorowitz.com/removespyware.html

Regarding your data - dude it sucks to say this but BACKUP ALL YOUR SH*T all of the time. I've only had one hdd go belly up on me that I did not have a full backup for and it took me bloody weeks to get my PC back to how I like it.

Anyway, good luck with the cleaning...

L
 
Why is notepad.exe running as a startup program? There used to be a trojan that used notepad.exe as its hiding place. Do a Google search on notepad.
 
Logfile of HijackThis v1.99.1
Scan saved at 5:46:48 PM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp1596.tmp
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: WindowBlinds.lnk = C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbconfig.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1119054647703
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
Linuxtim said:
Hi

If you keep getting repeated spyware then you may well have a rootkit installed.

SysInternals has a little prog that will help find them if they are there:
http://www.sysinternals.com/utilities/rootkitrevealer.html

Also try CWS Shredder
http://www.intermute.com/spysubtract/cwshredder_download.html

Lastly, try http://www.michaelhorowitz.com/removespyware.html

Regarding your data - dude it sucks to say this but BACKUP ALL YOUR SH*T all of the time. I've only had one hdd go belly up on me that I did not have a full backup for and it took me bloody weeks to get my PC back to how I like it.

Anyway, good luck with the cleaning...

L
It found one but I dun know how to delete it?

HKLM\SOFTWARE\.......

key name contains embedded nu.....


/shrug
 
C:\WINDOWS\system32\mssearchnet.exe

Start off by deleting that sob. I'll look at some more.
 
I think I will just do a system restore... this is pointless and very bothersome... I've tried... 7 programs, and nothing... my computer's fux0red I know, just thought I could clean it up.

Imma borrow an external hard drive and reformat.

Though I have a question... to format the drive Windows is on, I can't be in Windows at the time, right? I have to use the repair thing on the CD and do the format option?

soulsaver
 
Was wondering still... how does my boot.ini look? Something I should edit out of it?


[boot loader]
timeout=4
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="L" C
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
 
That WINDOWS="L" C seems funny, but I'm not sure.

About the popups, are they WareOut popups? Could try this

And looks a bit like smitfraud, in which case you download this and run the RunThis.bat while you're in Safe Mode.

And I would have had HijackThis fix
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp1596.tmp
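
A small triage helper for reading the two HijackThis logs posted in this thread. It is an added example, not code from HijackThis or from anyone in the thread; the log excerpts are copied from the two scans above, and the heuristics (a BHO with no name or backed by a .tmp file, dangling "(file missing)" entries, and a BHO CLSID whose file changes name between scans) are assumptions of mine, not HijackThis rules.

```python
"""HijackThis (HJT) log triage: parse the O<n> entries, apply a few defender
heuristics, and diff two scans. Added example for this thread; not part of
HijackThis or any tool named here. Heuristics are my own, not HJT rules."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")           # "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")           # {893fad3a-...}
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|tmp|ocx|cab)\b", re.IGNORECASE)

# Excerpts copied from the two scans posted in the thread (11:30 and 17:46).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hpCE73.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""
LOG_AFTER = r"""
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp1596.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
"""


@dataclass
class Entry:
    section: str           # "O2", "O4", "O23", ...
    text: str              # everything after "On - "
    clsid: Optional[str]   # lower-cased {GUID} if the entry carries one
    path: Optional[str]    # lower-cased file path if one could be found


def parse_hjt(log: str) -> List[Entry]:
    """Return the O<n> entries of an HJT log; header and process lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, text = m.groups()
        clsid = CLSID_RE.search(text)
        path = PATH_RE.search(text)
        entries.append(Entry(section, text,
                             clsid.group(0).lower() if clsid else None,
                             path.group(0).lower() if path else None))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Flag entries worth a second look as (severity, reason, entry text)."""
    findings = []
    for e in entries:
        # A BHO that hides behind "(no name)" or lives in a .tmp file is unusual
        # for legitimate software, so it is a removal candidate (assumed heuristic).
        if e.section == "O2" and ("(no name)" in e.text
                                  or (e.path or "").endswith(".tmp")):
            findings.append(("high", "BHO with no name or backed by a .tmp file", e.text))
        # Dangling entries are usually harmless leftovers, but cleaning them
        # reduces noise so the real problems stand out.
        if "(file missing)" in e.text or "(no file)" in e.text:
            findings.append(("low", "entry points at a file that is gone", e.text))
    return findings


def diff_logs(before: List[Entry], after: List[Entry]):
    """Compare two scans: removed entries, added entries, and BHO CLSIDs whose
    backing file changed name (the 'fixed it but it came back' pattern)."""
    b_text = {e.text for e in before}
    a_text = {e.text for e in after}
    removed = sorted(b_text - a_text)
    added = sorted(a_text - b_text)
    b_bho = {e.clsid: e for e in before if e.section == "O2" and e.clsid}
    respawned = []
    for e in after:
        if e.section == "O2" and e.clsid in b_bho and e.path != b_bho[e.clsid].path:
            respawned.append((e.clsid, b_bho[e.clsid].path, e.path))
    return removed, added, respawned


def report(before_log: str, after_log: str) -> str:
    """Human-readable summary of the second scan and what changed since the first."""
    before, after = parse_hjt(before_log), parse_hjt(after_log)
    lines = ["== findings in second scan =="]
    lines += [f"[{sev}] {why}: {txt}" for sev, why, txt in triage(after)]
    removed, added, respawned = diff_logs(before, after)
    lines += ["== removed since first scan =="] + removed
    lines += ["== added since first scan =="] + added
    lines += ["== BHO re-created under a new file name =="]
    lines += [f"{c}: {old} -> {new}" for c, old, new in respawned]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE, LOG_AFTER))
```

The CLSID-with-changed-path check is the interesting one here: the same BHO GUID reappearing behind a fresh hpXXXX.tmp after a "fix" is what points at something re-creating it at startup rather than a one-off leftover.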
 
Finally someone who uses Trend Micro products. They are really the best in the field.

I suggest getting these two programs for no Spyware/Virii. At least I haven't gotten any.

TrendMicro: PC-Cillin Internet Security
Sunbelt Software: CounterSpy

Both wonderful programs. I suggest using them. Regarding your current problem, I am not too good at TSing, I just let those two programs take care of me. But Good Luck.
 
Lozer said:
That WINDOWS="L" C seems funny, but I'm not sure.

About the popups, are they WareOut popups? Could try this

And looks a bit like smitfraud, in which case you download this and run the RunThis.bat while you're in Safe Mode.

And I would have had HijackThis fix
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp1596.tmp
Oddly enough, I tried to fix it; it kept coming back...

Question though: that /fastdetect /NoExecute=OptOut part of my boot.ini file, what's that all about? I noticed long load times with login and such...

I have a custom boot skin but never did much before, just curious if that should be there.
 
That's normal. Try out those two tools, though, unless you're doing your restore.
 
Lozer said:
That's normal. Try out those two tools, though, unless you're doing your restore.
I did restore; that's too much to get rid of something I can just restore...

Imma borrow an external HDD and just get my stuff off onto it and format/fresh install.

Thanks for everyone's help so far, means a lot to me; thanks once again, and I'm keeping some of those programs y'all offered/sent, thanks a whole lot.


soulsaver
 
No problem, always willing to try help a forum member. Wish I coulda been more help.
 
Update Ad-Aware and Spybot; you need to use both in safe mode. I usually scan with Spybot first because it doesn't remove everything it says it will. After you run Spybot, run Ad-Aware... but you've already been doing this, of course.

Before you do this, please get Avast at http://www.majorgeeks.com . Avast has a 30-day free trial. Once installed, make sure you agree to the virus scan at the next system startup. Also, before rebooting into safe mode, update Avast and the virus definitions if it lets you.

The reason I recommend Avast, again, is for the installation pre-Windows scan (it's like ScanDisk). It removes a lot of spyware and trojans that cannot be removed in safe mode.

So in safe mode run Spybot, Ad-Aware, Avast... then use HijackThis and remove any other problems.

Also, if you use IE, stop. Turn off ActiveX in IE and also go to Tools > Internet Options > Advanced and turn off "enable third party extensions". You can also disable IE for cookies, Java etc... so IE can't be whored out.

You will then need to, if you are not already, switch to Firefox at mozilla.org .
 
Add this to your registry. It will fix your missing Tabs in Display Properties.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000

Best AntiSpyware program EVER.
http://download.ewido.net/ewido-setup.exe
 
I would love to nuke the OS to hell and back, but I have about 10 gigs of info I want to keep... pictures, a few movies, and music... and programs and such

I am definitely no super pro or anything like a lot of the above people are, but I would definitely recommend spending your time to find all the junk you want to keep and load it onto another drive or something and then wiping that drive out. I have my hard drive set up where 40 gigs are for the main partition with the OS and the rest is a file storage partition. Also, when I install a program and it puts it in C:\program_files by default, I change it to F:\program_files (file storage drive) so I don't have to reinstall all my junk next time I format my OS partition. It works great for me and I only need to use 1 hard drive to do it. :)
 