Author Topic: frustrated spyware help!!!  (Read 4010 times)

0 Members and 1 Guest are viewing this topic.

schmeedogg

  • Guest
frustrated spyware help!!!
« on: February 22, 2005, 03:30:57 AM »
I was hoping someone here can help me.  got a virus sunday.  not sure what the main virus is, but i have oodles of pop-ups and ads now, along with a crazy desktop background now, changed favorites, new desktop icons, pretty much the works.  ive run HJT and cleaned and ad-aware and fixed, and spybot and fixed.  gone into regedit and tried to delete all necessary registries, but it comes back every time.  im almost out of options now.  any help would be greatly appreciated.

heres my log file

Logfile of HijackThis v1.97.7
Scan saved at 9:30:53 PM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\ohgpjlg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\dplloc.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\divrn11n.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\uncqhct.exe
c:\windows\system32\packager.exe
C:\Documents and Settings\Zack\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Zack\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Zack\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {D2BA3E77-469A-4C26-907F-D296E0520502} - C:\WINDOWS\System32\fdhe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [B59U] C:\WINDOWS\ohgpjlg.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [qziruh] C:\WINDOWS\qziruh.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [uncqhct] c:\windows\system32\uncqhct.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Zack\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [4soh34e] dplloc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [LB7nRQKqO] divrn11n.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx


thanks again!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31078
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: frustrated spyware help!!!
« Reply #1 on: February 22, 2005, 03:41:01 AM »
First of all, you are using a very old version of HijackThis, please use the latest (1.99.1)
Click on the link in my signature and visit the HijackThis section.
It has everything you need (to know).

Secondly, your Windows as well as your IE are not up-to-date which leaves your system very vulnarable to infections/hacking etc.

I suggest you do not only have a look at the HJT section but also follow the instruction in the malware removal section on my website.
« Last Edit: February 22, 2005, 03:43:31 AM by Eddy »

schmeedogg

  • Guest
Re: frustrated spyware help!!!
« Reply #2 on: February 22, 2005, 03:45:57 AM »
donwloaded newer version, heres the new log.

Logfile of HijackThis v1.99.1
Scan saved at 9:45:29 PM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\ohgpjlg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\dplloc.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\divrn11n.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\uncqhct.exe
c:\windows\system32\packager.exe
C:\Documents and Settings\Zack\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {D2BA3E77-469A-4C26-907F-D296E0520502} - C:\WINDOWS\System32\fdhe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [B59U] C:\WINDOWS\ohgpjlg.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [qziruh] C:\WINDOWS\qziruh.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [uncqhct] c:\windows\system32\uncqhct.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Zack\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [4soh34e] dplloc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [LB7nRQKqO] divrn11n.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - {4AFBD83F-2AA1-4EE6-9B10-0F6C90F932F9} - C:\WINDOWS\System32\fdhe.dll
O18 - Filter: text/plain - {4AFBD83F-2AA1-4EE6-9B10-0F6C90F932F9} - C:\WINDOWS\System32\fdhe.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\ipti32.exe (file missing)





Spyros

  • Guest
Re: frustrated spyware help!!!
« Reply #3 on: February 22, 2005, 10:25:00 AM »
You can copy/paste the hijackthis log here: http://hijackthis.de/ and see the results.  ;)