#1 ko5567 (Member, joined Apr 2005, 36 posts)

constant spyware & viruses on comp...help plz

I have constant spyware and viruses that keep coming back on my computer no matter what I do, spyware with names such as NameShifter. I have run stuff such as Ad-Aware, Spybot Search & Destroy, and ewido. Here is my HJT log:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\System32\Msshll.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\System32\per.exe
    C:\WINDOWS\System32\Scnex.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philstar.com/
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Fast Home] C:\WINDOWS\system32\svcnvt.exe home
    O4 - HKLM\..\Run: [rscn] C:\WINDOWS\System32\bum727.exe ymmud
    O4 - HKLM\..\Run: [Comm Driver] Commh32.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [dmxah.exe] C:\WINDOWS\System32\dmxah.exe
    O4 - HKLM\..\RunServices: [SysPilot] Fdxxl.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44980D7C-6427-45E0-8E4F-06DD917241FC}: NameServer = 85.255.114.90,85.255.112.98
    O17 - HKLM\System\CCS\Services\Tcpip\..\{71067C5D-E629-4B4D-9BF6-750452ECE2FE}: NameServer = 85.255.114.90,85.255.112.98
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD6CC2F8-5351-40D2-8914-A8DC87298C5E}: NameServer = 85.255.114.90,85.255.112.98
    O17 - HKLM\System\CS1\Services\Tcpip\..\{44980D7C-6427-45E0-8E4F-06DD917241FC}: NameServer = 85.255.114.90,85.255.112.98
    O17 - HKLM\System\CS2\Services\Tcpip\..\{44980D7C-6427-45E0-8E4F-06DD917241FC}: NameServer = 85.255.114.90,85.255.112.98
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)

#2 steamwiz (Member, Yorkshire U.K., joined Sep 2003, 14,022 posts)

    HI

Disconnect from the internet, close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the entries listed below. When all are ticked (checked), click the Fix Checked button at the bottom:


    O4 - HKLM\..\Run: [Fast Home] C:\WINDOWS\system32\svcnvt.exe home
    O4 - HKLM\..\Run: [rscn] C:\WINDOWS\System32\bum727.exe ymmud

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [dmxah.exe] C:\WINDOWS\System32\dmxah.exe



Reboot, then delete the following files (if found):

    C:\WINDOWS\system32\svcnvt.exe ... file
    C:\WINDOWS\System32\bum727.exe ... file
    C:\WINDOWS\System32\per.exe ... file
    C:\WINDOWS\System32\dmxah.exe ... file

    Let us know if the problem persists and post a new hijackthis log.

    steam
    Look here for Ways to keep your computer safe
M'SOFT MVP - Windows Security 2004/8 - member ASAP

#3 ko5567 (Member, joined Apr 2005, 36 posts)

Thanks, I'm currently having no problems, but here's my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:20:08 PM, on 1/13/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\System32\Msshll.exe
    C:\WINDOWS\System32\Scnex.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philstar.com/
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Comm Driver] Commh32.exe
    O4 - HKLM\..\RunServices: [SysPilot] Fdxxl.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44980D7C-6427-45E0-8E4F-06DD917241FC}: NameServer = 85.255.114.90,85.255.112.98
    O17 - HKLM\System\CCS\Services\Tcpip\..\{71067C5D-E629-4B4D-9BF6-750452ECE2FE}: NameServer = 85.255.114.90,85.255.112.98
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD6CC2F8-5351-40D2-8914-A8DC87298C5E}: NameServer = 85.255.114.90,85.255.112.98
    O17 - HKLM\System\CS1\Services\Tcpip\..\{44980D7C-6427-45E0-8E4F-06DD917241FC}: NameServer = 85.255.114.90,85.255.112.98
    O17 - HKLM\System\CS2\Services\Tcpip\..\{44980D7C-6427-45E0-8E4F-06DD917241FC}: NameServer = 85.255.114.90,85.255.112.98
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)

#4 steamwiz (Member, Yorkshire U.K., joined Sep 2003, 14,022 posts)

    I suppose you do know you have a keylogger and monitoring software running on your computer...

    G Data "PC Spion" - monitoring and surveillance software, captures all users activity on the PC

    steam

#5 ko5567 (Member, joined Apr 2005, 36 posts)

How do I get rid of it?

#6 steamwiz (Member, Yorkshire U.K., joined Sep 2003, 14,022 posts)

    HI

    If you are not aware of this being installed on your computer, then it is most likely that someone else with access to your computer installed it to check on you ... if you are a child, they will instantly know if you remove it.

    As I have no way of knowing if you are a child or a parent, I will tell you how to remove it, and you must decide what to do...

These files are not shown as running:

    Commh32.exe
    Fdxxl.exe

But these in your "running processes" are running (obviously):

    C:\WINDOWS\System32\Msshll.exe
    C:\WINDOWS\System32\Scnex.exe

    and they are all part of the same monitoring software...

First go to Add/Remove Programs in the Control Panel and uninstall anything to do with G Data or "PC Spion".

    If nothing is there...

Run HijackThis and fix these:

    O4 - HKLM\..\Run: [Comm Driver] Commh32.exe
    O4 - HKLM\..\RunServices: [SysPilot] Fdxxl.exe

And if you didn't disable regedit on purpose, fix this as well:

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Reboot, then find and delete:

    C:\WINDOWS\System32\Msshll.exe
    C:\WINDOWS\System32\Scnex.exe

And these, which you will need to search for:

    Commh32.exe
    Fdxxl.exe


    Post a new hijackthis log

    steam
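The reading steamwiz does by hand in posts #2 and #6 (spot O4 entries that name a bare file with no path, check whether those files show up under "Running processes", notice System32 processes that nothing in the log starts, flag the O17 NameServer lines and the O7 DisableRegedit policy, and compare the second log with the first to confirm which entries the fix removed) can be done mechanically over the log text. The following Python script is an added example, not part of this thread and not HijackThis code; it only reads log text and changes nothing on the machine, so the actual fixing and deleting still happens in HijackThis as described above. The two log excerpts are trimmed copies of the lines posted in the thread; the `TRUSTED_DNS` value `192.168.1.1` and the `CORE_OS` process list are assumptions standing in for whatever the owner's ISP or router hands out and for the Windows XP processes that normally run with no O4 entry.

```python
# Added example (not from the thread, not HijackThis code): triage an HJT log the
# way steamwiz does by hand.  Reads log text only; touches no registry or disk.
import re
from collections import defaultdict

# Constructed excerpt: a trimmed copy of the second log posted in the thread.
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\Msshll.exe
C:\WINDOWS\System32\Scnex.exe
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Comm Driver] Commh32.exe
O4 - HKLM\..\RunServices: [SysPilot] Fdxxl.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{44980D7C-6427-45E0-8E4F-06DD917241FC}: NameServer = 85.255.114.90,85.255.112.98
"""
# The four O4 lines fixed after post #2; they exist only in the first log.
LOG_BEFORE = LOG_AFTER + r"""
O4 - HKLM\..\Run: [Fast Home] C:\WINDOWS\system32\svcnvt.exe home
O4 - HKLM\..\Run: [rscn] C:\WINDOWS\System32\bum727.exe ymmud
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [dmxah.exe] C:\WINDOWS\System32\dmxah.exe
"""
# Assumption: the resolver this machine should use (ISP or router supplies the real one).
TRUSTED_DNS = {"192.168.1.1"}
# Assumption: core XP processes that legitimately run with no O4 entry of their own.
CORE_OS = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
           "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", re.I)


def parse_hjt(text):
    """Return (running-process paths, {section code: [entry text, ...]})."""
    procs, entries, in_procs = [], defaultdict(list), False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Running processes:"):
            in_procs = True
        elif (m := ENTRY_RE.match(line)):
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif in_procs:
            procs.append(line)
    return procs, entries


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def o4_target(entry):
    """Path an O4 entry launches, or None for forms HJT prints differently."""
    m = O4_RE.match(entry)
    if not m:
        return None
    cmd = m.group("cmd")
    if cmd.startswith('"'):                    # quoted path; arguments follow
        return cmd[1:cmd.index('"', 1)]
    e = EXE_RE.match(cmd)                      # unquoted path, may contain spaces
    return e.group(1) if e else cmd.split(" ", 1)[0]


def triage(text, trusted_dns=TRUSTED_DNS):
    """List (section, reason, entry) findings a reviewer would raise."""
    procs, entries = parse_hjt(text)
    running = {basename(p) for p in procs}
    findings, referenced = [], set()
    for e in entries["O4"]:
        path = o4_target(e)
        if path is None:
            continue
        referenced.add(basename(path))
        if "\\" not in path:                   # bare name: located by PATH search
            state = "running" if basename(path) in running else "not running"
            findings.append(("O4", f"bare filename, no path in entry; {state}", e))
    for e in entries["O7"]:
        if "DisableRegedit=1" in e:
            findings.append(("O7", "Registry Editor disabled by policy", e))
    for e in entries["O17"]:
        bad = [s.strip() for s in e.partition("NameServer = ")[2].split(",")
               if s.strip() and s.strip() not in trusted_dns]
        if bad:
            findings.append(("O17", "untrusted DNS server(s): " + ", ".join(bad), e))
    # System32 processes that nothing in the log starts (steamwiz's Msshll and
    # Scnex observation): some other component launches them, so hunt for that.
    for p in procs:
        b = basename(p)
        if "\\system32\\" in p.lower() and b not in CORE_OS and b not in referenced:
            findings.append(("proc", "System32 process with no autostart entry", p))
    return findings


def removed_entries(before, after, section="O4"):
    """Entries in the earlier log that are gone from the later one."""
    return sorted(set(parse_hjt(before)[1][section]) - set(parse_hjt(after)[1][section]))
```

Running `triage(LOG_AFTER)` reports Commh32.exe and Fdxxl.exe as bare names that are not running, Msshll.exe and Scnex.exe as System32 processes with no autostart entry, the DisableRegedit policy, and both 85.255.x.x name servers as untrusted; `removed_entries(LOG_BEFORE, LOG_AFTER)` returns the four O4 lines the first fix removed, which is the check steamwiz asks for by requesting a fresh log. The O17 check is deliberately an allow-list: a name server that is not the one the ISP or router assigned is worth a question even when it resolves names correctly, and the script cannot know which address that is, which is why `TRUSTED_DNS` is an input rather than a built-in list.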