please help. Strange's my log

Discussion in 'adware, spyware & hijack cleaning' started by taofang, May 2, 2004.

Thread Status:
Not open for further replies.
  1. taofang

    taofang Registered Member

    May 2, 2004
    I randomly get strange sounds on my computer, like a dog barking, and now, as funny as it sounds, I get "She Bangs" randomly too. Please help!! I've done the scans and found no viruses using McAfee and help. =C

    Logfile of HijackThis v1.97.7
    Scan saved at 1:55:48 AM, on 5/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\ShopSafe\ShopSafe.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\Program Files\ATI Multimedia\main\ATISched.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\XoftSpy\XoftSpy.exe
    C:\Program Files\WinRAR\WinRAR.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =*
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =*
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N3 - Netscape 7: # Mozilla User Preferences
    // This is a generated file!

    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("", "C:\\Sierra\\dll\\New Folder");
    user_pref("", false);
    user_pref("browser.history.last_page_visited", "");
    user_pref("", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.0.1");
    user_pref("intl.charsetmenu.browser.cache", "Shift_JIS, windows-1250, ISO-8859-1, UTF-8, TIS-620");
    user_pref("network.cookie.cookieBehavior", 0);
    user_pref("prefs.converted-to-utf8", true);
    user_pref("security.warn_entering_secure", false);
    user_pref("security.warn_leaving_secure", false);
    user_pref("security.warn_submit_insecure", false);
    user_pref("signon.SignonFileName", "48876794.s");
    user_pref("timebomb.first_launch_time", "1048876754625000");
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Internet Explorer Web Content Guard - {1B77D30A-81C9-497A-8647-142F7511B1FB} - C:\WINDOWS\System32\PAL\PCS\ieguard.dll
    O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINDOWS\System32\BhoSSafe.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [klp] C:\WINDOWS\System32\PAL\PCS\explorer.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [File System Service] wmiprvsc.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\StompSoft\Virus X-terminator\NVC\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! NBA StatTracker -
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -,0,0,77/
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -,0,0,17/
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) -
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -,5,0,4355/
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) -
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) -
  2. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    You definitely have at least one trojan hacker there,

    which is this:
    PAL PC Spy Protects, Controls and Monitors everything that happens on your PC and online. It is a completely invisible KEY RECORDER and SCREEN CAPTURE utility that secretly captures anything the user sees or types on the keyboard. PAL PC Spy operates in stealth mode. Users are unaware of its existence. Special hotkey and login is necessary to invoke the program. Users are unable to terminate the program. Users are unable to uninstall the program. PAL PC Spy comes with a Screen Capture with idle detect, Key Recorder, Auto E-mailer, Network Monitor, Folder Hider Archive Utility, Clear Trace and Picture Viewer. Monitors any Email, Chat Room or PC

    I would strongly recommend downloading and running a specialised anti-trojan.

    The anti-trojan that I use for dealing with them is

    TDS3 from

    Download & install the 30-day free trial, and update it manually as described here, as the trial version doesn't have auto-update enabled.

    Then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in the top right corner; then select system testing and select full system scan.

    Sit back with a cup of coffee and watch what it finds.


    Unlike set-and-forget AVs, TDS works with you; it doesn't auto-delete anything but puts a list of found suspect files in the bottom window.

    Right-click any file it finds and it gives you options on dealing with it; the normal selection would be delete, but first select "save as text", which will create a logfile of all the found suspect files and put it in the TDS directory, called scandump.txt.

    Post back with the TDS log after running, please; just copy & paste the entries from scandump.txt.
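    Added example (not from this thread or from any of the tools named in it): a small Python triage helper that parses the O4 Run/RunServices lines from the HijackThis log in post 1 and flags the things dvk01 picked out by eye: an image listed with no directory, an image under the System32\PAL\PCS directory identified above as PAL PC Spy, and a filename that is, or is one character away from, a Windows system binary name outside its normal location. The sample lines are copied from the log; the system-binary location table and the one-character lookalike heuristic are assumptions of this example, and a flag means "verify this entry", not "this is malware".

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines copied from the HijackThis log in post 1 (abridged).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [klp] C:\WINDOWS\System32\PAL\PCS\explorer.exe
O4 - HKLM\..\Run: [File System Service] wmiprvsc.exe
O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# HijackThis O4 registry Run entry: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Windows binaries whose names malware likes to borrow, with the directory they
# legitimately live in (assumption: default Windows XP install in C:\WINDOWS).
SYSTEM_NAMES = {"explorer.exe": r"C:\WINDOWS", "wmiprvse.exe": r"C:\WINDOWS\System32\wbem",
                "svchost.exe": r"C:\WINDOWS\System32", "lsass.exe": r"C:\WINDOWS\System32"}

def image_path(cmd):
    """Pull the executable path out of a Run value (quoted, or unquoted up to '.exe')."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def lookalike(name):
    """Same-length name differing from a system binary name in exactly one character."""
    for real in SYSTEM_NAMES:
        if len(real) == len(name) and sum(a != b for a, b in zip(real, name)) == 1:
            return real
    return None

def triage(log_text):
    """Return the O4 entries that deserve a manual check, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, subkey, name, cmd = m.groups()
        image = image_path(cmd)
        p = PureWindowsPath(image)
        base, reasons = p.name.lower(), []
        if str(p.parent) == ".":
            reasons.append("no directory given; locate the file before trusting it")
        if "\\pal\\pcs\\" in image.lower():   # directory dvk01 tied to PAL PC Spy
            reasons.append("runs from System32\\PAL\\PCS (identified as PAL PC Spy)")
        if base in SYSTEM_NAMES and str(p.parent).lower() != SYSTEM_NAMES[base].lower():
            reasons.append("system binary name outside " + SYSTEM_NAMES[base])
        elif (real := lookalike(base)):
            reasons.append("name resembles " + real + "; verify it is not a lookalike")
        if reasons:
            findings.append({"key": hive + "\\..\\" + subkey, "name": name,
                             "image": image, "reasons": reasons})
    return findings
```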
  3. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    It also looks like this one running as well

    So either your antivirus isn't detecting it, or it's been compromised.

    Also do this, please, and report back:
    Run an online antivirus check from at least one, and preferably 2, of the following sites
  4. taofang

    taofang Registered Member

    May 2, 2004
    I installed the TDS-3 program and I manually updated it... but when I run the TDS-3 program it just opens up this DOS-looking window (its control panel) and then scrolls a bunch of words and then closes itself without me doing anything. There are no options to click on since it seems to load up and then close itself. Did I do something wrong?
    Thanks so much for your help!!
  5. taofang

    taofang Registered Member

    May 2, 2004
    Anyone help? These sounds are driving me crazy =C
  6. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Please give this one a try: go offline, rename TDS-3.EXE for the time being to, for example, TDX.EXE, reboot, click TDX.EXE and perform a full system scan.

    Keep us posted!


  7. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Are you sure there was not any error, like "could not load radius" or things like that?
    If you look in the TDS directory, logs, May, is there any log from the console for today, so we can have a clue?
    Also: did you reboot your PC after installing TDS? (important)
    Please report back whether you were able to perform a full system scan the way Paul told you to try, and the alarms from that.