I think I might have spyware problems.

Discussion in 'adware, spyware & hijack cleaning' started by JCLE225, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. JCLE225

    JCLE225 Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    2
    I'm not sure if I have a virus on my laptop or not, but I would appreciate it if someone looked over my Hijackthis Log and told me if I did or not. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:39:57 PM, on 6/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ati2evxx.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\ipph32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\Atiptaxx.exe
    C:\WINDOWS\system32\qttask.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\ipbs32.exe
    C:\Program Files\AIM95\aim.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Jeffrey\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqqxm.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tqqxm.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tqqxm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqqxm.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tqqxm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tqqxm.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {9853A469-F773-CC80-D9FF-72819852F043} - C:\WINDOWS\d3mo.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ipbs32.exe] C:\WINDOWS\system32\ipbs32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [cvchost] c:\windows\svchost.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    O4 - Global Startup: winlgn.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi JCLE225

    Pls. Save HijackThis in a convenient permanent folder such as C:\HJT.

    Then Download cwshredder here Close all browser windows and click on the fix/next button.

    Run an on-line scan:

    http://housecall.antivirus.com/

    http://www.bitdefender.com/scan/Msie/index.php

    http://www.pandasoftware.es/activescan/activescan-com.asp

    http://www.ravantivirus.com/scan/

    Then check the following items in Hijackthis - close ALL windows except HijackThis and click "Fix checked":

    Any idea what these are?
    C:\WINDOWS\ipph32.exe
    C:\WINDOWS\system32\ipbs32.exe

    IF UNKNOWN pls. check.

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqqxm.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tqqxm.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tqqxm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tqqxm.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tqqxm.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tqqxm.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

    O2 - BHO: (no name) - {9853A469-F773-CC80-D9FF-72819852F043} - C:\WINDOWS\d3mo.dll

    O4 - HKLM\..\Run: [ipbs32.exe] C:\WINDOWS\system32\ipbs32.exe <--see above

    O4 - HKCU\..\Run: [cvchost] c:\windows\svchost.exe <--virus

    Reboot

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
  3. JCLE225

    JCLE225 Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    2
    Here is the lastest log after I followed your instructions. I hope I fixed the problem.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:33:05 AM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ati2evxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\Atiptaxx.exe
    C:\WINDOWS\system32\qttask.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\Progra~1\Support.com\client\bin\tgfix.exe
    C:\Documents and Settings\Trang\My Documents\Downloaded Programs\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [ntlw32.exe] C:\WINDOWS\system32\ntlw32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
    O4 - Global Startup: winlgn.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI JCLE225

    still some more to do:

    Check in HJT again - same way as before :

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

    O4 - HKLM\..\Run: [ntlw32.exe] C:\WINDOWS\system32\ntlw32.exe

    O4 - Global Startup: winlgn.exe

    Reboot in SAFEMODE and delete:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\WINDOWS\system32\ntlw32.exep

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
Thread Status:
Not open for further replies.