InterviewSolution
| 1. |
Solve : Winantispy2007 downloaded to my computer without my permission? |
|
Answer» You still have a couple of bad entries showing up... You appear to have a PurityScan infection. Copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go up to File > Save As... and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

I'm sorry, there wasn't anything in the Notepad file. I did it but it came up empty. After fixing the others, here is the hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 9:48:31 PM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Pando Networks\Pando\pando.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Raynelle\My Documents\my programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: CafeMom Toolbar - {8151A608-00FB-4D5C-8B8D-40E239E32A42} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\pando.exe" /Minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {07DB8C18-9FD9-4e43-AF16-043E44D89768} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O9 - Extra 'Tools' menuitem: CafeMom Toolbar - {07DB8C18-9FD9-4e43-AF16-043E44D89768} - C:\Program Files\CafeMom Toolbar\cmtb.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - OPTIONS group: [INTERNATIONAL] International*
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL CONNECTIVITY Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

I seem to be getting IE pop-ups like a MySpace celebrity profile and "I won this" crap, but I don't even have IE open.. I use Mozilla Firefox. AND I have the pop-up blocker on IE set at block ALL pop-ups..

In the add/remove programs list I have Windows Internet Explorer 7 and IEpro7 entries... is this the same thing? I also have programs that have no size on it?

I'm sorry I keep posting. UGHH, now I am getting pop-ups in Firefox.... something like system doctor.com "your computer is under attack! get help now!"

You could be getting the popups through the messenger service, which would indicate that your Windows is not up to date. If this is the case, then update your Windows or disable the messenger service. Start>Settings>Control Panel>Admin Tools>Services>Messenger...Disable. Did you run the scans I suggested, all 4 of them?

I am now.. sorry.. the Rogue Remover wiped out a bunch of things that said Winantispy2007, but I'm still getting the pop-up. ewido is running, and so is Panda ActiveScan. I'm getting a question from ZoneAlarm to allow a generic host process for win32 services to accept internet connections.. it's svchost.exe???

Okay...look in C:\Program Files for a ?racle folder. The question mark is a wildcard, which means it could start with any letter. So, the folder could be called Tracle, Iracle, or (most likely) Oracle. This folder needs to be deleted. If you find more than one folder with such a name, let me know before you do anything. Did you try this suggestion from Fed...

Quote from: Fed on July 21, 2007, 09:14:35 PM
You could be getting the popups through the messenger service, which would indicate that your Windows is not up to date.

You can also try Shoot The Messenger. As for ZoneAlarm...it may be a legit request, but you might want to read through this thread...
http://www.computing.net/security/wwwboard/forum/272.html

Quote from: nellenaz on July 21, 2007, 09:00:46 PM
In the add/remove programs list I have Windows Internet Explorer 7 and IEpro7 entries... is this the same thing? I also have programs that have no size on it?

This is IE7Pro... http://www.ie7pro.com It's an add-on for IE7. You don't need it, but it's not malicious. Also...not all programs list their filesizes. Are any of these programs suspicious?

By the way, here is some info for those programs you listed earlier...

Digital Content Portal (Comes with some Dell computers. Some consider it to be spyware, but it doesn't appear to be malicious. Can be removed if you don't want it.)
EarthLink Setup Files (Can be removed if you have no interest in EarthLink.)
f Get HI speed Internet! (Not sure what this is. Probably related to FlashGet. Should be able to remove safely.)
Macromedia Flash Player (You should keep this.)
Microsoft .NET Framework 1.1 (You might want to upgrade to 2.0.)
Microsoft .NET Framework 1.1 Hotfix (KB8928366) (Are you sure that's the right number? I can't find info on this exact hotfix.)
Microsoft Compression Client Pack 1.0 for Windows (This is safe.)
Microsoft Plus! Digital Media Edition Installer (This is safe, but you don't need it.)
Microsoft Plus! Photo story 2 I.E
Microsoft User-mode driver Framework feature Pack 1.0 (This is safe. Keep it if you want it.)
NetZero Installer (You can remove this if you have no interest in NetZero.)
PhotoClick (Not sure about this one. Could be related to this.)
RealPlayer Basic (Media player that probably came with your computer. It's safe.)
(Safe.)
Sonic DLA (Safe, but not free.)
Sonic RecordNow! Audio (Safe, but not free.)
Sonic RecordNow! Copy (Safe, but not free.)
Sonic RecordNow! Data (Safe, but not free.)
Sonic Update Manager (Safe.)
WebCyberCoach 3.2 Dell (Came with Dell. Should be safe.)
Windows Installer 3.1 (KB89353) (This is safe.)
Windows Media Format 11 runtime (Part of Windows Media Player. You should keep this.)
Windows Media Player 11 (You should keep this.)
Apple Software Update (Safe. Probably came with your Apple Mobile Device.)
IE7Pro (IE7 add-on. Safe.)
Learn2 Player (Uninstall Only) (Bloatware installed by AOL; often comes with Dell computers. It's not malicious, but you don't need it.)
Conexant D480 MDC v.9x Modem (Modem driver. Might want to keep this.)
Digital Line Detect (Comes with Dell; used to be considered spyware. Should be safe, but you don't need it.)
AOL Coach Version 1 (build:20040229. 1 en) (AOL bloatware. Not malicious, but you don't need it.)
AOL Connectivity Services (Automatically reconnects you if you lose your AOL connection.)
Apple Mobile Device Support (Comes with the latest versions of iTunes. If you don't have an iPhone, then you don't need this.)
Viewpoint Media Player (More AOL bloatware. Technically not malicious, but I usually advise removing it.)
Windows Desktop Search 3.01 (Search tool. You don't need it, but it's safe, and might be useful.)

Well, I ran ALL the programs Fed suggested, coupled with what Chris told me, and I seem to be in the clear. I didn't have a ?acle folder, but I did see something like that deleted with one of the programs. I'm going to run all of the programs again (Roguerunner, AVG Free, Ccleaner, panda active scan, superantispyware, ewido online and spybot) and see what they come up with again. How often should I run these programs? And thank you Chris for all the information on those programs.. I'm going to be deleting a LOT today..

Quote from: CBMatt on July 22, 2007, 04:04:32 AM
By the way, here is some info for those programs you listed earlier...

It wasn't!! It is KB928366, somehow an 8 got added.. I was c/p from Microsoft OneNote, so it probably happened then. AVG Free came up clean!! Will keep you updated. Oh, and the messenger service was already disabled. Oh, and no, none of the programs were suspicious, I just didn't know what they were. Thanks guys!!! You're lifesavers!!!
Don't forget to keep your Windows up to date and create a new restore point.

So, no more popups, then? Excellent. Like Fed says, you should clear your restore points and create a new one...

1. Go to Start > Programs > Accessories > System Tools > System Restore
2. Click on System Restore Settings.
3. Check Turn off System Restore and click OK.
4. Restart your computer.
5. Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6. Create a new restore point and close the program.

System Restore will now be active again. If you would like to learn more about System Restore, go here.

Also, I see that your Java is out of date. You'll want to correct this quickly, as it will help provide further protection for you. To do so, go here and click on Free Java Download. You will be given instructions on what to do next. Once you have installed the latest version, you should remove any older versions of Java.

For more info on infections and how to stay clean, please read through this guide.

As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged. If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem. |
|
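Added example, not part of the thread and not HijackThis's own code: a Python first-pass triage of a HijackThis log like the one posted above, which re-splits a log whose line breaks were lost and buckets entries marked (no file) or (file missing), services listed with "Unknown owner", AppInit_DLLs values, and Java runtime versions found in paths. The bucket names and function names are this example's own, and the sample is six entries copied from the posted log.

```python
import re
from collections import defaultdict

# HijackThis section codes (R0-R3, F0-F3, N1-N4, O1-O24), each followed by " - ".
CODE = r"(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2})"
ENTRY_START = re.compile(r"(?<!\S)(?=" + CODE + r" - )")
ENTRY = re.compile(r"(" + CODE + r") - (.*)")
ORPHAN = re.compile(r"\((?:no file|file missing)\)$")
JAVA = re.compile(r"\\j2re(\d+(?:\.\d+)*(?:_\d+)?)\\", re.IGNORECASE)

# Six entries from the log posted in the thread, run together on one line.
SAMPLE = (
    r"Running processes: C:\WINDOWS\Explorer.EXE "
    r"R3 - URLSearchHook: Yahoo! Toolbar - "
    r"{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) "
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] "
    r"C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe "
    r"O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - "
    r"%windir%\Network Diagnostic\xpnetdiag.exe (file missing) "
    r"O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL "
    r"O23 - Service: Ati HotKey Poller - Unknown owner - "
    r"C:\WINDOWS\system32\Ati2evxx.exe "
    r"O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - "
    r"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe"
)


def split_entries(text):
    """Return (code, detail) pairs, re-splitting a log whose newlines were lost."""
    pairs = []
    for chunk in ENTRY_START.split(" ".join(text.split())):
        m = ENTRY.fullmatch(chunk.strip())
        if m:  # header and process-list text never starts with a section code
            pairs.append((m.group(1), m.group(2)))
    return pairs


def triage(pairs):
    """Bucket entries for manual review; a bucket is a prompt to look, not a verdict."""
    out = defaultdict(list)
    for code, detail in pairs:
        if ORPHAN.search(detail):  # the registry entry points at a file that is gone
            out["orphaned"].append(code)
        if code == "O23" and " - Unknown owner - " in detail:
            out["service_unknown_owner"].append(detail[len("Service: "):].split(" - ")[0])
        if code == "O20":  # AppInit_DLLs are loaded into every process using user32.dll
            out["appinit_dll"].append(detail.partition(": ")[2])
        out["java_runtime"].extend(JAVA.findall(detail))
    return dict(out)


if __name__ == "__main__":
    for bucket, items in triage(split_entries(SAMPLE)).items():
        print(bucket, items)
```

When a log has been flattened together with the surrounding post, any prose that follows the last entry ends up attached to that entry's detail, so trim the paste to the log itself first.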