Mobile/PDA About Us Advertise here
User User name Password  
  Not registered yet? Register here.
Lost your password? Click here. 		 
  Home   News   Guides   Downloads   Glossary   Hardware   Profiles   Forums   v4  
 Advertise at AfterDawn.com     Link to us!     Private messages     Compose a private message     List of all updated threads     Threads without replies     Search messages
Wednesday 27.11.2024 / 21:55
Search AfterDawn Forums:        In English   Suomeksi   På svenska
afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > constantly re-occuring spy/malware
Show topics
 
Forums
Forums
Constantly re-occuring spy/malware
  Jump to:
 
Posted Message
gringer
Junior Member
_ 		18. March 2006 @ 08:20 _ Link to this message    Send private message to this user   
Hi all,

Every time I run spybot, these same critters are back again. I'm updated and immunised.



I kill them everytime with spybot but alas, they returneth.

Also, there is something called zzzhpsetup in the startup processes which nothing on the web can seem to identify, only label with a "?"

Any help much appreciated,

Thanks.
[ + quote]
Advertisement
_ 		__
JaPK
Senior Member
_ 		18. March 2006 @ 08:23 _ Link to this message    Send private message to this user   
Hi, please post a HijackThis log to here.

Instructions -> http://forums.afterdawn.com/thread_view.cfm/263784
(steps 3,4,5)
[ + quote]
I have moved from AD, I won''t be taking new HijackThis logs from here. Reason: The AD''s Unsupportive athmosphere.
gringer
Junior Member
_ 		18. March 2006 @ 08:28 _ Link to this message    Send private message to this user   
Hello,

here is my hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 2:27:12 AM, on 19/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avginet.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\BenQ\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

-----------------------

thanks.
[ + quote]
JaPK
Senior Member
_ 		18. March 2006 @ 08:59 _ Link to this message    Send private message to this user   
Ok, those found objects are cookies. If you want to prevent those from coming to your computer, install SpywareBlaster. -> http://www.javacoolsoftware.com/spywareblaster.html


Your log looks clean but there are few files that look suspicious

Lets check those out:

Do this.

Make your hidden files visible:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Show hidden files and folders.

Go to http://www.virustotal.com
-> Press Browse
-> Search this file D:\-->Setup.exe
-> OK and Send
-> Post the results to here so we can see if it is dirty

Check this file too in the virustotal and post the results here:
C:\Program Files\PowerISO\-->PWRISOVM.EXE
[ + quote]
I have moved from AD, I won''t be taking new HijackThis logs from here. Reason: The AD''s Unsupportive athmosphere.

This message has been edited since posting. Last time this message was edited on 18. March 2006 @ 09:07
gringer
Junior Member
_ 		18. March 2006 @ 09:29 _ Link to this message    Send private message to this user   
Results :

The D:/setup.exe is weird. It was actually my girlfreinds mp3 cd in the dvd drive, however no such file is on the disc.

The other one appears to be clean :

This is a report processed by VirusTotal on 03/18/2006 at 20:25:53 (CET) after scanning the file "PWRISOVM.EXE" file.

Antivirus Version Update Result
AntiVir 6.34.0.53 03.18.2006 no virus found
Avast 4.6.695.0 03.17.2006 no virus found
AVG 718 03.17.2006 no virus found
Avira 6.34.0.53 03.18.2006 no virus found
BitDefender 7.2 03.18.2006 no virus found
CAT-QuickHeal 8.00 03.18.2006 no virus found
ClamAV devel-20060126 03.17.2006 no virus found
DrWeb 4.33 03.18.2006 no virus found
eTrust-InoculateIT 23.71.105 03.18.2006 no virus found
eTrust-Vet 12.4.2123 03.17.2006 no virus found
Ewido 3.5 03.18.2006 no virus found
Fortinet 2.71.0.0 03.18.2006 no virus found
F-Prot 3.16c 03.17.2006 no virus found
Ikarus 0.2.59.0 03.17.2006 no virus found
Kaspersky 4.0.2.24 03.18.2006 no virus found
McAfee 4721 03.17.2006 no virus found
NOD32v2 1.1450 03.18.2006 no virus found
Norman 5.70.10 03.17.2006 no virus found
Panda 9.0.0.4 03.18.2006 no virus found
Sophos 4.03.0 03.18.2006 no virus found
Symantec 8.0 03.18.2006 no virus found
TheHacker 5.9.5.115 03.17.2006 no virus found
UNA 1.83 03.16.2006 no virus found
VBA32 3.10.5 03.17.2006 no virus found

cheers.

p.s.

Spybot recognises ctfmon.exe as a coolwebsearch variant, however when I googled it, it identified it as being nothing to worry about.
[ + quote]

This message has been edited since posting. Last time this message was edited on 18. March 2006 @ 09:39
JaPK
Senior Member
_ 		18. March 2006 @ 09:38 _ Link to this message    Send private message to this user   
Ok.

Run HijackThis and fix this entry: (Do a system scan only, check entry, close all other windows, press Fix checked)

O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe


Then do a new system scan with HijackThis and check that is the
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe entry gone

And tell me if it is not gone.

By the way, have you checked that cd for viruses?

[ + quote]
I have moved from AD, I won''t be taking new HijackThis logs from here. Reason: The AD''s Unsupportive athmosphere.
gringer
Junior Member
_ 		18. March 2006 @ 09:45 _ Link to this message    Send private message to this user   
Ok,

HijackThis seems to have gotten rid of the setup.exe

I scanned the CD with AVG and it yielded nothing.

p.s.

Spybot recognises ctfmon.exe as a coolwebsearch variant, however when I googled it, it identified it as being nothing to worry about.
[ + quote]
JaPK
Senior Member
_ 		18. March 2006 @ 09:50 _ Link to this message    Send private message to this user   
Ok it is propably a false positive



[ + quote]
I have moved from AD, I won''t be taking new HijackThis logs from here. Reason: The AD''s Unsupportive athmosphere.

This message has been edited since posting. Last time this message was edited on 18. March 2006 @ 09:51
gringer
Junior Member
_ 		18. March 2006 @ 09:52 _ Link to this message    Send private message to this user   
Great,

Thankyou very much for helping me out, very much appreciated!

I think its time to sleep now, thanks again.

gringer.
[ + quote]
Advertisement
_ 		__
 
_
JaPK
Senior Member
_ 		18. March 2006 @ 09:56 _ Link to this message    Send private message to this user   
By the way, if you want to make your computer (especially the startup) faster, you can fix these entries with HijackThis:

O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

The following can also be fixed if you don't need any Japanese translating/writing support:

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

And you are welcome =)
[ + quote]
I have moved from AD, I won''t be taking new HijackThis logs from here. Reason: The AD''s Unsupportive athmosphere.

This message has been edited since posting. Last time this message was edited on 18. March 2006 @ 09:56
afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > constantly re-occuring spy/malware
 

Digital video: AfterDawn.com | AfterDawn Forums
Music: MP3Lizard.com
Gaming: Blasteroids.com | Blasteroids Forums | Compare game prices
Software: Software downloads
Blogs: User profile pages
RSS feeds: AfterDawn.com News | Software updates | AfterDawn Forums
International: AfterDawn in Finnish | AfterDawn in Swedish | AfterDawn in Norwegian | download.fi
Navigate: Search | Site map
About us: About AfterDawn Ltd | Advertise on our sites | Rules, Restrictions, Legal disclaimer & Privacy policy
Contact us: Send feedback | Contact our media sales team
 
  © 1999-2024 by AfterDawn Ltd.

  IDG TechNetwork