Help!! I've been attacked by Spyware!

Factual Questions
1

One wrong click last week turned my computer life upside down. Since then I’ve been downloading/buying spyware killers and pop-up stoppers but there is still spyware on my computer.

So far I’ve downloaded Ad-aware, Spyware Blaster, Spyware Killer, Secretmaker, and Bazooka. All of them, except Bazooka, say there is no more spyware on my computer, but Bazooka says there are 8 detected objects and they recommend manual removal. Now, I’ve tried the manual removal thing and have been successful at almost uninstalling one file, but it says if you cannot find all the files and delete them, then it will still remain on your computer, and well, I can’t find them all.

So now what do I do? I don’t want to keep buying or downloading different programs but I am afraid to go into my online checking account or make an online purchase until the spyware is gone.

Please Help!

2

You didn’t say what specific files or spyware you are having problems with, so it is a little hard to give you a solution. However, for a start, go to Merijn.org and download CWShredder and Hijackthis. Run CWShredder, and see if you still have the same problems. If so, run Hijackthis, but don’t make any changes. Hijackthis does not distinguish between good registry entries or bad ones; save a log to a text file, and post it here. I will have a look.

3

Bazooka says I have the following detected objects:

2ndthought Adware
BookedSpace
Cydoor
Flingstone Bridge
HelpExpress
IGetNet
Internet Optimizer
MS Media Player GUID
I actually did try hijackthis but I had no idea what to do after the scan. Here is the log file and thank you, I really appreciate your help.

Logfile of HijackThis v1.97.7
Scan saved at 10:16:21 PM, on 5/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus
avapsvc.exe
C:\WINDOWS\System32
vsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\NORTON~1
avapw32.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\shicoxp.exe
C:\WINDOWS\mwsvm.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\system32\a.exe
C:\Program Files\FreeMem Standard\freemem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\DIANA\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?si-001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topfivesearch.com/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=0B3CEA24-FD28-439D-88D0-5419459C1044&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS waintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS
em214.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM…\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM…\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM…\Run: [NAV Agent] C:\PROGRA~1\NORTON~1
avapw32.exe
O4 - HKLM…\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM…\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM…\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM…\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM…\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM…\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM…\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM…\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM…\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM…\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM…\Run: [Internet Optimizer] “C:\Program Files\Internet Optimizer\optimize.exe”
O4 - HKCU…\Run: [FreeMem Pro] “C:\Program Files\FreeMem Standard\freemem.exe” Startup
O4 - HKCU…\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU…\Run: [SPYKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT /TRAY
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - 亚博|爱游戏
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\DIANA\LOCALS~1\Temp\ThereInstallHelper.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip…{24162936-7951-4F87-B264-416675348363}: NameServer = 198.81.19.4
O17 - HKLM\System\CS1\Services\Tcpip…{24162936-7951-4F87-B264-416675348363}: NameServer = 198.81.19.4

4

Once you’ve eradicated the nasties, dump IE for Mozilla. You will be glad you did, in more ways than one.

5

Kazaa is responsible for Cydoor and several of the other spyware programs; if you remove Cydoor, Kazaa won’t work any longer. I advise you to dump Kazaa. Download Kazaabegone, which will remove all versions of Kazaa and associated spyware.

AS for the rest of the crap in your Hijackthis log, put a checkmark next to all of the following items, and click on Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?si-001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivesearch.com/sidesearch.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivesearch.com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topfivesearch.com/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch...4&version_id=18

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS waintec.dll

O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)

O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS
em214.dll

O4 - HKLM…\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM…\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM…\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM…\Run: [Internet Optimizer] “C:\Program Files\Internet Optimizer\optimize.exe”

O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com

O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\DIANA\LOCALS~1\Temp\ThereInstallHelper.dll

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab

6

Sorry for the big hijack but I didn’t want to start a whole new thread on a never-ending problem.

The spyware that is attacking me sends a pop up message everytime I double click on my AIM quicklaunch. ( so if I close the AIM window, then open it again, the pop-up pops and says ALERT SPYWARE ACTIVITY DETECTED ON YOUR COMPUTER!)

Here is my log from Hijack This;

Logfile of HijackThis v1.97.7
Scan saved at 10:37:03 PM, on 5/2/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\UMonit2K.exe
C:\WINNT\loadqm.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {F9F3004A-1161-4CC2-9C68-816046E0C5CF} - C:\WINNT\System32\phplff.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM…\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [CARPService] carpserv.exe
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [UMonit2K.exe] “C:\WINNT\System32\UMonit2K.exe”
O4 - HKLM…\Run: [LoadQM] loadqm.exe
O4 - HKLM…\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM…\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKCU…\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU…\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU…\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU…\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU…\Run: [sysmon] C:\WINNT\System32\sysmon\sysmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2569f32da76d57033722/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4322/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

Spysweeper and Spybot Search & Destroy both say there is nothing in my computer, but everytime I run Ad-Aware it picks up on the same thing (CoolWebSearch).

7

First, download and run CWShredder to get rid of CoolWebSearch. If that doesn’t solve all your problems, check the following item in Hijackthis and hit Fix Checked :

O2 - BHO: (no name) - {F9F3004A-1161-4CC2-9C68-816046E0C5CF} - C:\WINNT\System32\phplff.dll

8

I have Norton Antivirus and SpyHunter scheduled to scan and delete viruses, adware, spyware and other questionable files daily, and then immediately defrag.

Its like giving my computer a shot of Ex-Lax!

9

I have used Hijackthis a bit, but when i just went to Merijn.org I couldn’t link to it. Is it down, hacked, or am I infected?

10

Here is my log. Simple things have already figured to eliminate- usually items “01” and most BHO’s. Any suggestion of what else to eliminate?

Logfile of HijackThis v1.97.7
Scan saved at 12:07:15 AM, on 5/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\dllcache\MSSvc.EXE
C:\WINNT\system32\MSTask.exe
c:\winnt\system32\dllcache\runbatch.exe
C:\WINNT\system32\dllcache\MSSvc.EXE
C:\WINNT\system32\dllcache\cmd.exe
C:\WINNT\system32\dllcache\MSSvc.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
c:\winnt\system32\dllcache\userlist.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\winnt\system32\dllcache
et.exe
C:\WINNT\system32
et1.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\system32\pctspk.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM…\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM…\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM…\Run: [PCTVOICE] pctspk.exe
O4 - HKLM…\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

11

I hope someone can help us? Seems to be bad out there!

12

Sorry I haven’t answered sooner, the Sasser virus has had me running all day.

I believe you are infected with the Win32/Parite.B virus. If you aren’t running an anti-virus program, download and install AVG from Grisoft, or run the Panda free online scanner. If it finds and removes this or any other viruses, post an new Hijackthis log here.

13

Man, I know, our work computers were shut down all day due to it. Assuming your reply was to me, I have the newest Symantec upload. Over the last few months, it has caught & “quarentined” several virii.

However, once a day or so, some bastards attempt to hijack my home page with some Spyware. Winpatrol alerts me on this. I use “Hijackthis” to get rid of the more obvious bad files. I have run “CWSShredder” and have “Spyware blaster” installed & up.

I can again go to Merijn.

14

Well, at work we finally licked the worm, but…

Fear? Maybe you could still lend us a hand?

15

The only suspicious things I see in your last HJT log are these running processes:

c:\winnt\system32\dllcache\runbatch.exe
c:\winnt\system32\dllcache\userlist.exe

which are sometimes associated with the Win32/Parite.B virus (unless you are runnning Novell Netware?). Go to Start/Run, and type regedit, then navigate to see if the following key exists (don’t make any changes):

HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ PINF

If it does, you are infected. Try ther online Panda scanner I linked to in my previous post.

If it does not exist, try ending those processes in the Task Manager, and see if your problems persist.