#1 (permalink)
Gold Member
Join Date: Jun 2005
Posts: 263

Folks, I did a scan using ScanSpyware software and got the following log:

Application Information
=======================
Application Version: ScanSpyware v3.8 build 3.8.0.4
Original Database: pests01-02-06.db
Updated Database: ssdb030206.db
Current Date: Saturday, March 04, 2006 04:15:34 PM
__________________________________________________
Directories recognized:
=======================
__________________________________________________
Files recognized:
=================
[AGOBOT] C:\WINDOWS\System32\atiphexx.exe
[AlCan.A] C:\WINDOWS\System32\taskmgr.com
[NauPointBar] C:\WINDOWS\downloaded program files\iEBINST2.TaskDB
[NauPointBar] C:\WINDOWS\downloaded program files\iEBINST2.ResultDB
[RBOT.OR] C:\WINDOWS\System32\atiphexx.exe
[SAH Agent] C:\WINDOWS\downloaded program files\setup.inf
[SAH Agent] C:\WINDOWS\downloaded program files\SETUP.INF
__________________________________________________
Registry keys recognized:
=========================
[NetPumper] HKEY_CLASSES_ROOT\Interface\{E0ABBF96-17DC-44CA-96D0-6217064A97BA}
[NetPumper] HKEY_CLASSES_ROOT\TypeLib\{F7258F6E-9F60-49C0-8C82-F0A0993D68E0}
[NetPumper] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0ABBF96-17DC-44CA-96D0-6217064A97BA}
[NetPumper] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F7258F6E-9F60-49C0-8C82-F0A0993D68E0}
__________________________________________________
Registry values recognized:
===========================
__________________________________________________
Cookies recognized:
===================
[Tracking Cookies] c:\documents and settings\family\cookies\family@statcounter[2].txt
__________________________________________________

Now since I'm using a trial version, I can't remove the programme through the software, and an additional scan using Panda antivirus online scan showed 2 spywares:
1. pcpowerscan.exe
2. Redhotnetworks videox.inf
But a search on the computer did not find the above two files. I have also deleted the system restore files, thinking maybe the backup had the adware, but the scan still shows the same result. Please help.
__________________
he who laughs last must have a terrible sense of humor :eek:

#2 (permalink)
Gold Member
Join Date: Jun 2005
Posts: 263

Logfile of HijackThis v1.99.1
Scan saved at 9:58:46 PM, on 3/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\FAMILY\My Documents\HijackThis.exe

R0 - HKCU\Software\M*cros*ft\Internet Explorer\Main,Start Page = http://www.msn.co.in
R0 - HKLM\Software\M*cros*ft\Internet Explorer\Main,Start Page = http://www.msn.co.in
R0 - HKCU\Software\M*cros*ft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\M*cros*ft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CleanMyPCPopupBlocker Class - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\M*cros*ft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37670.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

#3 (permalink)
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,927

Scanspyware is on the rogue list.
http://www.spywarewarrior.com/rogue_anti-spyware.htm "false positives work as goad to purchase".
__________________
The Grim Reaper - Son of Glyndwr "To Hell or Connacht" may you burn in Hell tonight!

#4 (permalink)
Gold Member
Join Date: Jun 2005
Posts: 263

Now since I'm using a trial version, I can't remove the programme through the software, and an additional scan using Panda antivirus online scan showed 2 spywares:
1. pcpowerscan.exe
2. Redhotnetworks videox.inf
But a search on the computer did not find the above two files. I have also deleted the system restore files, thinking maybe the backup had the adware, but the scan still shows the same result. Please help.

#5 (permalink)
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,927

Download the trial version of Spy Sweeper from Here
Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)
You will be prompted to check for updated definitions; please do so. (This may take several minutes.)
Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove. Click Select All and then Next.
Exit Spy Sweeper.
Then run the Panda scan again, and see if it flags anything.

#9 (permalink)
Gold Member
Join Date: Jun 2005
Posts: 263

Yes, only pcpowerscan.exe adware found. Videox has been removed by Spy Sweeper.
EDIT: Sorry, wrong location specified. Sorry again. Correct location in subsequent post.
Last edited by sidthereal; 03-08-2006 at 11:09 PM.

#10 (permalink)
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,927

Quote: