spyware prob

stratocaster27

New Member
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:05:23 PM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\DOBE~1\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\M?crosoft\w?wexec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ErrorSafe Free\uers.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\djnoobie\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R3 - URLSearchHook: (no name) - {84B03C1A-ADA0-D67C-D6C8-82DA1DCA69B3} - C:\WINDOWS\system32\lkwra.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {84B03C1A-ADA0-D67C-D6C8-82DA1DCA69B3} - C:\WINDOWS\system32\lkwra.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\DOBE~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Error Safe Free] C:\Program Files\ErrorSafe Free\uers.exe /scan
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
 
The only unknown seen there is R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Do you have some reason to suspect any malware from some other problem?
 
Do you have Active Desktop enabled? Popup ads are everyone's nightmare. That's why IE 6 has the option to block popups while on various sites, in the Privacy section: go to "Tools" on the Explorer bar and click on the "Internet Options" link. At the bottom of the Privacy section place a check on "Block popups". Then go to the Security tab and go through the four sections there to check off "block popups" in each one.

A good adware/spyware remover should locate and remove any popup makers that slip onto the drive, along with the data miners that advertisers use to collect data on your browsing habits. To disable Active Desktop, right-click on the desktop and click on the Desktop tab. At the bottom of that screen click on the Customize button and then the "Web" tab in the center. You simply uncheck all items found.
 
Oh, there's more there than just spyware! Do the following.

This entry here - O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto tells me you've been messing with your startup programs. Please return this to Normal Startup.

Run HijackThis and put a check by the following entries, close all open windows and browsers except HijackThis and click 'Fix Checked'

R3 - URLSearchHook: (no name) - {84B03C1A-ADA0-D67C-D6C8-82DA1DCA69B3} - C:\WINDOWS\system32\lkwra.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {84B03C1A-ADA0-D67C-D6C8-82DA1DCA69B3} - C:\WINDOWS\system32\lkwra.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\DOBE~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Error Safe Free] C:\Program Files\ErrorSafe Free\uers.exe /scan

Exit HijackThis.

Next, Go to ADD/REMOVE Programs and uninstall the following if present.

Ares
ErrorSafe Free
Yazzle
YazzleActiveX
Purityscan
Snowballwars
Cowabanga
OIN Search

( or anything else with OIN in the name )


Reboot your computer and navigate to C:\Program Files and delete any of the above folders if still present.

Post a new 'HJT' log and we'll work on the other infections. Could you also explain why it appears there is no Antivirus installed and running on your computer.
 
You missed a few.

C:\WINDOWS\DOBE~1\winlogon.exe - winlogon.exe outside of the system32 folder? Not good.
C:\Program Files\Common Files\M?crosoft\w?wexec.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -

Those that are no longer needed.
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
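As an added example (not posted by anyone in this thread): a small Python script that applies the checks the replies above make by eye to a HijackThis log. It flags a core Windows binary such as winlogon.exe running from somewhere other than its expected folder, a path that HijackThis printed with a "?" because it could not render a character in the name (the M?crosoft\w?wexec.exe entry), an R3/O2/O3 hook with "(no name)" or pointing at "(no file)", and any O16 downloaded ActiveX control. The table of expected locations assumes a default XP install on drive C:, and the sample log is constructed from lines in this thread, not a real capture.

```python
import re
from collections import defaultdict

# Assumption: default Windows XP layout, system drive C:, %SystemRoot% = C:\WINDOWS.
SYSTEM32 = r"c:\windows\system32"
SYSTEM_BINARIES = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "explorer.exe": r"c:\windows",
}

# Constructed sample in HijackThis v1.99 log format, modelled on the log
# posted in this thread; it is not a real capture.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\DOBE~1\winlogon.exe
C:\Program Files\Common Files\M?crosoft\w?wexec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R3 - URLSearchHook: (no name) - {84B03C1A-ADA0-D67C-D6C8-82DA1DCA69B3} - C:\WINDOWS\system32\lkwra.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\DOBE~1\winlogon.exe" -vt yazb
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
"""

_QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')
_DRIVE_PATH = re.compile(r"[A-Za-z]:\\")


def extract_path(line):
    """Pull the file path out of one HJT line, or return None if it has none."""
    line = line.strip()
    m = _QUOTED_PATH.search(line)          # O4 entries quote paths with spaces
    if m:
        return m.group(1)
    if _DRIVE_PATH.match(line):            # "Running processes" entries are bare paths
        return line
    if " - " in line:                      # R3/O2/O3/O9/O23: the path is the last field
        tail = line.rsplit(" - ", 1)[1].strip()
        if _DRIVE_PATH.match(tail):
            return tail
    return None


def triage_line(line):
    """Return a list of (rule, evidence) findings for one log line."""
    findings = []
    line = line.strip()
    path = extract_path(line)
    if path:
        directory, _, name = path.lower().rpartition("\\")
        expected = SYSTEM_BINARIES.get(name)
        if expected and directory != expected:
            findings.append(("system-binary-outside-expected-dir", path))
        # HJT printed "?" where it could not render a character; also catch raw non-ASCII.
        if "?" in path or any(ord(c) > 127 for c in path):
            findings.append(("unrenderable-or-lookalike-char-in-path", path))
    if re.match(r"(R3|O2|O3) - ", line) and "(no name)" in line:
        findings.append(("unnamed-browser-hook", line))
    if line.endswith("(no file)"):
        findings.append(("entry-points-to-missing-file", line))
    if line.startswith("O16 - DPF:"):
        findings.append(("downloaded-activex-control", line))
    return findings


def triage_log(text):
    """Run triage_line over every line of a log and collect the findings."""
    out = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


def count_by_rule(findings):
    """Summarise findings as {rule: count}."""
    counts = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, evidence in triage_log(SAMPLE_LOG):
        print(f"{rule:40} {evidence}")
```

These are heuristics for a first pass, not a verdict: a legitimate add-on can show "(no name)", and a system binary in an unexpected folder still needs the file hashed or submitted before it is deleted. On the sample log the script produces seven findings, covering every entry the replies above singled out.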
 
Could you also explain why it appears there is no Antivirus installed and running on your computer.

Some people are not familiar with running antivirus or spyware/adware removers. Others prefer not to, since Norton, McAfee, and other programs interfere with games and applications. It's up to them.

That's why I said this!

The idea is to clean off what is clearly visible and then examine a new log to see if anything else shows up. If nothing else is found, you start a search for the hosts file in case some type of trojan remains hidden on the drive. The GameSpy Arcade and Google toolbars are adware carriers there.
 
Others prefer not to, since Norton, McAfee, and other programs interfere with games and applications. It's up to them.

If that is the choice they have made, then they should be prepared to cleanup their machines themselves.

The idea is to clean off what is clearly visible and then examine a new log to see if anything else shows up.

There are different, multiple infections present, and the poster was given enough to do to begin with the cleaning. Then they would be given another cleaning tool and instructions to deal with the trojans!
 
Since HT only covers IE add-ons and some new startups found, that advice is often given prior to having someone post a log. Often you wouldn't even know a trojan of some type is there, since it doesn't make any entries in the system registry or is in deeper than HT will show.
 
I am having popup problems as well, but I just simply got a few good popup blockers (Google Toolbar, Yahoo Toolbar, Windows Live Toolbar and I Hate Popups) and scanned my system with Ad-Aware SE and Spybot ;) and it seems to be working up to this point.
 
You still get those even with IE 7! :mad: You just don't see as many since it is the new browser out. But something that goes well with Ad-Aware is Ewido, under the new name of AVG Anti-Spyware Free, found at http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free That catches a ton of data miners that Ad-Aware misses. But going into the security setting in each category on IE allows you to enable the "block all popups" option there. You just won't be able to open a second window from a link. :(
 