SPYWARE??...TROJAN??

Status
Not open for further replies.

hearthacker

Journeyman
Hi people, I was recently infected with spyware but I eradicated it using Spy Sweeper. One main problem still persists, though: while I'm working, suddenly my taskbar and stuff changes to the colour of the classic Windows colour scheme and my computer restarts. Please solve my problem.

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:03 AM, on 1/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\explorer.exe
H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
H:\Program Files\FarStone\VirtualDrive\vdtask.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\FarStone\VirtualDrive\Netsrv.exe
H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
H:\Program Files\D-Tools\daemon.exe
H:\Program Files\VIAudioi\SBADeck\ADeck.exe
H:\WINDOWS\System32\ctfmon.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Sify Broadband\BBImpSec.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\System32\LVComS.exe
H:\Program Files\Sify Broadband\BBClient.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
E:\Softwares\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = *www.sifymax.com/bbhome/?userid=12364&check=703030d1400030c1a070a11030f1506000c1102060f1b020814000405060c0400020505000e1b08160d1551415b6f5b574f5a5
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - H:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] H:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=010506 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Virtual Drive] "H:\Program Files\FarStone\VirtualDrive\vdtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LogitechVideoRepair] H:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] H:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AudioDeck] H:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SystemLoader] H:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Microsoft Office] H:\WINDOWS\System32\msvcp.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SifyBB] H:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] H:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "H:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Adobe Gamma.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 3D!Turbo Experience.lnk = H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
O4 - Global Startup: HotSync Manager.lnk = H:\Palm\HOTSYNC.EXE
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///H:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///H:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///H:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - H:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - *static.35mb.com/applet/applet_l.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - *ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - H:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - *www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - *www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - *67.15.101.3/g_bin/eng/billard8_2_0_0_24.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41B1DCFE-0F22-444B-8CAF-B33F0C6E95BE}: NameServer = 210.210.69.72,202.144.50.4
O20 - Winlogon Notify: msupdate - H:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Adobe LM Service - Adobe Systems - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - H:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
 

mkmkmk

In the zone
Install hijack remote, and mail your fresh log; you will get a reply in 12-24 hrs from experts.

I have experienced this once, really worth it, dude.
 

anandk

Distinguished Member
One problem I've noticed is that sysldr32.exe is a trojan, Troj/Agobot-A.

I suggest you run Microsoft AntiSpyware and your antivirus in Safe Mode or at boot time. I suggest you download Avast or AVG antivirus. Install, update, reboot, scan. With MS AntiSpyware you can also restore your browser and other settings. :)
 

Sreekanth V

Journeyman
cyborg, it isn't worth reinstalling without giving it a try.
An antivirus scan in Safe Mode and a spyware scan with some more spyware removers may stop this problem.
 

swatkat

Technomancer
Hi,
Download KillBox, extract it to your desktop.


Download and install Ewido Security Suite v3.5. After download, double-click on the file to launch the install process. During installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch Ewido by double-clicking the "e" icon on your desktop. The program will prompt you to update; click the "OK" button. On the left side of the main screen, click on "Update" and then click "Start Update". After the updates are installed, exit from Ewido.


Reboot to Safe Mode.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:

F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM\..\Run: [SystemLoader] H:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Microsoft Office] H:\WINDOWS\System32\msvcp.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - *ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - *www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - *67.15.101.3/g_bin/eng/billard8_2_0_0_24.cab
O20 - Winlogon Notify: msupdate - H:\WINDOWS\SYSTEM32\msupdate32.dll


Close all other open programs except HijackThis and click the Fix Checked button in HijackThis.


Run Ewido, click the "Scanner" button in the left menu, then click "Settings"; there, select the option "Scan every file" and click "OK". Next, click the "Complete System Scan" button to start the scan. If Ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Open Killbox.exe. Check the following box:-

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.
H:\WINDOWS\System32\explorer.exe
H:\WINDOWS\sysldr32.exe
H:\WINDOWS\System32\msvcp.exe
H:\WINDOWS\SYSTEM32\msupdate32.dll
Then in Killbox click File > Paste from Clipboard.

At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click the Red X button, and for the confirmation message that will appear, you will need to click "Yes".

A second message will ask "Reboot now?"; you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method, you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the Red X, and for the confirmation message that will appear, you will need to click "Yes". A second message will ask "Reboot now?"; you will need to click "No" until the last one, at which time you click "Yes" to allow the reboot.


Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner. Save the log it gives after the scan.

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.
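Added example (editor's code, not from this thread, HijackThis or Killbox): a script that does the triage swatkat did by hand on the log above and produces both lists the procedure needs. HijackThis's Fix Checked removes the registry or Downloaded Program Files entry but leaves the file on disk, which is why the Killbox step follows it. The sample log is a subset of the posted log with its wrapped lines re-joined. The allowlists, the imgfarm.com adware domain and the reading that H:\WINDOWS\System32\explorer.exe is on the Killbox list because an unqualified Shell=explorer.exe resolves to System32 before %SystemRoot% are my assumptions, not anything stated in the thread. The rules reproduce swatkat's F2, O4, O20 and two O16 picks; the systemrequirementslab.com cab is not flagged, because nothing in the log alone separates it from the nullsoft.com and 35mb.com cabs, so that one stays a manual call.

```python
"""Triage a HijackThis 1.99 log like a forum helper: pick the entries to tick for
"Fix Checked" and list the files behind them for Killbox's "Paste from Clipboard"."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Editor's assumptions, not data from HijackThis or Killbox: files that legitimately
# sit directly in the Windows tree and start from Run keys on XP, known-good
# third-party Winlogon Notify packages, and the adware domain seen in the log above.
RUN_ALLOWLIST = {"ctfmon.exe", "nvcpl.dll", "nvmctray.dll", "nwiz.exe", "nerocheck.exe"}
NOTIFY_ALLOWLIST = {"igfxcui.dll", "navlogon.dll"}
ADWARE_DOMAINS = {"imgfarm.com"}  # FunWebProducts / SmileyCentral installer

# Constructed sample: entries copied from the posted log, wrapped lines re-joined.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemLoader] H:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Microsoft Office] H:\WINDOWS\System32\msvcp.exe
O4 - HKCU\..\Run: [SpySweeper] "H:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - *ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - H:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - *www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - *67.15.101.3/g_bin/eng/billard8_2_0_0_24.cab
O20 - Winlogon Notify: msupdate - H:\WINDOWS\SYSTEM32\msupdate32.dll
"""

WINDIR_FILE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?([^\\]+)$", re.I)
O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    entry: str            # the HijackThis line, verbatim
    reason: str
    path: Optional[str]   # file to hand to Killbox, when one can be named


def first_executable(cmd: str) -> str:
    """Image a Run-key command starts: quoted paths taken whole, RUNDLL32 unwrapped to
    its DLL. An unquoted path with spaces is cut at the first space, and such a cut
    path only matches the Windows tree when the file really is in it."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    parts = cmd.split()
    if len(parts) > 1 and parts[0].lower() in ("rundll32", "rundll32.exe"):
        return parts[1].split(",")[0]
    return parts[0] if parts else ""


def triage(log: str) -> List[Finding]:
    m = re.search(r"([a-z]:\\windows)\\", log, re.I)   # drive letter varies; read it
    windir = m.group(1) if m else r"C:\WINDOWS"
    found: List[Finding] = []
    for line in (raw.strip() for raw in log.splitlines()):
        if m := F2_RE.match(line):
            shell = m.group(1).strip()
            if "\\" not in shell:
                # winlogon.exe runs from System32, so an unqualified Shell= name is found
                # in System32 before %SystemRoot%: a planted copy there becomes the shell.
                found.append(Finding(line, "Shell= is unqualified; remove any planted "
                                     "copy in System32", f"{windir}\\System32\\{shell}"))
        elif m := O4_RE.match(line):
            image = first_executable(m.group(1))
            w = WINDIR_FILE.match(image)
            if w and w.group(1).lower() not in RUN_ALLOWLIST:
                found.append(Finding(line, "Run key starts an unrecognised file "
                                     "dropped straight into the Windows tree", image))
        elif m := O16_RE.match(line):
            target = m.group(1).strip().lstrip("*")    # "*" is the forum's link-breaker
            if re.match(r"^[a-z]:\\", target, re.I):
                continue                                # local DLL, not a download
            host = re.sub(r"^https?://", "", target).split("/")[0]
            if IPV4_RE.match(host):
                found.append(Finding(line, "ActiveX cab served from a bare IP", None))
            elif any(host == d or host.endswith("." + d) for d in ADWARE_DOMAINS):
                found.append(Finding(line, "ActiveX cab from a known adware host", None))
        elif m := O20_RE.match(line):
            dll = m.group(1).strip()
            if dll.rsplit("\\", 1)[-1].lower() not in NOTIFY_ALLOWLIST:
                found.append(Finding(line, "unrecognised Winlogon Notify DLL; it loads "
                                     "into winlogon.exe at logon", dll))
    return found


def killbox_list(findings: List[Finding]) -> List[str]:
    """De-duplicated paths in log order, ready to paste into Killbox."""
    seen, out = set(), []
    for f in findings:
        if f.path and f.path.lower() not in seen:
            seen.add(f.path.lower())
            out.append(f.path)
    return out


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"FIX  {f.entry}\n     {f.reason}")
    print("\nKillbox paste list:\n" + "\n".join(killbox_list(hits)))
```

Run it as a script to print the findings and the paste list. On a real log, treat the output as a review queue rather than an automatic fix: confirm each flagged file actually exists before handing it to Killbox (it reports files that do not exist, as the post notes), and expect the allowlists to need extending for every vendor installed on the machine.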