hacker/trojan? definitely something!

Persistently bothered with spyware such as DoubleClick, Mediaplex, AtlasDMT etc. etc., which I have no trouble detecting or removing, but I am certain that I have some kind of trojan/dialer/hacker on my system causing the problem!

Online scans don't detect anything nasty, but they always exclude files that they cannot scan, and there are a lot of them (more than there should be); just by the way the system is acting I can tell there is a problem!

So the problem is, how can I cure it when I don't know how to find it?
I have tried running the online scans in safe mode of course, and I do keep finding minor spyware problems, but nothing serious!

I also downloaded a file unlocker to unlock all the system-protected files to allow them to be scanned, but they still wouldn't unlock? I kept getting requests to enter the file password even though it shouldn't (and hasn't from me) got one?

I have attached a scan result from Panda to illustrate what I am talking about, and I would be happy to follow any advice you can give, but please don't get very technical on me as my knowledge isn't great, so I am a step-by-step person!

I am aware that this shows possible fix files in my desktop folder, but what are the other items? And where do I go now? :cry:

Also attached is Avast's own virus cleaner log!

This sounds like adware, so it is not likely to be picked up by anti-virus scanners; you would be better off with a specialist anti-adware/spyware program. Sorry, I haven't downloaded the attached files: I don't download unknown content, plus it is easier to copy and paste the contents directly into the post. That way it is available for all to see without having to download anything.

If you haven’t already got this software (freeware), download, install, update and run it.

  1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-Squared Free if using Win98/ME.

  2. Ad-Aware SE Personal Edition

  3. Spybot Search and Destroy

  4. SpywareBlaster. Don't install this until you are clean.

  5. Download HijackThis.zip - HiJackThis Tutorial

Hi, thx for your help!

I already have Ad-Aware and Spybot, and both of them detect and remove stuff regularly (it just keeps coming back), even if I delete it in safe mode with restore turned off (disconnected from the internet, of course).

My anti-virus is a full internet security package (ha ha!) with anti-spyware and firewall as well as anti-virus!
It is PCguard (supplied by my internet provider); should have renewed my Norton…sigh

But this is a copy-paste of what the built-in spyware program detected and deleted!

PCguard Anti-Spyware
Spyware Report (06/11/2006 23:28:12)
Deleted Spyware Type Date deleted
QuestionMarket.com Spyware cookie 06/11/2006 22:56:24
Com.com Spyware cookie 06/11/2006 22:56:23
As1.falkag.de Spyware cookie 06/11/2006 22:26:17
TribalFusion.com Spyware cookie 06/11/2006 21:44:08
Mediaplex.com Spyware cookie 06/11/2006 21:32:01
DoubleClick Spyware cookie 06/11/2006 21:32:01
AtlasDMT.com Spyware cookie 06/11/2006 21:32:01
DoubleClick Spyware cookie 06/11/2006 20:56:53
Mediaplex.com Spyware cookie 06/11/2006 20:56:48
DoubleClick Spyware cookie 06/11/2006 20:56:48
AtlasDMT.com Spyware cookie 06/11/2006 20:56:48
AtlasDMT.com Spyware cookie 06/11/2006 20:39:01
Mediaplex.com Spyware cookie 06/11/2006 20:33:00
DoubleClick Spyware cookie 06/11/2006 20:32:59
DoubleClick Spyware cookie 06/11/2006 20:26:58
AtlasDMT.com Spyware cookie 06/11/2006 20:26:58
Advertising.com Spyware cookie 06/11/2006 20:26:58
TribalFusion.com Spyware cookie 06/11/2006 16:04:43
Tacoda cookie Spyware cookie 06/11/2006 16:04:43
Falkag Spyware cookie 06/11/2006 16:04:43
Falkag Spyware cookie 06/11/2006 16:04:43
Tacoda cookie Spyware cookie 06/11/2006 15:58:42
Revenue.net Spyware cookie 06/11/2006 15:58:42
DoubleClick Spyware cookie 06/11/2006 15:58:42
Ad.YieldManager.com Cookie Spyware cookie 06/11/2006 15:58:42
Revenue.net Spyware cookie 06/11/2006 15:40:39
DoubleClick Spyware cookie 06/11/2006 15:40:39
AtlasDMT.com Spyware cookie 06/11/2006 15:40:39
Ad.YieldManager.com Cookie Spyware cookie 06/11/2006 15:40:38
DoubleClick Spyware cookie 06/11/2006 15:34:37
AtlasDMT.com Spyware cookie 06/11/2006 15:34:37
DoubleClick Spyware cookie 06/11/2006 15:28:36
AtlasDMT.com Spyware cookie 06/11/2006 15:28:36
TribalFusion.com Spyware cookie 06/11/2006 00:36:26
Mediaplex.com Spyware cookie 06/11/2006 00:36:25
DoubleClick Spyware cookie 06/11/2006 00:36:25
AtlasDMT.com Spyware cookie 06/11/2006 00:36:25
TribalFusion.com Spyware cookie 06/11/2006 00:28:22
Mediaplex.com Spyware cookie 06/11/2006 00:28:21
DoubleClick Spyware cookie 06/11/2006 00:28:21
AtlasDMT.com Spyware cookie 06/11/2006 00:28:21

File generated by PCguard Anti-Spyware

In my next replies I will copy-paste the logs I attached earlier and a new HijackThis log!

thx!

KASPERSKY ONLINE SCANNER REPORT
Monday, November 06, 2006 11:35:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/11/2006
Kaspersky Anti-Virus database records: 238710

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:
C:
D:
E:
F:
G:
H:
I:\

Scan Statistics
Total number of scanned objects 39529
Number of viruses found 1
Number of infected objects 1 / 0
Number of suspicious objects 0
Duration of the scan process 00:30:06

Infected Object Name Virus Name Last Action
C:\Documents and Settings\adam\Application Data\Telewest\PCguard advisor\client_gateway.log Object is locked skipped

C:\Documents and Settings\adam\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\adam\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\adam\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\adam\Local Settings\History\History.IE5\MSHist012006110620061107\index.dat Object is locked skipped

C:\Documents and Settings\adam\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\adam\ntuser.dat Object is locked skipped

C:\Documents and Settings\adam\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\blueyonder\PCguard\logs\FirewallService11-06-2006–21-27-15.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\blueyonder\PCguard\logs\Fw_Session.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\blueyonder\PCguard\logs\SafetyConsoleLog11-06-2006–21-27-49.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\blueyonder\PCguard\logs\ServiceModel11-06-2006–21-27-49.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_942081314_1757085696_9404 Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec{EB4E31A8-BAC0-44D4-97F5-62105EE0A721}.TmpSBE Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information_restore{14A5FE0F-6C24-4EA4-9D3D-1DD1EE1BD5F4}\RP7\A0001925.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information_restore{14A5FE0F-6C24-4EA4-9D3D-1DD1EE1BD5F4}\RP7\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_Agere Systems PCI Soft Modem.txt Object is locked skipped

C:\WINDOWS\Registration{02D4B3F1-FD88-11D1-960D-00805FC79235}.{08D4170C-10FB-42BD-813F-4E1B4280DDF1}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache{BA52B18B-46D1-4C2E-AE61-B34B36B94469}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\Sam Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Security Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\Software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\System Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information_restore{14A5FE0F-6C24-4EA4-9D3D-1DD1EE1BD5F4}\RP7\change.log Object is locked skipped

Scan process completed.

This is the Kaspersky online scan result (set for full scan).

Is it me, or are there a lot of folders/files it can't scan???

Logfile of HijackThis v1.99.1
Scan saved at 16:57:32, on 07/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\WinClamAVShield\sp_clam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blueyonder.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [Dit] Dit.exe
O4 - HKLM..\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [PCguard] “C:\Program Files\blueyonder\PCguard\Rps.exe”
O4 - HKLM..\Run: [PCguardadvisor.exe] “C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe”
O4 - HKLM..\Run: [SpywareTerminator] “C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe”
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162842708015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162842696187
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

I have read the tutorial for HijackThis, but unfortunately it doesn't seem to sink in (guess I am a bit thick), and I can't decide what is and what isn't right in this scan!

  1. I generally don’t worry about so called tracking cookies, etc. and just let the program delete them.

  2. The Kaspersky stuff not being able to be scanned, or being locked, is a little like the avast report after a scan of files it can't scan. The fact that they can't be scanned or are locked doesn't mean they are harmful.

  3. This is an on-line analysis of your log, http://hijackthis.de/logfiles/843631eca6f4839ec4daf28a671de5bd.html. There are some unknown (mostly related to PCGuard) and one possibly nasty (also related to PCGuard), but for the most part it looks clean. You need to check out the unknown entries: google the file names, upload them for scanning, etc., and fix if required.

My only concerns are:

You are also using clamwin as an integration with SpywareTerminator, this could conflict with avast as it is effectively another resident AV.

You have Panda in the mix; I don't know if this is just because you have used the on-line scanner. If so, you can end up with detections by avast because they don't encrypt their virus signatures.

I don’t know if PCGuard comes with an active on access AV.

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
This seems to be yet another AV - Description: dvpapi.exe is a process belonging to Authentium Antivirus.

Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
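The advice in the post above is to work through the HijackThis log entry by entry and investigate anything unknown. As an added illustration of how a reader might triage such a log mechanically (this is example code written here, not part of the thread, of HijackThis, or of the hijackthis.de analyser), the script below parses the `Oxx - ...` lines into records and attaches review flags: references marked "(file missing)", unnamed BHOs, Run entries given without a full path (Windows has to search for those before the file can be checked), ActiveX downloads with their source host, Winlogon Notify DLLs and services. The sample lines are reproduced from the log quoted earlier in the thread, with the Run-key prefix written in HijackThis's normal `HKLM\..\Run:` form; the flag rules are this example's own heuristics, not a verdict on any entry.

```python
import re

# Constructed sample input: a subset of the HijackThis v1.99.1 log quoted in the
# thread, embedded so the script runs offline. The Run-key prefix is written in
# the tool's usual "HKLM\..\Run:" form.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
"""

# A log entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 body: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage(section, body):
    """Return review flags for one entry (hypothetical heuristics for this example)."""
    flags = []
    if "(file missing)" in body:
        flags.append("file missing: orphaned reference, find out what installed it")
    if "(no name)" in body:
        flags.append("unnamed BHO: identify it by its CLSID and DLL path")
    if section == "O4":
        rm = RUN_RE.match(body)
        if rm:
            cmd = rm.group("cmd").strip().strip('"')
            if "\\" not in cmd:
                # No directory given: the loader searches for the file, so the
                # reviewer must locate the actual binary before checking it.
                flags.append("Run entry without a full path: locate the file before checking it")
    if section == "O16":
        host = re.search(r"https?://([^/]+)", body)
        if host:
            flags.append(f"ActiveX download from {host.group(1)}: confirm the host is one you trust")
    if section == "O20":
        flags.append("Winlogon Notify DLL: loaded at logon, verify the publisher")
    if section == "O23":
        flags.append("service: check the vendor name against the binary path")
    return flags


def parse_entries(text):
    """Parse a HijackThis log into dicts of section, body and triage flags."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.group("section"), m.group("body")
        entries.append({"section": section, "body": body, "flags": triage(section, body)})
    return entries


def entries_needing_review(entries):
    """Only the entries that picked up at least one flag."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in entries_needing_review(parse_entries(SAMPLE_LOG)):
        print(f"{e['section']}: {e['body']}")
        for f in e["flags"]:
            print(f"    -> {f}")
```

Running it on the sample prints the O2 "(no name)" helper, the path-less AGRSMMSG Run entry, the Kaspersky ActiveX control, the missing WRLogonNTF.dll and the DvpApi service, each with the reason it deserves a look; the Adobe BHO and the fully-pathed PCguard Run entry pass through unflagged. The flags are prompts for the manual steps the post describes (look up the file name, check the vendor, submit the file for scanning), not a clean/infected verdict.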

Hi, yes I am aware of possible conflicts with more than one anti-virus product!

The Panda was/is only an online scan; I have never had Panda anti-virus!

I downloaded Spyware Terminator with Clam only after coming on here and reading other people's problems to see if anything was similar to my own, and I have just run a scan with it and detected (and hopefully removed) sirius annihilator.272 (but my problems persist).

PCguard is a supposedly full protection system which includes anti-virus, anti-spy, firewall, pop-up blocker, net nanny etc. etc. Authentium is the company that provides the anti-virus aspect of the product. (It seems they got different providers to supply the separate components and stuck them all together and called it PCguard.)

I am not sure what the possible nasty is that you refer to in my HijackThis log?

Panda's on-line scanner dumps its unencrypted signature files in the ActiveScan folder and is a right royal screw-up, putting this junk into the system32 folder.

There are also many references in the forums not to have ClamWin integrated with SpywareTerminator.

Look at the on-line analysis link I gave you. There is 1 entry in that analysis flagged possibly nasty; I also said it was related to PCGuard. If you know what it is and it isn't a problem, then there is no problem (I have never used PCGuard, so I can't say with any degree of certainty). All I'm saying is you must investigate all flagged entries: unknown/possibly nasty, etc.

If you are aware of any possible conflict with more than one resident AV, what do you intend to do about it? Any clash/conflict could leave your system vulnerable. Your system, your choice though.

Also see Hidden things http://invisiblethings.org, as this is possibly what it may be if it doesn't show up in a HJT log.

Sorry, I forwarded that to the online support for PCguard!
Those unknown/maybe nasties are all part of their internet security package, so they say they are nothing to worry about! (I hope they are correct, as nobody else knows about it…lol)

I don't have an ongoing conflict with anti-virus as I uninstalled the Clam (I only installed it to run 1 scan with the Spyware Blaster, as Spyware Blaster recommended it); I basically used it as a one-off/online type scan!

I am now going to pursue the hidden things angle as that may well show up something. (Will let you know)

many thanks

:slight_smile: Hi:

Since you are using Telewest's "BlueYonder PCGuard (Security Suite)" and NOT Avast, you should be asking your questions to them; after all, this is an Avast Support Forum. I did find the following; have you read it!?

www.telewest.co.uk/html/internet/pcguard.html

There is nothing on this page suggesting it "controls" cookies; for that you should be using a "cookie manager", such as the good & FREE "CookieWall", best downloaded from: www.spychecker.com/program/cookiewall.html. Info about the program is there AND on the Author's site at www.analogx.com.

It is a bad idea to use ANYTHING "OFFERED" by an ISP other than connecting to the internet and possibly email "service"; you never know the QUALITY of WHAT is in their nebulous "Security Suite", and no info was forthcoming while I was there.