hi,after scanning with pc tools spyware doc i`m getting a result of "known Bad site"in my temp internet files i remove it and its back again even after turning off system restore..the site seems to be www.yceml.net..
any help would be appreciated
hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 13:06:38, on 06/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.karoo.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C4EB11B-1C3B-4080-9AB5-EE840BAFFEB9}: NameServer = 194.152.64.34 194.152.64.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C4EB11B-1C3B-4080-9AB5-EE840BAFFEB9}: NameServer = 194.152.64.34 194.152.64.35
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
0
Browser Internet temp file-hijack
Started by Fluffy, Jul 06 2007 12:12 PM
3 replies to this topic
#2 OFFLINE
-
- Moderators
-
- 8,858 posts
I hate computers
- Gender:Male
Posted 09 July 2007 - 05:38 AM
It could be a false positive. Site advisor says its clean and the only comment is from a pctools user saying its bad:
http://www.siteadvis...sites/yceml.net
Running CCleaner should clear it out though.
You log looks good to me though. For a second opinion maybe try avg antispyware or superantispyware.
http://www.siteadvis...sites/yceml.net
Running CCleaner should clear it out though.
You log looks good to me though. For a second opinion maybe try avg antispyware or superantispyware.
#3 OFFLINE
-
- Members
-
- 314 posts
Advanced Member
- Location:Yorkshire
Posted 09 July 2007 - 08:15 AM
rridgely, on Jul 9 2007, 06:38 AM, said:
It could be a false positive. Site advisor says its clean and the only comment is from a pctools user saying its bad:
http://www.siteadvis...sites/yceml.net
Running CCleaner should clear it out though.
You log looks good to me though. For a second opinion maybe try avg antispyware or superantispyware.
http://www.siteadvis...sites/yceml.net
Running CCleaner should clear it out though.
You log looks good to me though. For a second opinion maybe try avg antispyware or superantispyware.
#4 OFFLINE
-
- Members
-
- 314 posts
Advanced Member
- Location:Yorkshire
Posted 09 July 2007 - 08:25 AM
Rridgley,thanks for that
Spyware doc scan said it was a known bad site,which could be used for phishing and redirection of say your bank etc,what annoyed me was everytime i took the file off my temp intternet files,next time i logged on it was back and then obviously the scan picked it up again,i noticed the file has an expiry date of 9/7/ 22.29. when i opened tthe file it said... e.bay.co.uk,so not sure if it was used by ebay or the site was trying to redirect me!
but i guess your right and its just freaked me!
I would have liked a way of making sure it doesn`t come back!
I do use trend micro house call,will try that as a second opinion1
Thanks again for your help,i bet i`m not the only one wanting to thank you guys for the help you give us on this forum
cheers
Spyware doc scan said it was a known bad site,which could be used for phishing and redirection of say your bank etc,what annoyed me was everytime i took the file off my temp intternet files,next time i logged on it was back and then obviously the scan picked it up again,i noticed the file has an expiry date of 9/7/ 22.29. when i opened tthe file it said... e.bay.co.uk,so not sure if it was used by ebay or the site was trying to redirect me!
but i guess your right and its just freaked me!
I would have liked a way of making sure it doesn`t come back!
I do use trend micro house call,will try that as a second opinion1
Thanks again for your help,i bet i`m not the only one wanting to thank you guys for the help you give us on this forum
cheers
