Spyware infestation.

[The Last Conformist]

I seem to've got a fast nasty spyware infestation - errorsafe. Thought that maybe someone here could help me. Provided below is a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:08:21, on 2006-05-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\Program\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\Program\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\Program\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SCURIT~1\csrss.exe
C:\Program\F?nts\s?ool32.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe
C:\Program\Winamp\winamp.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\DC++\DCPlusPlus.exe
C:\Program\Miranda IM\miranda32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nTrayFw] C:\Program\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Asep] "C:\WINDOWS\SCURIT~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Hkztv] C:\Program\F?nts\s?ool32.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O23 - Service: app_filter - Unknown owner - C:\Program\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

[Andu Indorin]

Just out of curiousity, is the "HijackThis" the spyware or the spyware removal program?

 

[The Last Conformist]

HijackThis is a scanning program identifying potentially troublesome stuff in the registry and in certain parts of the harddrive.

 

[Genocidicbunny]

Holy mother of mary thats a long log. What i would do if i were you, is look throught these carefully, and any that seem suspicious, google, and remove as ncessary.

 

[Comraddict]

it is long because he doesn't take out unnecessary stuff from loading with machine. Every program that automatically load itself by default is on that list (qtask, jusched, etc)

 

[Grisu]

most of these there look ok, though a few are just resource-wasters, but this one looks a bit fishy

C:\Program\F?nts\s?ool32.exe

also this

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

webhancer is a well known adware

just out of curiosity. why are you running an apache webserver inside the Nvidia folder? do nvidia drivers nowadays need a local webserver? :crazy:

 

[The Last Conformist]

most of these there look ok, though a few are just resource-wasters, but this one looks a bit fishy


also this

webhancer is a well known adware

Deleted those already - the guys at 'Poly responded quicker. The problem seems to've gone away.

just out of curiosity. why are you running an apache webserver inside the Nvidia folder? do nvidia drivers nowadays need a local webserver? :crazy:

Damned if I know. I would guess its for the Nvidia firewall.

 

[AL_DA_GREAT]

Download addaware! It is free and deletes spyware. Everybodyshould get it.
google it.

 

[Chukchi Husky]

I don't think Ad Aware can find errorsafe. I don't think it could find Winfixer, which appears the same way as errorsafe.

 

[Prometheus1992]

try sophos.com, it helps a lot, if you can't find it, just delete all files with the word "Hijacker" in it