2004-12-05, 17:53 | Link #1 |
Boobies˛ = Fun
Spyware Ident Help
So a friend of mine got some spyware recently. I did the whole boot into safe mode and run Ad-Aware and Spybot, and cleaned everything up as best I could. Must not have worked because the garbage was right back changing his homepage, and making his right click blank the screen (to keep him from deleting it I guess).
So I got him to run hijackthis and he sent me the logfile. Code:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\inetm\services.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\inetm\explorer.exe
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Multimedia\main\ATIMMC.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\SSSTARS.SCR
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Dean Jacobs\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlygoodsearch.com/10040/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096235329703
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
2004-12-05, 18:35 | Link #2 |
Raid-the-mods
Join Date: Nov 2003
Location: Sol System
He has a simple case of an adware server.
CWShredder can remove it. (Makers of HijackThis) http://www.intermute.com/spysubtract..._download.html or download this tool: http://www.safer-networking.org/files/delcwssk.zip
2004-12-05, 18:49 | Link #3 | |
Boobies˛ = Fun
Quote:
2004-12-05, 21:48 | Link #4 |
Raid-the-mods
Join Date: Nov 2003
Location: Sol System
The rest of the apps that are listed are basic Windows and various system software.
The giveaway for major spyware type is the default IE startup page. In this case: www.onlygoodsearch.com. It's a very common adware site.
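The two replies above triage the log by eye: everything is ordinary Windows or vendor software except the IE start page, which points at an adware host, and the log also shows a `services.exe` living in `C:\WINDOWS\inetm` rather than `System32`, registered both in `win.ini` (F3) and in the HKLM and HKCU Run keys. The following script is an added example (not the thread's or HijackThis' own code) that applies those same checks mechanically, and goes slightly beyond the thread by also flagging orphaned BHO entries and executables registered in more than one Run location. The sample log is a constructed subset of the posted log; the allowlist of default start-page hosts and the table of where XP system binaries are expected to live are assumptions for this example.

```python
"""Triage helpers for HijackThis-style log lines.

Added example, not part of the thread and not HijackThis' own code.
The sample lines are a constructed subset modelled on the log posted above;
the allowlist of default start-page hosts and the table of where Windows
system binaries normally live are assumptions for this example.
"""
import re
from collections import Counter

# Constructed sample: a subset of the posted log with the entries the thread
# discusses (start page hijack, win.ini run= line, duplicated Run entries for
# C:\WINDOWS\inetm\services.exe, an orphaned BHO) plus one benign Run entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlygoodsearch.com/10040/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
"""

# Assumption: the OEM default on this machine (dellnet.com per the log) plus a blank page.
DEFAULT_HOSTS = {"www.dellnet.com", "about:blank"}

# Assumption: directories where these Windows binaries are expected on XP.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def host_of(url):
    """Return the host part of a URL, or the whole value when it has no scheme."""
    m = re.match(r"^[a-z]+://([^/]+)", url.strip(), re.IGNORECASE)
    return (m.group(1) if m else url.strip()).lower()


def exe_path(text):
    """Extract the first drive-rooted .exe path from a log line (quotes and arguments dropped)."""
    m = re.search(r'"?([A-Za-z]:\\[^"]*?\.exe)', text, re.IGNORECASE)
    return m.group(1) if m else None


def check_masquerade(path, line, findings):
    """Flag a well-known system binary name running from an unexpected directory."""
    directory, _, name = path.rpartition("\\")
    expected = SYSTEM_BINARIES.get(name.lower())
    if expected and directory.lower() != expected:
        findings.append(("high", line, f"{name} normally lives in {expected}, found in {directory}"))


def triage(log_text, default_hosts=DEFAULT_HOSTS):
    """Return a list of (severity, line, reason) for the entries worth a closer look."""
    findings = []
    run_targets = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and (",Start Page = " in line or ",Default_Page_URL = " in line):
            host = host_of(line.split(" = ", 1)[1])
            if host not in default_hosts:
                findings.append(("high", line, f"IE start/default page set to non-default host {host}"))
        elif kind == "F3":
            findings.append(("high", line, "win.ini run= autostart; legacy mechanism rarely used by current software"))
            path = exe_path(line)
            if path:
                check_masquerade(path, line, findings)
        elif kind == "O2" and line.endswith("(no file)"):
            findings.append(("low", line, "BHO registration with no backing file (orphaned entry)"))
        elif kind == "O4":
            path = exe_path(line)
            if path:
                run_targets[path.lower()] += 1
                check_masquerade(path, line, findings)
    for path, count in run_targets.items():
        if count > 1:
            findings.append(("medium", path, f"same executable registered in {count} Run locations"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(severity for severity, _, _ in findings)


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample, the script reports the hijacked start page, the `win.ini` autostart, three sightings of a `services.exe` outside `System32`, the duplicated Run registration and the orphaned BHO; the McAfee entry passes untouched. The name-versus-directory check is the one that would still catch this family if the start page had already been restored, which is the situation the later post in the thread describes.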
2004-12-05, 22:51 | Link #5 | |
Senior Member
Join Date: Nov 2003
Quote:
2004-12-11, 10:01 | Link #7 |
Boobies˛ = Fun
Well, the spyware seems to be on the run because his homepage no longer changes in IE. The big problem, right-clicking causing programs to close and his desktop to refresh, is still there. Strangely enough he can right-click in IE to open new windows and stuff, but he can't do it on his desktop or in Explorer.
Anyone care to take a shot at the prob?