AnimeSuki Forums

Old 2004-12-05, 17:53   Link #1
音楽は死んだ
Boobies² = Fun
Join Date: Oct 2004
Location: Newfoundland & Labrador
Age: 41
Spyware Ident Help

So a friend of mine got some spyware recently. I did the whole boot into safe mode and run Ad-Aware and Spybot, and cleaned everything up as best I could. Must not have worked, because the garbage was right back changing his homepage and making his right click blank the screen (to keep him from deleting it, I guess).

So I got him to run hijackthis and he sent me the logfile.
Code:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\inetm\services.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\inetm\explorer.exe
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Multimedia\main\ATIMMC.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\SSSTARS.SCR
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Dean Jacobs\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlygoodsearch.com/10040/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096235329703
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
lol, so is anyone willing to look at that and give some removal help?
Old 2004-12-05, 18:35   Link #2
AnimeOni
Raid-the-mods
Join Date: Nov 2003
Location: Sol System
He has a simple case of an adware server.

CWShredder can remove it. (Makers of hijackthis)
http://www.intermute.com/spysubtract..._download.html

or Download this tool:
http://www.safer-networking.org/files/delcwssk.zip
Old 2004-12-05, 18:49   Link #3
音楽は死んだ
Boobies² = Fun
Join Date: Oct 2004
Location: Newfoundland & Labrador
Age: 41
Quote:
Originally Posted by AnimeOni
He has a simple case of an adware server.

CWShredder can remove it. (Makers of hijackthis)
http://www.intermute.com/spysubtract..._download.html

or Download this tool:
http://www.safer-networking.org/files/delcwssk.zip
Hmm, so that's all that's wrong? 0.o
Old 2004-12-05, 21:48   Link #4
AnimeOni
Raid-the-mods
Join Date: Nov 2003
Location: Sol System
The rest of the apps that are listed are basic Windows and various system software.
The giveaway for the major spyware type is the default IE start page. In this case: www.onlygoodsearch.com. It's a very common adware site.
Old 2004-12-05, 22:51   Link #5
bayoab
Senior Member
Join Date: Nov 2003
Quote:
Originally Posted by 音楽は死んだ
So a friend of mine got some spyware recently. I did the whole boot into safe mode and run Ad-Aware and Spybot, and cleaned everything up as best I could. Must not have worked, because the garbage was right back changing his homepage and making his right click blank the screen (to keep him from deleting it, I guess).

So I got him to run hijackthis and he sent me the logfile.

C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\System32\SSSTARS.SCR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlygoodsearch.com/10040/
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

lol, so is anyone willing to look at that and give some removal help?
From the above, we also have something more. Those two xp_systems are either a virus or some spyware. I see remnants of Ebates. DllHost.exe usually does not run on SP1+. (Normally, once you upgrade to XP SP1, this stops loading.) And I do not know what a .scr is doing running like that. UpdReg.exe is sometimes legit, but I've seen fake cases of it. Might want to check that it is signed by Creative Labs. (I just checked a Google search, and it appears that services is probably the spyware process.)
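The triage bayoab does by eye above (a core Windows binary name running from a folder it does not belong in, a legacy win.ini run= entry, the same image registered under both HKLM and HKCU, and a start page pointing somewhere other than the OEM default) can be written down as a small log checker. The following is an added example, not code from this thread or from HijackThis, and it makes two assumptions: the allowlist of expected home-page hosts is constructed from the Default_Page_URL entries in the posted log, and the sample input is a subset of the posted log lines embedded as a constructed string.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Core Windows binary names that adware likes to borrow so a process list or
# autostart entry looks routine. The genuine copies live only in the Windows
# directory or System32; a copy anywhere else is the giveaway in the log above.
SYSTEM_BINARY_NAMES = {
    "services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
    "explorer.exe", "smss.exe", "csrss.exe", "spoolsv.exe",
}
LEGIT_SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed allowlist (assumption): the OEM default this machine shipped with,
# taken from the Default_Page_URL entries in the posted log.
EXPECTED_HOMEPAGE_HOSTS = {"www.dellnet.com"}

_PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
_STARTPAGE_RE = re.compile(r"^R[01] - (.+?),(.+?) = (.+)$")
_F3_RE = re.compile(r"^F3 - REG:win\.ini: run=(.+)$", re.IGNORECASE)
_O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
_EXE_RE = re.compile(r'"([^"]+)"|(\S.*?\.exe)(?=\s|$)', re.IGNORECASE)


def extract_exe_path(value: str) -> Optional[str]:
    """Pull the image path out of a Run value, honouring quotes and trailing arguments."""
    m = _EXE_RE.match(value.strip())
    return (m.group(1) or m.group(2)) if m else None


def is_masquerading_system_binary(path: str) -> bool:
    """True when a well-known system binary name sits outside its legitimate folder."""
    p = path.lower()
    if "\\" not in p:
        return False  # bare file name: resolved via the search path, cannot judge here
    directory, _, name = p.rpartition("\\")
    return name in SYSTEM_BINARY_NAMES and directory not in LEGIT_SYSTEM_DIRS


def homepage_host(url: str) -> str:
    return urlparse(url.strip()).hostname or ""


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious observation in HijackThis-style lines."""
    findings: List[Dict[str, str]] = []
    hives_by_image: Dict[str, Set[str]] = {}

    def flag(line: str, reason: str) -> None:
        findings.append({"line": line, "reason": reason})

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if _PROCESS_RE.match(line):  # "Running processes" section: one full path per line
            if is_masquerading_system_binary(line):
                flag(line, "running process borrows a core Windows binary name outside the Windows directory")
            continue
        m = _STARTPAGE_RE.match(line)
        if m and m.group(2).strip() == "Start Page":
            host = homepage_host(m.group(3))
            if host not in EXPECTED_HOMEPAGE_HOSTS:
                flag(line, f"browser start page redirected to unexpected host {host}")
            continue
        m = _F3_RE.match(line)
        if m:
            flag(line, "legacy win.ini run= autostart; current software almost never uses it")
            path = extract_exe_path(m.group(1))
            if path and is_masquerading_system_binary(path):
                flag(line, f"autostart launches look-alike system binary {path}")
            continue
        m = _O4_RE.match(line)
        if m:
            hive, name, value = m.groups()
            path = extract_exe_path(value)
            if path:
                hives_by_image.setdefault(path.lower(), set()).add(hive)
                if is_masquerading_system_binary(path):
                    flag(line, f"Run entry [{name}] launches look-alike system binary {path}")

    # The same image under HKLM and HKCU is a common way for adware to survive a
    # partial clean-up; it is exactly what the two xp_system lines above show.
    for image, hives in hives_by_image.items():
        if len(hives) > 1:
            flag(image, "same image registered for autostart under " + " and ".join(sorted(hives)))
    return findings


# Constructed sample input: a subset of the lines from the posted log, unchanged.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\inetm\services.exe
C:\WINDOWS\inetm\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlygoodsearch.com/10040/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
F3 - REG:win.ini: run=C:\WINDOWS\inetm\services.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Run against the sample, the checker flags the two inetm processes, the HKCU start page, the win.ini entry (twice: once for the mechanism, once for the look-alike binary), both xp_system Run entries, and the HKLM/HKCU duplicate, while leaving the genuine System32 copies, the McAfee agent and the bare-name ATI entry alone. The directory comparison is deliberately exact rather than prefix-based, so C:\WINDOWS\inetm does not pass just because it starts with C:\WINDOWS.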
Old 2004-12-05, 23:15   Link #6
音楽は死んだ
Boobies² = Fun
Join Date: Oct 2004
Location: Newfoundland & Labrador
Age: 41
Thanks for the info. I was hoping someone would notice that as well, since I knew it was more than one problem in the first place. He does have a CL sound card though, you sure that's spyware?
Old 2004-12-11, 10:01   Link #7
音楽は死んだ
Boobies² = Fun
Join Date: Oct 2004
Location: Newfoundland & Labrador
Age: 41
Well, the spyware seems to be on the run, because his homepage no longer changes in IE. The big problem, right clicking causing programs to close and his desktop to refresh, is still there. Strangely enough he can right click in IE to open new windows and stuff, but he can't do it on his desktop or in Explorer.

Anyone care to take a shot at the prob?