BleepingComputer.com: Spyware and lots of it


#1 RaxeN (Group: Members)

Posted 31 May 2005 - 04:59 PM

Hi, can someone help me please? I have nowhere else to look =D

When I scan with Spybot and MS AntiSpyware I get a lot of spyware; these include:

ISearchTech.PowerScan
ISearchTech.SideFindISearchTech.ISTToolbar
ISearchTech.ISTXXXToolbar
DyFuCa.InternetOptimizer
180SearchAssistant
and a few more

No matter what I have done (removed them with all adware removal programs such as Ad-Aware) they still come back, and I have random processes starting up every so often out of nowhere, such as msnmssrg.exe etc. and things like ftp.exe and dwwin.exe. I don't know what else to do.

Here is my HijackThis log. Someone please help me. Do you think it could have something to do with the network, like it installed some secret firewall? Whenever I try to do anything on the network I now get errors, and it only just started when I got all this spyware.

I think it's something like Win32.RBot, something that installs things day after day, because I've tried deleting registry settings and the folders in Program Files and it still doesn't work.

So I come for some expert help =D

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:22:09, on 31/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\taskmngr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\valve\steam\steam.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\VentriloMIX\Ventrilo 2.1.3.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.359\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Main Board Boot] crsrr.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [ahOsWa] C:\WINDOWS\oxxmo.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [zuvqn] C:\WINDOWS\zuvqn.exe
O4 - HKLM\..\RunServices: [Main Board Boot] crsrr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerDiscovery] C:\Program Files\MessengerDiscovery\MessengerDiscovery.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

Thanks

RaxeN

#2 ddeerrff (Group: Malware Response Team)

Posted 02 June 2005 - 12:45 PM

Hello RaxeN and welcome to BleepingComputer.

Your log shows that you are seriously behind on Windows updates. It is essential that you update your operating system, as otherwise any infections we remove could recur. After we get you all cleaned up, be sure to go to Windows Update and, if it asks to install software, allow it to do so. Install the offered Critical and Security updates, reboot as requested, and return until you have installed all available Critical and Security updates.


You have HijackThis running from a temporary or zip folder. Any backup files HJT creates during the repair process will not be secure if left in this folder.

Create a folder on the C: drive called "C:\HJT". You can do this by opening My Computer then double click on Local Disk (C:). In a clear area right click and select New then Folder and name it "HJT". Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder.


Open the Control Panel, then double click on Add/Remove Programs. Look for the following and uninstall them if found:

- 180solutions
- InternetOptimizer
- IST Toolbar
- SideFind
- SideSearch
- anything named similarly to what you have seen listed in other scans


Configure Windows to enable viewing of Hidden and System files.

Reboot into Safe Mode.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKLM\..\Run: [Main Board Boot] crsrr.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [ahOsWa] C:\WINDOWS\oxxmo.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [zuvqn] C:\WINDOWS\zuvqn.exe
O4 - HKLM\..\RunServices: [Main Board Boot] crsrr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+E), navigate to and delete the following files and folders (don't be concerned if they cannot be found):

C:\WINDOWS\zuvqn.exe <--Files
C:\WINDOWS\oxxmo.exe
C:\WINDOWS\crsrr.exe <--Caution, do not delete similarly named valid Windows file 'csrss.exe'
C:\WINDOWS\msnmssgr.exe <--Caution, do not delete similarly named valid Windows file 'msnmsgr.exe'
C:\WINDOWS\System32\taskmngr.exe <--Caution, do not delete similarly named valid Windows file 'taskmgr.exe'
C:\WINDOWS\System32\crsrr.exe <--Caution, do not delete similarly named valid Windows file 'csrss.exe'
C:\WINDOWS\System32\msnmssgr.exe <--Caution, do not delete similarly named valid Windows file 'msnmsgr.exe'

c:\program files\180solutions\ <--Folder


Reboot normally and post a fresh HJT log. How are things running?
Derfram
~~~~~~
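The reply above picks out the O4 autostart entries to fix by the same warning signs a responder looks for by hand: a bare filename with no install path, a name one or two letters off a real Windows binary (taskmngr.exe vs taskmgr.exe, msnmssgr.exe vs msnmsgr.exe), an executable dropped straight into C:\WINDOWS, and the same command registered under several Run/RunServices/RunOnce keys at once. The script below is an added example, not part of this thread or of HijackThis; it reads the O4 lines from the log in post #1 (embedded here as a constructed sample) and applies those four heuristics. The list of legitimate system binary names it compares against is an assumption of the example.

```python
"""Triage HijackThis O4 (autostart) entries for the warning signs a
responder looks for before deciding what to fix."""
import difflib
import re
from collections import defaultdict

# Assumption of this example: stems (name without .exe) of legitimate Windows
# binaries that worms and spyware commonly imitate.
KNOWN_SYSTEM_STEMS = {"csrss", "taskmgr", "msnmsgr", "svchost", "lsass", "smss",
                      "winlogon", "services", "explorer", "spoolsv", "rundll32"}

# Constructed sample: the O4 entries from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Main Board Boot] crsrr.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [ahOsWa] C:\WINDOWS\oxxmo.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [zuvqn] C:\WINDOWS\zuvqn.exe
O4 - HKLM\..\RunServices: [Main Board Boot] crsrr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerDiscovery] C:\Program Files\MessengerDiscovery\MessengerDiscovery.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
"""

# Shape of an O4 line: "O4 - HKLM\..\RunServices: [Name] command"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.*?)\] (.*)$")
# Head of the command: a quoted path, or everything up to the first ".exe"
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.*?\.exe))', re.IGNORECASE)


def executable_of(command):
    """Return the executable path at the head of an O4 command string."""
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group(1) or m.group(2)


def lookalike_of(stem):
    """Return the known system stem this name most resembles, or None if the
    name is exact or not similar enough (similarity ratio below 0.8)."""
    if stem in KNOWN_SYSTEM_STEMS:
        return None
    best = max(KNOWN_SYSTEM_STEMS,
               key=lambda k: difflib.SequenceMatcher(None, stem, k).ratio())
    if difflib.SequenceMatcher(None, stem, best).ratio() >= 0.8:
        return best
    return None


def triage_o4(log_text):
    """Return {executable basename: sorted reasons} for every O4 entry that
    trips at least one heuristic."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, _name, command = m.groups()
            entries.append((hive + "\\" + key, executable_of(command)))

    # A worm that wants to survive typically registers the same file under
    # several autostart keys; count distinct keys per executable.
    keys_per_exe = defaultdict(set)
    for key, exe in entries:
        keys_per_exe[exe.lower()].add(key)

    findings = defaultdict(set)
    for key, exe in entries:
        directory, _, basename = exe.replace("/", "\\").rpartition("\\")
        base = basename.lower()
        stem = base[:-4] if base.endswith(".exe") else base
        if not directory:
            findings[base].add("bare filename resolved via the search path, no install location")
        if directory.lower().rstrip("\\") in ("c:\\windows", "c:\\winnt"):
            findings[base].add("runs from the Windows directory root")
        known = lookalike_of(stem)
        if known:
            findings[base].add("lookalike of " + known + ".exe")
        n_keys = len(keys_per_exe[exe.lower()])
        if n_keys >= 2:
            findings[base].add("registered under %d autostart keys" % n_keys)
    return {base: sorted(reasons) for base, reasons in findings.items()}


if __name__ == "__main__":
    for base, reasons in sorted(triage_o4(SAMPLE_LOG).items()):
        print(base + ": " + "; ".join(reasons))
```

Run against the sample, it flags exactly the five files the reply tells the poster to fix (crsrr.exe, msnmssgr.exe, taskmngr.exe, oxxmo.exe, zuvqn.exe) and leaves the legitimate MsnMsgr.Exe entry alone. Two caveats worth noticing: crsrr.exe is caught only by the bare-filename and multiple-keys rules, because its letters are shuffled rather than dropped and a string-similarity score does not see it as close to csrss.exe; and sais.exe is not flagged at all, since nothing about its path or name is odd and it is identified, as in the reply, by knowing the 180solutions vendor name. Heuristics narrow the list; they do not replace a responder's knowledge of what is known adware.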

#3 ddeerrff (Group: Malware Response Team)

Posted 16 June 2005 - 12:10 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~
