
Major Spyware Infection


This topic is locked
2 replies to this topic

#1 Maxximiliann


Posted 26 May 2008 - 08:56 PM

Hi! I just removed 600+ pieces of spyware. Did I get them all? Anything else I should be worried about? Thanks in advance for all your help!


Deckard's System Scanner v20071014.68
Run by admin on 2008-05-26 21:48:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-05-27 01:48:50 UTC - RP618 - Deckard's System Scanner Restore Point
11: 2008-05-26 23:31:18 UTC - RP617 - ComboFix created restore point
10: 2008-05-26 15:10:32 UTC - RP616 - System Checkpoint
9: 2008-05-24 18:02:15 UTC - RP615 - System Checkpoint
8: 2008-05-23 13:11:00 UTC - RP614 - System Checkpoint


-- First Restore Point --
1: 2008-05-13 02:04:32 UTC - RP607 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:02 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Documents and Settings\admin\Desktop\Hardware Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/games/chess
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/games/chess
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [M2WNotifierService] C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: FreePOPs (3).lnk = C:\Program Files\FreePOPs\freepopsd.exe
O4 - Global Startup: Mozilla Firefox Primary Profile (3).lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Global Startup: Mozilla Thunderbird (2).lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: Outlook.lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Global Startup: Today.doc
O4 - Global Startup: Watchtower Library 2007 - Español.lnk = C:\Program Files\Watchtower\Watchtower Library 2007\S\wtlibrary.exe
O4 - Global Startup: ~$Today.doc
O4 - Global Startup: ~WRL0001.tmp
O4 - Global Startup: ~WRL0536.tmp
O4 - Global Startup: ~WRL1339.tmp
O4 - Global Startup: ~WRL1782.tmp
O4 - Global Startup: ~WRL2439.tmp
O4 - Global Startup: ~WRL4051.tmp
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {1D95A7C7-3282-4DB7-9A48-7C39CE152A19} (TeamOn Import Object) - https://bis.na.blackberry.com/html/web/clie...ls/TOImport.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121033866146
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/heavy_w...aploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6253 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080128-111257-554 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20080128-111257-775 O4 - HKCU\..\Policies\Explorer\Run: [System Patcher] BTCPatcher.exe
backup-20080128-111257-857 O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
backup-20080128-111258-593 O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) -
backup-20080128-111258-690 O21 - SSODL: ULBrEIuBH - {4C0D169B-E6A7-BC31-EEBB-C1266F9C8E1F} - (no file)
backup-20080128-111258-781 O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
backup-20080128-111258-806 O20 - Winlogon Notify: qomkife - qomkife.dll (file missing)
backup-20080128-111258-916 O20 - Winlogon Notify: khfddde - khfddde.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 cmpci (Turtle Beach Riviera) - c:\windows\system32\drivers\cmaudio.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 SBAPIFS - c:\windows\system32\drivers\sbapifs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-24 13:27:43 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 21:11:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 21:11:24 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 21:11:22 0 d-------- C:\WINDOWS\LastGood
2008-05-26 21:03:55 0 dr-h---c- C:\Documents and Settings\admin\Recent
2008-05-26 19:30:50 68096 --a------ C:\WINDOWS\zip.exe
2008-05-26 19:30:50 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-26 19:30:50 80412 --a------ C:\WINDOWS\grep.exe
2008-05-26 19:30:49 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-26 19:30:49 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-26 19:30:49 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-26 19:30:49 98816 --a------ C:\WINDOWS\sed.exe
2008-05-26 19:30:49 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-06 11:54:01 0 d------c- C:\temp
2008-05-05 11:49:05 0 d-------- C:\Program Files\Ringo
2008-04-28 17:00:03 0 d------c- C:\Documents and Settings\admin\Application Data\Axosoft
2008-04-28 16:59:18 0 d-------- C:\Program Files\TBFDropZone


-- Find3M Report ---------------------------------------------------------------

2008-05-26 21:16:32 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-26 20:07:09 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 16:23:18 0 d------c- C:\Documents and Settings\admin\Application Data\gtk-2.0
2008-05-18 18:48:50 0 d-------- C:\Documents and Settings\admin\Application Data\uTorrent
2008-05-17 11:22:15 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-11 14:32:09 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-07 09:33:44 0 d-------- C:\Program Files\AIM6
2008-05-04 12:33:19 0 d------c- C:\Documents and Settings\admin\Application Data\Real
2008-04-16 18:25:00 8135 --a----c- C:\WINDOWS\mozver.dat
2008-04-09 12:51:49 0 d-------- C:\Program Files\Investintech.com Inc
2008-04-09 12:46:13 0 d-------- C:\Program Files\PDF Editor 2
2008-03-30 11:38:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-30 11:35:28 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-30 11:14:04 0 d-------- C:\Program Files\M2W Notifier Service
2008-03-30 11:13:24 0 d-------- C:\Program Files\AIM
2008-03-30 11:12:56 0 d------c- C:\Documents and Settings\admin\Application Data\Aim
2008-03-28 16:45:40 0 d------c- C:\Documents and Settings\admin\Application Data\acccore
2008-03-28 16:44:52 0 d-------- C:\Program Files\Viewpoint
2008-03-28 16:44:16 0 d-------- C:\Program Files\Common Files\AOL
2008-03-28 15:14:55 0 d-------- C:\Program Files\AOD


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [06/08/2004 12:31 PM C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"M2WNotifierService"="C:\Program Files\M2W Notifier Service\M2W Notifier Service.exe" [12/27/2001 01:17 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe" [10/01/2006 02:03 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/06/2008 04:50 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/26/2008 08:07 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FreePOPs (3).lnk - C:\Program Files\FreePOPs\freepopsd.exe [11/17/2007 11:25:16 AM]
Mozilla Firefox Primary Profile (3).lnk - C:\Program Files\Mozilla Firefox\firefox.exe [9/13/2005 10:46:19 AM]
Mozilla Thunderbird (2).lnk - C:\Program Files\Mozilla Thunderbird\thunderbird.exe [10/16/2007 10:24:02 PM]
Outlook.lnk - C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE [7/14/2003 10:45:18 PM]
Today.doc [5/25/2008 3:05:51 PM]
Watchtower Library 2007 - Español.lnk - C:\Program Files\Watchtower\Watchtower Library 2007\S\wtlibrary.exe [10/25/2007 9:35:38 AM]
~$Today.doc [2/5/2008 9:07:50 AM]
~WRL0001.tmp [3/29/2008 2:35:07 PM]
~WRL0536.tmp [5/19/2008 12:20:11 AM]
~WRL1339.tmp [2/19/2008 1:22:57 PM]
~WRL1782.tmp [2/19/2008 1:23:42 PM]
~WRL2439.tmp [2/18/2008 8:55:12 PM]
~WRL4051.tmp [2/4/2008 10:08:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/26/2008 08:07 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]

12210 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-26 21:52:02 ------------


#2 ken545

Malware Response Team

Posted 27 June 2008 - 07:28 AM

Hello JRAvery1

Welcome to the Bleeping Computer Malware Removal Forum. Sorry about the delay, but the number of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, please post a new HJT log, as your system may have changed since your original post.

  • Download Trend Micro's HijackThis to your desktop.
  • Double click it to install.
  • Follow the prompts; by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
  • Open HJT, Scan and Save a Log File; it will open in Notepad.
  • Go to Format and make sure Word Wrap is unchecked.
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not by starting a new thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days


#3 ken545

Malware Response Team

Posted 07 July 2008 - 03:50 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
