Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ads1.revenue.net


  • This topic is locked This topic is locked
5 replies to this topic

#1 arttimm

arttimm

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 02 August 2004 - 01:36 PM

I believe this spyware was downloaded when someone accessed Kazza and now I can't get rid of it.

I've tried Ad-Aware, Hijack Blaster, CWShredder, Pop-Up Stopper, RegClean, Restrictions, Spy Sweeper, Spybot Search & Destroy, Spyware Eliminator, Spyware Nuker, and Xoftspy to no avail.

I've edited the Hosts file to delete all references other than to localhost but about ten others keep coming back.

I've run Hijack this and compared my log to other that have been posted in this forum but haven't found any like entries.

Art Timm

BC AdBot (Login to Remove)

 


m

#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:12:21 PM

Posted 02 August 2004 - 03:35 PM

It would be helpful if we could see what your log looked like. Then we will be able to recommend a course of action.

#3 arttimm

arttimm
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 04 August 2004 - 05:42 PM

How do I post a log?

I will be running Hijack This on another computer and accessing the log on my computer using a floppy.

Edited by arttimm, 04 August 2004 - 05:43 PM.


#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:12:21 PM

Posted 04 August 2004 - 05:53 PM

When you press the scan button, the button will change to 'save log'. It will save it as a text file on your desktop.

#5 arttimm

arttimm
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 12 August 2004 - 06:56 PM

Log attached.

Attached Files



#6 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:12:21 PM

Posted 12 August 2004 - 07:43 PM

I'm going to go ahead and paste your log in here:

Logfile of HijackThis v1.97.7
Scan saved at 3:51:01 PM, on 8/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = acsalaska
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.193.30.245,209.193.30.248


*********************************************************************


Please run SpyBot and Adaware
.

Download the latest versions here:
* Adaware
* Spybot

Click on the globe icons, and make sure they are both fully updated.

Boot into SAFE MODE by tapping the f8 key during boot up.


Run Spybot.

Then run Adaware with the following options selected:

  • Configure Ad-aware
    • Click on the Gear-shaped icon at the top to open the Settings window.
    • All of the following settings I mention should be enabled (green checkmark). Some settings cannot be enabled in certain versions of Windows. If a setting I mention is grey and can't be enabled, skip it.
    • General Settings - Automatically save log-file, Automatically quarantine objects prior to removal, and Safe Mode (always request confirmation)
    • Scanning Settings
      • Scan Within Archives
      • Click on 'Click here to select drives + folders' and check next to each hard drive then hit ok.
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
    • Advanced Settings - Enable all four options under 'Log-file Detail level'
    • Tweak Settings
      • Under 'Scanning Engine' - Enable 'Unload recognized processes during scanning', 'Include basic Ad-aware settings in logfile', and 'Include additional Ad-aware settings in logfile'
      • Under ‘Cleaning Engine’ - Enable 'Let Windows remove files in use at next reboot'
    • Click Proceed
  • Click on the 'Start' button in the lower right.

  • Select 'Use custom scanning options', enable 'Activate in-depth scanning', and click Next. The scan will take several minutes to complete. When the scan is complete click Next.

  • Right click on the list of items and click 'Select all items' then click Next. Press Yes to confirm. The detected items are now quarantined.

  • Close Ad-aware

==========================

Please use one/all of these free online scans. Let them fix everything they find.[b]***********************************************************************


Reboot.

Update your version of HJT:
http://www.downloads.subratam.org/hijackthis.zip

Then post a new log. Go ahead and paste it in to your next response.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users