Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware attack?


  • This topic is locked This topic is locked
2 replies to this topic

#1 imrahil388

imrahil388

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 30 December 2008 - 12:50 AM

Hey all,

Recently been having some trouble with spyware.

Symptoms include:
1) Desktop background a black background with flashing warning to fix spyware, I cannot change the background as it is disabled
2) Internet explorer visual runtime C++ error (not sure if this is spyware related, but Mozilla works fine!)
3) pop ups in task bar and in internet explorer

I think its a spyware virus or two, nothing TOO extreme or catastrophic yet...

Here is my log:


DDS (Version 1.1.0) - NTFSx86
Run by Jerry at 0:43:19.78 on Tue 12/30/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1918.1285 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\userinit.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Documents and Settings\Jerry\Desktop\dds.scr
C:\Documents and Settings\Jerry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080405
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Framework Windows] frmwrk32.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\docume~1\jerry\locals~1\temp\ntdll64.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jerry\applic~1\mozilla\firefox\profiles\luc63yir.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-4-5 3456]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-29 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-29 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-29 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-29 107272]
R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-29 298264]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2008-4-14 104000]
R2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\Mcshield.exe" [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe" [2006-11-30 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-4-14 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-4-14 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-4-14 168776]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2008-12-30 00:18 <DIR> --d----- c:\program files\VideoLAN
2008-12-29 12:05 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-29 12:03 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-29 12:03 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-29 12:03 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2008-12-29 12:03 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-29 12:03 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-29 12:02 <DIR> --d----- c:\program files\AVG
2008-12-29 12:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-29 11:55 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-29 10:26 664 a------- c:\windows\system32\d3d9caps.dat
2008-12-28 23:44 111,616 a------- c:\windows\system32\ntdll64.exe
2008-12-28 23:14 111,616 a------- c:\windows\system32\dllcache\userinit.exe
2008-12-28 23:14 502 a------- c:\windows\system32\win32hlp.cnf
2008-12-28 23:14 1 a------- c:\windows\system32\uniq.tll
2008-12-28 23:14 1 a------- c:\windows\system32\test.ttt
2008-12-28 23:14 31,744 a------- c:\windows\system32\frmwrk32.exe
2008-12-25 11:56 <DIR> --d----- c:\docume~1\jerry\applic~1\ICAClient
2008-12-25 11:56 <DIR> --d----- c:\windows\system32\Resource
2008-12-23 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2008-12-23 12:15 <DIR> --d----- c:\program files\Citrix
2008-12-23 12:15 61,224 a------- c:\documents and settings\jerry\GoToAssistDownloadHelper.exe
2008-12-15 18:48 <DIR> --d----- c:\program files\MSXML 4.0
2008-12-15 11:37 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2008-12-15 11:37 49,920 a----r-- c:\windows\system32\drivers\HPZid412.sys
2008-12-15 11:36 118,272 a------- c:\windows\system32\hpz3l5mu.dll
2008-12-15 11:36 271,704 a----r-- c:\windows\system32\hpzids01.dll
2008-12-15 11:36 21,568 a----r-- c:\windows\system32\drivers\HPZius12.sys
2008-12-15 11:36 729,088 a----r-- c:\windows\system32\hpwwiax4.dll
2008-12-15 11:36 593,920 a----r-- c:\windows\system32\hpwtscl3.dll
2008-12-15 11:36 364,544 a----r-- c:\windows\system32\hppldcoi.dll
2008-12-15 11:36 309,760 a----r-- c:\windows\system32\difxapi.dll
2008-12-15 11:36 294,912 a----r-- c:\windows\system32\hpovst11.dll
2008-12-15 11:35 <DIR> --d----- c:\program files\Yahoo!
2008-12-15 11:29 <DIR> --d----- c:\program files\common files\HP
2008-12-15 11:29 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2008-12-15 11:27 1,373,528 a----r-- c:\windows\hpzshl01.exe
2008-12-15 11:27 1,140,056 a----r-- c:\windows\hpzmsi01.exe
2008-12-15 11:27 10,563 a----r-- c:\windows\hpwscr19.dat
2008-12-15 11:27 <DIR> --d----- c:\windows\yellowtail
2008-12-15 11:26 <DIR> --d----- c:\program files\HP
2008-12-15 11:26 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2008-12-15 11:26 25,856 a------- c:\windows\system32\dllcache\usbprint.sys
2008-12-15 11:24 997 a----r-- c:\windows\hpwmdl19.dat
2008-12-15 11:24 176,705 a------- c:\windows\hpwins19.dat

==================== Find3M ====================

2008-12-28 23:14 111,616 a------- c:\windows\system32\userinit.exe
2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-07 18:32 2,109,440 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 04:45 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2008-10-03 05:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:15 247,326 -------- c:\windows\system32\dllcache\strmdll.dll

============= FINISH: 0:43:53.04 ===============


Thanks everyone!!

Attached Files



BC AdBot (Login to Remove)

 


#2 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 10 January 2009 - 08:09 AM

Hello imrahil388,

I apologise for the delay, the forum is extremely busy.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 15 January 2009 - 01:35 PM

Due to the lack of feedback, this Topic is now closed and will not be reopened.
If you still need help, begin a new topic.

Applies only to the original poster, anyone else with similar problems please start a new topic.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users