
Spyware and lots of it


  • This topic is locked
2 replies to this topic

#1 RaxeN

RaxeN

  • Members
  • 1 posts

Posted 31 May 2005 - 04:59 PM

Hi, can someone help me please? I have nowhere else to look =D

When I scan with Spybot and MS AntiSpyware I get a lot of spyware. These include:

ISearchTech.PowerScan
ISearchTech.SideFind
ISearchTech.ISTToolbar
ISearchTech.ISTXXXToolbar
DyFuCa.InternetOptimizer
180SearchAssistant
and a few more

No matter what I have done (removed them with all adware removal programs such as AdAware) they still come back, and I have random processes running up every so often out of nowhere, such as msnmssrg.exe etc. and things like ftp.exe and dwwin.exe - I don't know what else to do.

Here is my HijackThis log. Someone please help me. Do you think it could have something to do with the network? Like it installed some secret firewall, because whenever I try to do a network I now get errors, and it only just started when I got all this spyware.

I think it's something like Win32.RBot, something that installs things day after day, because I've tried deleting registry settings and the folders in Program Files and it still doesn't work.

So I come for some expert help =D

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:22:09, on 31/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\taskmngr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\valve\steam\steam.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\VentriloMIX\Ventrilo 2.1.3.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.359\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Main Board Boot] crsrr.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [ahOsWa] C:\WINDOWS\oxxmo.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [zuvqn] C:\WINDOWS\zuvqn.exe
O4 - HKLM\..\RunServices: [Main Board Boot] crsrr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerDiscovery] C:\Program Files\MessengerDiscovery\MessengerDiscovery.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

Thanks

RaxeN



#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 02 June 2005 - 12:45 PM

Hello RaxeN and welcome to BleepingComputer.

Your log shows that you are seriously behind on Windows updates. It is essential that you update your operating system as otherwise any infections we remove could reoccur. After we get you all cleaned up, be sure to go to Windows Update and if it asks to install software, allow it to do so. Install the offered Critical and Security updates, reboot as requested and return until you have installed all available Critical and Security updates.


You have HijackThis running from a temporary or zip folder. Any backup files HJT creates during the repair process will not be secure if left in this folder.

Create a folder on the C: drive called "C:\HJT". You can do this by opening My Computer then double click on Local Disk (C:). In a clear area right click and select New then Folder and name it "HJT". Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder.


Open the Control Panel then double click on Add/Remove Programs. Look for the following and uninstall them if found:

- 180solutions
- InternetOptimizer
- IST Toolbar
- SideFind
- SideSearch
or anything named similar to what you have seen listed in other scans


Configure Windows to enable viewing of Hidden and System files.

Reboot into Safe Mode.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKLM\..\Run: [Main Board Boot] crsrr.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [ahOsWa] C:\WINDOWS\oxxmo.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [zuvqn] C:\WINDOWS\zuvqn.exe
O4 - HKLM\..\RunServices: [Main Board Boot] crsrr.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\RunOnce: [sysPersonalFirewall] msnmssgr.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):

C:\WINDOWS\zuvqn.exe <--Files
C:\WINDOWS\oxxmo.exe
C:\WINDOWS\crsrr.exe <--Caution, do not delete similarly named valid Windows file 'csrss.exe'
C:\WINDOWS\msnmssgr.exe <--Caution, do not delete similarly named valid Windows file 'msnmsgr.exe'
C:\WINDOWS\System32\taskmngr.exe <--Caution, do not delete similarly named valid Windows file 'taskmgr.exe'
C:\WINDOWS\System32\crsrr.exe <--Caution, do not delete similarly named valid Windows file 'csrss.exe'
C:\WINDOWS\System32\msnmssgr.exe <--Caution, do not delete similarly named valid Windows file 'msnmsgr.exe'

c:\program files\180solutions\ <--Folder


Reboot normally and post a fresh HJT log. How are things running?
Derfram
~~~~~~
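
The cautions in the reply above (crsrr.exe vs. csrss.exe, msnmssgr.exe vs. msnmsgr.exe, taskmngr.exe vs. taskmgr.exe) can be checked mechanically. The following is an added example, not part of the original thread or of HijackThis: it parses O4 autorun lines and flags executables whose names closely resemble, but do not equal, a known-good name. The allowlist, the `difflib` similarity measure, the 0.75 threshold and all function names are assumptions chosen for illustration.

```python
import difflib
import re

# Constructed sample: a few O4 autorun lines copied from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Main Board Boot] crsrr.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [zuvqn] C:\WINDOWS\zuvqn.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Legitimate names from the reply's cautions; a real allowlist would be longer (assumption).
KNOWN_GOOD = ("csrss.exe", "msnmsgr.exe", "taskmgr.exe")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.+)$")
EXE_RE = re.compile(r'([^\\"]+?\.exe)', re.IGNORECASE)

def exe_name(command):
    """Lowercased executable file name from an autorun command line."""
    m = EXE_RE.search(command)
    return (m.group(1) if m else command).strip().lower()

def lookalike_of(name, threshold=0.75):
    """Known-good name that `name` closely resembles without matching, else None."""
    if name in KNOWN_GOOD:
        return None
    score = lambda good: difflib.SequenceMatcher(None, name, good).ratio()
    best = max(KNOWN_GOOD, key=score)
    return best if score(best) >= threshold else None

def triage(log_text):
    """Map each look-alike executable to the name it imitates and its autorun keys."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        key, _label, command = m.groups()
        name = exe_name(command)
        imitates = lookalike_of(name)
        if imitates:
            entry = findings.setdefault(
                name, {"imitates": imitates, "bare_name": "\\" not in command, "keys": []})
            entry["keys"].append(key)
    return findings

if __name__ == "__main__":
    for exe, info in triage(SAMPLE_LOG).items():
        print(exe, info)
```

Randomly named entries such as zuvqn.exe are not caught by name similarity and need a separate check.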

#3 ddeerrff


Posted 16 June 2005 - 12:10 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~



