Spyware/Hijacker Detector


  • This topic is locked
3 replies to this topic

#1 sidan

sidan

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:26 AM

Posted 21 September 2005 - 03:45 AM

Every time I log on to Bleeping Computer, I keep getting this Spyware/Hijacker message. I've scanned with Spybot & Ad-Aware, but neither has detected anything, but my McAfee keeps popping up with the following kind of On-Access Scan messages quite frequently:

Exploit-MhtRedir.gen (Trojan)
9/19/2005 12:09:32 PM Script execution blocked MICHAELD\Administrator iexplore.exe Script executed by iexplore.exe VBS/Psyme (Trojan)
9/19/2005 12:09:42 PM Script execution blocked MICHAELD\Administrator iexplore.exe Script executed by iexplore.exe VBS/Psyme (Trojan)

9/21/2005 1:32:09 PM Deleted MICHAELD\Administrator Ad-Aware.exe C:\Documents and Settings\Administrator\Local Settings\Temp\AAWTMP\C814281A66C8\GetAccess.class Exploit-ByteVerify (Trojan)
9/21/2005 1:32:16 PM Deleted MICHAELD\Administrator Ad-Aware.exe C:\Documents and Settings\Administrator\Local Settings\Temp\AAWTMP\C814281A66C8\InsecureClassLoader.class Exploit-ByteVerify (Trojan)
9/21/2005 1:32:16 PM Deleted MICHAELD\Administrator Ad-Aware.exe C:\Documents and Settings\Administrator\Local Settings\Temp\AAWTMP\C814281A66C8\Dummy.class Exploit-ByteVerify (Trojan)
9/21/2005 1:32:16 PM Deleted MICHAELD\Administrator Ad-Aware.exe C:\Documents and Settings\Administrator\Local Settings\Temp\AAWTMP\C814281A66C8\Installer.class Exploit-ByteVerify (Trojan)


Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:00:59 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124981279384
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A0D10B-9A77-4495-AB09-B1677829EF96}: NameServer = 203.115.71.66 203.115.81.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{C73F7614-E779-4FBD-8396-454BB53A58D6}: NameServer = 203.115.71.66,202.255.1.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{F16F66F1-D5B3-4EEC-86D8-A85DC5F7903F}: NameServer = 203.115.71.66,202.255.1.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{26A0D10B-9A77-4495-AB09-B1677829EF96}: NameServer = 203.115.71.66 203.115.81.38
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Any help would be deeply appreciated.


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:02:26 AM

Posted 26 September 2005 - 09:13 AM

Hello sidan, and welcome to the BC HijackThis forum. I do not see any problems in the log. It is clean. Since all of the McAfee examples deal with IE temporary file items, I would suggest running a good cleaning program and cleaning out the system's temp folders.

Download CCleaner and install it. Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Other than that you should be good to go.

Cheers.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
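OldTimer's verdict above rests on where each McAfee hit landed: scripts blocked inside the browser never touched disk, and .class files deleted out of a Temp folder are cached exploit artifacts that cannot start on their own, while a hit outside such folders would send a helper back to the autostart sections (O4, O20, O23) of the HJT log. The Python script below, added here and not part of the thread or of any McAfee or HijackThis tool, parses On-Access Scan lines in the format quoted in the first post and applies that reasoning. The sample lines are constructed (backslashes restored, plus one hypothetical hit under System32 to exercise the review branch), and the action list and temp-folder markers are assumptions that cover only what the thread shows.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Actions seen in the On-Access Scan lines quoted in the thread (assumption:
# other VirusScan actions exist; add them here and the regex picks them up).
ACTIONS = ("Deleted", "Script execution blocked")

# Field order of one log line, as quoted in the first post:
#   <date> <time> <action> <DOMAIN\user> <process> <object> <threat> (<kind>)
# <object> is a file path or a phrase like "Script executed by iexplore.exe"
# and may contain spaces; <threat> never does, so the lazy match resolves.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r") "
    r"(?P<user>\S+) (?P<process>\S+) (?P<obj>.+?) (?P<threat>\S+) \((?P<kind>[^)]+)\)$"
)

# Folder fragments that mark scratch or browser-cache locations (assumed set,
# matched case-insensitively against the object path).
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def is_temp_location(path: str) -> bool:
    """True when the object lives under a Temp or IE cache folder."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


@dataclass
class Event:
    timestamp: str
    action: str
    user: str
    process: str
    obj: str
    threat: str
    kind: str

    def verdict(self) -> str:
        # Script stopped at execution time inside the browser: nothing was written.
        if self.action == "Script execution blocked":
            return "blocked_in_browser"
        # A file deleted from a scratch/cache folder is a cached exploit artifact;
        # it had no autostart hook and could not run on its own from there.
        if is_temp_location(self.obj):
            return "cached_artifact_removed"
        # Anything elsewhere deserves a look at the HJT autostart sections.
        return "review_persistent_location"


def parse_line(line: str) -> Optional[Event]:
    """Parse one On-Access Scan line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        timestamp=f"{m['date']} {m['time']}",
        action=m["action"], user=m["user"], process=m["process"],
        obj=m["obj"], threat=m["threat"], kind=m["kind"],
    )


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events: List[Event]) -> dict:
    """Count events per verdict, e.g. {'cached_artifact_removed': 2, ...}."""
    return dict(Counter(e.verdict() for e in events))


# Constructed sample: three lines modelled on the thread's log, one hypothetical
# hit outside any temp folder, and one non-log line that the parser must skip.
SAMPLE_LOG = "\n".join([
    r"9/19/2005 12:09:32 PM Script execution blocked MICHAELD\Administrator iexplore.exe Script executed by iexplore.exe VBS/Psyme (Trojan)",
    r"9/21/2005 1:32:09 PM Deleted MICHAELD\Administrator Ad-Aware.exe C:\Documents and Settings\Administrator\Local Settings\Temp\AAWTMP\C814281A66C8\GetAccess.class Exploit-ByteVerify (Trojan)",
    r"9/21/2005 1:32:16 PM Deleted MICHAELD\Administrator Ad-Aware.exe C:\Documents and Settings\Administrator\Local Settings\Temp\AAWTMP\C814281A66C8\Installer.class Exploit-ByteVerify (Trojan)",
    r"9/21/2005 1:40:00 PM Deleted MICHAELD\Administrator explorer.exe C:\WINDOWS\System32\constructed-example.dll Exploit-ByteVerify (Trojan)",
    "Exploit-MhtRedir.gen (Trojan)",
])

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(f"{e.timestamp:21} {e.threat:19} {e.verdict():27} {e.obj}")
    print(summarize(events))
```

Run as-is it prints one line per parsed event followed by the verdict counts; feed it a real On-Access Scan export with `parse_log(open(path).read())`. The fragment "Exploit-MhtRedir.gen (Trojan)" is dropped on purpose, as it carries no timestamp or path to triage, which is how the parser treats any line that does not match the full field layout.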


#3 sidan

sidan
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:26 AM

Posted 28 September 2005 - 05:49 AM

I've installed CCleaner, thanks for your help.

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:02:26 AM

Posted 28 September 2005 - 06:50 AM

You are welcome sidan.

This topic is now closed.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
