Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

This Needs To Stop!


  • This topic is locked This topic is locked
2 replies to this topic

#1 mannyguy1

mannyguy1

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 12 May 2006 - 02:57 AM

I have this spyware that I can't remove I keep on using ad-ware, and spybot, but it keeps returning..please help!


Logfile of HijackThis v1.99.1
Scan saved at 12:53:15 AM, on 5/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\vh4h.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\srwhost.exe
C:\WINDOWS\System32\ek7y.exe
C:\WINDOWS\System32\48f7979c.exe
C:\WINDOWS\System32\termcaps.exe
C:\WINDOWS\System32\6a2b4fd5.exe
C:\Program Files\paytime.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\srshost.exe
C:\winstall.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00029.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [Microsoft Windows System] srwhost.exe
O4 - HKLM\..\Run: [EK7Y] C:\WINDOWS\System32\ek7y.exe
O4 - HKLM\..\Run: [48f7979c.exe] C:\WINDOWS\System32\48f7979c.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [termcaps] C:\WINDOWS\System32\termcaps.exe
O4 - HKLM\..\Run: [flibud] C:\WINDOWS\System32\ixdpbbk.exe r
O4 - HKLM\..\Run: [6a2b4fd5.exe] C:\WINDOWS\System32\6a2b4fd5.exe
O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\System32\winmuse.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] srwhost.exe
O4 - HKLM\..\RunServices: [termcaps] C:\WINDOWS\System32\termcaps.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O4 - HKCU\..\Run: [48f7979c.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\48f7979c.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\Owner\LOCALS~1\Temp\B.tmp
O4 - HKCU\..\Run: [termcaps] C:\WINDOWS\System32\termcaps.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [6a2b4fd5.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\6a2b4fd5.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00029.exe"
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://free.aol.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c9.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/235891937bae9a...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123974915140
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTSvcCDA.EXE (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\System32\FreezeScreenSaver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: VH4H - Unknown owner - C:\WINDOWS\vh4h.exe

BC AdBot (Login to Remove)

 


#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:12 AM

Posted 12 May 2006 - 01:24 PM

Hi Mannyguy

Welcome to BC. :thumbsup:
It seems that in addition to several other baddies like CWS, haxdoor, backdoor trojans and several other trojans, you have a rather sinister keylogger on your machine as evidenced by these entries below :flowers: :

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00029.exe"
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00029.exe"

This is the standard warning for cases such as yours . . . .

You are strongly advised to do the following immediately (as they apply to your computer useage):

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

These trojans leave a backdoor open on the system that can allow hacker total & complete access to your computer. (Remote access trojan)
Hacker can operate your computer just as if he was sitting in front of it. They can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start & stop programs.

Depending on a few things, like if you always had a firewall; if you are using a router with Hardware firewall, etc. the chances the backdoor was used will be reduced. However, if firewall was installed after the attack...chances are pretty good they did use it.

Since I see no sign of either an antivirus or a firewall in your log, chances are that this system is seriously compromised.

If it were my computer and I just discovered this type of trojan .......I would be backing up my important stuff and re-installing everything from scratch.
There are so many changes that could have been done if that backdoor was used.

That being said...I will leave that decision up to you.

If you do decide to format/re-install and need some help; lots of people here who can help you thru it.

Here are some informative links below to use to help you make a decision:

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/securi...usrat.mspx

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack
http://www.microsoft.com/technet/commun...t1005.mspx

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/commun...m0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/commun...m0704.mspx

http://www.eweek.com/article2/0,1895,1945808,00.asp

Edited by amateur, 12 May 2006 - 08:09 PM.


#3 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:12 AM

Posted 18 May 2006 - 02:17 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me or a moderator with the address of the thread.and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users