Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Spylocked Spyware


  • Please log in to reply
3 replies to this topic

#1 TheSeXpeRT

TheSeXpeRT

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 28 April 2007 - 12:14 PM

Hi everyone this is my first time posting in this forum, i've read through some of the other posts and realize you got some smart people posting and helping here. I found many posts about spylocked but maybe its just me, because im still absolutely befuddled as to what i can do to remove this vicious rogue anti-spyware. i have downloaded HiJackThis and followed the steps as best as i could and you will find my log posted at the end of this message. If anyone could help me remove this it would be Greatly appreciated. I am using Windows Millennium Edition, and the problem occured while i was no where near the computer, it seems that every time my Parents go on the computer something like this happens. I wouldnt be able to tell you what they wre doing on the internet when this happened. well this is my log and i would appreciate if someone could help.

Thanking you all in advance,

Francesco :thumbsup: :flowers:

Logfile of HijackThis v1.99.1
Scan saved at 12:50:29 PM, on 28/04/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: ProxyReset Class - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\SYSTEM\RESTORE\RSTRUI.EXE /f
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_11\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_11\BIN\SSV.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: @Home - {B6AFDEBB-EA41-4190-82D8-B36F907C7E01} - http://home.excite.ca (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.ca/
O21 - SSODL: bedstead - {b23dc537-3e13-44c7-bf67-d8405eb377f7} - (no file)

Edited by TheSeXpeRT, 28 April 2007 - 12:17 PM.


BC AdBot (Login to Remove)

 


#2 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 03 May 2007 - 08:43 PM

Howdy TheSeXpeRT,


A belated welcome to Bleeping Computer. Infection is showing here, but as some time has passed since you posted the log and with the possibility you have made some changes since then, let's start afresh by you running and posting back a new HijackThis log.


Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here, along with the new HijackThis scan please. You can use separate posts here if needed.
Ad eundum quo no duck ante iit

#3 TheSeXpeRT

TheSeXpeRT
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 05 May 2007 - 08:36 AM

Hi JinTan i thank you very much for the warm welcome! :flowers: I have to say im a tiny bit dissappointed by the way it took pretty long for a response, not that im ragging on you guys im sure you were very busy, but in the wait time i decided to try a system restore, and it was a success, i've had no problems since then i thank you very much for everything though, your hospitality was much appreciated, now im gonna go and look through other posts see if theres anything I can do to help others! :thumbsup:

Yours Truly,

TheSeXpeRT

Edited by TheSeXpeRT, 05 May 2007 - 08:37 AM.


#4 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 05 May 2007 - 03:17 PM

Picture the line there would be if they gave away free hamburgers at the local eatery. But yes, all volunteers here and many, many new requests for what is often a complex repair process. Good you got your system where you want it, and thanks for posting back the update.
Ad eundum quo no duck ante iit




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users