infected by spyware



DrGiggles
2007-01-23, 04:03
Incident Status Location

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Michael Cho\.jpi_cache\file\1.0\Counter.class-4f780aa4-7da1291d.class
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Michael Cho\.jpi_cache\file\1.0\Gummy.class-421ef8d3-533b7ae6.class
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Michael Cho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-35851aee-1c411492.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Michael Cho\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-35851aee-1c411492.zip[NewURLClassLoader.class]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@adtech[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@as-eu.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@atwola[2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@bfast[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@bluestreak[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@bravenet[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@casalemedia[1].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@citi.bridgetrack[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@com[2].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@counter.hitslink[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@ct.360i[1].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@data.coremetrics[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@did-it[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@drivecleaner[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@ehg-dig.hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@ehg.hitbox[2].txt

DrGiggles
2007-01-23, 04:04
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@fastclick[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@findwhat[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@fortunecity[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@go[1].txt
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@hc2.humanclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@hitbox[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@perf.overture[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@phg.hitbox[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@serving-sys[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@stats1.reliablestats[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@statse.webtrendslive[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@tribalfusion[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@winantivirus[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@www.burstbeacon[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@www.drivecleaner[2].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@www.web-stat[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@www.winantivirus[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@www48.seeq[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Michael Cho\Cookies\mdc@zedo[2].txt

DrGiggles
2007-01-23, 04:05
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\TpShocks.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\v6.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

DrGiggles
2007-01-23, 04:06
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\v6.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.ospraie.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.ospraie.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.ospraie.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

pskelley
2007-01-24, 16:32
Welcome to the forum. If you still need help and are not receiving it elsewhere, I need a little help from you as we proceed.

1) I am not seeing a lot in the HJT log, but I do see this item:
C:\WINDOWS\v6.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\v6.exe
Do you know what this is? My information indicates it could be this:
http://www.liutilities.com/products/wintaskspro/processlibrary/syswin/
If you are unsure, use one or more of these free online scans and post the results:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html


2) Important information in the first four lines of the HJT log is cut off. Please click on Edit then Select All in Notepad, then copy and paste everything highlighted.

3) Follow the directions in this link, make sure you delete or at least quarantine anything located and save the scan results.
http://forums.security-central.us/showthread.php?t=3165

Restart the computer after the scan, then post the scan results from AVG Anti-Spyware, a new HJT log and any information I requested above. Please add any comments you think will help.

Thanks
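
As an added example (not code from this thread or from HijackThis), the triage step pskelley applies above, done mechanically: parse the O4 Run-key lines, flag binaries that launch from an unusual location such as the Windows root, and cross-check the hits against the running-process list. The sample lines are copied from the log posted above; the location heuristic and the function names are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: O4 lines and process paths copied from the log posted above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\v6.exe
"""
SAMPLE_PROCESSES = r"""
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\v6.exe
"""
# HijackThis O4 format: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

def command_target(cmd: str) -> str:
    """File a Run-key command really loads: unquoted path, first bare token, or the rundll32 DLL."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower() in ("rundll32", "rundll32.exe"):
        return rest.strip().split(",")[0].strip()
    return exe

def suspect_reason(path: str) -> Optional[str]:
    """Assumed heuristic: autoruns belong under System32 or Program Files, not the Windows root, Temp or a profile."""
    p = path.lower()
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    if parent in (r"c:\windows", r"c:\winnt"):
        return "launches from the Windows root rather than System32 or Program Files"
    if "\\temp\\" in p or "\\documents and settings\\" in p:
        return "launches from a Temp or user-profile directory"
    return None

def triage_o4(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (hive, value name, target, reason) for each O4 entry worth a second look."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            target = command_target(cmd)
            reason = suspect_reason(target)
            if reason:
                hits.append((hive, name, target, reason))
    return hits

def running_suspects(hits, process_text: str):
    """Keep only the suspects whose target also appears in the running-process list."""
    running = {p.strip().lower() for p in process_text.splitlines() if p.strip()}
    return [h for h in hits if h[2].lower() in running]
```

On the sample above only the `[syswin]` entry is reported, and it is also present in the process list, which is exactly the item the helper singled out.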

DrGiggles
2007-01-24, 22:08
First four lines of the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:55:21 PM, on 1/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

tashi
2007-02-05, 17:37
As the information requested has not been provided, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.