PDA

View Full Version : Undetectable Spy ................ So Bad :(


SpyReporter
2006-04-03, 13:50
There is a spy ? I can't reset my homepage

There's hijack log file

Logfile of HijackThis v1.99.1
Scan saved at 6:43:09 PM, on 4/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Bkav2006\Bkav2006.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Spyware Doctor\Update.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.016\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: Shell=Explorer.exe %SystemRoot%\inf\systemboot.js
O1 - Hosts: 203.161.78.58 viethacker.org # thang nay thuong hack website nguoi khac
O1 - Hosts: 203.161.78.58 www.viethacker.org
O1 - Hosts: 203.161.78.58 www.huyenanh.ws # thang nay thuong hack website nguoi khac
O1 - Hosts: 203.161.78.58 huyenanh.ws
O1 - Hosts: 203.161.78.58 huexua.net # thang nay tha virus an cap pass cua yahoo
O1 - Hosts: 203.161.78.58 www.huexua.net
O1 - Hosts: 203.161.78.58 haibatrung.info # thang nay tha virus an cap pass cua yahoo
O1 - Hosts: 203.161.78.58 www.haibatrung.info
O1 - Hosts: 203.161.78.58 prompt.zangocash.com # thang nay thuong hack website nguoi khac va chen virus
O1 - Hosts: 203.161.78.58 dongdat.com # thang nay co hang lo website sexy va thuong DDoS nguoi khac, co lan da tan cong DDoS hvaonline.net
O1 - Hosts: 203.161.78.58 www.dongdat.com
O1 - Hosts: 203.161.78.58 thu-dam.net #thang nay khoi can noi cung biet la sexy roi
O1 - Hosts: 203.161.78.58 www.thu-dam.net
O1 - Hosts: 203.161.78.58 thudam.net #thang nay khoi can noi cung biet la sexy roi
O1 - Hosts: 203.161.78.58 giacmongdem.com #Website sexy, chu nhan cua no la www.dongdat.com
O1 - Hosts: 203.161.78.58 www.giacmongdem.com
O1 - Hosts: 203.161.78.58 giacmongdem.net #Website sexy, chu nhan cua no la www.dongdat.com
O1 - Hosts: 203.161.78.58 www.giacmongdem.net
O1 - Hosts: 203.161.78.58 phimvn.net.ms #Website sexy, chu nhan cua no la www.dongdat.com
O1 - Hosts: 203.161.78.58 www.phimvn.net.ms
O1 - Hosts: 203.161.78.58 cakhuc.net.tf
O1 - Hosts: 203.161.78.58 www.cakhuc.net.tf
O1 - Hosts: 203.161.78.58 belood.com
O1 - Hosts: 203.161.78.58 www.belood.com
O1 - Hosts: 203.161.78.58 91daklak.com
O1 - Hosts: 203.161.78.58 www.91daklak.com
O1 - Hosts: 203.161.78.58 songdong.net
O1 - Hosts: 203.161.78.58 www.songdong.net
O1 - Hosts: 203.161.78.58 dantruongx.info
O1 - Hosts: 203.161.78.58 www.dantruongx.info
O1 - Hosts: 203.161.78.58 diachi.int.tl
O1 - Hosts: 203.161.78.58 www.diachi.int.tl
O1 - Hosts: 203.161.78.58 timdiachi.net
O1 - Hosts: 203.161.78.58 www.timdiachi.net
O1 - Hosts: 203.161.78.58 mynhanquan.com
O1 - Hosts: 203.161.78.58 www.mynhanquan.com
O1 - Hosts: 203.161.78.58 viemarket.com
O1 - Hosts: 203.161.78.58 www.viemarket.com
O1 - Hosts: 203.161.78.58 joyiex.com
O1 - Hosts: 203.161.78.58 www.joyiex.com
O1 - Hosts: 203.161.78.58 amnhaclove.us.tc
O1 - Hosts: 203.161.78.58 www.amnhaclove.us.tc
O1 - Hosts: 203.161.78.58 vuonnhac.net.tc
O1 - Hosts: 203.161.78.58 www.vuonnhac.net.tc
O1 - Hosts: 203.161.78.58 girlxinh.uni.cc
O1 - Hosts: 203.161.78.58 nhac.4all.cc
O1 - Hosts: 203.161.78.58 mynhan.com
O1 - Hosts: 203.161.78.58 www.mynhan.com
O1 - Hosts: 203.161.78.58 mynhan.net
O1 - Hosts: 203.161.78.58 www.mynhan.net
O1 - Hosts: 203.161.78.58 baihathay.net.tf
O1 - Hosts: 203.161.78.58 www.baihathay.net.tf
O1 - Hosts: 203.161.78.58 freecardvn.us
O1 - Hosts: 203.161.78.58 www.freecardvn.us
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_6_2_0.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BkavFw] D:\Program Files\Bkav2006\Bkav2006.exe TASKBAR
O4 - HKLM\..\Run: [zzzz] D:\WINDOWS\inf\systemboot.js
O4 - HKLM\..\Run: [dksystem] D:\WINDOWS\inf\systemboot.js
O4 - HKLM\..\RunOnce: [zzzoom] D:\WINDOWS\inf\systemboot.js
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [zzzoom] D:\WINDOWS\inf\systemboot.js
O4 - HKCU\..\Run: [System32] D:\WINDOWS\inf\systemboot.js
O4 - HKCU\..\Run: [zzzzoom] D:\WINDOWS\inf\booter.js
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [zzzoom] D:\WINDOWS\inf\systemboot.js
O4 - HKCU\..\RunOnce: [Windows] D:\WINDOWS\inf\systemboot.js
O4 - HKCU\..\RunOnce: [zzzzoom] D:\WINDOWS\inf\booter.js
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmesaa.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmesaa.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = may20
O17 - HKLM\Software\..\Telephony: DomainName = may20
O17 - HKLM\System\CCS\Services\Tcpip\..\{A557EFAD-2AD9-4AF3-B615-54EA53D4CFA1}: NameServer = 203.162.4.190,203.162.4.191
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = may20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = may20
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - D:\Program Files\Spyware Doctor\sdhelp.exe

and infected files :

Please help me

Hello.
Please send infected files to detections(AT)spybot.info
I removed from your post so that other members don't get infected by clicking on them by mistake.
Also read:
Before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)
You have hjt this running from a rar & temp folder.
tashi
2006-04-07, 19:08
Hello and sorry for the wait.
Please go here and post a link back to this topic to flag a helper.

If you have waited three days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

It would help to expedite matters if hjt was ran from the correct folder as helpers cannot work the log from a temp/rar.
tashi
2006-04-13, 17:26
This topic will be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.