PDA

View Full Version : Help! Spyware found in registry...



Yevon
2006-04-06, 06:22
Hello all. I looked through my friend's Hijack This log and she has some nasty stuff. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 18:52:04, on 03.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ismyjk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Marisa Roberts\My Documents\download\lilfluffball07\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [MS Updates] C:\WINDOWS\mscache.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gmeovn] C:\WINDOWS\system32\ismyjk.exe r
O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: SpeedUpMyPC.lnk = C:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF}
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Yevon
2006-04-07, 06:47
:confused: Anybody there?

illukka
2006-04-08, 23:55
hi
Welcome,
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ewido security suite (http://www.ewido.net/en/download/) it is a free version of the program.
Install ewido security suite
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Don't run it yet!

Please download this file: Nailfix Utility (http://www.noidea.us/easyfile/file.php?download=20050711214630636)
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip (http://www.atribune.org/downloads/dsrfix.zip)
Save it to your desktop.
Unzip dsrfix.zip and extract it to your desktop.
This will create a new folder on your desktop named dsrfix.
Do Not open that folder yet.
Please download APT (http://www.diamondcs.com.au/index.php?page=apt) and unzip the contents to a new folder on your desktop.
Open the folder you just created and click on apt.exe and search in the window for
C:\WINDOWS\system32\ismyjk.exe.
Open your C:\Windows\system32 folder and search for
C:\WINDOWS\system32\ismyjk.exe.
Don't delete it yet, just leave the system32 folder open so you can see the bad file.
In APT again, Select
C:\WINDOWS\system32\ismyjk.exe and Click Kill3

Then immediately delete
C:\WINDOWS\system32\ismyjk.exe from your system32 folder.
Close APT.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft (http://support.microsoft.com/default.aspx?kbid=315222):

Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, start tapping press F8 key.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Double-click ATF-Cleaner.exe to run the program.Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now open Ewido and do a scan of your system.
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - SOFTWARE - (no file)


Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.
Double-Click on dsrfix.bat
A window will pop up briefly then close, this is normal.


Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

Yevon
2006-04-09, 08:16
I recently ran Panda ActiveScan and it came back with these results. Now, my only concern is the object in my registry, which I've gone looking for and can't find. Can someone please help?? Here's my scan results:


Incident Status Location

Spyware:spyware/cws.olehelp Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\April\Cookies\april@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\April\Cookies\april@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\April\Cookies\april@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\April\Cookies\april@adrevolver[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\April\Cookies\april@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\April\Cookies\april@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\April\Cookies\april@belnk[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\April\Cookies\april@casalemedia[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\April\Cookies\april@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\April\Cookies\april@dist.belnk[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\April\Cookies\april@fastclick[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\April\Cookies\april@maxserving[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\April\Cookies\april@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\April\Cookies\april@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\April\Cookies\april@realmedia[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\April\Cookies\april@statcounter[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\April\Cookies\april@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\April\Cookies\april@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\April\Cookies\april@zedo[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\April\Application Data\Mozilla\Firefox\Profiles\b5drmuwv.default\cookies.txt[]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\April\Cookies\april@adrevolver[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\April\Cookies\april@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\April\Cookies\april@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\April\Cookies\april@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\April\Cookies\april@dist.belnk[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\April\Cookies\april@maxserving[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\April\Cookies\april@realmedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\NPROTECT\00000103.MOZ[]

Yevon please use the add reply button

illukka
2006-04-09, 15:37
how about the hiajckthis log?
AND the ewido scan report that i asked for ?

illukka
2006-04-11, 15:47
Yevon, still with us ?

tashi
2006-04-17, 23:54
This topic is closed.



BEFORE you post a log, and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279 )