Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

IE Spyware

Started by davetr57 , Jun 23 2005 10:24 PM

  • Please log in to reply

#1
davetr57
Posted 23 June 2005 - 10:24 PM

davetr57

    Member

  • Member
  • PipPip
  • 17 posts
Please help me with this. I'll try & explain as best I can. First, what is happening & Second, what I've done.
1. Whenever I open IE a second session will open to [bleep] sites. It also loads [bleep] sites to My Favorites & to my kids also. I've had to ban the computer in our house till I can get rid of this crap.
2. I added McAfee Antispyware but, it is still there. I didn't try CleanUp. I updated to Ad-aware SE & still no luck. I didn't run CWShredder & Spybot didn't help. I did run Ewido & will attach log. I didn't run Trend Housecall. I didn't run Windows Update yet. I ran Hijack this & will show log. I been trying for over a week without any luck. My computer is starting to bog down from scans I've been running.
Any help will be GREATLY APPRECIATED!!!

-----------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:48:44 PM, 6/23/2005
+ Report-Checksum: E09462F4

+ Date of database: 6/24/2005
+ Version of scan engine: v3.0

+ Duration: 56 min
+ Scanned Files: 182964
+ Speed: 53.75 Files/Second
+ Infected files: 10
+ Removed files: 10
+ Files put in quarantine: 10
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\David\Cookies\david@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\David\Cookies\david@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\David\Cookies\david@S153583[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Patrick\Cookies\patrick@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Patrick\Cookies\patrick@S126436[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Tiffany\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Downloads\Wcbowl-dm[1].exe -> Spyware.Trymedia.a -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000572.exe -> Spyware.P2PNetworking -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0000573.DLL -> Spyware.P2PNetworking -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0000618.dll -> TrojanDownloader.QDown.t -> Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:35:33 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nova Development\Greeting Card Factory\ReminderApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\David\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ohb - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - C:\WINDOWS\system32\siq.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory\ReminderApp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} (iiittt Class) - http://tb.searchitqu...com/v30/siq.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

Advertisements

#2
Wizard
Posted 24 June 2005 - 05:02 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hello davetr57 and Welcome!

We need to get HijackThis into a Permanent folder!

To do this>"Right Click" the Desktop>Select "New">Select "Folder">Name it whatever you like!

Now locate the original Zip file for HijackThis and place it in the new folder!

Unzip and "Extract All Files"

Be sure to follow this process for each User Account!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Right Click the TaskBar,near the clock,select Task Manager>> Click Processes

Locate and Instances of Rundll32.exe>> Highlight and Select End Process!

Locate and Delete these

C:\WINDOWS\system32\siq.dll<< File Only!

C:\Program Files\Toolbar<< Folder!

Click Start>> Click Run>> Type in the Bold Commands below and Click OK!

regsvr32 /u siq.dll
If you get an error message,try it like this:
regsvr32 /u C:\WINDOWS\system32\siq.dll

regsvr32 /u toolbar.dll
or
regsvr32 /u C:\Program Files\Toolbar\toolbar.dll

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: ohb - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - C:\WINDOWS\system32\siq.dll

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with a fresh HijackThis log and the reults from Panda!
  • 0

#3
davetr57
Posted 29 June 2005 - 10:43 PM

davetr57

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
sorry i took so long. very busy. things not going right. not sure how i did with your instructions. i tried. attached panda scan & hijack logs for all accounts

daveAttached File  Activescan.txt   5.59KB   105 downloadsAttached File  nan.txt   7.5KB   158 downloadsAttached File  patr.txt   7.09KB   140 downloadsAttached File  tiffr.txt   7.05KB   121 downloadsAttached File  zac.txt   7.36KB   102 downloadsAttached File  dave.txt   7.11KB   155 downloads
  • 0

#4
Wizard
Posted 30 June 2005 - 02:11 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Wow,Excellent job my friend!!! :tazz:

Lets see if I can do as well as you have!

Follow these Instructions for each User name!

For all Users run this removal tool first
http://www.microsoft...&displaylang=en

Then go to Add\Remove Programs and Remove any Instances of

TV Media
Lycos\Side Search
P2P Networking
Kazza
Fun Web Products
ZSearch

Check each User Name for the follownig Files and Delete if Found

C:\WINDOWS\smdat32m.sys<< File

C:\WINDOWS\smdat32a.sys<< File

C:\WINDOWS\artmmp.ini<< File

C:\WINDOWS\SYSTEM32\xmltok.dll<< File

C:\WINDOWS\SYSTEM32\xmlparse.dll<< File

C:\WINDOWS\SYSTEM32\cd_clint.dll<< File

C:\WINDOWS\system32\P2P Networking<< Folder

C:\Program Files\Kazaa<< Folder

C:\Program Files\TV Media<< Folder

C:\Program Files\zSearch<< Folder

C:\Documents and Settings\Tiffany\Local Settings\Temp<< Find that folder for each user and delete the entire contents inside the folder!

C:\Documents and Settings\David\Application Data\tvmknwrd.dll<< File

C:\Documents and Settings\David\Application Data\Lycos<< Folder

For each User Remove with HijackThis if found

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} (iiittt Class) - http://tb.searchitqu...com/v30/siq.cab

Make sure all Windows and Browsers are Closed before hitting "Fix Checked"

I think I got it all!!!

Scan the System with Ad Aware or Microsoft Antispyware or Spybot!

Install these 2 programs

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC

Go back and Renable System Restore by Unchecking the Box and Moving the Slider to the Half Way Position!

Let me know how things go!

Edited by Cretemonster, 30 June 2005 - 02:12 AM.

  • 0

#5
davetr57
Posted 20 July 2005 - 10:32 PM

davetr57

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
It seemed to do the job. Thanks alot :tazz: sorry for late reply
  • 0

#6
Wizard
Posted 21 July 2005 - 06:48 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
So is all seem well??

Lets see a fresh HijackThis log and let me know how the machine is acting?
  • 0

#7
davetr57
Posted 23 July 2005 - 02:39 AM

davetr57

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
ya know, since i been asking you for help, i've started to get junk email.
THANKS ALOT!!!!!! :tazz: i appreciated the help but, not thanks for the junk email.


CONSIDER THIS CONVERSATION TERMINATED!!!!!!!!!!!!!!!!!!!!!!!!!!!
  • 0

#8
Wizard
Posted 23 July 2005 - 03:59 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
LMFAO!!!!

If you associate the 2 together,then you need far more than help with the PC! :tazz:
  • 0

#9
davetr57
Posted 23 July 2005 - 12:50 PM

davetr57

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
both happened about the same time. sometimes it's hard to trust people. if you know what i mean. :tazz: sorry but, it's very frustrating getting that junk.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP