Major Spyware Problem [Archive] - Glock Talk


USMCsilver
12-03-2004, 16:15
I don't know what has gotten ahold of my PC, but it won't let go!

I've run SpyBot Search & Destroy, Ad-Aware, and SpySubtract and something is still giving me problems.

Every 10-15 minutes, I get a new browser window opening up on its own and going to this address: http://69.20.56.3/normal/yyy12.html . DO NOT CLICK LINK! It tosses an "exploit" virus onto my machine. Another address it keeps going to is: http://e.rn11.com/a/a174-admed-ron

What can I do besides switching browsers?

dgg9
12-03-2004, 16:31
You may have to reimage the PC.

hwyhobo
12-03-2004, 16:32
You could try Hijackthis:

http://www.tomcoyote.org/hjt/

t.

WFO2
12-03-2004, 16:36
I would suggest that you get a trial version of NOD32. It is a killer program and will find trojans and spyware like you would not believe. For normal scanning I use the Lavasoft product Ad-Aware... But to really scan, NOD32 is hard to beat...

USMCsilver
12-03-2004, 16:58
I ran a trial version of Spyware Doctor after running the other three, and it found 126 infections including whatever was hijacking my system. In order to "cure" it, I had to buy it. Oh well. $30 is not too much to gripe over with real-time protection; not to mention, it found everything that the others seemed to have missed.

0100010
12-03-2004, 21:39
A guy who sits 2 offices away from me has this same problem at work. He's been working on it trying to fix it for 2 days. I'll send him a link to this post - if he's figured out how to fix it, I'll post it here. He was contemplating re-imaging his PC though...

fastvfr
12-04-2004, 11:33
I have yet to find a browser hijacker or other exploit I couldn't remove from a client's PC. Maybe I'm just lucky.

HJT is good but you MUST install it to the root of the drive your OS is on...IOW, C:\HJT.exe...

Do a full registry backup, then toss everything that looks like, resembles, or rhymes with the URLs you are getting redirected to.

Then empty your Hosts and LMHosts files. Finally open Internet Options in the CP and, in the Security tab, click the Trusted Sites button and remove everything from within it.

THEN QUIT USING INTERNET EXPLODER FOR A BROWSER!!!!

Go like a man with a REAL Internet browser. (http://www.mozilla.org/)

Why on earth would anyone want to use a browser that even the Gub-ment claims is full of security holes?! Seriously, IE is dead and you are smelling its remains. Move on; you'll get used to Tabbed Browsing and freedom from popups in a biiig hurry, trust me!

Good luck,

FastVFR

0100010
12-04-2004, 12:23
I cleaned up my co-worker's infected PC this morning. Most of the files causing the issue were hidden in C:\Winnt\Downloaded Program Files\ (I just emptied the whole folder; he can re-download the IE plugins he wants), and there was a registry entry for jrrouw.class that kept creating one of two .exe files, either piitkg.exe in C:\Documents and Settings\All Users\Start Menu\Startup or obbpra.exe in C:\Winnt\System32\. Along with either of those .exe's being created were two .dll's, suuoip.dll and zqqola.dll, both in C:\Winnt\System32\.

The interesting part was that when either of those .exe's was running, you could not see it as a process in Task Manager. I had to end task on them using Process Explorer (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml), and once they were stopped, you could see and delete the files in Explorer.

Once I got all the files deleted and the registry entries cleaned up, his system is back to normal.

10 Ring Tao
12-04-2004, 13:30
What operating systems are we talking about here?

0100010
12-04-2004, 15:28
The PC I cleaned this morning was Win2K SP4.

USMCsilver
12-04-2004, 17:15
I'm using XP w/ SP2.

After buying that software, I am still getting the problems that I thought it would cure. I just searched for the two files mentioned above, but neither turned up.

Damn PCs!

0100010
12-04-2004, 18:46
In my post above is the link for Process Explorer; download, extract and run it. It helps if you end task on all possible known processes first through Task Manager, then run it. Watch what extra processes are running or show up; when you see one, highlight it, switch to tracking the DLLs utilized, and start deleting them. Verify they are not needed DLLs first by checking out the Properties tab (if they don't have one, it's probably malicious).

USMCsilver
12-04-2004, 19:11
0100010 - I downloaded, but almost everything I click on: Error opening process: access denied.

0100010
12-04-2004, 21:27
What OS? Do you have proper access rights (admin)?

0100010
12-04-2004, 21:29
Also - have you run HiJackThis?

USMCsilver
12-05-2004, 15:38
Here's my log. No one has gotten to me yet at the other forum:

Logfile of HijackThis v1.98.2
Scan saved at 6:12:57 PM, on 12/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\WINDOWS\System32\msvcmm32.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\eBay\eBay Toolbar\4.4.0.2\ebaytbar.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\System32\msvcmm32.exe
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.2\ebaytbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.2\eBayBand.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.2\eBayBand.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall....adp?clientId=2
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - http://redirect.hp.com/presario/hp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7BA16120-B314-4EE4-A676-8B4B33909513} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/events/b...7203/MILive.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp...23/cpbrkpie.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2...yer5.2AxWin.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab

fastvfr
12-05-2004, 19:38
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

Oooh yeah, that IS some nasty Malware!! Don't believe me?! Try googling AOHell gripes once.

Is "http://searchmiracle dot com/sp.php" something you wanted?

I recommend to NEVER USE any kind of "search assistant", WeatherBug, E-Wallet, or toolbar-type addon BS in Internet Exploder, for obvious reasons.

If you want to block popups, enable that in Mozilla and toss IE. If you want to search, learn how to use Google properly.

Good luck; I know this stuff isn't easy for a layman to beat. I was one once myself, before my tenure in the trenches began.

Washington,D.C.
12-05-2004, 19:46
The ones that have worked for me are AdAware, Spybot, SpySweeper and CCleaner. SpySweeper is really powerful. Get the updates before running it. There have been recent updates for AdAware and Spybot. Trend Micro's online virus scan found infected files that Norton missed. Trend Micro also repaired/removed them.

0100010
12-05-2004, 22:30
Things that stand out on your list to me :

Running processes:
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\eBay\eBay Toolbar\4.4.0.2\ebaytbar.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.2\ebaytbar.exe

Ebay Toolbar is usually spyware - unless this is the real one and you use it. DataViz Messenger - if you know what this is keep it, I'm not familiar with it. RecGuard.exe and UpdReg.exe - find out what these are. Have you intentionally changed your default IE search page to searchmiracle.com?
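
The kind of triage 0100010 does by eye above, as an added example that is not from the thread or from HijackThis itself: a small Python helper that parses HijackThis-format entries and flags Hosts lines that redirect a hostname to a remote address, IE search/start pages outside a trusted-domain allowlist (assumed here to be Microsoft's own domains), and autoruns outside Program Files that should be identified before they are trusted. The sample lines are constructed from the entry shapes in the log above.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.98 log format; the entry shapes mirror
# the thread's log, but only a handful of representative lines are included.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.msn.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [Recguard] C:\\WINDOWS\\SMINST\\RECGUARD.EXE
O4 - HKLM\\..\\Run: [IntelliPoint] "C:\\Program Files\\Microsoft IntelliPoint\\point32.exe"
"""

# Assumption: domains an IE search/start page is expected to point at. A real
# allowlist would be the user's own; Microsoft's domains stand in here.
TRUSTED_SEARCH_DOMAINS = ("msn.com", "microsoft.com")
# A Hosts entry pointing anywhere but loopback/null is a redirection, not a block.
LOCAL_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r'Run: \[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]+?\.exe)', re.I)


def domain_is_trusted(url):
    """True if the URL's host is one of (or a subdomain of) the trusted domains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SEARCH_DOMAINS)


def triage(log_text):
    """Return (code, severity, reason) tuples for log entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")
        if code == "O1":  # Hosts file: a well-known hostname mapped to a remote IP
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOCAL_HOSTS_TARGETS:
                findings.append((code, "high",
                                 f"Hosts redirects {h.group('host')} to {h.group('ip')}"))
        elif code in ("R0", "R1") and "http" in body:  # IE search/start page override
            url = body.split("=", 1)[1].strip()
            if not domain_is_trusted(url):
                findings.append((code, "high", f"IE search/start page set to {url}"))
        elif code == "O4":  # autorun outside Program Files: identify before trusting
            r = RUN_RE.search(body)
            if r and "program files" not in r.group("path").lower():
                findings.append((code, "verify",
                                 f"autorun '{r.group('name')}' runs from {r.group('path')}"))
    return findings
```

Run `triage()` over the text of a saved log; "high" findings are the hijack indicators, "verify" findings are the "find out what these are" list.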

WFO2
12-06-2004, 02:38
I am telling you, man, give this a shot...

http://www.nod32.com/scriptless/download/trial.htm

WFO2
12-06-2004, 02:40
I run dataviz on my palm pilot..........

Washington,D.C.
12-06-2004, 13:22
http://majorgeeks.com/download4188.html

Sulaco
12-06-2004, 15:23
Sterling, just reformat your hard drive and start over. You have already spent more time and effort than you would have doing this to begin with. Plus, it is the only sure fix.

Gecko10
12-08-2004, 07:08
I am not a computer expert in any way, shape or form. However, my browser has been hijacked two times in the last 30 days (RX Med Redirector), so I have been reading as much as I can about this. I have noted in every HiJack This log I have read that there appears to be some reference to the Google Tool Bar. I'm wondering if there is possibly some connection to this newest spate of hijacks?

BTW I'm running XP +SP2, IE 6, Ad-Watch, Ad-Aware SE, Spybot, Norton IS 2005. Nothing seems to detect this redirector.

Washington,D.C.
12-08-2004, 07:42
http://majorgeeks.com/download3019.html

Washington,D.C.
12-08-2004, 07:42
http://majorgeeks.com/download3263.html

10 Ring Tao
12-08-2004, 11:51
Originally posted by Sulaco
Sterling, just reformat your hard drive and start over. You have already spent more time and effort than you would have doing this to begin with. Plus, it is the only sure fix.

Agreed.

pointman12
12-08-2004, 12:13
Silver

First, go here and look at this list... don't buy any of these so-called spyware/adware finder programs... www.spywarewarrior.com/rogue_anti-spyware.htm

I think you need to find out how to get rid of the backweb that HijackThis found... it's spyware... try searching the web on how to remove it and see if that helps with the pop-ups...

USMCsilver
12-08-2004, 12:42
Originally posted by pointman12

I think you need to find out how to get rid of the backweb that HijackThis found... it's spyware...

The backweb thing seems to be a part of my Charter Hi-Speed Security Suite offered by F-Secure. I am pretty positive it is harmless...