
Author Topic: Spyware/ its gotten resistant  (Read 1061 times)

Offline Reno

  • Established Member
  • ****
  • Posts: 1286
  • ø¤º° bob °º¤ø
Spyware/ its gotten resistant
« on: June 30, 2004, 04:45 »
I pretty much have this guy's problem. I found a problem similar to this on a friend's XP machine and found a way to fix it using a Run command, but for the life of me I can't remember the command. Well, anyway, I haven't been able to crack this one for 2 weeks and it's getting really f*ckin annoying. Could someone give me a hand?

Quote
Could someone give me a hand? My IE6 on Windows 2000 is randomly displaying popups. Some sample URLs:

http://www.00z70az77mnsa-00swj1zzprh.com/go.php?l=0009

http://207.36.201.11/studiosoft.org/ad/ads...&qslot=2&vid=-1

Also, IE windows won't maximize properly anymore; they just move to another area on the screen.

I've tried running the latest Ad-Aware, Spybot, and CWShredder several times, and they removed some things, but not everything. Below are my logs from HijackThis.

Thank you very much,
Jacob


http://forums.spywareinfo.com/index.php?showtopic=7046



Logfile of HijackThis v1.97.7
Scan saved at 8:40:48 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe
C:\WINDOWS\System32\indowsLogonW.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob Scrachy\My Documents\Applications\Sypware and Virus Scanners\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [indowsLogonW] C:\WINDOWS\System32\indowsLogonW.exe
O4 - HKCU\..\Run: [twain_32] C:\WINDOWS\twain_32.exe
O4 - Global Startup: LimeWire 4.0.6 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.0.6 Pro\LimeWire.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run WinHTTrack (HKLM)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: SWFDecompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.7917939815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Offline Simon

  • Administrator
  • *****
  • Posts: 77069
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Spyware/ its gotten resistant
« Reply #1 on: June 30, 2004, 08:04 »
Have you tried running the removal tools in Safe Mode, with System Restore switched off, Bob?
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Reno

  • Established Member
  • ****
  • Posts: 1286
  • ø¤º° bob °º¤ø
Re:Spyware/ its gotten resistant
« Reply #2 on: June 30, 2004, 19:45 »
Nah man, one of the first things I tried was going into Safe Mode. It had no effect.

Offline Dack

  • Established Member
  • ****
  • Posts: 831
Re:Spyware/ its gotten resistant
« Reply #3 on: June 30, 2004, 19:46 »
You are missing a few lines on this post (the hosts and search page ones, the sep.dll, etc.) BUT this should get you started.


O4 - HKLM\..\Run: [indowsLogonW] C:\WINDOWS\System32\indowsLogonW.exe


You can also delete the annoying java update scheduler and Nero Check.

Just make sure that when you have HJT running you have all the other file browser windows, etc., closed down. You might also get some interesting results if you rename HijackThis, in case anything is looking for the specific application running and hiding itself as a result. (Wot...me paranoid :))

The other log requires these fixes for starters - even though you seem to be running a different virus scanner :)
Quote

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: [...]
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\system32\bridge.dll       win favourites
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll       Pepper trojan
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\Run: [2LCC6MH525LE@J] C:\WINNT\system32\Xkej.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe Trojan
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/050c7490d73372...ip/RdxIE601.cab


Don't know what this one is though:
O4 - HKLM\..\Run: [SVPMSGR] C:\WINNT\system32\SVPMSGR.exe

If you right-click on it and do a Properties, it should give some info.

You seem to have had several different problems between the HJT logs.

And do the Windows updates!
They promised the earth! Then delivered mud.
Technically it did meet the spec.
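Dack's rule of thumb above (an unknown binary living directly in System32 or the Windows directory, rundll32 loading a DLL at logon, an entry name that looks random or that imitates a Windows component, a BHO whose CLSID nobody recognises) can be turned into a first-pass triage of a HijackThis log. The Python below is an added example, not code from this thread or from HijackThis. The sample lines are copied from the two logs quoted in the thread; the two allowlists are an assumption and contain only the entries the thread treats as legitimate (Spybot's SDHelper, the NVIDIA, AVG, Nero, QuickTime and Java Run entries), so anything not on them is reported for a human to look at, exactly as a forum helper would.

```python
import re

# Added example: first-pass triage of HijackThis O2/O4 lines. Not HijackThis
# code. The allowlists are an assumption built only from entries this thread
# treats as legitimate; a real list would be far longer.
KNOWN_GOOD_RUN = {"nvcpldaemon", "avg_cc", "nerocheck", "quicktime task",
                  "sunjavaupdatesched"}
KNOWN_GOOD_BHO = {"{53707962-6F74-2D53-2644-206D7942484F}"}  # Spybot SDHelper
LURE_WORDS = ("windows", "logon", "microsoft", "system")

# Sample lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\system32\bridge.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [indowsLogonW] C:\WINDOWS\System32\indowsLogonW.exe
O4 - HKCU\..\Run: [twain_32] C:\WINDOWS\twain_32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\Run: [2LCC6MH525LE@J] C:\WINNT\system32\Xkej.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKLM\..\Run: [SVPMSGR] C:\WINNT\system32\SVPMSGR.exe
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# First drive-letter path ending in .exe/.dll, so "rundll32.exe C:\...\x.dll,Load"
# yields the DLL rather than rundll32 itself.
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"]+?\.(?:exe|dll)', re.IGNORECASE)


def in_system_dir(path):
    """True if the file sits directly in System32 or the Windows root."""
    parent = path.rsplit("\\", 1)[0].lower()
    return parent.endswith("\\system32") or parent in ("c:\\windows", "c:\\winnt")


def check_run_entry(name, cmd):
    """Return the list of heuristics an O4 Run entry trips (empty = looks fine)."""
    if name.lower() in KNOWN_GOOD_RUN:
        return []
    reasons = []
    m = PATH_RE.search(cmd)
    if m is None:
        reasons.append("no full path (resolved via PATH at logon)")
    elif in_system_dir(m.group(0)):
        reasons.append("unknown binary in a Windows system directory")
    if cmd.lower().startswith("rundll32"):
        reasons.append("rundll32 loading a DLL at logon")
    if "@" in name or (re.search(r"\d", name) and len(name) >= 10):
        reasons.append("random-looking entry name")
    if any(word in name.lower() for word in LURE_WORDS):
        reasons.append("name imitates a Windows component")
    return reasons


def check_bho(clsid, path):
    """Any BHO whose CLSID is not on the allowlist is worth a look."""
    if clsid.upper() in KNOWN_GOOD_BHO:
        return []
    reasons = ["BHO with unknown CLSID"]
    if in_system_dir(path):
        reasons.append("DLL in a Windows system directory")
    return reasons


def scan(log_text):
    """Map each suspicious O2/O4 entry (name or CLSID) to the reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            reasons = check_run_entry(m["name"], m["cmd"])
            if reasons:
                flagged[m["name"]] = reasons
            continue
        m = O2_RE.match(line)
        if m:
            reasons = check_bho(m["clsid"], m["path"])
            if reasons:
                flagged[m["clsid"]] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_LOG).items():
        print(f"{entry}: {'; '.join(reasons)}")
```

Run against the sample, the script leaves NvCplDaemon, NeroCheck and SDHelper alone and reports the eight remaining entries, including indowsLogonW (system directory plus a name built from "Windows logon"), the bridge.dll BHO and its matching rundll32 Run entry, and the [2LCC6MH525LE@J] line. Being flagged only means "not on the allowlist and matching a pattern adware used at the time"; the properties check Dack describes is still the next step.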

Offline Reno

  • Established Member
  • ****
  • Posts: 1286
  • ø¤º° bob °º¤ø
Re:Spyware/ its gotten resistant
« Reply #4 on: July 01, 2004, 01:37 »
My machine doesn't seem to have those same files in common, yet I'm getting the same problem. Every third or so IE browser I exit out of, popups come in from

http://www.00z70az77mnsa-00swj1zzprh.com/go.php?l=0009

http://207.36.201.11/studiosoft.org/ad/ads...&qslot=2&vid=-1

Any other ideas? It doesn't seem to be another process running. It acts more like a plugin for the browser.

Offline Reno

  • Established Member
  • ****
  • Posts: 1286
  • ø¤º° bob °º¤ø
Re:Spyware/ its gotten resistant
« Reply #5 on: July 02, 2004, 05:31 »
I didn't get to record which file it was, but the location was in the system32 folder in the Windows directory. 2 adware items were found by Spy Sweeper. It was one of the new definition upgrades for it this week. I wasn't expecting it to take care of the problem, but it did.

Thank y'all for taking a look. I guess I just had to deal with it for 2 weeks before the upgraded definitions came out.

