Help! Computer with possible spyware infection

President Sharky · Post by **President Sharky** » 2004-07-23 10:39pm

I decided to downloaded "Hijackthis", a free spyware removal program, based on a tip from the virus thread on this board. I just did a scan, and it found some programs that may be spyware, could someone with good computer knowledge here tell me what exactly I should delete, and what are simply customizations?

Logfile of HijackThis v1.97.7
Scan saved at 10:35:12 PM, on 7/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\teekids.exe
C:\documents and settings\dani\local settings\temp\fsg_tmp\ginst_001_1234_4201.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Documents and Settings\Danny\Desktop\HijackThis.exe

Stuff listed in the scan

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theforce.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com
O1 - Hosts: 3466709097 your.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\StopzillaBH0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\dani\local settings\temp\fsg_tmp\ginst_001_1234_4201.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: ClockDown (Star Wars Episode 3) 1.0.lnk = C:\Program Files\ClockDown\ClockDown.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://205.252.249.254:80/iex/ofile.exe ... CA1077.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01b31300866 ... xIE601.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://encarta.msn.com/encnet/external/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... 0232407407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD3963E-CA96-418A-80DB-046283F0473F}: NameServer = 206.47.244.101 206.47.244.61

EmperorMing · Post by **EmperorMing** » 2004-07-24 12:38am

Run Spybot SD 1.3 and then see what's left.

Ma Deuce · Post by **Ma Deuce** » 2004-07-24 12:44am

I use Spybot S&D most of the time, but you may also want to look into Ad-Aware

GoldenFalcon · Post by **GoldenFalcon** » 2004-07-24 10:02am

Running processes:
C:\WINDOWS\system32\services.exe (?)
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\teekids.exe
C:\documents and settings\dani\local settings\temp\fsg_tmp\ginst_001_1234_4201.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com
O1 - Hosts: 3466709097 your.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\StopzillaBH0.dll
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\dani\local settings\temp\fsg_tmp\ginst_001_1234_4201.exe"
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set (?)
O4 - Startup: ClockDown (Star Wars Episode 3) 1.0.lnk = C:\Program Files\ClockDown\ClockDown.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://205.252.249.254:80/iex/ofile.exe ... CA1077.exe
HKLM\System\CCS\Services\Tcpip\..\{5AD3963E-CA96-418A-80DB-046283F0473F}: NameServer = 206.47.244.101 206.47.244.61 (?)

These I am real suspicious of. The ones I mark with (?) are possibly WinXP components, so I'll leave them up to the others.

President Sharky · Post by **President Sharky** » 2004-07-24 05:30pm

Ok thanks a lot, I will now proceed to purge my computer of the evil spyware.

GoldenFalcon · Post by **GoldenFalcon** » 2004-07-24 05:53pm

DO NOT REMOVE SERVICES.EXE IT IS A CRITICAL XP COMPONENT DO NOT!!!

Thank you.

President Sharky · Post by **President Sharky** » 2004-07-24 05:56pm

Thanks for the tip there! That would have been a disaster.

Datana · Post by **Datana** » 2004-07-24 06:02pm

GoldenFalcon wrote:
Running processes:
C:\WINDOWS\system32\services.exe (?)
These I am real suspicious of. The ones I mark with (?) are possibly WinXP components, so I'll leave them up to the others.

services.exe is actually a Windows XP component. It's supposed to handle system services, including Windows Messenger. Pretty critical, so you shouldn't disable it completely. Better to just selectively disable services you don't need from Administrative Tools->Services in the Control Panel.