Help! Nasty Spyware Problem

GEC: Discuss gaming, computers and electronics and venture into the bizarre world of STGODs.

Moderator: Thanas

Post Reply
User avatar
salm
Rabid Monkey
Posts: 10296
Joined: 2002-09-09 08:25pm

Post by salm »

phongn wrote:Run HijackThis! and post the log here.
here´s the log:

Logfile of HijackThis v1.97.7
Scan saved at 09:18:25, on 30.03.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMME\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAMME\INOCULATEIT PE\VETTRAY.EXE
C:\PROGRAMME\WIRELESS 4D MOUSE\4DMAIN.EXE
C:\WINDOWS\SYSTEM\HPZTSB09.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAMME\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\WINH.EXE
C:\WINDOWS\SYSTEM\TASKMON.EXE
C:\WINDOWS\SYSTEM\WUPDMGR.EXE
C:\PROGRAMME\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\FRITZ!\FRIWEB32.EXE
C:\PROGRAMME\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\ZOIX\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\INOCUL~1\VETTRAY.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\Wireless 4D Mouse\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Programme\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\taskmon.exe
O4 - HKCU\..\Run: [System Update2] c:\windows\system\wupdmgr.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - User Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Bild in &Microsoft PhotoDraw öffnen - res://C:\PROGRA~1\MICROS~1\OFFICE\1031\PHDINTL.DLL/phdContext.htm
O9 - Extra button: PhoenixNet (HKLM)
O12 - Plugin for .SWF: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .wav: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {67B15B0B-160C-4579-95AF-858169659092} (IELoaderCtl Class) - http://freeload.cc/secure/ieloader.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... wmavax.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... mv9VCM.CAB
Top
User avatar
salm
Rabid Monkey
Posts: 10296
Joined: 2002-09-09 08:25pm

Post by salm »

Einhander Sn0m4n wrote:http://www.spywareinfo.com/articles/hij ... revent.php

Read this. Then get Mozilla and KILL THE M$ JVM POS!
i got mozilla now and like it. built in pop up blocker, fresh design and esspecially the tabs are cool. and of course the fact that i won´t get spycrap on my computer that easily. :D
Top
User avatar
salm
Rabid Monkey
Posts: 10296
Joined: 2002-09-09 08:25pm

Post by salm »

Vertigo1 wrote: Well, you can actually delete the activex control located in %systemroot%\Downloaded Program Files (where %systemroot% = Where you installed Windows, such as C:\Windows or C:\WinNT). Then kill MSHTA.exe via task manager and re-name it to something else....like MSHTA2.exe or something like that.
i checked the folder /windows/downloaded program files but there´s no file with the nam mshta.exe in there. what is the activex control?
Top
User avatar
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned
Contact:
Contact Crayz9000

Post by Crayz9000 »

I've taken a quick hunt through it. Ein can probably give you a more detailed summary than this, but anyway. Boldface entries are almost certainly spyware. Underlined entries I'm not sure about. Italicized entries are harmless but basically useless.
salm wrote:here´s the log:

Logfile of HijackThis v1.97.7
Scan saved at 09:18:25, on 30.03.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMME\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAMME\INOCULATEIT PE\VETTRAY.EXE
C:\PROGRAMME\WIRELESS 4D MOUSE\4DMAIN.EXE
C:\WINDOWS\SYSTEM\HPZTSB09.EXE <-- Adware.Winshow
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAMME\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\WINH.EXE <-- Troj_Lolaweb.B
C:\WINDOWS\SYSTEM\TASKMON.EXE
C:\WINDOWS\SYSTEM\WUPDMGR.EXE
C:\PROGRAMME\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\FRITZ!\FRIWEB32.EXE
C:\PROGRAMME\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\ZOIX\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\INOCUL~1\VETTRAY.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\Wireless 4D Mouse\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Programme\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\taskmon.exe
O4 - HKCU\..\Run: [System Update2] c:\windows\system\wupdmgr.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - User Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Bild in &Microsoft PhotoDraw öffnen - res://C:\PROGRA~1\MICROS~1\OFFICE\1031\PHDINTL.DLL/phdContext.htm
O9 - Extra button: PhoenixNet (HKLM)
O12 - Plugin for .SWF: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .wav: C:\PROGRAMME\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {67B15B0B-160C-4579-95AF-858169659092} (IELoaderCtl Class) - http://freeload.cc/secure/ieloader.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... wmavax.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... mv9VCM.CAB
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
Top
User avatar
salm
Rabid Monkey
Posts: 10296
Joined: 2002-09-09 08:25pm

Post by salm »

Crayz9000 wrote:I've taken a quick hunt through it. Ein can probably give you a more detailed summary than this, but anyway. Boldface entries are almost certainly spyware. Underlined entries I'm not sure about. Italicized entries are harmless but basically useless.
thank´s, i appreciate your help very much. :D
C:\WINDOWS\SYSTEM\HPZTSB09.EXE <-- Adware.Winshow
are you sure about that one? i think it might have something to do with the HP printer?
C:\WINDOWS\WINH.EXE <--

deleted

C:\PROGRAMME\FRITZ!\FRIWEB32.EXE
that´s my ISDN connector.
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
where is this?
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
some realplayer stuff?
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
deleted
O16 - DPF: {67B15B0B-160C-4579-95AF-858169659092} (IELoaderCtl Class) - http://freeload.cc/secure/ieloader.cab
i don´t now where this is either.
Top
User avatar
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned
Contact:
Contact Crayz9000

Post by Crayz9000 »

You can just tell HijackThis! to remove the selected entries.

And, uh, yeah, I guess that thing I thought was Adware.Winshow is probably some piece of HP software. Damnit, I wish they wouldn't give their programs semi-random names...
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
Top
User avatar
salm
Rabid Monkey
Posts: 10296
Joined: 2002-09-09 08:25pm

Post by salm »

Crayz9000 wrote:You can just tell HijackThis! to remove the selected entries.
dang! of course, didn´t think about that.

thank´s again for helping me out. :D
Top
User avatar
Captain tycho
Has Elected to Receive
Posts: 5039
Joined: 2002-12-04 06:35pm
Location: Jewy McJew Land

Post by Captain tycho »

Hmm. I'm having the same problem with 'Cool Web Search.'
Captain Tycho!
The worst fucker ever!
The Best reciever ever!
Top
User avatar
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned
Contact:
Contact Crayz9000

Post by Crayz9000 »

Get CWShredder pronto, and run it. That link hopefully should work if CoolWebSearch has blocked spywareinfo.com.

If you can't run that program, download and run theCoolWWWSearch.SmartKiller removal tool.
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
Top
Post Reply

Return to “Gaming, Electronics and Computers”