Gladiator Security Forum > spyware everywhere

Full Version: spyware everywhere - PLEASE HELP!

Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?

cherylv

Oct 8 2004, 02:19 PM

I hav been having problems with spyware for ages - have run all the necessary programs - Spybot has a problem dealing with something called VX2/F - also get a regular pop up called moneya3h.exe but seems like anti-keylogger has exluded it - please can you help me make my computer a happy place - would be very thankful

tx

cheryl

here is my log

Logfile of HijackThis v1.98.2
Scan saved at 16:15:47, on 08/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-za\msnappau.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\desksite\bin\cma.exe
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\WINDOWS\System32\ceozkz.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\regmir32a.exe
C:\WINDOWS\System32\6wud.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\huieegh.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-za\msntb.dll
O2 - BHO: (no name) - {D5BBD2BD-4C97-44FF-86DC-95C3A6874FF1} - C:\WINDOWS\system32\v8xug.dll
O2 - BHO: (no name) - {E4BB1F44-AA36-4D4D-8B3A-BEB4469400A0} - C:\WINDOWS\system32\zfru4.dll
O2 - BHO: SDWin32 Class - {F3B2590A-A79E-41B9-82C9-6D5BA625394A} - C:\WINDOWS\System32\uvdnk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-za\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-za\msnappau.exe"
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int113780.exe -auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [ukdboozvo] C:\WINDOWS\System32\ceozkz.exe
O4 - HKLM\..\Run: [Anti-keylogger 5.3] C:\Program Files\Anti-keylogger\ak5_load.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [l4oiu6.exe] C:\WINDOWS\System32\l4oiu6.exe /k
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\RunOnce: [l4oiu6.exe] C:\WINDOWS\System32\l4oiu6.exe /k
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097244460218
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC0DAF74-4C00-47B9-B35C-F07DD178D385}: NameServer = 196.25.1.1,196.25.1.9

LoPhatPhuud

Oct 8 2004, 07:20 PM

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\huieegh.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {D5BBD2BD-4C97-44FF-86DC-95C3A6874FF1} - C:\WINDOWS\system32\v8xug.dll
O2 - BHO: (no name) - {E4BB1F44-AA36-4D4D-8B3A-BEB4469400A0} - C:\WINDOWS\system32\zfru4.dll
O2 - BHO: SDWin32 Class - {F3B2590A-A79E-41B9-82C9-6D5BA625394A} - C:\WINDOWS\System32\uvdnk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int113780.exe -auto
O4 - HKLM\..\Run: [ukdboozvo] C:\WINDOWS\System32\ceozkz.exe
O4 - HKLM\..\RunOnce: [l4oiu6.exe] C:\WINDOWS\System32\l4oiu6.exe /k
O4 - HKCU\..\RunOnce: [l4oiu6.exe] C:\WINDOWS\System32\l4oiu6.exe /k

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Program Files\websx\ <-- delete entire folder
C:\WINDOWS\System32\ceozkz.exe
C:\WINDOWS\System32\l4oiu6.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

HiJackThis version 198.2 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Run HiJackThis again and post a new log in this thread.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.