Persistent Spyware

  1. #1
    Member
    Join Date
    Apr 2002
    Posts
    45

    Persistent Spyware

    So I've come back home from college and the family computer is INFESTED with spyware. Now usually I wouldn't care, I built my own computer a few months ago and it's running smoothly. But now SBC Yahoo has made it rather difficult to use a router with their DSL service, so my only outlet to the internet is through my family's computer. I could just hook up my computer to the internet but I don't want to risk my computer's health; my family is the type to click those goofy ads and I don't want the hassle of cleaning the computer every day. So anyways, I looked and found that the computer had WinTools and the works on there. So I'm thinking "no biggie", I'll just install the new Spybot and the new AVG and it'll be done. I eventually used a combination of KillBox, HijackThis, and LSPfix. Spybot was absolutely useless. But I still have some shady processes on the computer such as:

    tbpssvc.exe
    spoolsv.exe
    packethsvc.exe
    wmiprvse.exe
    userinit.exe
    fxssvc.exe

    Now I realize that wmiprvse, userinit, and fxssvc are potentially legit processes, but I don't understand why they would all of a sudden "turn on". These processes were not active last time I checked. I would appreciate it if someone would take a look at my HijackThis log and tell me if anything looks shady and what to do. This has gotten a little more in depth than what I'm used to dealing with.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:18:37 PM, on 12/23/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Toolbar\TBPSSvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
    O2 - BHO: (no name) - {1EA46121-BC32-78EA-8476-64550A81736B} - C:\WINDOWS\System32\qqrrv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...3a4ca9d760ebbd
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/ga...mmon/ieell.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...924.8587268519
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/expre...iewerSetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{829F502E-12E6-465A-AF1D-4F539CE36922}: NameServer = 204.60.203.179 66.73.20.40

    thanks in advance
    sorry

  2. #2
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greetings,

    First thing you should do is to update your HijackThis to the latest version (v1.99.0).
    (http://www.hijackthis.de/downloads/hijackthis_199.zip)

    After you update your version, scan again and copy-paste the log here: http://www.hijackthis.de/index.php ; it will give an analysis of your log (you can also paste it here).

    Next, try running all the anti-spyware tools like Spybot and Ad-Aware in SAFE MODE.
    All your anti-spyware tools should be the latest version with the latest definitions.
    Clear your TEMP directory and also clear all but the most recent restore point.

    You can also use features like Immunize and hosts file entries in Spybot to improve your protection.
    I also recommend downloading and installing
    spywareblaster from : www.javacoolsoftware.com/spywareblaster.htm
    and
    spywareguard from :www.javacoolsoftware.com/spywareguard.htm

    Hope this helps.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    My opinion is simple. If you run a program such as EndItAll2 and it kills those processes, then they aren't needed. Of course you would need to weed out processes like virus scan and such, but the program has the ability to do that. It basically comes up with all processes that are required for your OS to run. Pretty nifty tool.

    If it kills those processes, then I find out what they belong to, and kill that.

  4. #4
    Macht Nicht Aus
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    I notice that you have 2 antivirus programs running at the same time - Symantec's and AVG. This could be causing some conflicts. I would suggest disabling one or the other and only running one at a time.

    If you want to check up on whatever virus engine you are running, then use an online scan like 'Housecall' from Trend. http://housecall.trendmicro.com/hous...start_corp.asp
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  5. #5
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Originally posted here by ByTeWrangler

    After you update your version, scan again and copy-paste the log here: http://www.hijackthis.de/index.php ; it will give an analysis of your log (you can also paste it here)

    Please use extreme caution when relying on this tool.

    It has been known to tell people to "fix" things they actually need while missing the malware they want to remove. If you have any doubt about what it's telling you please post your log here and wait for someone with some experience to assist you.

  6. #6
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    Another thing, the TBPS.exe is the executable for the WebSearch toolbar, and that is something you will want to get rid of. First, right-click My Computer, Properties, System Restore, and turn off system restore. Then, try to remove WebSearch from Control Panel/Add-Remove Programs. This might not work, but it is worth a shot. Next, try the same thing, but from a Safe Mode with Networking boot. Once you get it out, you can turn System Restore back on.

    As Moxnix said, not a good idea to try to run two AVs at the same time.

  7. #7
    Member
    Join Date
    Sep 2001
    Location
    Belgium
    Posts
    95

    Hi there,

    1. Spoolsv.exe is the Windows spooler, this is a genuine Windows process, although there are malware versions of this one too.

    2. packethsvc.exe is a process installed by Compuserve

    3. wmiprvse.exe is a Windows Instrumentation process, also genuine

    4. fxssvc.exe is from the Microsoft Fax.

    5. userinit.exe is normally also a genuine process

    Grtz,

  8. #8
    Yea, def turn off System Restore before doing any repair. Remove any crap you can from Add/Remove Programs that you don't want, then start in Safe Mode with networking support so you can update definitions for the removers. I use Spybot, Ad-Aware, Giant AntiSpyware, and Websweeper. If you remove everything and restart and still get more persistent stuff, google searches for removers for that kind of spyware. If you are gonna get rid of Norton, make sure you get their removal tool off of their website. After you are disinfected, then turn System Restore back on. Also some helpful ideas for future use: in Ad-Aware options use the custom scan and go to safety options, turn on read-only host files. Also Giant AntiSpyware and Websweeper by Webroot have active monitoring, kind of like antivirus but for spyware; it alerts you of activity. Keep in mind that when you install stuff it may still alert you of legit stuff, like if you change your homepage. Plus I use a different browser; I've been using Mozilla Firefox and have been spyware free. Spybot has a free monitor that's called TeaTimer that comes as an option when you install Spybot. Good luck
    -incideagent

  9. #9
    Banned
    Join Date
    Mar 2002
    Posts
    968
    A little note about determined spyware.

    There is one spyware called VX2 that is also difficult to remove. It seems that even after removal it'll replicate itself back on.
    Ad-aware has a tool to remove it for good, but it's a separate download (VX2 Plug-in) available on their site.

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I have seen userinit.exe as a virus in the past.... It was one of the SpyBot/SDBot/RBot variants.

    What you may want to try is the TrendMicro System Cleaner.... It works amazingly well against those types of problems.

    Sysclean.com
    Latest pattern file

    Just unzip lpt$319 from lpt319.zip and put it in the same directory as sysclean.com. Run sysclean.com and you're off to the races. As someone else has pointed out... A lot of those services are standard Windows services. If you don't have a good handle on the services and what should/shouldn't be running, you may want to consider using someone else's startup list. The Sysinfo.org Startuplist is one that we use quite frequently.

    Anyways...

    Happy Holidays... and Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
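A defender's triage helper for the kind of HijackThis log posted in the first message, added here as an example (not code from the thread, from HijackThis or from Trend Micro): it parses the R0/R1, O2/O3/O4 and O17 lines and flags the same classes of entries the replies single out (search-page redirects, toolbar/BHO binaries loaded from unknown directories, overridden DNS servers), using the "known-good startup list" idea from the last reply as an allowlist. The allowlists and the rules are assumptions; the sample lines are a short excerpt of the log in the first post.

```python
import re

# Sample entries in HijackThis log format, copied from the thread's own log
# (a short excerpt, not a full log; enough to exercise each rule below).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://google.com/
O2 - BHO: (no name) - {1EA46121-BC32-78EA-8476-64550A81736B} - C:\\WINDOWS\\System32\\qqrrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [TBPS] C:\\PROGRA~1\\Toolbar\\TBPS.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{829F502E-12E6-465A-AF1D-4F539CE36922}: NameServer = 204.60.203.179 66.73.20.40
"""

# Analyst-maintained allowlists (assumed for this example): sites the user
# actually chose, and install directories of software known to be on the box.
APPROVED_SITES = ("google.com",)
TRUSTED_DIRS = ("c:\\progra~1\\grisoft\\", "c:\\progra~1\\spybot~1\\",
                "c:\\program files\\google\\")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'([a-z]:\\[^\s"]+\.(?:exe|dll|ocx))', re.IGNORECASE)


def triage(log_text):
    """Return (kind, reason, line) for every entry an analyst should review."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            # IE start/search page pointing at a site the user never chose.
            value = body.split(" = ", 1)[-1].strip()
            if value.startswith("http") and not any(s in value for s in APPROVED_SITES):
                findings.append((kind, "search/start page redirected", raw))
        elif kind in ("O2", "O3", "O4"):
            # BHOs, toolbars and Run keys: flag any binary loaded from outside
            # the known-good install directories for manual review.
            path = PATH_RE.search(body)
            if path and not path.group(1).lower().startswith(TRUSTED_DIRS):
                findings.append((kind, "BHO/autostart from unknown directory", raw))
        elif kind == "O17":
            # A NameServer override redirects every lookup and survives a
            # reboot; always confirm the addresses belong to the ISP.
            findings.append((kind, "DNS servers overridden, verify with ISP", raw))
    return findings
```

Run against the excerpt, it reports the websearch.com search bar, the unnamed BHO in System32, the Toolbar Run key and the O17 name servers, and leaves the Google start page, SDHelper.dll and AVG alone.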
