-
December 23rd, 2004, 08:19 PM
#1
Member
Persistent Spyware
So I've come back home from college and the family computer is INFESTED with spyware. Now usually I wouldn't care; I built my own computer a few months ago and it's running smoothly. But now SBC Yahoo has made it rather difficult to use a router with their DSL service, so my only outlet to the internet is through my family's computer. I could just hook up my computer to the internet, but I don't want to risk my computer's health; my family is the type to click those goofy ads and I don't want the hassle of cleaning the computer every day. So anyways, I looked and found that the computer had WinTools and the works on there. So I'm thinking "no biggie", I'll just install the new Spybot and the new AVG and it'll be done. I eventually used a combination of KillBox, HijackThis, and LSPFix. Spybot was absolutely useless. But I still have some shady processes on the computer such as:
tbpssvc.exe
spoolsv.exe
packethsvc.exe
wmiprvse.exe
userinit.exe
fxssvc.exe
Now I realize that wmiprvse, userinit, and fxssvc are potentially legit processes, but I don't understand why they would all of a sudden "turn on". These processes were not active last time I checked. I would appreciate it if someone would take a look at my HijackThis log and tell me if anything looks shady and what to do. This has gotten a little more in depth than what I'm used to dealing with.
Logfile of HijackThis v1.97.7
Scan saved at 2:18:37 PM, on 12/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {1EA46121-BC32-78EA-8476-64550A81736B} - C:\WINDOWS\System32\qqrrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...3a4ca9d760ebbd
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/ga...mmon/ieell.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...924.8587268519
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/expre...iewerSetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{829F502E-12E6-465A-AF1D-4F539CE36922}: NameServer = 204.60.203.179 66.73.20.40
thanks in advance
sorry
-
December 23rd, 2004, 08:45 PM
#2
Greetings,
The first thing you should do is update your HijackThis to the latest version, which is v1.99.0:
(http://www.hijackthis.de/downloads/hijackthis_199.zip)
After you update your version, scan again and copy-paste the log here: http://www.hijackthis.de/index.php It will give an analysis of your log (you can also paste it here).
Next, try running all the anti-spyware tools (Spybot, Ad-Aware) in SAFE MODE.
All your anti-spyware tools should be the latest version with the latest definitions.
Clear your TEMP directory and also clear all but the most recent restore point.
You can also use features like Immunize and hosts file entries in Spybot to improve your protection.
I also recommend downloading and installing
spywareblaster from : www.javacoolsoftware.com/spywareblaster.htm
and
spywareguard from :www.javacoolsoftware.com/spywareguard.htm
Hope this helps.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
December 23rd, 2004, 08:48 PM
#3
Senior Member
My opinion is simple. If you run a program such as EndItAll2 and it kills those processes, then they aren't needed. Of course you would need to weed out processes like virus scan and such, but the program has the ability to do that. It basically comes up with all processes that are required for your OS to run. Pretty nifty tool.
If it kills those processes, then I find out what they belong to, and kill that.
-
December 23rd, 2004, 09:26 PM
#4
I notice that you have 2 antivirus programs running at the same time - Symantec's and AVG. This could be causing some conflicts. I would suggest disabling one or the other and only running one at a time.
If you want to check up on what ever virus engine you are running, then use an online scan like 'Housecall' from Trend. http://housecall.trendmicro.com/hous...start_corp.asp
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
December 24th, 2004, 01:23 AM
#5
Originally posted here by ByTeWrangler
After you update your version scan again and copy-paste the log here : http://www.hijackthis.de/index.php it will give analysis of your log (you can also paste it here)
Please use extreme caution when relying on this tool.
It has been known to tell people to "fix" things they actually need while missing the malware they want to remove. If you have any doubt about what it's telling you please post your log here and wait for someone with some experience to assist you.
-
December 24th, 2004, 07:28 AM
#6
Another thing, the TBPS.exe is the executable for the WebSearch toolbar, and that is something you will want to get rid of. First, right-click My Computer, Properties, System Restore, and turn off system restore. Then, try to remove WebSearch from Control Panel/Add-Remove Programs. This might not work, but it is worth a shot. Next, try the same thing, but from a Safe Mode with Networking boot. Once you get it out, you can turn System Restore back on.
As Moxnix said, not a good idea to try to run two AVs at the same time.
-
December 24th, 2004, 03:15 PM
#7
Member
Hi there,
1. Spoolsv.exe is the Windows spooler, this is a genuine Windows process, although there are malware versions of this one too.
2. packethsvc.exe is a process installed by Compuserve
3. wmiprvse.exe is a Windows Instrumentation process, also genuine
4. fxssvc.exe is from the Microsoft Fax.
5. userinit.exe is normally also a genuine process
Grtz,
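As an added example (not code from this thread or from the HijackThis project), here is a small Python triage script for the log format in post #1 and the process check in post #7: it parses R0/R1, O2 and O17 entries plus the "Running processes" section, and flags search/start pages pointing at unexpected hosts, unnamed or missing-file BHOs, overridden DNS servers, and core Windows processes not running from system32. The sample log lines are taken from the thread, except the Temp-directory userinit.exe line, which is constructed; the expected-host list and the core-process list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entry lines from the thread's HijackThis v1.97.7 log plus one
# made-up process line (the Temp-directory userinit.exe) to exercise the path check.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Documents and Settings\Owner\Local Settings\Temp\userinit.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: (no name) - {1EA46121-BC32-78EA-8476-64550A81736B} - C:\WINDOWS\System32\qqrrv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{829F502E-12E6-465A-AF1D-4F539CE36922}: NameServer = 204.60.203.179 66.73.20.40
"""

# Windows processes named in post #7 that should only ever run from %SystemRoot%\system32 (assumed list).
CORE_PROCESSES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                  "spoolsv.exe", "wmiprvse.exe", "userinit.exe", "fxssvc.exe"}
EXPECTED_HOSTS = {"google.com", "www.google.com"}  # assumed: the owner's intended start/search page
ENTRY_RE = re.compile(r"^(R[013]|O\d+) - (.*)$")

def triage(log_text):
    """Return (code, reason, line) tuples for entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:  # no entry code: a "Running processes" line, check where core processes run from
            path = line.strip()
            name = path.rsplit("\\", 1)[-1].lower()
            if name in CORE_PROCESSES and not path.lower().startswith("c:\\windows\\system32\\"):
                findings.append(("PROC", "core Windows process running outside system32", path))
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and "=" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname  # None for about:blank or empty
            if host and host not in EXPECTED_HOSTS:
                findings.append((code, f"search/start page points at {host}", line))
        elif code == "O2":
            if "(file missing)" in body:
                findings.append((code, "BHO registered but its DLL is gone (stale registration)", line))
            elif "(no name)" in body and "SDHelper.dll" not in body:  # SDHelper.dll is Spybot's own BHO
                findings.append((code, "unnamed BHO, identify the DLL before trusting it", line))
        elif code == "O17":
            findings.append((code, "DNS servers overridden; confirm they belong to the ISP", line))
    return findings
```

Running `triage(SAMPLE_LOG)` lists the five entries worth a closer look; everything the script does not flag still deserves a manual read, as post #5 warns.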
-
December 24th, 2004, 03:35 PM
#8
Member
Yeah, definitely turn off System Restore before doing any repair. Remove any crap you can from Add/Remove Programs that you don't want, then start in Safe Mode with networking support so you can update definitions for the removers. I use Spybot, Ad-Aware, Giant AntiSpyware, and WebSweeper. If you remove everything and restart and still get more persistent stuff, Google for removers for that kind of spyware. If you are gonna get rid of Norton, make sure you get their removal tool off of their website. After you are disinfected, turn System Restore back on.
Also some helpful ideas for future use: in Ad-Aware options use the custom scan and go to safety options, and turn on the read-only hosts file. Also Giant AntiSpyware and WebSweeper by Webroot have active monitoring, kind of like antivirus but for spyware; it alerts you of activity. Keep in mind that when you install stuff it may still alert you of legit stuff, like if you change your homepage. Plus I use a different browser; I've been using Mozilla Firefox and have been spyware free. Spybot has a free monitor called TeaTimer that comes as an option when you install Spybot. Good luck.
-incideagent
-
December 24th, 2004, 03:44 PM
#9
A little note about determined Spyware.
There is one spyware called VX2 that is also difficult to remove. It seems that even after removal it'll replicate itself back on.
Ad-Aware has a tool to remove it for good, but it's a separate download (VX2 Plug-in) available on their site.
-
December 24th, 2004, 04:12 PM
#10
Hey Hey,
I have seen userinit.exe as a virus in the past.... It was one of the SpyBot/SDBot/RBot variants.
What you may want to try is the TrendMicro System Cleaner.... It works amazingly well against those types of problems.
Sysclean.com
Latest pattern file
Just unzip lpt$319 from lpt319.zip and put it in the same directory as sysclean.com. Run sysclean.com and you're off to the races. As someone else has pointed out, a lot of those services are standard Windows services. If you don't have a good handle on the services and what should/shouldn't be running, you may want to consider using someone else's startup list. The Sysinfo.org StartupList is one that we use quite frequently.
Anyways...
Happy Holidays... and Peace,
HT