More spyware problems
I know that I just had a resolution to my previous problem, but this time it seems to be worse. I was instant messaged a random link by my roommate. Unknowingly, it opened a Pandora's box of spyware, and could have possibly compounded with what I already had. Regardless, things have gotten to the point where I can barely open my web browser. Here's my HijackThis log after repeated attempts at cleaning everything myself without any results.
Logfile of HijackThis v1.99.1
Scan saved at 4:15:20 AM, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\safe.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\mskev.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\msdevctrl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\mskev.exe
C:\WINDOWS\System32\msdevctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chris Zaragoza.SPIDER-X0U5IELS\Desktop\Spyware Killers\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\\safe.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows kev Messenger] mskev.exe
O4 - HKLM\..\Run: [msdev control] msdevctrl.exe
O4 - HKLM\..\RunServices: [Windows kev Messenger] mskev.exe
O4 - HKLM\..\RunServices: [msdev control] msdevctrl.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows kev Messenger] mskev.exe
O4 - HKCU\..\Run: [msdev control] msdevctrl.exe
O4 - HKCU\..\RunServices: [Windows kev Messenger] mskev.exe
O4 - HKCU\..\RunServices: [msdev control] msdevctrl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112699594077
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Comments
Hi! and welcome to the Short-Media forums
===============
When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from recurring in the future.
===============
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:
1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
===============
We need to see if there are any program segments (prefetches) that may be present and are connected with the problems you are having. To do that, please do the following:
1) Click "Start | Search", then search for each of these programs' base names, in all files and folders:
TBPS.exe*
PIB.exe*
mskev.exe*
msdevctrl.exe*
2) Then if any are found in the 'prefetch' folder, delete them.
Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.
===============
Go to Add/Remove programs and remove(uninstall) the following, if present:
TBPS
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
===============
Next, Open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
-
Now, locate and 'stop' the following services, if present:
Windows kev Messenger ... (mskev.exe)
msdev control ... (msdevctrl.exe)
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.
===============
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\System32\mskev.exe
C:\WINDOWS\System32\msdevctrl.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Still in HiJackThis click "Scan", then check(tick) the following, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [Windows kev Messenger] mskev.exe
O4 - HKLM\..\Run: [msdev control] msdevctrl.exe
O4 - HKLM\..\RunServices: [Windows kev Messenger] mskev.exe
O4 - HKLM\..\RunServices: [msdev control] msdevctrl.exe
O4 - HKCU\..\Run: [Windows kev Messenger] mskev.exe
O4 - HKCU\..\Run: [msdev control] msdevctrl.exe
O4 - HKCU\..\RunServices: [Windows kev Messenger] mskev.exe
O4 - HKCU\..\RunServices: [msdev control] msdevctrl.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...iTunesSetup.exe
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":
folders...
C:\PROGRA~1\Toolbar
files...
C:\WINDOWS\System32\mskev.exe
C:\WINDOWS\System32\msdevctrl.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
To help protect your system from hostile ActiveX content, or special 'downloadable' files:
Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:
1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.
-
Note: Remember to regularly check for updates.
===============
After rebooting your PC, post back a new log and let me know how everything goes.
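The checks in the reply above (bare filenames in the Run keys, the Windows 9x-only RunServices key on an XP box, the win.ini load= hook, the orphaned toolbar CLSID, the Trusted Zone addition, and an executable running from the root of C:) can be applied mechanically to the log format HijackThis produces. The following is an added example written for this page, not code from the original thread or from the HijackThis project. SAMPLE_LOG is a constructed excerpt of the log posted above, trimmed to the lines the heuristics touch; the regexes, the Finding type and the rules themselves are assumptions of this example and will also flag some legitimate entries (any unpathed executable, such as nwiz.exe, is reported and must be checked by hand).

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis v1.99.1 log posted above (same entries, trimmed).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\safe.exe
C:\WINDOWS\System32\mskev.exe
C:\WINDOWS\explorer.exe
F3 - REG:win.ini: load=C:\\safe.exe
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows kev Messenger] mskev.exe
O4 - HKLM\..\RunServices: [msdev control] msdevctrl.exe
O4 - HKCU\..\Run: [Windows kev Messenger] mskev.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code ("O4", "F3", ...) or "PROC" for the process list
    subject: str   # the log entry or process path the finding is about
    reason: str


O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: load=(?P<cmd>.+)$")
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")            # R0, F3, O4, O15, O23 ...
BARE_EXE_RE = re.compile(r'^"?[^\\/:"]+\.exe"?(\s|$)', re.I)   # no drive, no directory
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.I)    # e.g. C:\safe.exe
KNOWN_HOSTS = {"rundll32.exe"}   # unpathed but expected; the DLL argument is what needs review


def parse_log(text):
    """Split a HijackThis log into (platform string, running processes, tagged entries)."""
    platform, processes, entries = "", [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Platform:"):
            platform = line[len("Platform:"):].strip()
        elif line == "Running processes:":
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False          # first tagged entry ends the process list
            entries.append(line)
        elif in_procs:
            processes.append(line)
    return platform, processes, entries


def triage(text):
    """Return the Finding list for one log; every rule mirrors a check from the reply above."""
    platform, processes, entries = parse_log(text)
    is_nt = "WinNT" in platform
    findings = []
    hives_by_entry = {}               # (key, name) -> hives it appears under
    for entry in entries:
        m = O4_RE.match(entry)
        if m:
            hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
            exe = cmd.strip('"').split()[0].lower() if cmd.strip() else ""
            if BARE_EXE_RE.match(cmd) and exe not in KNOWN_HOSTS:
                findings.append(Finding("O4", entry, "bare filename, resolved from the search "
                                        "path (System32 first) rather than an explicit path"))
            if key == "RunServices" and is_nt:
                findings.append(Finding("O4", entry, "RunServices is a Windows 9x key that NT "
                                        "ignores; a legitimate XP installer would not write it"))
            hives_by_entry.setdefault((key, name), set()).add(hive)
            continue
        if F3_RE.match(entry):
            findings.append(Finding("F3", entry, "win.ini load= is a legacy startup hook "
                                    "almost never used by legitimate software"))
        elif entry.startswith("O3 - ") and entry.endswith("(no file)"):
            findings.append(Finding("O3", entry, "toolbar CLSID points to a missing file"))
        elif entry.startswith("O15 - "):
            findings.append(Finding("O15", entry, "site added to the Trusted zone, which "
                                    "relaxes IE's ActiveX and scripting restrictions"))
    for (key, name), hives in hives_by_entry.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(Finding("O4", f"[{name}] under {key}", "same entry registered "
                                    "per-machine and per-user, a common persistence redundancy"))
    for proc in processes:
        if ROOT_EXE_RE.match(proc):
            findings.append(Finding("PROC", proc, "executable running from the root of the drive"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.subject}\n     -> {f.reason}")
```

Paste a complete log in place of SAMPLE_LOG to run it against the real thing. Treat the output as a worklist, not a verdict: the rules deliberately err toward reporting, and the reply above still has to decide, entry by entry, what goes into "Fix checked".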
TROJ HIDEPROC.B
TROJ SMALL.ID
TROJ SMALL.ID
TROJ ISTBAR.CL
TROJ SILLYDL.LH
WORM FRIENDGRT.B
TROJ AGENT.ALL
TROJ AGENT.BCA
TROJ AGENT.KG
TROJ SEARCHAID.A
TROJ AGENT.KG
TROJ AGENT.KE
TROJ AGENT.BCA
TROJ SUB722 P13
TROJ AGENT.BCA
TROJ AGENT.KE
TROJ AGENT.QT
TROJ AGENT.KE
TROJ AGENT.QT