
Major Spyware Problem

Discussion in 'Tech Talk' started by USMCsilver, Dec 3, 2004.

  1. USMCsilver

    USMCsilver Boat Life ©

    12,899
    49
    Oct 8, 2001
    Middle of SC
    I don't know what has gotten ahold of my PC, but it won't let go!

    I've run SpyBot Search & Destroy, Ad-Aware, and SpySubtract and something is still giving me problems.

    Every 10-15 minutes, I get a new browser window opening up on its own and going to this address: http://69.20.56.3/normal/yyy12.html . DO NOT CLICK LINK! It tosses an "exploit" virus onto my machine. Another address it keeps going to is: http://e.rn11.com/a/a174-admed-ron

    What can I do besides switching browsers?
     

  2. WFO2

    WFO2

    296
    0
    May 12, 2004
    TX
    I would suggest that you get a trial version of NOD32. It is a killer program and will find trojans and spyware like you would not believe. For normal scanning I use the Lavasoft product Adaware... But to really scan, NOD32 is hard to beat...
     
  3. USMCsilver

    USMCsilver Boat Life ©

    12,899
    49
    Oct 8, 2001
    Middle of SC
    I ran a trial version of Spyware Doctor after running the other three, and it found 126 infections including whatever was hijacking my system. In order to "cure" it, I had to buy it. Oh well. $30 is not too much to gripe over with real-time protection; not to mention, it found everything that the others seemed to have missed.
     
  4. 0100010

    0100010 Millennium Member

    562
    0
    Sep 15, 1999
    DFW
    A guy who sits 2 offices away from me has this same problem at work. He's been working on it trying to fix it for 2 days. I'll send him a link to this post - if he's figured out how to fix it, I'll post it here. He was contemplating re-imaging his PC though.....
     
  5. fastvfr

    fastvfr Ancient Tech

    2,344
    0
    Mar 28, 2001
    SW Oregon
    I have yet to find a browser hijacker or other exploit I couldn't remove from a client's PC. Maybe I'm just lucky.

    HJT is good but you MUST install it to the root of the drive your OS is on...IOW, C:\HJT.exe...

    Do a full registry backup, then toss everything that looks like, resembles, or rhymes with the URL's you are getting redirected to.

    Then empty your Hosts and LMHosts files. Finally open Internet Options in the CP and, in the Security tab, click the Trusted Sites button and remove everything from within it.

    THEN QUIT USING INTERNET EXPLODER FOR A BROWSER!!!!

    Go like a man with a REAL Internet browser.

    Why on earth would anyone want to use a browser that even the Gub-ment claims is full of security holes?! Seriously, IE is dead and you are smelling its remains. Move on; you'll get used to Tabbed Browsing and freedom from popups in a biiig hurry, trust me!

    Good luck,

    FastVFR
     
  6. 0100010

    0100010 Millennium Member

    562
    0
    Sep 15, 1999
    DFW
    I cleaned up my co-worker's infected PC this morning. Most of the files causing the issue were hidden in C:\Winnt\Downloaded Program Files\ (I just emptied the whole folder, he can re-download the IE plugins he wants) and there was a registry entry for jrrouw.class that kept creating one of two .exe files, either piitkg.exe in C:\Documents and Settings\All Users\Start Menu\Startup or obbpra.exe in C:\Winnt\System32\. Along with either of those .exe's being created were two .dll's, suuoip.dll and zqqola.dll, both in C:\Winnt\System32\.

    The interesting part was - when either of those .exe's was running, you could not see it as a process in task manager. Had to end task on them using Process Explorer, and once they were stopped, then you could see and delete the files in explorer.

    Once I got all the files deleted and the registry entries cleaned up, his system is back to normal.
     
  7. 10 Ring Tao

    10 Ring Tao Red White Blue

    860
    0
    Sep 18, 2003
    Southeast Michigan
    What operating systems are we talking about here?
     
  8. 0100010

    0100010 Millennium Member

    562
    0
    Sep 15, 1999
    DFW
    The PC I cleaned this morning was Win2K SP4.
     
  9. USMCsilver

    USMCsilver Boat Life ©

    12,899
    49
    Oct 8, 2001
    Middle of SC
    I'm using XP w/ SP2.

    After buying that software, I am still getting the problems that I thought it would cure. I just searched for the two files mentioned above, but neither turned up.

    Damn PCs!
     
  10. 0100010

    0100010 Millennium Member

    562
    0
    Sep 15, 1999
    DFW
    In my post above, the link for Process Explorer: download, extract and run it. It helps if you end task on all possible known processes first through task manager, then run it. Watch what extra processes are running or show up; when you see one, highlight it, switch to track DLLs utilized - and start deleting them. Verify they are not needed DLLs first by checking out the properties tab (if they don't have one it's probably malicious).
     
  11. USMCsilver

    USMCsilver Boat Life ©

    12,899
    49
    Oct 8, 2001
    Middle of SC
    0100010 - I downloaded, but almost everything I click on: Error opening process: access denied.
     
  12. 0100010

    0100010 Millennium Member

    562
    0
    Sep 15, 1999
    DFW
    What OS? Do you have proper access rights (admin)?
     
  13. 0100010

    0100010 Millennium Member

    562
    0
    Sep 15, 1999
    DFW
  14. USMCsilver

    USMCsilver Boat Life ©

    12,899
    49
    Oct 8, 2001
    Middle of SC
    Here's my log. No one has gotten to me yet at the other forum:

    Logfile of HijackThis v1.98.2
    Scan saved at 6:12:57 PM, on 12/4/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
    C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
    C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
    C:\WINDOWS\System32\msvcmm32.exe
    C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Program Files\eBay\eBay Toolbar\4.4.0.2\ebaytbar.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hjc\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\System32\msvcmm32.exe
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.2\ebaytbar.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.2\eBayBand.dll
    O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\Program Files\eBay\eBay Toolbar\4.4.0.2\eBayBand.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall....adp?clientId=2
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - http://redirect.hp.com/presario/hp.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {7BA16120-B314-4EE4-A676-8B4B33909513} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/events/b...7203/MILive.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp...23/cpbrkpie.cab
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2...yer5.2AxWin.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/install/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
     
  15. fastvfr

    fastvfr Ancient Tech

    2,344
    0
    Mar 28, 2001
    SW Oregon
    Oooh yeah, that IS some nasty Malware!! Don't believe me?! Try googling AOHell gripes once.

    Is "http://searchmiracle dot com/sp.php" something you wanted?

    I recommend to NEVER USE any kind of "search assistant", WeatherBug, E-Wallet, or toolbar-type addon BS in Internet Exploder, for obvious reasons.

    If you want to block popups, enable that in Mozilla and toss IE. If you want to search, learn how to use Google properly.

    Good luck; I know this stuff isn't easy for a layman to beat. I was one once myself, before my tenure in the trenches began.
     
  16. The ones that have worked for me are AdAware, Spybot, SpySweeper and CCleaner. SpySweeper is really powerful. Get the updates before running it. There have been recent updates for AdAware and Spybot. Trend Micro's online virus scan found infected files that Norton missed. Trend Micro also repaired/removed them.
     
  17. 0100010

    0100010 Millennium Member

    562
    0
    Sep 15, 1999
    DFW
    Things that stand out on your list to me:

    Running processes:
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Program Files\eBay\eBay Toolbar\4.4.0.2\ebaytbar.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.2\ebaytbar.exe

    Ebay Toolbar is usually spyware - unless this is the real one and you use it. DataViz Messenger - if you know what this is keep it, I'm not familiar with it. RecGuard.exe and UpdReg.exe - find out what these are. Have you intentionally changed your default IE search page to searchmiracle.com?
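The kind of triage 0100010 does by eye on the log above can be scripted. The script below is an added example, not part of the thread and not HijackThis code; the log text it reads is a constructed sample modelled on the posted log (plus one benign hosts line as a control), and the three rules it applies (hosts-file redirects to a non-loopback address, an IE start/search page pointing at a remote URL, and O16 ActiveX downloads with an IP-literal or missing source) are the reviewer's own heuristics for what to look at first.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.98 line format, modelled on the posted
# log; the 127.0.0.1 hosts line is a benign control that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""

# Every HJT entry starts with a section code (R0, R1, O1, O4, O16, ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

def parse_entries(text):
    """Split a HijackThis log into (code, body) pairs; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def triage(text):
    """Return (code, reason) findings a defender would review first."""
    findings = []
    for code, body in parse_entries(text):
        if code == "O1" and body.startswith("Hosts:"):
            # Hosts-file redirect: anything not loopback hijacks name resolution.
            ip, name = body.split()[1:3]
            if is_ip_literal(ip) and not ip_address(ip).is_loopback:
                findings.append((code, f"hosts redirects {name} to {ip}"))
        elif code in ("R0", "R1") and "= http" in body:
            # Start/search page set to a remote URL: confirm the user chose it.
            url = body.split("= ", 1)[1]
            findings.append((code, f"IE page/search set to {urlparse(url).hostname}"))
        elif code == "O16":
            # ActiveX download (DPF) with no source URL or an IP-literal source.
            url = body.rpartition(" - ")[2].strip() if " - " in body else ""
            if not url:
                findings.append((code, "DPF entry with no download URL"))
            elif is_ip_literal(urlparse(url).hostname):
                findings.append((code, f"DPF downloaded from IP literal {urlparse(url).hostname}"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, reason)
```

Entries the rules do not cover (O4 Run keys, toolbars) still need the manual check the thread describes: look the file name up before deleting it.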