

Need Some Advice



#1 Mike Rochip (Power Member, 844 posts)
Posted 04 September 2005 - 11:26 PM

Hello-

I started getting weird popups when visiting the LA Times website. They were blocked before I could see what they were but they are a pain in the arse.

Ad-Aware dies at "Browser Cache"

SpyBot found a DSO Exploit, which I removed.

Ad-Aware still stops ( 0% CPU usage in TaskManager) in the same place.

MSAS asked if I wanted to allow a ShellBrowser to be installed, I Googled "ShellBrowser" and it said "allows programmers easy access to IE or Explorer" so I blocked it.

Ran SpyBot again and it's OK.

According to some info I found, I believe the malware either came with PCTools Spyware Doctor or when I downloaded Macromedia Flashplayer.

I looked around the forums here and looks like others are getting this too, even if their HJT looks OK.

I think I need to delete the bold faced line in my HJT log. I uninstalled PCTools SW Doctor but I can't delete "klg.DAT" in the SpyWare Doctor/tools folder which also has "swpg.DAT."

My questions are:

Should I delete the line in HJT and then try to remove the DAT files?

I just looked in Add/Remove Programs and I have "Macromedia Shockwave Player" AND "Shockwave" but neither entry has any Size, Used, or Last Used On info at all. There is no listing for Flashplayer. Seems strange to me...

Logfile of HijackThis v1.99.1
Scan saved at 4:30:42 PM, on 9/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\cisvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Prevx Home\PXAgent.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\abelhadigital.com\HostsMan\hm.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Prevx Home\SAGUI.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\UPHClean\uphclean.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
D:\Program Files\NetZero\exec.exe
D:\Program Files\NetZero\exec.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\WINDOWS\Explorer.EXE
D:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HostsMan] D:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PrevxHome] D:\Program Files\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://D:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://D:\Documents and Settings\Dave.DAVE-SKZW26X5BR\Application Data\Mozilla\Firefox\Profiles\gke2nsex.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://D:\Documents and Settings\Dave.DAVE-SKZW26X5BR\Application Data\Mozilla\Firefox\Profiles\gke2nsex.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102734175719
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A216813-6827-4A16-B128-84DE5A8E923A}: NameServer = 64.136.28.120 64.136.20.120
O23 - Service: AMLKQR - Unknown owner - D:\DOCUME~1\DAVE~1.DAV\LOCALS~1\Temp\AMLKQR.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - D:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

Also, I'm pretty sure I had removed the "Yahoo Companion" BHO. Should I nuke it again?

AND! Finally my last question! Do you have any idea what a service named SNEIBO refers to? It's listed in Services in MsConfig with an Unknown Owner and Stopped. I Googled it and it wasn't pretty.


Thanks Cyber-Dudes!

#2 rridgely (Moderator, 8,858 posts)

Posted 05 September 2005 - 02:23 AM

Well, I know for a fact that Spyware Doctor doesn't install malware. I have it installed myself and it didn't come bundled with any crap. I see that you have ewido installed; try running that (you didn't mention it). Also do a spyware scan with Trend Micro's online scanner too.

You should also remove the following things:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} -

O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -

O23 - Service: AMLKQR - Unknown owner - D:\DOCUME~1\DAVE~1.DAV\LOCALS~1\Temp\AMLKQR.exe (file missing)


Let me know what the scanners find and put up a new log when finished.

#3 Andavari (Moderator, 13,328 posts, Location: Shadow Moses)

Posted 05 September 2005 - 06:41 AM

Mike Rochip, on Sep 4 2005, 06:26 PM, said:

    SpyBot found a DSO Exploit, which I removed.

DSOStop can permanently fix the DSO Exploit in Internet Explorer until Microsoft addresses the issue and fixes it; however, they haven't fixed it for years, hence the reason for DSOStop. I'd recommend applying DSOStop to Internet Explorer, and then stop using IE, and only use it if absolutely necessary.

Edit: For added protection, use your firewall to make it prompt/ask you to allow IE to connect to the web, e.g. don't give IE full access without confirmation.

Mike Rochip, on Sep 4 2005, 06:26 PM, said:

    According to some info I found, I believe the malware either came with PCTools Spyware Doctor or when I downloaded Macromedia Flashplayer.

    I think I need to delete the bold faced line in my HJT log. I uninstalled PCTools SW Doctor but I can't delete "klg.DAT" in the SpyWare Doctor/tools folder which also has "swpg.DAT."

Macromedia Flashplayer doesn't install any malware; however, like any other web development program that allows people to create content, it can be abused by a malware writer to infect a system.

Macromedia Shockwave, actually Shockwave Player, I don't know about, since in the past it started off as clean freeware and then was updated and released with adware in it, e.g. it showed ads.
Complexity of incoherent design.

#4 Mike Rochip (Power Member, 844 posts)

Posted 05 September 2005 - 07:10 AM

Thank You Guys

I'll let you know.

#5 Mike Rochip (Power Member, 844 posts)

Posted 10 September 2005 - 10:30 AM

Hello-

New HJT file

Logfile of HijackThis v1.99.1
Scan saved at 4:21:45 AM, on 9/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\cisvc.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\Program Files\UPHClean\uphclean.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
D:\WINDOWS\system32\cidaemon.exe
D:\Program Files\NetZero\exec.exe
D:\Program Files\NetZero\exec.exe
D:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: Open Link Target in Firefox - file://D:\Documents and Settings\Dave.DAVE-SKZW26X5BR\Application Data\Mozilla\Firefox\Profiles\gke2nsex.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://D:\Documents and Settings\Dave.DAVE-SKZW26X5BR\Application Data\Mozilla\Firefox\Profiles\gke2nsex.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102734175719
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A216813-6827-4A16-B128-84DE5A8E923A}: NameServer = 64.136.28.120 64.136.20.120
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks

#6 rridgely (Moderator, 8,858 posts)

Posted 10 September 2005 - 03:33 PM

Remove these:

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_04) -

O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

Also, you don't have an antivirus installed. You really should either go get AVG or Avast.

Are you still getting pop-ups?
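The entries rridgely singled out in posts #2 and #6 share a pattern a reviewer can apply mechanically before reading a log by hand: a BHO registration with no name or no DLL on disk, an O16 DPF (ActiveX download) entry with no source URL, and an O23 service with an unknown owner, a missing binary, or a binary living under a Temp directory. The script below is an added example, not HijackThis code and not anything posted in this thread; it re-implements those triage heuristics over a handful of lines copied from the first log above. The reason strings and the Temp-path regex are the example's own choices.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

Flags the kinds of entries the moderator asked to have removed:
  O2  - BHO with "(no name)" or "(no file)"         -> orphaned/unnamed browser helper
  O16 - DPF entry with no download URL              -> ActiveX control of unknown origin
  O23 - service with unknown owner, missing binary, -> service registered from a
        or binary under a Temp directory                throwaway location
These are leads for a human reviewer, not verdicts.
"""
import re
from typing import Callable, Dict, List, Optional

# Sample lines copied from the thread's first HJT log (plus the clean Acrobat BHO
# and vsmon service as negatives). Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} -
O23 - Service: AMLKQR - Unknown owner - D:\DOCUME~1\DAVE~1.DAV\LOCALS~1\Temp\AMLKQR.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O23 - <body>": section code, then the section-specific body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# "DPF: {CLSID} (Friendly Name) - http://..." ; name and URL are both optional in real logs.
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>.*?)\))? -\s*(?P<url>.*)$"
)
# Paths under a Temp folder, including the 8.3 short form HJT prints (LOCALS~1\Temp).
TEMP_RE = re.compile(r"\\(temp|locals~1)\\", re.IGNORECASE)


def check_bho(body: str) -> Optional[str]:
    """O2 entries: 'BHO: <name> - <clsid> - <dll path>'."""
    parts = body[len("BHO: "):].split(" - ")
    if len(parts) != 3:
        return None
    name, _clsid, path = parts
    reasons = []
    if name == "(no name)":
        reasons.append("BHO has no name")
    if path == "(no file)":
        reasons.append("BHO DLL is missing (orphaned registration)")
    return "; ".join(reasons) or None


def check_dpf(body: str) -> Optional[str]:
    """O16 entries: an ActiveX control whose download URL is blank cannot be vetted."""
    m = DPF_RE.match(body)
    if m and not m.group("url"):
        return "DPF (ActiveX download) entry has no source URL"
    return None


def check_service(body: str) -> Optional[str]:
    """O23 entries: 'Service: <display name> - <owner> - <binary path> [(file missing)]'."""
    parts = body[len("Service: "):].split(" - ", 2)
    if len(parts) != 3:
        return None
    _name, owner, path = parts
    reasons = []
    if owner == "Unknown owner":
        reasons.append("service has no vendor/owner")
    if "(file missing)" in path:
        reasons.append("service binary is missing")
    if TEMP_RE.search(path):
        reasons.append("service binary lives under a Temp directory")
    return "; ".join(reasons) or None


CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "O2": check_bho,
    "O16": check_dpf,
    "O23": check_service,
}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or process-list line
        check = CHECKS.get(m.group("section"))
        if check is None:
            continue  # section this example does not cover (R0, O4, O8, O17, ...)
        reason = check(m.group("body"))
        if reason:
            findings.append({"section": m.group("section"), "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run against the sample it flags exactly the three lines rridgely listed in post #2 and leaves the Acrobat BHO and the Zone Labs service alone. On the full first log it would also flag the Prevx Agent service, whose path carries a stray quote and so shows "(file missing)" with "Unknown owner"; that is the kind of false positive these heuristics produce, which is why the output is a worklist for a person and not a removal list.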