Vicious Spyware

Please Respond
cdd
Posts: 2622
Joined: Fri 15 Aug, 2003 14.05

Hi Guys

I'm in a little bit of a pickle.

I've tried about 30,000 different spyware programs, and it still won't get rid of it. The thing is, it's nice and discreet - so I can't just go and find a website to help me.

Below is a pic of the thing

Image

It's a toolbar identifying itself as "Search Assistant"; its initial text is "Search the Web".

Unfortunately it (APPEARS!) to just search straight through Google (or whatever search engine you choose -- how handy! who cares?), but, of course, none of those engines are anything out of the ordinary, just rubbish like Yahoo, MSN Search, Google, Blazefind...

So my question is WHAT THE HELL IS THIS MYSTERIOUS PIECE OF RUBBISH! It reappears every time I turn on my computer, and, as it turns out, it also reinserts my *lovely* Quick Launch toolbar for me. Each time I start up.

Now if it would just tell me its bloody name I'd be able to scrap it - but no, it's nice and discreet - which is why I'm calling on "human" support!

Thanks

C
Chris
Posts: 845
Joined: Fri 15 Aug, 2003 19.03
Location: Surrey

Use Hijack this and post the log here.

As an aside, did you install Exeem by any chance?
Pete
Posts: 7631
Joined: Fri 15 Aug, 2003 13.36
Location: Dundee

I thought you were far too clever to get spyware/viruses Denman?
Bail
Posts: 1142
Joined: Fri 15 Aug, 2003 21.41
Location: UK

Did you recently install msn plus? That looks like the "spyware" that it puts on if you let it.
cdd
Posts: 2622
Joined: Fri 15 Aug, 2003 14.05

Bail wrote: Did you recently install msn plus? That looks like the "spyware" that it puts on if you let it.
def. not from that. I did manage to end up with that at some point, some rubbish from C2Media.

And I don't think I got the spyware... someone else using my computer did!! (yeah yeah yeah)
Logfile of HijackThis v1.99.0
Scan saved at 20.21.04, on 24/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\netclnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\SYSTEM32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\wisptis.exe
C:\Documents and Settings\Chris D\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/segmentation/welcome.adp
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CDnsRepObj Object - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Update] windoc.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Windows Service Pack2] win43.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] msupdatem.exe
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: TTK.lnk = C:\Program Files\Talking Time Keeper\TalkingTimeKeeper.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/Clien ... /setup.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Network Client - Unknown - C:\WINDOWS\system32\netclnd.exe

And no idea if I installed Exeem or not... so basically no, not willfully.

Thx

Chris
Pete
Posts: 7631
Joined: Fri 15 Aug, 2003 13.36
Location: Dundee

cdd wrote: And I don't think I got the spyware... someone else using my computer did!! (yeah yeah yeah)
Well, you should have them executed right away in that case.

I've installed Exeem; has it got any muck in it, like?
Chris
Posts: 845
Joined: Fri 15 Aug, 2003 19.03
Location: Surrey

OK ...
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
This, according to Google, is Blazefind. Instructions to remove it are here - be very careful how you go about it, as you could potentially not be able to log back onto your computer.
netclnd.exe
More information on it and how to get rid of it is available here

PS. It is a virus.
O2 - BHO: CDnsRepObj Object - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
This is something dodgy. Again, get rid of it.
O4 - HKLM\..\RunServices: [Microsoft Update] windoc.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Windows Service Pack2] win43.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] msupdatem.exe
These are a bit hooky if you ask me. I would suggest getting rid of them, as I've never had such a thing appear on my computer after applying a service pack.
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
Get rid of this.

I would also recommend running a full virus scan using one of the online ones and also downloading and running some malware detection tools like MS Anti Spyware, Spybot etc.

On a final note, I would also get rid of this too. Looks a bit hooky.
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
Pete wrote: I've installed Exeem; has it got any muck in it, like?
Mixed bag from what I can gather. Some people say it hasn't got anything bundled with it, and some say it has Cydoor adware bundled with it.

Clicky, Clicky Clicky
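Chris picks the suspicious entries out of the HijackThis log by eye: a UserInit that isn't the stock one, a BHO backed by a .gif, a toolbar CLSID with no file, RunServices entries that are bare file names, an ActiveX entry with no download URL, and an "Unknown" service sitting in System32. The script below is an added example (not code from this thread or from HijackThis) that turns those same rules of thumb into a first-pass triage pass over a log. The sample lines are copied from the log posted above; the stock UserInit value is an assumption for Windows XP.

```python
"""First-pass triage of HijackThis log lines.

Added example (not code from this thread or from HijackThis). It encodes
the rules of thumb used in the replies above as simple checks:
  * F2  UserInit that is not the stock userinit.exe
  * O2  BHOs with no name, or backed by a file that is not a .dll
  * O3  toolbars whose CLSID has no file behind it
  * O4  autostart entries that are a bare file name with no directory
  * O16 ActiveX (DPF) entries with no download URL
  * O23 services from an "Unknown" publisher living in System32
These are heuristics for deciding what to look at first, not a verdict.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumed stock value for Windows XP (compared case-insensitively).
STOCK_USERINIT = r"c:\windows\system32\userinit.exe,"

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CDnsRepObj Object - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Update] windoc.exe
O4 - HKLM\..\RunServices: [Windows Service Pack2] win43.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Network Client - Unknown - C:\WINDOWS\system32\netclnd.exe
"""

# Every HijackThis entry starts with a section code such as O2 or O16.
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def check_f2(body):
    """REG:system.ini UserInit must be the stock userinit.exe."""
    if body.startswith("REG:system.ini: UserInit="):
        value = body.split("=", 1)[1].strip().lower()
        if value != STOCK_USERINIT:
            return "UserInit is not the stock userinit.exe"
    return None


def check_o2(body):
    """BHO: <name> - {CLSID} - <path>; flag nameless ones and non-DLL files."""
    parts = body.split(" - ")
    name, path = parts[0][len("BHO: "):].strip(), parts[-1].strip()
    if name == "(no name)":
        return "BHO with no name"
    if not path.lower().endswith(".dll"):
        return f"BHO backed by a non-DLL file: {ntpath.basename(path)}"
    return None


def check_o3(body):
    """Toolbar registered under a CLSID that has no file behind it."""
    if body.rstrip().endswith("(no file)"):
        return "toolbar CLSID with no file behind it"
    return None


def check_o4(body):
    """Run/RunServices: [Name] <command>; a bare file name has no directory,
    so it resolves through the search path and hides where it really lives."""
    if "] " not in body:
        return None  # Startup-folder .lnk entries use a different layout
    cmd = body.split("] ", 1)[1].strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    if "\\" not in exe and "/" not in exe:
        return f"autostart by bare file name (no directory): {exe}"
    return None


def check_o16(body):
    """DPF: {CLSID} (Name) - <url>; an ActiveX entry with no URL is a leftover."""
    m = re.search(r"\)\s*-\s*(\S*)$", body)
    if not m or not m.group(1):
        return "ActiveX (DPF) entry with no download URL"
    return None


def check_o23(body):
    """Service: <name> - <company> - <path>; unknown publisher in System32."""
    parts = body.split(" - ")
    if len(parts) < 3:
        return None
    company, path = parts[-2].strip(), parts[-1].strip()
    if company == "Unknown" and "\\system32\\" in path.lower():
        return f"service from unknown publisher in System32: {ntpath.basename(path)}"
    return None


CHECKS = {"F2": check_f2, "O2": check_o2, "O3": check_o3,
          "O4": check_o4, "O16": check_o16, "O23": check_o23}


def triage(log):
    """Return the entries worth a closer look, in log order."""
    findings = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        if check is None:
            continue
        reason = check(body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it flags exactly the eight entries the thread discusses (the wsaupdater UserInit, the two odd BHOs, the empty toolbar, windoc.exe and win43.exe, the URL-less DPF entry and netclnd.exe) and leaves the Adobe, Google, QuickTime, Skype and Norton lines alone. The Adobe LM Service is also listed as "Unknown" but sits under Program Files rather than System32, which is why the O23 rule deliberately combines the two conditions.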
cdd
Posts: 2622
Joined: Fri 15 Aug, 2003 14.05

Chris wrote: OK ...
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
This, according to Google, is Blazefind. Instructions to remove it are here - be very careful how you go about it, as you could potentially not be able to log back onto your computer.
netclnd.exe
More information on it and how to get rid of it is available here

PS. It is a virus.
O2 - BHO: CDnsRepObj Object - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
This is something dodgy. Again, get rid of it.
O4 - HKLM\..\RunServices: [Microsoft Update] windoc.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunServices: [Windows Service Pack2] win43.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] msupdatem.exe
These are a bit hooky if you ask me. I would suggest getting rid of them, as I've never had such a thing appear on my computer after applying a service pack.
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
Get rid of this.

I would also recommend running a full virus scan using one of the online ones and also downloading and running some malware detection tools like MS Anti Spyware, Spybot etc.

On a final note, I would also get rid of this too. Looks a bit hooky.
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
How yichhy! I can see something's had a field day on my computer.

I think I'll just format... don't fancy the job of going through all that and deleting it, and my computer is long-overdue one!

And that virus... I think a cliché about a certain high horse springs to mind!

Anyway thanks very much for your help :)

C
Big Brother
Posts: 184
Joined: Fri 15 Aug, 2003 13.21

Something amazes me about people who often ask questions about this, and it often comes with the simplest of answers.

Open up Add/Remove Software and look at what's installed, and I bet that a lot of these "Search" toolbars are there. WebSearch. SaveSearch. WebAssistant. They come under various aliases.

I did myself have a bar similar to this after installing a new version of Morpheus ages ago. Uninstalling Morpheus helped.

Another solution is to go to your Program Files folder and look for unusually named folders. Folders that appear as Save or IE Tools, Donkey, NewSoft or whatever. If it's a reputable piece of software it will most likely be in a folder under its company name, i.e. Microsoft. If you go into any of these weirdly named folders you can probably find an uninstaller. If you follow the directions, even if it tries to load the net etc. and gets you to input codes, it will uninstall on restart.

Editing your registry's startup list can also help prevent these things loading up.

Most people will agree with me that you generally get such spyware in programs or off websites which aren't quite legitimate or reputable. The latest crack for the latest Adobe software is obviously going to carry a virus or spyware. You have to get real with it: if you're going to do it, you have to accept the consequences.
marksi
Posts: 1892
Joined: Wed 07 Jan, 2004 05.38
Location: Donaghadee

If anyone can help me get rid of Cydoor, I'd be grateful. AdAware finds it each time I do a scan. I'm pretty certain it's been disabled but I can't seem to remove the last traces of it - when I follow any of the online instructions about registry editing I find nothing in any of the places it says it can hide...