Spyware, Spyware Removers, Arrgh

Discussion in 'Spyware' started by I am me, May 25, 2004.

  1. I am me (Guest)

    The other day, I noticed some of my icons were missing, and replaced with ones
    from spyware. The missing ones were accounted for, but the new ones, I don't
    know what they're from. Ran Ad-Aware. Found nothing. Ran Spybot S+D, found a
    ton of stuff, got rid of it. That and some subsequent programs took care of the
    extra weird toolbars and the desktop icons, but also got rid of Notepad and
    reinstalled Windows Messenger. WTF? It also takes me to a stupid search engine
    every time I went on to I.E. and I got 5 pop-ups. I tried downloading Netscape
    Navigator, and the download and subsequent install was successful, but when I
    tried to open it, it didn't work. Today, after my classes, I tried going onto
    my computer, got to the XP login screen, clicked my name, all was fine until I
    got two "blablabla has an error and needs to quit" messages, and then the
    computer self-restarted. I let it restart, waited a few minutes, clicked on my
    username, and it began loading. Then it just kept restarting. It did this five
    more times. What's wrong with my computer?

    REPLY THROUGH EMAIL...thanks.


    -----------------------------------------------
    and the music turned to swing
    and the tall handsome wonderful person
    spun me around
    and we made beautiful music
    with our laughter
    -----------------------------------------------
     
    I am me, May 25, 2004
    #1

  2. Mike (Guest)

    The Sasser worm that circulated around the internet a couple of weeks ago
    causes computers to constantly reboot. Perhaps that's what you have
    infecting your system.
     
    Mike, May 26, 2004
    #2

  3. Chuck (Guest)

    Asked here, answered here. For everybody's benefit.

    Apparently, your computer is now infected with the W32.Blaster or W32.Sasser
    Worm, or one of its variants. This happened because you have not been using an
    internet connection firewall and have apparently neglected to install the
    critical updates available from Microsoft.

    If your computer is constantly attempting to shut down or reboot:
    Start - Run, type "shutdown -a", and hit Enter.
    That should halt the reboot. Now fix the problem.

    Immediately turn on Windows XP's built-in Firewall:
    http://www.microsoft.com/security/protect/

    Download and install Security patch KB824146:
    http://support.microsoft.com/?kbid=824146

    What you need to know about the Blaster Worm:
    <http://www.microsoft.com/security/incident/blast.asp>
    http://support.microsoft.com/?id=826955
    <http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html>

    What you need to know about the Sasser worm:
    http://www.microsoft.com/security/incident/sasser.asp
    http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
    http://www3.telus.net/dandemar/sasser.htm

    And about the Nachi / Welchia worm:
    http://support.microsoft.com/?id=826234
    <http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html>

    Download and run the Blaster and Welchia worm removal tool (Windows 2K/XP):
    <http://support.microsoft.com/default.aspx?scid=833330>

    "Get Help with Security and Virus-related Issues"
    "Get free help by phone: 1 (866) 727-2338 (Toll free; US and Canada only)"
    http://www.microsoft.com/security/protect/support.asp

    After you deal with Blaster / Sasser / whatever...

    Try these free online virus scans:
    <http://www.bitdefender.com/scan/license.php>
    <http://www.pandasoftware.com/activescan/com/activescan_principal.htm>
    <http://www.ravantivirus.com/scan/>
    <http://security.symantec.com/ssc/home.asp>
    <http://housecall.trendmicro.com/housecall/start_corp.asp>

    Now check for, and learn to defend against, additional carriers of infection.
    Have you downloaded these programs before? Download them again, as many are
    revised frequently, to keep up with the current level of malware being attempted
    constantly - get the absolutely most current version of each product listed.
    They're all free - and most pretty small, so they download quickly enough.

    First, download LSP-Fix and WinsockXPFix from <http://www.cexx.org/lspfix.htm>,
    and CWShredder from <http://www.majorgeeks.com/download4086.html>. All are
    free.

    Next, close all Internet Explorer and Outlook windows, then run CWShredder.
    Have it fix all variants.

    Now check for, and remove, spyware. Get HijackThis
    <http://www.majorgeeks.com/download.php?det=3155> and Spybot S&D
    <http://www.safer-networking.org/index.php?page=download>. Both free.
    1) Install and run Spybot. First update it ("Search for updates"), then run a
    scan ("Check for problems"). Trust Spybot, and make all recommended deletions.
    2) Install and run HijackThis. Do NOT make any changes immediately. Save the
    HJT Log.
    3) Have your HJT log interpreted by experts at one or more of the following
    forums (and post it, or a link to your forum post, here):
    <http://forums.net-integration.net/>
    <http://forums.spywareinfo.com/>
    <http://forums.tomcoyote.org/>
    <http://www.wilderssecurity.com/>

    If removal of any spyware affects your ability to access the internet (some
    spyware builds itself into the network software, and its removal may damage your
    network), run LSP-Fix and / or WinsockXPFix.

    And please don't contribute to the spread and success of email address mining
    viruses. Learn to munge your email address properly, to keep yourself a bit
    safer when posting to open forums. Protect yourself and the rest of the
    internet - never post your address unmunged.
    http://www.mailmsg.com/SPAM_munging.htm

    Cheers,
    Chuck
    Paranoia comes from experience - and is not necessarily a bad thing.
     
    Chuck, May 27, 2004
    #3
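Why Chuck's first step works, plus a check a practitioner would want: Blaster's exploit crashes the RPC service (hosted in svchost.exe) and Sasser's crashes LSASS, and Windows XP reacts to either crash with a 60-second shutdown countdown, which `shutdown -a` cancels. On patches, KB824146 closes the RPC/DCOM hole Blaster used; Sasser attacks LSASS, whose fix is MS04-011 (KB835732), so a Sasser victim needs that one as well. Once the box stays up, `netstat -an` shows whether either worm is still active. The Python below is an added example, not code from this thread, from Microsoft or from Symantec: it parses netstat output and flags the back-door listeners and the outbound fan-out those two worms produce. The netstat lines are constructed, and SCAN_THRESHOLD is an assumed cut-off.

```python
"""Triage 'netstat -an' output for Blaster / Sasser activity.

Added example for this thread; not code from any poster, from Microsoft or
from Symantec. The netstat lines below are constructed, and SCAN_THRESHOLD
is an assumed cut-off.
"""
import re
from collections import defaultdict

# Well-known network behaviour of the two worms named in the thread.
WORM_LISTENERS = {
    ("TCP", 4444): "Blaster: shell opened by the RPC/DCOM exploit on a freshly hit host",
    ("UDP", 69):   "Blaster: TFTP server an infected host uses to hand out msblast.exe",
    ("TCP", 5554): "Sasser: FTP server an infected host uses to hand out the worm",
    ("TCP", 9996): "Sasser: shell opened by the LSASS exploit on a freshly hit host",
}
WORM_SCAN_PORTS = {135: "Blaster (RPC/DCOM, TCP 135)", 445: "Sasser (LSASS over SMB, TCP 445)"}
SCAN_THRESHOLD = 5   # assumed: distinct hosts on one port before we call it scanning

# Constructed sample of what an infected XP box might show (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1049       192.168.1.77:445       SYN_SENT
  TCP    192.168.1.5:1050       192.168.1.78:445       SYN_SENT
  TCP    192.168.1.5:1051       10.20.3.9:445          SYN_SENT
  TCP    192.168.1.5:1052       10.20.3.10:445         SYN_SENT
  TCP    192.168.1.5:1053       172.16.8.2:445         ESTABLISHED
  TCP    192.168.1.5:1054       64.12.24.10:80         ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)")


def parse_netstat(text):
    """Return (proto, local_addr, local_port, remote_addr, remote_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            rows.append((proto, laddr, int(lport), raddr, rport, state))
    return rows


def assess(rows):
    """Match listeners against worm back doors and count outbound fan-out per port."""
    findings = []
    targets = defaultdict(set)          # remote port -> distinct remote hosts contacted
    for proto, _laddr, lport, raddr, rport, state in rows:
        listening = state == "LISTENING" or (proto == "UDP" and raddr == "*")
        if listening:
            label = WORM_LISTENERS.get((proto, lport))
            if label:
                findings.append(f"listener {proto}/{lport}: {label}")
        elif state in ("SYN_SENT", "ESTABLISHED") and rport.isdigit():
            targets[int(rport)].add(raddr)
    for port, hosts in sorted(targets.items()):
        if port in WORM_SCAN_PORTS and len(hosts) >= SCAN_THRESHOLD:
            findings.append(f"outbound scan: {len(hosts)} hosts on port {port}, "
                            f"typical of {WORM_SCAN_PORTS[port]}")
    return findings


def triage_netstat(text):
    """Convenience wrapper: raw 'netstat -an' text in, list of finding strings out."""
    return assess(parse_netstat(text))


if __name__ == "__main__":
    for finding in triage_netstat(SAMPLE_NETSTAT):
        print(finding)
```

Run it against a saved `netstat -an > ports.txt` from the affected machine. TCP 135 and 445 listening are normal on XP and are deliberately not flagged; only the back-door ports and the many-hosts-on-one-port pattern are, which is the pattern a spreading worm produces and a browsing user does not.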
  4. I am me (Guest)

    My log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:32:32 PM, on 5/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SOFTGR~1\livecool.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\WINDOWS\webshots.scr
    C:\WINDOWS\System32\PackethSvc.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\PROGRA~1\AMERIC~2.0A\waol.exe
    C:\PROGRA~1\AMERIC~2.0A\shellmon.exe
    C:\PROGRA~1\AMERIC~2.0A\aolwbspd.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lliadaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lliadaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.search-internet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-internet.net/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lliadaa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lliadaa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lliadaa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-internet.net/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lliadaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts: 207.36.196.189 #eautosearch
    O1 - Hosts: 207.36.196.189 #eautosearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ChinCopy - {C5F6E920-9CE2-6D2C-4C7C-72356DEDE0DE} - C:\PROGRA~1\SECOND~1\Face Online.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [sysdll32.dll] C:\WINDOWS\system\sysdll32.exe
    O4 - HKLM\..\Run: [xor] C:\WINDOWS\System32\x0r\svshost.exe
    O4 - HKLM\..\Run: [mail curb] C:\PROGRA~1\SOFTGR~1\livecool.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
    O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37982.7120486111
    O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference.com/Install/Spanish%20to%20English.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{85A239FB-58BC-4A94-B99E-28C7A3180787}: NameServer = 205.188.146.146
    O19 - User stylesheet: C:\WINDOWS\winstyle.css
    O19 - User stylesheet: C:\WINDOWS\winstyle.css (HKLM)



     
    I am me, May 29, 2004
    #4
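Chuck's checklist ends with having the HijackThis log read by someone experienced, and the log in this post is a textbook case: every IE search setting points at res://...lliadaa.dll/sp.html, a hosts entry sends lookups to 207.36.196.189, an autostart named svshost.exe is one letter off svchost.exe, two more autostarts run from c:\installer and C:\WINDOWS\system, five O10 New.Net entries sit in the Winsock LSP chain, and a user stylesheet is set. As an added example that is not part of HijackThis and not from any poster, here is a Python triage that applies those rules to an HJT log and separates what to delete from what to confirm first. SAMPLE_LOG is a subset of the log above with wrapped lines rejoined; the TRUSTED_* tables are assumptions standing in for what the machine's owner knows to be legitimate.

```python
"""Triage a HijackThis 1.9x log and rank the entries that need attention.

Added example for this thread: not part of HijackThis, not code from any
poster. SAMPLE_LOG is a subset of the log posted above (wrapped lines
rejoined); the TRUSTED_* tables are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    section: str
    severity: str   # "fix": remove with the tools named in the thread; "review": confirm first
    reason: str
    line: str


# Assumptions: the ISP start page and the one toolbar the owner installed on purpose.
TRUSTED_HOSTS = {"www.comcast.net"}
TRUSTED_CLSIDS = {"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"}   # Norton AntiVirus toolbar
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe")
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows")     # plus anything under Program Files
EXE_RE = re.compile(r'"?([a-z]:\\[^"]*?\.exe)', re.I)
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}")

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lliadaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.search-internet.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
O1 - Hosts: 207.36.196.189 #eautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ChinCopy - {C5F6E920-9CE2-6D2C-4C7C-72356DEDE0DE} - C:\PROGRA~1\SECOND~1\Face Online.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [sysdll32.dll] C:\WINDOWS\system\sysdll32.exe
O4 - HKLM\..\Run: [xor] C:\WINDOWS\System32\x0r\svshost.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{85A239FB-58BC-4A94-B99E-28C7A3180787}: NameServer = 205.188.146.146
O19 - User stylesheet: C:\WINDOWS\winstyle.css
"""


def levenshtein(a, b):
    """Edit distance, used to catch autostart names that imitate system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_run_entry(line):
    """O4 autostarts: lookalike names first, then executables outside the usual folders."""
    m = EXE_RE.search(line)
    if not m:
        return None                  # e.g. RUNDLL32.EXE with no drive path to judge
    path = m.group(1).lower()
    folder, _, name = path.rpartition("\\")
    for sysname in SYSTEM_BINARIES:
        if name != sysname and levenshtein(name, sysname) == 1:
            return Finding("O4", "fix", f"{name} imitates {sysname}", line)
    if folder in EXPECTED_DIRS or folder.startswith(r"c:\program files"):
        return None
    return Finding("O4", "fix", f"autostart from unusual folder {folder}", line)


def triage(log_text):
    """One pass over the log; 'fix' findings sort ahead of 'review' ones."""
    findings, lsp_hits = [], 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        section, _, body = line.partition(" - ")
        if section in ("R0", "R1"):
            value = body.rpartition(" = ")[2].replace(" (obfuscated)", "")
            host = urlparse(value).hostname if value.lower().startswith("http") else None
            if value.lower().startswith("res://"):
                findings.append(Finding(section, "fix", "IE page served from inside a DLL (CWS-style res:// hijack)", line))
            elif host and host not in TRUSTED_HOSTS:
                findings.append(Finding(section, "fix", f"IE start/search page redirected to {host}", line))
        elif section == "O1" and body.split()[1] != "127.0.0.1":
            findings.append(Finding(section, "fix", f"hosts file points names at {body.split()[1]}", line))
        elif section == "O3":
            clsid = CLSID_RE.search(body)
            if not clsid or clsid.group() not in TRUSTED_CLSIDS:
                findings.append(Finding(section, "review", "toolbar CLSID not on the owner's known-good list", line))
        elif section == "O4":
            if found := check_run_entry(line):
                findings.append(found)
        elif section == "O10":
            lsp_hits += 1            # Winsock LSP chain: count it, never delete entries by hand
        elif section == "O17":
            findings.append(Finding(section, "review", "DNS server override; confirm it belongs to the ISP", line))
        elif section == "O19":
            findings.append(Finding(section, "review", "user stylesheet; almost never set on purpose on a home PC", line))
    if lsp_hits:
        findings.append(Finding("O10", "review", f"{lsp_hits} Winsock LSP entries; remove with LSP-Fix so the chain stays intact",
                                "O10 - Hijacked Internet access by New.Net"))
    findings.sort(key=lambda f: (f.severity != "fix", f.section))
    return findings
```

The O10 entries are counted and reported once instead of being marked for deletion: the repeated lines show they form a chain, and pulling one LSP out of that chain by hand is exactly how a machine loses network access after a cleanup, which is why the thread points at LSP-Fix and WinsockXPFix for that step. Everything marked "fix" is what Spybot or CWShredder would be expected to take out; "review" items go to the owner (or the forum reading the log) before anything is touched.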
  5. Chuck (Guest)

    On 29 May 2004 18:34:33 GMT, (I am me) wrote:

    OK, Me,

    I haven't looked at your log in detail - the database I need is very busy right
    now, and I can't get in. Later tonight hopefully.

    HOWEVER, I did find one baddie. LiveCool. I've only found a TOTAL of 4
    discussions about that on the ENTIRE web, and none of them know how to kill it
    easily.
    C:\PROGRA~1\SOFTGR~1\livecool.exe
    O4 - HKLM\..\Run: [mail curb] C:\PROGRA~1\SOFTGR~1\livecool.exe

    From what I've read, you won't be able to kill it by just stopping the process
    and deleting the executable livecool.exe. Modern spyware contains multiple
    components - livecool.exe is the one you see, but there are quite likely others
    that you don't see. If you don't kill them all at the same time, the ones left
    will resurrect the others as you watch. :(

    Watch this space.

    Cheers,
    Chuck
    Paranoia comes from experience - and is not necessarily a bad thing.
     
    Chuck, May 30, 2004
    #5
  6. CalamityKen (Guest)

    I am me typed:
    <snip>

    You have lots of infections.

    First uninstall NewDotNet.
    http://www.newdotnet.com/#remove

    * Download Ad-aware from here: http://www.lavasoftusa.com/software/adaware
    * Install by double-clicking on the downloaded file.
    * After installing but before running, update Ad-aware by using its
    Globe icon.
    * After updating, shutdown and restart Ad-aware.

    Ad-aware is ready to scan and clean your system following these steps:

    * Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning
    Engine:
    "Unload recognized processes during scanning."
    * Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning
    Engine:
    "Let Windows remove files in use after reboot."
    * Press "Scan Now"
    * Check option "Use Custom scanning options"
    * Check option "Activate In-Depth Scan"
    * Press "Select drives\folders to scan"
    * Select the active partition which is usually C:
    * Press "Next" to let Ad-aware scan your drives...
    * If it finds "bad" files and registry keys, press "Next" again
    * Right-click in that pane and choose "select all"
    * Press "next"
    * When it asks to remove all checked items, Press "OK"

    Close Ad-aware and reboot your system.
     
    CalamityKen, May 30, 2004
    #6
  7. BoB (Guest)

    Better place for HJT log analysis:

    http://forums.tomcoyote.com/index.php?s=82117c0133a77f75b84955c189b141d7&showforum=27

    BoB
     
    BoB, May 30, 2004
    #7
  8. I am me (Guest)

    I did the New.net remover, as well as Adaware. I even ran a Norton Virus Scan.
    My computer is functional now, but the popups are still there and my front page
    is still being redirected, and Notepad is still gone.


     
    I am me, May 30, 2004
    #8
  9. Mike (Guest)

    This page from Merijn.org may have some info regarding your problem:
    http://www.spywareinfo.com/~merijn/winfiles.html

    --Mike
     
    Mike, May 31, 2004
    #9
