Jump to content


Recurring problem with spyware

  • This topic is locked This topic is locked
3 replies to this topic

#1 Paul G.

Paul G.


  • New Member
  • Pip
  • 1 posts

Posted 01 June 2007 - 12:15 PM

Dear All,

I'm struggling with my parents' PC -- just came down for a few days to visit them and I'm wasting all my time trying to make their computer usable again... it was totally infected with all kinds of viruses, without recent system updates etc. I've already managed to get rid of most of the malicious software, but there's still one nasty bug that I'm unable to remove. Here are some details:

1) OS is Win XP with all updated installed (by now)

2) It uses built-in Win Firewall, Clam Win antivirus with updated virus database, and Spybot S&D with an updated database as well.

3) It connects to the Internet via WAN modem. Default browser is Firefox, and default mail software is Thunderbird. Yahoo! taskbars have been removed.

4) Multiple scans performed with Ad-Aware, Spybot and Ewido don't seem to be any helpful. Hijackthis indicates that the registry entries are clean:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:10:38, on 2007-06-01
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe
C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
C:\Program Files\Labtec\Desktop\V5.1\MOUSE32A.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ScanPanel\ScnPanel.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Piotr\Moje dokumenty\W?nSxS\w?auclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1978B8A4-47E3-4C4B-A35A-BBB13ACCFF04} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\qymvjaxh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {709AFF26-6BB0-4AD3-A3A3-1286592465D6} - C:\WINDOWS\system32\ssqonkj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Desktop\V5.1\moffice.exe
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Labtec\Desktop\V5.1\kbdap32a.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DelPnPDirver] C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-21-1614895754-261478967-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Paweł')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ScanPanel\ScnPanel.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1152381963343
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E9F172A-83A0-40AF-97AC-2B066A1EF9CD}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E9F172A-83A0-40AF-97AC-2B066A1EF9CD}: NameServer =
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll (file missing)
O20 - Winlogon Notify: ssqonkj - ssqonkj.dll (file missing)
O20 - Winlogon Notify: winodn32 - C:\WINDOWS\SYSTEM32\winodn32.dll
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

End of file - 7140 bytes

Cleaning registers with Smitfraudfix didn't solve the problem. Before posting here I followed the instructions from FAQ, and here's the outcome:

(a) Ad-Aware found and removed PurityScan. Detailed log available on request.

(b) Spybot found and removed Smitfraud-C.Toolbar and Microsoft.WindowsSecurityCenter.AntivirusOverride. Detailed log available on request.

© AVG Anti-Spyware run in SafeMode found and removed Trojan.Dialer.pz. Here's the report:

AVG Anti-Spyware - Scan Report

+ Created at: 14:48:26 2007-06-01

+ Scan result:

C:\Documents and Settings\Piotr\Ustawienia lokalne\Temporary Internet Files\Content.IE5\6KQN0EZA\q3q99[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).

::Report end

(d) While in SafeMode, I deleted the 'Temp' and 'Temporary Internet Files' directories in user's home directory, as well as windows/temp directory.

(e) 'System Restore' is turned off, and so are cookies in the browser. Security level for the Internet zone is set to 'custom' according to the guidelines from FAQ. Privacy settings are set so that all files are supposed to be blocked.

(f) After restarting and establishing a connection to the Internet, the connection is dropped after a few minutes -- new connection named user-SOME_RANDOM_NUMBER is being created, and Spybot is reporting an attempt to change a registry key:

2007-06-01 16:41:28 Denied value "Biit" (new data: ""C:\WINDOWS\system32\CROSOF~1.NET\logonui.exe" -vt yazb") added in System Startup user entry!
2007-06-01 18:22:20 Denied value "Zfarnn" (new data: ""C:\Documents and Settings\Piotr\Moje dokumenty\W?nSxS\w?auclt.exe"") added in System Startup user entry!
2007-06-01 18:22:30 Denied value "{C80A4D6B-AEA2-D177-887F-88ADDDE82593}" (new data: "") added in Browser Helper Object!

This new connection isn't used, though. If one needs to connect to the Internet, one can do that using the 'regular' connection. The whole situation repeats every few minutes.

(g) A firewall exception for a file named winSOME_RANDOM_NUMBER is automatically created from time to time.

5) I've repeated the steps (a) - (d) many times in the last few days, with similar scan results each time. The situation decribed in (f) - (g) is still unresolved.

Any help would be greately appreciated -- I'm sick and tired of this whole business already, but 'format and reinstall' is not an option in this case...


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,522 posts

Posted 04 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Chancellor


    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 3,020 posts

Posted 16 June 2007 - 03:38 AM


Sorry you’ve had to wait for a few days but all of the helpers here are volunteers and we’ve been really busy recently.

If you still need help, please post a fresh HijackThis log into this thread so I can make sure nothing has changed and I will be happy to review it for you.


Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

#4 Chancellor


    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 3,020 posts

Posted 27 June 2007 - 12:55 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Please consider a donation to help Support SWI
Malware Complaints - Report them here and fight back!
Member of ASAP Since 2006 (Alliance of Security Analysis Professionals)
Please read the FAQ and the article "So how did I get infected in the first place?".

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button