Jump to content


Photo

Strange Spyware


  • This topic is locked This topic is locked
4 replies to this topic

#1 [ITA]mich

[ITA]mich

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 26 June 2004 - 10:05 AM

Hi all, :wave:
I'm a new member of this forum and I have a little problem with a spyware I never heard of... (BTW, sorry for my bad english, I'm italian...)

I was playing an on-line game ("Hook Line & Sinker" from GameRival site) when suddenly a pop-up appeared (strange enough since I use Google Toolbar to kill them) and then disappeared (it was too quick for me to see something).
After that I couldn't play the game anymore and I closed IE.

I restarted the browser and I saw that my start page was redirected, so I used CWSshredder thinking it was another variant of CWS but it only restored my IE settings and did not find any CWS variant.
I noticed that a program bearing the Lycos icon and name was installed on my PC and I immediately de-installed it.

After that I tought everything was fine, tried to play again that game and succeeded (so it wasn't GameRival fault I think); BUT when I tried to make a search with my Google Toolbar I only got results linked to expedia... for example, searching for Gold Miner (another GameRival game) and expecting to see tons of results including GameRival one I only got Gold Miners Hotel Palmer - Expedia.com the site is (expedia.click-url.com). :scratchhead: :wtf:

I explain better, at first Google show me the correct search but after less than a second it switch to that page with the expedia result.....

It appens even if I perform a normal Google Search (not through the Toolbar) but it does not work on other search engines (I tried yahoo).

My HJT log is:

Logfile of HijackThis v1.97.7
Scan saved at 16.47.57, on 26/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\Pannello di controllo ATI\atiptaxx.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programmi\File comuni\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programmi\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programmi\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SYSTEM32\CS4P028.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Outlook Express\msimn.exe
D:\anticws\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0614017A-760C-B4AC-999A-3A3F574C5EB1} - C:\WINDOWS\System32\moikdiea.dll
O2 - BHO: (no name) - {7EC6C6F4-0C1E-F4C1-313C-C367649F4D06} - C:\WINDOWS\System32\lrfkngbi.dll
O2 - BHO: (no name) - {8CF17FDF-9A45-AE0A-FE5A-68A80A1F905A} - C:\WINDOWS\System32\icegxksg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\Pannello di controllo ATI\atiptaxx.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Programmi\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Programmi\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Ricerche (HKLM)
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B8210C-FF20-496D-B647-56B46D96B9FB}: NameServer = 195.130.224.18 195.130.225.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B8210C-FF20-496D-B647-56B46D96B9FB}: NameServer = 195.130.224.18 195.130.225.129

Can someone help me please???
Sorry for the lenght of this post.
Bye.
--
Michele. :wave:

#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 26 June 2004 - 03:30 PM

Sorry for the lenght of this post.

A long post is more likely to give details of what is wrong!

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0614017A-760C-B4AC-999A-3A3F574C5EB1} - C:\WINDOWS\System32\moikdiea.dll
O2 - BHO: (no name) - {7EC6C6F4-0C1E-F4C1-313C-C367649F4D06} - C:\WINDOWS\System32\lrfkngbi.dll
O2 - BHO: (no name) - {8CF17FDF-9A45-AE0A-FE5A-68A80A1F905A} - C:\WINDOWS\System32\icegxksg.dll

O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

Reboot and delete

file
C:\WINDOWS\System32\IEXPLORE.EXE ( Don't worry, this is a bogus file!)

folder
c:\installer

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 [ITA]mich

[ITA]mich

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 26 June 2004 - 04:02 PM

Thank you so much... I solved the problem :bounce:

Here's the latest HJT log if you still need it:

Logfile of HijackThis v1.97.7
Scan saved at 22.58.48, on 26/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\Pannello di controllo ATI\atiptaxx.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programmi\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programmi\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
D:\anticws\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\Pannello di controllo ATI\atiptaxx.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Programmi\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Programmi\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Ricerche (HKLM)
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

Bye. :wave:
--
Michele.

#4 [ITA]mich

[ITA]mich

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 26 June 2004 - 04:08 PM

Ah BTW, there was no file C:\WINDOWS\System32\IEXPLORE.EXE

Bye again.
--
Michele.

#5 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 26 June 2004 - 04:22 PM

Nice clean log! Well done.

Glad to help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button