Spyware infestation on laptop


This topic is locked
3 replies to this topic

#1 jayber

  • Full Member
  • 1 posts

Posted 14 January 2008 - 10:15 AM

Hi, I have a spyware/malware problem with my laptop. My IE start page occasionally gets hijacked and redirected to a Chinese website; other times, an IE dialog box pops up and asks if I want to keep working offline or to connect to the Internet (even when I'm using Firefox, not IE). My attempts at removing the spyware with AVG and Spyware Terminator have failed. I'd really appreciate any help with this.

Below are the logs from running the AVG scan in safe mode, then HijackThis in normal mode.

The AVG log file (in safe mode):

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:46:24 14/01/2007

+ Scan result:



C:\WINDOWS\system32\drivers\4fr7i63w.sys -> Downloader.Hmir.lx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fl2m0ghu.dll -> Downloader.Hmir.lx : Cleaned with backup (quarantined).
:mozilla.123:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.124:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.107:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.153:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.154:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.47:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.33:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.63:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.64:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.73:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.113:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.114:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.115:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.116:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.117:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.118:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.119:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.120:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.149:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.150:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.198:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.68:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.69:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.70:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.71:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.72:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.15:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.17:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.18:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.8:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.100:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.101:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.102:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.103:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.98:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.99:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Sulin\Local Settings\Temporary Internet Files\Content.IE5\Y1JW987I\cs0619[1].exe -> Trojan.OnLineGames.hfr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\k116870233220.exe -> Trojan.OnLineGames.hfr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\k116871315820.exe -> Trojan.OnLineGames.hfr : Cleaned with backup (quarantined).
C:\WINDOWS\853957WL.DLL -> Trojan.OnLineGames.hlt : Cleaned with backup (quarantined).


::Report end

The HijackThis log (normal mode):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:53:34, on 14/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ticw.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\d94b1.exe
C:\WINDOWS\system32\dvdplays.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
c:\documents and settings\sulin\my documents\lin\hijackthis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zhaodao123.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=Explorer.exe dvdhelp.exe
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\abskey.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\9d91.dll
O2 - BHO: Adobe Common Objects - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\dwFnm6sZ4r.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [epm-dm] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Microsoft Autorun5] C:\WINDOWS\system32\mosou.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [MsPrint32D] C:\WINDOWS\hpuwrf.exe
O4 - HKLM\..\Run: [WSockDrv32] C:\WINDOWS\upplbb.exe
O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS\upplbb.exe
O4 - HKLM\..\Run: [NAVMon32] C:\WINDOWS\NAVMon32.exE
O4 - HKLM\..\Run: [SHAProc] C:\WINDOWS\SHAProc.exe
O4 - HKLM\..\Run: [PTSShell] C:\WINDOWS\PTSShell.exe
O4 - HKLM\..\Run: [LotusHlp] C:\WINDOWS\LotusHlp.exe
O4 - HKLM\..\Run: [RegSrv64D] C:\WINDOWS\khhdea.exe
O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll
O4 - HKLM\..\Run: [WinForm] C:\WINDOWS\WinForm.exE
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [DbgHlp32] C:\WINDOWS\DbgHlp32.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [WinSysM] C:\WINDOWS\853957M.exe
O4 - HKLM\..\Run: [WinSysW] C:\WINDOWS\853957L.exe
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exE
O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exE
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [elqw34kt] rundll32 "C:\WINDOWS\Downlo~1\elqw34kt.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [byfvz] rundll32 "C:\WINDOWS\Downlo~1\byfvz.dll",Run
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: 一起来音乐社区 - {7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF} - http://www.yiqilai.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mscomm.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mscomm.dll
O20 - AppInit_DLLs: rsjzapm.dll
O23 - Service: 23749C71 - Unknown owner - C:\WINDOWS\system32\8C39A411.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: ED787CB9 - Unknown owner - C:\WINDOWS\system32\8AAA1EE1.EXE
O23 - Service: ServicedvdHelp (Servicedvdhelp) - Unknown owner - C:\WINDOWS\system32\dvdplays.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: 一起来音乐助手 (Yiqilai) - Unknown owner - C:\Program Files\Yiqilai\wmp\YiqilaiLyrics.exe (file missing)
O24 - Desktop Component 0: (no name) - http://l.yimg.com/ww...s/spaceball.gif

--
End of file - 7435 bytes

Should I post the Spyware Terminator log as well? Thanks again for any help with this problem :)


Edited to remove quote boxes

Edited by Indrid_Cold, 14 January 2008 - 02:50 PM.


#2 SWI Support Robot

  • Helper robot (SWI Bot)
  • 23,520 posts

Posted 17 January 2008 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 shaferintl

  • Trusted Advisor
  • 1,445 posts

Posted 18 January 2008 - 08:54 PM

jayber,

Thanks for your patience. Our volunteers are very busy. Your log indicates that you have Malware on your system. Let's get started.

Your log reveals a backdoor bot. These can severely compromise personal information which could lead to identity theft.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Should you have any questions, please feel free to ask.

Please download Combofix by sUBs. Or, you may download it from here. Place it on your Desktop.

Execute Combofix as follows:
  • Click Start > Run
  • Copy/paste or type the following into the Run box:
    • "c:\documents and settings\sulin\desktop\combofix.exe" /killall
  • Click OK.
  • Follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

Please post the Combofix log and a new HijackThis log in your next reply. Please also say how your computer is running now. :)
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 shaferintl

  • Trusted Advisor
  • 1,445 posts

Posted 05 February 2008 - 02:15 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
shaferintl




