jayber

Spyware infestation on laptop

4 posts in this topic

Hi, I have a spyware/malware problem with my laptop. My IE start page occasionally gets hijacked and redirected to a Chinese website; other times, an IE dialog box pops up and asks if I want to keep working offline or to connect to the Internet (even when I'm using Firefox, not IE). My attempts at removing the spyware with AVG and Spyware Terminator have failed. I'd really appreciate any help with this.

 

Below are the logs from running the AVG scan in safe mode, then HijackThis in normal mode.

 

The AVG log file (in safe mode):

 

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 22:46:24 14/01/2007

 

+ Scan result:

 

 

 

C:\WINDOWS\system32\drivers\4fr7i63w.sys -> Downloader.Hmir.lx : Cleaned with backup (quarantined).

C:\WINDOWS\system32\fl2m0ghu.dll -> Downloader.Hmir.lx : Cleaned with backup (quarantined).

:mozilla.123:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.

:mozilla.124:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.

:mozilla.125:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.

:mozilla.126:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.

:mozilla.107:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.153:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.154:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.47:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.

:mozilla.33:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.

:mozilla.63:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.

:mozilla.64:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.

:mozilla.73:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Overture : Cleaned.

:mozilla.113:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.114:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.115:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.116:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.117:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.118:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.119:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.120:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.149:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.

:mozilla.150:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.

:mozilla.198:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.68:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.69:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.70:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.71:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.72:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.15:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

:mozilla.17:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

:mozilla.18:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

:mozilla.8:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

:mozilla.100:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.101:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.102:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.103:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.98:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.99:C:\Documents and Settings\Sulin\Application Data\Mozilla\Firefox\Profiles\wp4h9r1g.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

C:\Documents and Settings\Sulin\Local Settings\Temporary Internet Files\Content.IE5\Y1JW987I\cs0619[1].exe -> Trojan.OnLineGames.hfr : Cleaned with backup (quarantined).

C:\WINDOWS\system32\k116870233220.exe -> Trojan.OnLineGames.hfr : Cleaned with backup (quarantined).

C:\WINDOWS\system32\k116871315820.exe -> Trojan.OnLineGames.hfr : Cleaned with backup (quarantined).

C:\WINDOWS\853957WL.DLL -> Trojan.OnLineGames.hlt : Cleaned with backup (quarantined).

 

 

::Report end

 

The HijackThis log (normal mode):

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:53:34, on 14/01/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\System32\ticw.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Acer\Empowering Technology\admServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\d94b1.exe

C:\WINDOWS\system32\dvdplays.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\acer\Empowering Technology\ePower\epm-dm.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Acer\Empowering Technology\eRecovery\Monitor.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\Empowering Technology\admtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wuauclt.exe

c:\documents and settings\sulin\my documents\lin\hijackthis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zhaodao123.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/

F2 - REG:system.ini: Shell=Explorer.exe dvdhelp.exe

O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\abskey.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)

O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\9d91.dll

O2 - BHO: Adobe Common Objects - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\dwFnm6sZ4r.dll

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [epm-dm] c:\acer\Empowering Technology\ePower\epm-dm.exe

O4 - HKLM\..\Run: [spywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [Microsoft Autorun5] C:\WINDOWS\system32\mosou.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"

O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot

O4 - HKLM\..\Run: [MsPrint32D] C:\WINDOWS\hpuwrf.exe

O4 - HKLM\..\Run: [WSockDrv32] C:\WINDOWS\upplbb.exe

O4 - HKLM\..\Run: [NVDispDrv] C:\WINDOWS\upplbb.exe

O4 - HKLM\..\Run: [NAVMon32] C:\WINDOWS\NAVMon32.exE

O4 - HKLM\..\Run: [sHAProc] C:\WINDOWS\SHAProc.exe

O4 - HKLM\..\Run: [PTSShell] C:\WINDOWS\PTSShell.exe

O4 - HKLM\..\Run: [LotusHlp] C:\WINDOWS\LotusHlp.exe

O4 - HKLM\..\Run: [RegSrv64D] C:\WINDOWS\khhdea.exe

O4 - HKLM\..\Run: [Vmlist] regsvr32 /s apphelps.dll

O4 - HKLM\..\Run: [WinForm] C:\WINDOWS\WinForm.exE

O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe

O4 - HKLM\..\Run: [DbgHlp32] C:\WINDOWS\DbgHlp32.exe

O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe

O4 - HKLM\..\Run: [WinSysM] C:\WINDOWS\853957M.exe

O4 - HKLM\..\Run: [WinSysW] C:\WINDOWS\853957L.exe

O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exE

O4 - HKLM\..\Run: [Kvsc3] C:\WINDOWS\Kvsc3.exE

O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe

O4 - HKLM\..\Run: [MsIMMs32] C:\WINDOWS\MsIMMs32.exE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKLM\..\Policies\Explorer\Run: [elqw34kt] rundll32 "C:\WINDOWS\Downlo~1\elqw34kt.dll",start

O4 - HKLM\..\Policies\Explorer\Run: [byfvz] rundll32 "C:\WINDOWS\Downlo~1\byfvz.dll",Run

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: 一起来音乐社区 - {7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF} - http://www.yiqilai.com (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\mscomm.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\mscomm.dll

O20 - AppInit_DLLs: rsjzapm.dll

O23 - Service: 23749C71 - Unknown owner - C:\WINDOWS\system32\8C39A411.EXE (file missing)

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe

O23 - Service: ED787CB9 - Unknown owner - C:\WINDOWS\system32\8AAA1EE1.EXE

O23 - Service: ServicedvdHelp (Servicedvdhelp) - Unknown owner - C:\WINDOWS\system32\dvdplays.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: 一起来音乐助手 (Yiqilai) - Unknown owner - C:\Program Files\Yiqilai\wmp\YiqilaiLyrics.exe (file missing)

O24 - Desktop Component 0: (no name) - http://l.yimg.com/www.flickr.com/images/spaceball.gif

 

--

End of file - 7435 bytes

 

Should I post the Spyware Terminator log as well? Thanks again for any help with this problem :)

 

 

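A triage pass over entries of the HijackThis log above, written in Python as an added example (it is not part of this thread and not a HijackThis feature): the rules encode what a helper checks by eye, the sample entries are copied from the log, and a flagged line is a candidate for review, not a verdict.

```python
import re
from typing import List, Optional, Tuple

# Heuristics, not proof: hex-looking file names (9d91.dll, 8C39A411.EXE)
# and executables sitting directly in the Windows root folder.
HEXNAME = re.compile(r"[\\:]([0-9a-f]{4,})\.(dll|exe)\b", re.I)
WINROOT = re.compile(r'c:\\windows\\[^\\\s"]+\.(exe|dll)', re.I)

# Entries copied from the HijackThis log above; the Acrobat BHO and the AVG
# service are known-good and must come through unflagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe dvdhelp.exe
O2 - BHO: Invoke Class - {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} - C:\WINDOWS\system32\9d91.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WSockDrv32] C:\WINDOWS\upplbb.exe
O4 - HKLM\..\Policies\Explorer\Run: [byfvz] rundll32 "C:\WINDOWS\Downlo~1\byfvz.dll",Run
O10 - Unknown file in Winsock LSP: c:\windows\system32\mscomm.dll
O20 - AppInit_DLLs: rsjzapm.dll
O23 - Service: 23749C71 - Unknown owner - C:\WINDOWS\system32\8C39A411.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

def parse_hjt_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O4 - rest' into ('O4', 'rest'); None for non-entry lines."""
    m = re.match(r"([RFO]\d+) - (.*)", line.strip())
    return (m.group(1), m.group(2)) if m else None

def classify(section: str, body: str) -> Optional[str]:
    """Return a reason when the entry matches a triage rule, else None."""
    if section == "F2" and "Shell=" in body and not re.search(r"Shell=Explorer\.exe\s*$", body, re.I):
        return "system.ini Shell= starts an extra program alongside Explorer"
    elif section == "O4":
        if "Policies\\Explorer\\Run" in body:
            return "autorun via Policies\\Explorer\\Run, rarely used legitimately"
        if WINROOT.search(body):
            return "autorun executable placed directly in C:\\WINDOWS"
    elif section == "O10" and "Unknown file" in body:
        return "unrecognised Winsock LSP sits in the path of all network traffic"
    elif section == "O20" and body.strip() != "AppInit_DLLs:":
        return "AppInit_DLLs loads a DLL into every process that uses user32"
    elif section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return "service with unknown vendor or missing binary"
    if section in ("O2", "O23") and HEXNAME.search(body):
        return "hex-looking file name, typical of auto-generated droppers"
    return None

def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every flagged entry of a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_hjt_line(line)
        reason = classify(*parsed) if parsed else None
        if reason:
            findings.append((parsed[0], reason, line.strip()))
    return findings
```

Running `triage(SAMPLE_LOG)` flags seven of the nine entries and leaves the Acrobat BHO and the AVG service alone; the WINROOT rule will also flag vendor tools that legitimately live in C:\WINDOWS, which is why each hit needs a human look.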

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


jayber,

 

Thanks for your patience. Our volunteers are very busy. Your log indicates that you have Malware on your system. Let's get started.

 

Your log reveals a backdoor bot. These can severely compromise personal information which could lead to identity theft.

 

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

 

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

 

Should you have any questions, please feel free to ask.

 

Please download Combofix by sUBs. Or, you may download it from here. Place it on your Desktop.

 

Execute Combofix as follows:

  • Click Start > Run
  • Copy/paste or type the following into the Run box:
    "c:\documents and settings\sulin\desktop\combofix.exe" /killall
  • Click OK.
  • Follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

 

Please post the Combofix log and a new HijackThis log in your next reply. Please also say how your computer is running now. :)


Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
