Jump to content


Photo

Can't kill this Spyware


  • Please log in to reply
7 replies to this topic

#1 InTheCity

InTheCity

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 29 June 2004 - 12:54 PM

I'm having my second round with another cool-search trojan.
This one much trickier that the last;

Home page is set at; res://rtide.dll/index.html#96676
Call itself HomeSearch

Here's a log! Hope you can help

Logfile of HijackThis v1.97.7
Scan saved at 10:20:58 AM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\d3kc32.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\crkj32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\X\Desktop\etc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DEAC95BA-B2B1-58A3-F1BA-F72755C50CEB} - C:\WINDOWS\system32\javaqg32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [d3kc32.exe] C:\WINDOWS\system32\d3kc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [crkj32.exe] C:\WINDOWS\crkj32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D53C7D0-5FE1-4D2B-B9CA-0232F4619BF3}: NameServer = 63.203.35.55 206.13.28.12

:ph34r:
also.

I've cleaned a thousand times with Spybot and Adaware
CWsShredder can't find it.

The problem file was something CWRC.exe, it wouldn't delete until I removed it's data in RegEdit Lite. So i'm led to believe there is a more problematic DLL lying around, but i'm yet to find it.

Again, Thank for your help.

#2 InTheCity

InTheCity

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 29 June 2004 - 01:51 PM

Not trying to bump my post here; I have a new log. Seems some things keep coming back.

Logfile of HijackThis v1.97.7
Scan saved at 11:48:02 AM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\d3kc32.exe
C:\WINDOWS\sdkeh32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\X\Desktop\etc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DEAC95BA-B2B1-58A3-F1BA-F72755C50CEB} - C:\WINDOWS\system32\javaqg32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [d3kc32.exe] C:\WINDOWS\system32\d3kc32.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.9\THGuard.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [sdkpe.exe] C:\WINDOWS\system32\sdkpe.exe
O4 - HKLM\..\RunOnce: [sdkeh32.exe] C:\WINDOWS\sdkeh32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D53C7D0-5FE1-4D2B-B9CA-0232F4619BF3}: NameServer = 63.203.35.55 206.13.28.12

:whistle:

#3 InTheCity

InTheCity

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 29 June 2004 - 04:13 PM

I followed instructions here,
http://www.pchell.co...lythebest.shtml
killed the damn spyware
But now my right click functionality is dead, also bookmarking is crashing IE now.

Please guys, please help me out here.
It won't take you a minute surely!

Edited by InTheCity, 29 June 2004 - 04:13 PM.


#4 InTheCity

InTheCity

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 29 June 2004 - 04:16 PM

somebody please, it doesn't have to be a moderator. I was told that people were ext' helpful here. I'm dying here, my machine is screwed.

A simple reg fix to get the mouse back.

#5 InTheCity

InTheCity

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 29 June 2004 - 04:21 PM

This site is useless. Go on, ignore me, refuse to help now won't you. Cheers guys, means a lot that the spyware creators are screwing me over, but the only people that could help refuse to.

Thanks a million. Of course, you never had any obligation did you?

#6 Random

Random

    Member

  • New Member
  • Pip
  • 1 posts

Posted 29 June 2004 - 04:29 PM

This site is useless. Go on, ignore me, refuse to help now won't you. Cheers guys, means a lot that the spyware creators are screwing me over, but the only people that could help refuse to.

Thanks a million. Of course, you never had any obligation did you?

I understand the frustration you feel, i have a spyware infection as well.

There is a common misconception of boards like these, that responses should come as fast as a IM message.

They just dont, people might check the forum a few times a day, but they have things to do in their lives and forums are sort of like a bulletin board, a slow, but consistent way to communicate with a large group of people.

For quicker reponses, try a chatroom or a IRC channel. Otherwise wait a day or so and you'll hear info from the the people here.

Good luck

#7 InTheCity

InTheCity

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 04 July 2004 - 02:37 AM

:grrr: After a reformat, the damn thing has come back. No porn sites, or anything suspicious, I refuse to go to them. I can't believe this crap.

#8 reef

reef

    Member

  • New Member
  • Pip
  • 3 posts

Posted 04 July 2004 - 08:25 AM

I know how u feel. i'm still waiting for a response for my problem...

Its so frustrating.. how did it comeback after a reformat?

U must be visiting some game site thats installing it?

Run spygrabber or whatever its called that blocks them from being installed.

Also disable all your active X, change everything to 'prompt'.

I swear i'm not gonna visit anything past cnn and Dark AGe of camelot site that I know are safe.

I'm gonna buy a HD today and reformat unless someone can help my WinTools problem.

BTW, wanna screw a company bad? send everyone a 'link' to a 'joke' site that installs wintools..jesus... u can collapse MS hq that way....

If we were in China, i'd order the exection of the person who made wintools.
I think Gates needs to fund a covert squad that goes around exexucting these types of people so they get the msg real fast.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button