InTheCity

Can't kill this Spyware

8 posts in this topic

I'm having my second round with another cool-search trojan.

This one is much trickier than the last.

Home page is set at: res://rtide.dll/index.html#96676

Calls itself HomeSearch

 

Here's a log! Hope you can help

 

Logfile of HijackThis v1.97.7
Scan saved at 10:20:58 AM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\d3kc32.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\crkj32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\X\Desktop\etc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DEAC95BA-B2B1-58A3-F1BA-F72755C50CEB} - C:\WINDOWS\system32\javaqg32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [d3kc32.exe] C:\WINDOWS\system32\d3kc32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [crkj32.exe] C:\WINDOWS\crkj32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D53C7D0-5FE1-4D2B-B9CA-0232F4619BF3}: NameServer = 63.203.35.55 206.13.28.12

 

Also, I've cleaned a thousand times with Spybot and Ad-Aware.

CWShredder can't find it.

 

The problem file was something CWRC.exe; it wouldn't delete until I removed its data in RegEdit Lite. So I'm led to believe there is a more problematic DLL lying around, but I've yet to find it.

 

Again, thanks for your help.


Not trying to bump my post here; I have a new log. Seems some things keep coming back.

 

Logfile of HijackThis v1.97.7
Scan saved at 11:48:02 AM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\d3kc32.exe
C:\WINDOWS\sdkeh32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\X\Desktop\etc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DEAC95BA-B2B1-58A3-F1BA-F72755C50CEB} - C:\WINDOWS\system32\javaqg32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [d3kc32.exe] C:\WINDOWS\system32\d3kc32.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.9\THGuard.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [sdkpe.exe] C:\WINDOWS\system32\sdkpe.exe
O4 - HKLM\..\RunOnce: [sdkeh32.exe] C:\WINDOWS\sdkeh32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D53C7D0-5FE1-4D2B-B9CA-0232F4619BF3}: NameServer = 63.203.35.55 206.13.28.12

 


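As an added example (not a tool from this thread, and not part of HijackThis itself), the Python script below parses the R0/R1, O2, O4 and O17 lines of the two logs posted above, flags the indicators visible in them (IE start and search pages rewritten to a res:// URL inside a DLL, an unnamed BHO loaded from the Windows directory, Run/RunOnce entries named after their own executable in the Windows directory, and adapter-level DNS servers that should be verified), and diffs the two scans so the renamed RunOnce entries that the poster saw "coming back" stand out. The sample lines are copied from the logs in this thread; the rule names, the `target_basename` helper and the `triage` output layout are this example's own assumptions.

```python
"""Triage helper for HijackThis-style logs (added example, not a tool from the
thread). Parses R0/R1, O2, O4 and O17 lines, flags the indicators seen in the
posted logs, and diffs two scans so re-spawned entries with new names stand out."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind name value")

# "R1 - HKLM\...\Main,Start Page = res://..."
R_LINE = re.compile(r"^(R[01]) - (.+?) = (.*)$")
# "O2 - BHO: (no name) - {GUID} - C:\path\x.dll"
O2_LINE = re.compile(r"^(O2) - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.*)$")
# "O4 - HKLM\..\Run: [name] C:\path\x.exe args"  (Global Startup lines are skipped)
O4_LINE = re.compile(r"^(O4) - (HK\w+\\\.\.\\Run(?:Once)?): \[(.+?)\] (.*)$")
# "O17 - HKLM\System\CCS\...: NameServer = 1.2.3.4 5.6.7.8"
O17_LINE = re.compile(r"^(O17) - (.+?): NameServer = (.*)$")


def parse(log_text):
    """Return Entry tuples for the line types this helper understands."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            entries.append(Entry(m.group(1), m.group(2), m.group(3)))
        elif m := O2_LINE.match(line):
            entries.append(Entry("O2", m.group(2), m.group(3)))
        elif m := O4_LINE.match(line):
            # name is "<hive\..\Run[Once]>:<run value name>" so both survive in one field
            entries.append(Entry("O4", f"{m.group(2)}:{m.group(3)}", m.group(4)))
        elif m := O17_LINE.match(line):
            entries.append(Entry("O17", "NameServer", m.group(3)))
    return entries


def target_basename(value):
    """File name of the executable in an O4 value, ignoring quotes and arguments
    (HJT does not quote paths, so we cut at the first '.exe' rather than a space)."""
    low = value.lstrip('"').lower()
    end = low.find(".exe")
    path = low if end < 0 else low[:end + 4]
    return path.rsplit("\\", 1)[-1]


def flag(entries):
    """Apply the indicators visible in the thread's logs; returns (entry, reason) pairs."""
    findings = []
    for e in entries:
        val = e.value.lower()
        if e.kind in ("R0", "R1") and val.startswith("res://"):
            findings.append((e, "IE start/search page points into a DLL via res://"))
        elif e.kind == "O2" and e.name == "(no name)" and "\\windows\\" in val:
            # "(no name)" alone is not a signal (HJT 1.97 shows the Adobe BHO that way);
            # the path under the Windows directory is what makes this one stand out.
            findings.append((e, "unnamed BHO loaded from the Windows directory"))
        elif e.kind == "O4":
            run_name = e.name.split(":", 1)[1].lower()
            if run_name == target_basename(e.value) and "\\windows\\" in val:
                findings.append((e, "Run entry named after its own executable in the Windows directory"))
        elif e.kind == "O17":
            findings.append((e, "adapter-level DNS servers set; confirm they belong to your ISP"))
    return findings


def diff(old_entries, new_entries):
    """Entries present in one scan but not the other, keyed on (kind, name, value)."""
    old, new = set(old_entries), set(new_entries)
    return sorted(new - old), sorted(old - new)


def triage(old_log, new_log):
    """Flag indicators in the newer scan and report what changed between scans."""
    appeared, vanished = diff(parse(old_log), parse(new_log))
    return {
        "flags": [(e.kind, e.name, reason) for e, reason in flag(parse(new_log))],
        "appeared": [(e.kind, e.name) for e in appeared],
        "vanished": [(e.kind, e.name) for e in vanished],
    }


# Subsets of the two logs posted in this thread (10:20 and 11:48 scans).
FIRST_SCAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DEAC95BA-B2B1-58A3-F1BA-F72755C50CEB} - C:\WINDOWS\system32\javaqg32.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [d3kc32.exe] C:\WINDOWS\system32\d3kc32.exe
O4 - HKLM\..\RunOnce: [crkj32.exe] C:\WINDOWS\crkj32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D53C7D0-5FE1-4D2B-B9CA-0232F4619BF3}: NameServer = 63.203.35.55 206.13.28.12
"""

SECOND_SCAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rtide.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rtide.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DEAC95BA-B2B1-58A3-F1BA-F72755C50CEB} - C:\WINDOWS\system32\javaqg32.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [d3kc32.exe] C:\WINDOWS\system32\d3kc32.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.9\THGuard.exe
O4 - HKLM\..\RunOnce: [sdkpe.exe] C:\WINDOWS\system32\sdkpe.exe
O4 - HKLM\..\RunOnce: [sdkeh32.exe] C:\WINDOWS\sdkeh32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D53C7D0-5FE1-4D2B-B9CA-0232F4619BF3}: NameServer = 63.203.35.55 206.13.28.12
"""

if __name__ == "__main__":
    for section, items in triage(FIRST_SCAN, SECOND_SCAN).items():
        print(section)
        for item in items:
            print("  ", *item)
```

Run as-is it reports seven flags for the second scan, three entries that appeared between scans (THGuard, which the poster installed, plus the two new RunOnce names) and one that vanished (crkj32.exe), which is the re-randomising behaviour the second post describes. The O17 line is reported for verification only; the thread gives no verdict on those two DNS addresses, and the diff cannot tell a legitimately installed tool from a re-spawned component, so each "appeared" entry still needs a human look at its path.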

Somebody please, it doesn't have to be a moderator. I was told that people were ext' helpful here. I'm dying here, my machine is screwed.

 

A simple reg fix to get the mouse back.


This site is useless. Go on, ignore me, refuse to help now, won't you. Cheers guys, means a lot that the spyware creators are screwing me over, but the only people that could help refuse to.

 

Thanks a million. Of course, you never had any obligation did you?


I understand the frustration you feel; I have a spyware infection as well.

There is a common misconception about boards like these, that responses should come as fast as an IM message.

They just don't. People might check the forum a few times a day, but they have things to do in their lives, and forums are sort of like a bulletin board: a slow but consistent way to communicate with a large group of people.

For quicker responses, try a chatroom or an IRC channel. Otherwise wait a day or so and you'll hear info from the people here.

 

Good luck

After a reformat, the damn thing has come back. No porn sites, or anything suspicious, I refuse to go to them. I can't believe this crap.


I know how you feel. I'm still waiting for a response for my problem...

It's so frustrating... how did it come back after a reformat?

You must be visiting some game site that's installing it?

Run spygrabber or whatever it's called that blocks them from being installed.

Also disable all your ActiveX, change everything to 'prompt'.

I swear I'm not gonna visit anything past CNN and the Dark Age of Camelot site, which I know are safe.

I'm gonna buy an HD today and reformat unless someone can help my WinTools problem.

BTW, wanna screw a company bad? Send everyone a 'link' to a 'joke' site that installs WinTools... Jesus... you can collapse MS HQ that way....

If we were in China, I'd order the execution of the person who made WinTools.

I think Gates needs to fund a covert squad that goes around executing these types of people so they get the message real fast.
