
Please Help-hidden spyware?


  • This topic is locked
10 replies to this topic

#1 bigcedar6

    Member

  • Full Member
  • 9 posts

Posted 14 July 2004 - 10:37 AM

Hello to all, and thank you for reading this and possibly responding. I have been actively preventing and removing spyware from my and my friends' computers for some time with (so far) great success. But now I have a problem with my laptop that I can't figure out. If anybody has information that could help me solve this problem, it would be greatly appreciated.

Symptoms: Every time I direct IE to Yahoo or Google, a new window pops open that says installdollars.com on the title bar and then it turns to one of a few gambling sites and prompts for a software download. It just started about a week ago. I ran Ad-aware and Spy Sweeper, found a few relatively harmless cookies and got rid of them, but I still have the problem. I blocked cookies from the address and restricted the site and it still pops up a blank page. This does not happen on other accounts on this computer. Anybody have any ideas? Thanks a lot. Bigcedar6

#2 bigcedar6

    Member

  • Full Member
  • 9 posts

Posted 14 July 2004 - 11:03 PM

Hello, well I was wondering if anybody knows what's going on with my problem?

#3 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 15 July 2004 - 02:55 AM

Hi,
Looks like you visited an "Adult" site that is now trying to hijack you with an install.

From "installdollars.com": We pay 15 cents for every USA install that you bring us.

Imagine that! You're getting hijacked for $0.15; makes you feel special, doesn't it ...

Download HijackThis! 1.98

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click: "Save Log" (generates: "hijackthis.log")

Copy and Paste the entire log into your next post.

Note: do not attempt to "Fix" anything, as we need to see the entire log.
Also if you have any Startup items unchecked in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.

Hint: after posting your log click "Track this topic" at the top of the page; this way you will be notified (by email) when a response is made to your post.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#4 bigcedar6

    Member

  • Full Member
  • 9 posts

Posted 16 July 2004 - 10:43 PM

Thanks for the helpful info, here is the log.

Logfile of HijackThis v1.98.0
Scan saved at 11:36:03 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\documents and settings\jf\local settings\temp\Spw.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Documents and Settings\JF\Desktop\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...&c=3c01&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrh.noaa....t WR ID 007 049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Spw] C:\documents and settings\jf\local settings\temp\Spw.exe
O4 - HKCU\..\Run: [lfeps11n667t.exe] "C:\WINDOWS\System32\lfeps11n667t.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {4D2222B2-AE9B-490B-AACB-D8BCD6D6C58D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O9 - Extra button: (no name) - {CC034D06-E1A1-4622-9012-ADEC5D9BCDDD} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O20 - AppInit_DLLs: C:\WINDOWS\System32\SCARDSSP1095q.dll

#5 bigcedar6

    Member

  • Full Member
  • 9 posts

Posted 17 July 2004 - 08:35 AM

Hello and good day. Just wondering if somebody can tell me what's up with this log file.

#6 bigcedar6

    Member

  • Full Member
  • 9 posts

Posted 18 July 2004 - 10:40 PM

bump

#7 bigcedar6

    Member

  • Full Member
  • 9 posts

Posted 19 July 2004 - 09:49 AM

bump

#8 bigcedar6

    Member

  • Full Member
  • 9 posts

Posted 19 July 2004 - 11:41 PM

This forum sucks.

#9 bigcedar6

    Member

  • Full Member
  • 9 posts

Posted 19 July 2004 - 11:43 PM

See ya again,...........never

#10 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 23 July 2004 - 01:02 PM

Sorry no one got to your problem, bigcedar6.

These both look very suspicious.
O4 - HKLM\..\Run: [Spw] C:\documents and settings\jf\local settings\temp\Spw.exe
O4 - HKCU\..\Run: [lfeps11n667t.exe] "C:\WINDOWS\System32\lfeps11n667t.exe"

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
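The two O4 entries cnm singles out share the traits a helper looks for first in a HijackThis log: an autorun launched out of a user's temp directory, and a per-user (HKCU) Run value with a machine-generated-looking name sitting in System32. The O20 AppInit_DLLs line in the same log (SCARDSSP1095q.dll) is worth the same scrutiny, since anything listed there is loaded into every process that loads user32.dll. The script below is an added example written by the editor, not code from the thread or from HijackThis: it parses the O4/O20 lines copied from the log above (embedded as constructed sample input) and flags them with those heuristics. The heuristics themselves (temp-directory path, three or more letter/digit switches in the file name, HKCU pointing into System32, any non-empty AppInit_DLLs) are the editor's assumptions about what merits a closer look, not HijackThis rules.

```python
"""Triage a HijackThis 1.98 log for the autorun patterns discussed in this thread.

Added example (editor's code, not HijackThis or anything posted in the thread).
The heuristics are the editor's own assumptions about what makes an O4/O20 entry
worth a closer look; they are not rules from HijackThis.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the O4/O20/R3 lines copied from the log posted above.
SAMPLE_LOG_LINES = [
    r"O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe",
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [Spw] C:\documents and settings\jf\local settings\temp\Spw.exe",
    r'O4 - HKCU\..\Run: [lfeps11n667t.exe] "C:\WINDOWS\System32\lfeps11n667t.exe"',
    r"O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?",
    r"O20 - AppInit_DLLs: C:\WINDOWS\System32\SCARDSSP1095q.dll",
    r"R3 - Default URLSearchHook is missing",
]

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>\S.*)$")
TEMP_DIR_RE = re.compile(r"\\(?:local settings\\)?temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def image_path(cmd: str) -> str:
    """Executable path from a Run value: the quoted path if quoted, else text up to the first .exe."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r".*?\.exe", cmd, re.IGNORECASE)
    if m:
        return m.group(0)
    parts = cmd.split()
    return parts[0] if parts else cmd


def looks_generated(stem: str) -> bool:
    """Heuristic (editor's assumption): three or more letter<->digit switches in the
    file name, as in lfeps11n667t. Names like hpztsb04 or Ati2mdxx have fewer and pass."""
    classes = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b) >= 3


def triage(lines):
    """Return a Finding for every line that matches one of the suspicious patterns."""
    findings = []
    for raw in lines:
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            path = image_path(run.group("cmd"))
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if TEMP_DIR_RE.search(path):
                findings.append(Finding(line, "autorun launched from a temp directory"))
            if looks_generated(stem):
                findings.append(Finding(line, "machine-generated-looking filename"))
            if run.group("hive") == "HKCU" and "\\system32\\" in path.lower():
                findings.append(Finding(line, "per-user autorun pointing into System32"))
            continue
        appinit = APPINIT_RE.match(line)
        if appinit:
            findings.append(Finding(
                line,
                "AppInit_DLLs loads this DLL into every process that loads user32.dll: "
                + appinit.group("value"),
            ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, it reports Spw.exe (temp directory), lfeps11n667t.exe (generated-looking name, and an HKCU value pointing into System32) and the AppInit_DLLs entry, while leaving the Compaq, ATI and QuickTime autoruns alone. The name heuristic is deliberately conservative: it does not catch SCARDSSP1095q.dll on its own, which is why the O20 check flags every non-empty AppInit_DLLs value regardless of name.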


#11 WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 16 November 2004 - 06:24 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mike
