Spyware just won't stay removed


7 replies to this topic

#1 papazeb
Member (Full Member, 6 posts)

Posted 16 June 2004 - 07:51 PM

Been dealing with a coworker's machine for a few days now.
Removed Wintools and a good chunk of unknown randomly named .exe files from the system and now I've come up to something I just can't fix.

I run HJT (most recent version), remove the obvious things which need to be removed, run CWShredder's latest version, watch it remove CWS.Bootconf and fix the hosts file.
Reboot, and it's all come back.

Here's the log. It's on a work network, so the O17s are set up for DNS addresses.
Cheers in advance for any solution to this.


Logfile of HijackThis v1.97.7
Scan saved at 4:59:24 PM, on 6/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\system32\zstatus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\administrator.SNGDOMAIN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sngdomain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{81E3E9E1-F3AC-4740-8C52-ACCB1296F4D9}: NameServer = 192.168.2.180,192.168.2.200
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sngdomain.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{81E3E9E1-F3AC-4740-8C52-ACCB1296F4D9}: NameServer = 192.168.2.180,192.168.2.200
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sngdomain.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{81E3E9E1-F3AC-4740-8C52-ACCB1296F4D9}: NameServer = 192.168.2.180,192.168.2.200

#2 papazeb
Member (Full Member, 6 posts)

Posted 16 June 2004 - 08:04 PM

Should probably add that I:

- Go into Safe Mode
- Run HJT
- Fix

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com

and run CWShredder whilst in Safe Mode.
Still to no avail.
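An added example, not code from this thread or from any of the tools named in it: a small Python checker that reads HijackThis-format lines and flags the two things papazeb's log shows, O1 hosts entries steering a hostname to a routable address and an R3 URLSearchHook with no backing file. The sample lines are constructed from the entry shapes quoted above, with one benign localhost line added for contrast.

```python
import re
import ipaddress

# Constructed sample in HijackThis log format, taken from the entry shapes
# quoted in this thread plus one benign localhost line for contrast.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50032",
    r"R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)",
    r"O1 - Hosts: 69.20.16.183 ieautosearch",
    r"O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe",
])

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
R3_RE = re.compile(r"^R3 - URLSearchHook:.*\(no file\)\s*$")


def find_hosts_hijacks(log_text):
    """Return (ip, hostname) pairs from O1 lines that steer a hostname to a
    routable address. Loopback and RFC 1918 targets are skipped because an
    office hosts file may legitimately map intranet names to private IPs;
    anything else (here a public IP for search-engine names) is the kind of
    CWS search redirection the thread describes."""
    hits = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if not m:
            continue
        ip_text, hostname = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            hits.append((ip_text, hostname))  # unparseable target: flag it
            continue
        if not (ip.is_loopback or ip.is_private or ip.is_unspecified):
            hits.append((ip_text, hostname))
    return hits


def find_dangling_search_hooks(log_text):
    """Return R3 URLSearchHook lines marked '(no file)': a hook CLSID whose
    DLL is gone is leftover hijacker registration worth fixing in HJT."""
    return [ln for ln in log_text.splitlines() if R3_RE.match(ln)]


if __name__ == "__main__":
    for ip, host in find_hosts_hijacks(SAMPLE_LOG):
        print(f"hosts redirect: {host} -> {ip}")
    for ln in find_dangling_search_hooks(SAMPLE_LOG):
        print(f"dangling hook: {ln}")
```

Run it against a saved HJT log instead of SAMPLE_LOG to get the same two lists; if the hosts hits reappear after a reboot, as in this thread, something still running at startup is rewriting the hosts file and the O4 / process list is where to look next.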

#3 papazeb
Member (Full Member, 6 posts)

Posted 17 June 2004 - 10:45 AM

*bump*

#4 OlTramp
SWI Junkie (Trusted Advisor, 148 posts)

Posted 17 June 2004 - 07:26 PM

Hi papazeb

First go here and download http://tools.zerosrealm.com/dllfix.exe
Save it to your desktop and double-click dllfix.exe. Follow the prompts.
Now go to the dllfix folder, double-click start.bat and choose option #1.
This will search for the "bad" file and create a report in Notepad. Copy and paste that report back into this thread. Also post a new HJT log.

#5 papazeb
Member (Full Member, 6 posts)

Posted 17 June 2004 - 07:28 PM

Thanks for replying, OT. I'll get back to y'all tomorrow afternoon.

#6 papazeb
Member (Full Member, 6 posts)

Posted 18 June 2004 - 01:58 PM

Anyone got another URL for dllfix.exe aside from the subratam one and the zerosrealm one?

Tried a Google search, but only the two (probably overloaded or taken offline) links show up.

Cheers

#7 OlTramp
SWI Junkie (Trusted Advisor, 148 posts)

Posted 18 June 2004 - 06:40 PM

Seems as tho' the fix has been removed due to problems with it. Here is an alternative fix at Zerosrealm:
http://www.zerosreal...php?page=dllfix

#8 papazeb
Member (Full Member, 6 posts)

Posted 18 June 2004 - 07:16 PM

Thanks much. It's the weekend now, so I'll hit her machine with it come Monday morning and see what happens.
