Possible Spyware? [Archive] - Wilders Security Forums

Comp01

November 14th, 2003, 10:30 PM

Ok, I let someone use my computer for 45 minutes, and they have it messed up already >:( I came back, ti find they enabled scripting, java, and activeX on IE! Now, I have some ActiveX Control called "ACTIMAGE" or something like that, not thinking, I deleted the control, then done a restore from my last snapshot with SpywareBlaster, I ran Adaware, Spybot, found nothing at all, also have up-to-date spyware blaster, and SpywareGaurd, (Also note, that adaware, and spybot are up to date) Heres a Hijack This log (Although I could not find anything)
Logfile of HijackThis v1.97.2
Scan saved at 10:29:33 PM, on 11/14/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\REGPROT\REGPROT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\ID-BLASTER PLUS\IDBLASTERPLUS.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\MOZILLA\MOZILLAFIREBIRD\MOZILLAFIREBIRD.EXE
C:\PROGRAM FILES\MIRC\MIRC.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Spyware Gaurd] C:\Program Files\SpywareGuard\sgmain.exe
O4 - HKLM\..\Run: [IDblaster] C:\Program Files\ID-Blaster Plus\idblasterplus.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [RegProt] c:\program files\regprot\regprot.exe /start
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC
O4 - HKLM\..\RunOnce: [SpiderBite] C:\MY DOCUMENTS\SPIDER\SpiderBite.exe -s -d
O5 - control.ini: inetcpl.cpl=no
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

snapdragin

November 14th, 2003, 11:53 PM

Hi Comp01,

Before having HijackThis fix anything, i would suggest you go to the post made by LowWaterMark, at the top of this forum, titled: "Posting Policy: Please read before posting your log!" and where the paragraph for HijackThis is, download the latest version, which is at 1.97.6.

The 3 items under 05 and 06 "may" need fixing, but first i would ask if you had SpybotS&D lock your homepage from any changes being made to it?

Your log also does not look complete. After you've downloaded the latest version of HJT, repost your log, and one of the HJT Experts will advise what, if anything, needs fixing.

regards,

snap

Comp01

November 15th, 2003, 12:14 AM

Okay, I downloaded the newest version of HJT (I didnt know it updated much :-\ ) But, still isnt much to it, and this is the complete log.. :-\ I try to keep my system very clean, just stuff like this is what usually happens, anyways, heres the HJT log:
Logfile of HijackThis v1.97.6
Scan saved at 12:08:24 AM, on 11/15/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\REGPROT\REGPROT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\ID-BLASTER PLUS\IDBLASTERPLUS.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\MOZILLA\MOZILLAFIREBIRD\MOZILLAFIREBIRD.EXE
C:\PROGRAM FILES\MIRC\MIRC.EXE
C:\PROGRAM FILES\TRILLIAN\TRILLIAN.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Spyware Gaurd] C:\Program Files\SpywareGuard\sgmain.exe
O4 - HKLM\..\Run: [IDblaster] C:\Program Files\ID-Blaster Plus\idblasterplus.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [RegProt] c:\program files\regprot\regprot.exe /start
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC
O4 - HKLM\..\RunOnce: [SpiderBite] C:\MY DOCUMENTS\SPIDER\SpiderBite.exe -s -d
O5 - control.ini: inetcpl.cpl=no
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Note, I do remember disabling Internet Control panel by using TweakUI (Felt it was useless, because I could access it through IE, and dont use IE that often) Bt I do not know if doing that is the result of what O6 is...

StAnger

November 15th, 2003, 03:50 AM

I can't find anything in there that is not accounted for in the list of software you have running, except:
O4 - HKLM\..\RunOnce: [SpiderBite] C:\MY DOCUMENTS\SPIDER\SpiderBite.exe -s -d
which is a index.dat cleaner, if I'm not mistaking.

Comp01

November 15th, 2003, 03:58 AM

Yeah, it is a index.dat cleaner, I haven restarted yet lol