Been Hit With Brand New Spyware :-(

Discussion in 'adware, spyware & hijack cleaning' started by fdskjelkfdf, Apr 7, 2004.

Thread Status:
Not open for further replies.
  1. fdskjelkfdf

    fdskjelkfdf Guest

    Pretty confident this is new, as neither SpyBot's Resident nor SpywareBlaster 3.0 (both with latest definitions) stopped it from automatically infecting my system while browsing with IE. This thing redirects me to http://www.smart-finder.biz/ whenever I click on certain links. Some of these links include the link to download the latest Norton AV definitions from Symantec's website and the link to download BHODemon, believe it or not. Any help getting rid of this sh!t would be welcome, as the instructions they give on their website at the bottom are invalid and completely useless. P.S.: Add this to the SpywareBlaster database ASAP!!

    Spybot-S&D Browser helper object report, 4/7/2004 5:35:55 AM

    {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}
    Class file: mshelper.dll
    Attributes: archive
    Date: 4/7/2004 2:46:02 AM
    MD5: 68C0CD48C500A21BF01639CE8BB1E44A
    Path: C:\WINDOWS\System32\
    Short name:
    Size: 28672 bytes
    Version: 0.1.0.0
    Class name: TestMyIE2 Class
    Name: OsbornTech Popup Blocker
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    If that does not help or you want the rest of your computer checked for (remains of) spyware and hijackers, follow the instructions posted here:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  3. fdskjelkfdf

    fdskjelkfdf Guest

    Thanks for your response. However, as I mentioned above, this is something new, and that's why I posted in the first place. CWShredder didn't detect anything. SpyBot and Ad-Aware, both with the latest definitions, reported there is no spyware. If someone knows how to deal with this, please let me know here. ;)
     
  4. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
  5. fdskjelkfdf

    fdskjelkfdf Guest

    OK, as you can see, I disabled mshelper.dll with BHODemon. That's the culprit, now I can reach the links I mentioned above without being redirected to http://www.smart-finder.biz/. I'm not completely sure if I should let HijackThis fix it, though, because it might leave some traces behind. You think I should wait for SpyBot and Ad-Aware to catch up?

    Logfile of HijackThis v1.97.7
    Scan saved at 9:19:21 PM, on 4/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBAgent.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\E_S00RP2.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Old\New Folder\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    O4 - Global Startup: APC UPS Status.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.9149421296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi fdskjelkfdf,

    I would enable that BHO again and go to your Add or Remove Programs and remove Osborn Tech Popup Blocker. Then reboot and post a new HJT log.

    Regards,
    Kent
     
  7. fdskjelkfdf

    fdskjelkfdf Guest

    First, thanks for everyone's help here... However, there's no entry in the Add/Remove List for the OsbornTech Popup Blocker, that was actually the first thing I checked. And yes, when I ran CWShredder, I used the latest version (v1.56.0). Any ideas?
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
Smart finder is a sod to remove. Do this:
Click "Start" -> "Run".
Type "regedit" and click OK.
In the navigation tree go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedTaskScheduler
Then delete all keys in the right panel (just click on it and press the Delete key).
Then go to HKEY_CURRENT_USER\software\classes\CLSID\{3F143C3A-1457-6CCA-0A7-7AA23B61E40F} and delete all keys there too.
Restart your PC.
Go to the C:\WINDOWS\system32\ folder.
Find the file mtwirl32.dll and delete it.
     
  9. fdskjelkfdf

    fdskjelkfdf Guest

    dvk01, as I mentioned, the instructions on their website (which are the ones you suggest) don't work. Perhaps it's a new variant. However, I just spent a couple of hours doing some detective work and I think I managed to remove most, if not all, traces of this cr@p.

    First, I let HijackThis fix the bad BHO that I initially disabled with BHODemon (after re-enabling it). I then clicked Start, Run, and typed cmd. I closed the explorer.exe process with Task Manager, and navigated to C:\Windows\system32\ in the Command window. I typed "del mshelper.dll", and started explorer.exe again by clicking File, New Task, and typing explorer in Task Manager. Finally, I searched the Registry and deleted all the keys that contained any of the following:

    {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}
    {129C733D-D07C-4E34-A5E6-D675A016CFAE}
    {C19EB5B1-FC58-456E-8793-384532ED5970}
    asd3
    testmyie

    After restarting, IE behaved regularly. I'll report here if I discover anything wrong in the following days. Thanks for everyone's time, really appreciate your help!! :cool:
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
I've just checked on the one I fixed yesterday at home: the mshelper is a part of the problem; the mtwirl file does need removing in Safe Mode, otherwise it comes back.
     
  11. fdskjelkfdf

    fdskjelkfdf Guest

    For everyone struggling with this pest, here are the full steps I took to completely remove it (or so it seems...):

First, close all IE windows and let HijackThis fix the OsbornTech Popup Blocker BHO. Restart the computer in Safe Mode, navigate to C:\Windows\system32\, and delete the following files:

    cidft.dll
    cidpoq32.dll
    gupd.dll
    icnfe.dll
    icqrt.dll
    icvbr.dll
    mshelper.dll
    mtwirl.dll
    nthst32.dll
    sdfup.dll
    wecxg32.dll
    xcwer32.dll
    zxmsn.dll

    Now search the Registry and delete all the keys that contain any of the following:

    {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}
    {129C733D-D07C-4E34-A5E6-D675A016CFAE}
    {C19EB5B1-FC58-456E-8793-384532ED5970}
    {3F143C3A-1457-6CCA-03A7-7AA23B61E40F}
    asd3
    testmyie

    Again, thanks for everyone who contributed! :D
     
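A way to check a HijackThis log against the indicators collected in this thread, as an added example that was not posted by any of the participants: the CLSIDs and System32 DLL names are the ones quoted above, and the sample O2 lines are copied from the log in post 5 (a match on the CLSID or on the DLL name flags the entry; everything else is left alone).

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Indicators quoted in this thread: CLSIDs searched for in the Registry
# and DLL names deleted from C:\Windows\system32\ in post 11.
SMART_FINDER_CLSIDS = {
    "{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}",
    "{129C733D-D07C-4E34-A5E6-D675A016CFAE}",
    "{C19EB5B1-FC58-456E-8793-384532ED5970}",
    "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}",
}
SMART_FINDER_DLLS = {
    "cidft.dll", "cidpoq32.dll", "gupd.dll", "icnfe.dll", "icqrt.dll",
    "icvbr.dll", "mshelper.dll", "mtwirl.dll", "nthst32.dll", "sdfup.dll",
    "wecxg32.dll", "xcwer32.dll", "zxmsn.dll",
}

# HijackThis O2 (BHO) and O3 (toolbar) lines share this shape:
#   O2 - BHO: <name> - {CLSID} - <path> [(disabled by BHODemon)]
LINE_RE = re.compile(
    r"^(?P<kind>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?: \((?P<note>[^)]*)\))?$"
)

@dataclass
class Finding:
    kind: str
    name: str
    clsid: str
    path: str
    reasons: tuple  # which indicator(s) matched: "clsid" and/or "dll"

def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if this O2/O3 line matches a thread indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    clsid = m["clsid"].upper()
    dll = m["path"].rsplit("\\", 1)[-1].lower()  # file name part of the path
    reasons = [r for r, hit in (("clsid", clsid in SMART_FINDER_CLSIDS),
                                ("dll", dll in SMART_FINDER_DLLS)) if hit]
    return Finding(m["kind"], m["name"], clsid, m["path"], tuple(reasons)) if reasons else None

def scan_log(text: str) -> List[Finding]:
    return [f for f in (check_line(l) for l in text.splitlines()) if f]

# Sample lines copied from the HijackThis log in post 5 (constructed excerpt).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll (disabled by BHODemon)
"""
```

Running `scan_log(SAMPLE_LOG)` flags only the OsbornTech entry, on both its CLSID and its DLL name; the Acrobat and Spybot helpers pass.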