Detected SPYware!

Discussion in 'adware, spyware & hijack cleaning' started by FerrisBueller, Apr 5, 2004.

Thread Status:
Not open for further replies.
  1. FerrisBueller

    FerrisBueller Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    1
    Hi there, I wonder if anyone can help me? My logfile is slightly different, so I don't know if I ought to follow the same instructions as some of the others were given- please could someone let me know? I'd be really grateful if you could! Unwanted websites are added to my favourites list also. I don't know if it's the same virus that's affecting my mouse- the mouse suddenly freezes and then moves all around the screen closing some applications, and then an error log is generated. And one last question- how to remove the messenger service on Windows? Please help! : o )

    Logfile of HijackThis v1.97.7
    Scan saved at 19:48:16, on 05/04/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\drivers\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\enbiei.exe
    C:\WINNT\system32\mslaugh.exe
    C:\WINNT\reg32.exe
    C:\WINNT\system32\msblast.exe
    C:\WINNT\system32\internat.exe
    C:\saved from win98 install 1\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\BTopenworld\DialBTIAnytime.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\GENERA~1\LOCALS~1\Temp\Rar$EX00.712\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allneedsearch.com/spm.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/spm.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\saved from win98 install 1\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/btwebcontrol012.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://www.real-euros.com/EPlugin_GB.cab
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    split off and turned into a new thread - please open your own new thread - we'd like to keep things organized ;) - paul
     
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi FerrisBueller,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allneedsearch.com/spm.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/spm.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html

    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe

    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://www.real-euros.com/EPlugin_GB.cab

    Download CWShredder and run. Be sure ALL other windows are closed and use the Fix button and follow the instructions you will receive.

    Download McAfee AVERT Stinger and run. If necessary, click the Add or Browse button to add additional drives/directories to scan. By default the C: drive will be scanned. Click the Scan Now button to begin scanning the specified drives/directories.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot in Safe Mode and delete the following:

    C:\WINNT\secure.html
    enbiei.exe <-- You may have to do a search for this file.
    mslaugh.exe <-- You may have to do a search for this file.
    C:\WINNT\reg32.exe
    msblast.exe <-- You may have to do a search for this file.

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
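    As an added example (not code from the thread, from Kent, or from HijackThis itself), a small Python parser that applies the fix-list reasoning above to the R0/R1, O4 and Running processes lines of a log like the one posted: IE pages redirected to the hijack domain or to a local .html file, and autostarts or processes that carry the worm file names named in this thread. The indicator sets and SAMPLE_LOG are constructed from the posted log, not taken from a live feed.

```python
import re

# Indicators copied from the posted log (the fix list above); constructed for this example.
HIJACK_DOMAINS = {"allneedsearch.com"}
WORM_FILES = {"msblast.exe", "enbiei.exe", "mslaugh.exe", "reg32.exe"}

# Constructed sample: a subset of the posted log plus one benign entry per section.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\msblast.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\saved from win98 install 1\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

RE_R = re.compile(r"^(R[01]) - (HK\w+)\\(.+?) = (.*)$")          # IE start/search pages
RE_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")  # Run-key autostarts
RE_PATH = re.compile(r"^[a-z]:\\", re.I)                           # bare process paths
RE_LOCAL_HTML = re.compile(r"^[a-z]:\\.*\.html?$", re.I)           # home page set to a local file

def fname(path):
    return path.rsplit("\\", 1)[-1].lower()

def exe_of(cmd):
    """File name of the program a Run command launches (handles quoted paths)."""
    return fname(cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0])

def host_of(url):
    return re.sub(r"^\w+://", "", url).split("/")[0].lower()

def classify(line):
    """Reason the line belongs on the fix list, or None if it looks legitimate."""
    if m := RE_R.match(line):
        sec, hive, key, value = m.groups()
        if value.lower().startswith("http") and host_of(value) in HIJACK_DOMAINS:
            return f"{sec} {hive}\\{key} -> hijack domain {host_of(value)}"
        if RE_LOCAL_HTML.match(value):
            return f"{sec} {hive}\\{key} -> local file {value} (not a real home page)"
    elif m := RE_O4.match(line):
        if (exe := exe_of(m.group(3))) in WORM_FILES:
            return f"O4 Run [{m.group(2).strip()}] launches {exe}"
    elif RE_PATH.match(line) and fname(line) in WORM_FILES:
        return f"process {line} uses a known worm file name"
    return None

def scan(log):
    """Return [(line, reason)] for every flagged line in a HijackThis log."""
    return [(l.strip(), r) for l in log.splitlines() if (r := classify(l.strip()))]
```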
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    and most importantly visit these sites and follow their instructions to download and install the patch that prevents this worm and others getting on the computer and spreading
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
     