More spyware

Discussion in 'adware, spyware & hijack cleaning' started by trash, Feb 15, 2004.

Thread Status:
Not open for further replies.
  1. trash

    trash Guest

    I have a persistent piece of spyware that has taken residence on my computer.
    All attempts to eradicate it have so far failed.

    I have tried several spyware programs and though they find their share of the nasties,
    this one persists.

    It is an FMN Media type hijacker.
    Pages associated with it are...

    hxxp://fmn-media.com
    hxxp://35psi.com

    Included .. somebody might see something in here that I don't....

    Logfile of HijackThis v1.97.7
    Scan saved at 4:32:46 AM, on 2/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\Program Files\icq\icq.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.users.bigpond.net.au/trash
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll
    O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\icq\icq.exe -minimize
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37565.9690509259
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{47D02929-D272-4F83-A891-76F3775826CD}: NameServer = 61.9.192.14,61.9.192.15


    thanks - trash

    Disabled links - Pieter
     
  2. trash

    trash Guest

    and another url that I just discovered a link to.

    hxxp://xlime.offeroptimizer.com/close.html?&ontop=0

    Disabled link - Pieter
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi trash,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll
    O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll

    Then reboot.

    Keep us posted,

    Pieter
     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi trash,

    there is some malware on your machine, as it seems from your HJT log

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    --> http://www.pestpatrol.com/PestInfo/t/twain-tech.asp

    O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll

    -->http://www.kephyr.com/spywarescanner/library/wurldmedia/index.phtml

    and I don't know if this one is a nice person or not

    -->O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll

    and do get a confirmation from Pieter, for there may be some more too


    thx

    EDIT: sorry Pieter .. ;) I didn't see your reply when I was giving mine... anyway, I kept the reply for the removal links of the malware, in case trash feels like knowing about the evils. If you think I should remove it, just feel free to remove it or tell me to remove it.
     
  5. trash

    trash Guest

    thanks guys.
    Is there something in particular to look for in a DLL that gives it away as spyware, or is it just a building up of skills and a bit of luck in identifying them from their filenames?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi trash,

    Most of them can be looked up here:
    http://www.sysinfo.org/bholist.php
    Either by name or by CLSID (the long numbers between accolades)

    Some others are random, which automatically qualifies them as malware.

    Regards,

    Pieter
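    The triage Pieter describes (look the CLSID up first; treat a random-looking file name as a red flag when the lookup turns up nothing) can be scripted over the O2 lines of a HijackThis log. The example below is added here and is not code from the thread or from HijackThis; the reference lists in it are constructed for this example from what the replies above say about the three BHOs, and a real workflow would query a maintained CLSID database such as the one linked above.

    ```python
    import re

    # Added example (not from the thread): parse HijackThis "O2 - BHO" lines, extract the
    # CLSID and DLL path, and triage each entry: CLSID lookup first, then a crude
    # "random file name" heuristic for entries the lookup does not recognise.

    O2_RE = re.compile(
        r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
    )

    # Constructed sample input: the O2 lines from the HijackThis log posted in this thread.
    SAMPLE_LOG = r"""
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll
    O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll
    """

    # Constructed reference lists for this example only. The "bad" entries reflect what the
    # replies identify (twaintec.dll = Twain-Tech, mo030414s.dll = WurldMedia); the "good"
    # entry is the Adobe Acrobat helper from the same log. Replace with a real CLSID database.
    KNOWN_GOOD = {
        "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": "Adobe Acrobat AcroIEHelper",
    }
    KNOWN_BAD = {
        "{000020DD-C72E-4113-AF77-DD56626C6C42}": "Twain-Tech (twaintec.dll)",
        "{C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F}": "WurldMedia (mo030414s.dll)",
    }

    VOWELS = set("aeiouy")


    def looks_random(filename: str) -> bool:
        """Heuristic for 'random' DLL names such as vpkjod.dll: the letters of the stem
        are vowel-poor or contain a long consonant run. Crude by design; it only ranks
        which unknown entries deserve a lookup, it never decides on its own."""
        stem = filename.rsplit(".", 1)[0].lower()
        letters = [c for c in stem if c.isalpha()]
        if len(letters) < 4:
            return False
        vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
        longest_run = run = 0
        for c in letters:
            run = 0 if c in VOWELS else run + 1
            longest_run = max(longest_run, run)
        return vowel_ratio < 0.25 or longest_run >= 4


    def triage_o2(log_text: str) -> list:
        """Return one dict per O2 line with the CLSID, file name and a verdict."""
        results = []
        for line in log_text.splitlines():
            m = O2_RE.match(line.strip())
            if not m:
                continue  # not an O2 line; HijackThis logs mix many section types
            clsid = m.group("clsid").upper()
            filename = m.group("path").rsplit("\\", 1)[-1]
            if clsid in KNOWN_GOOD:
                verdict, note = "known-good", KNOWN_GOOD[clsid]
            elif clsid in KNOWN_BAD:
                verdict, note = "known-bad", KNOWN_BAD[clsid]
            elif looks_random(filename):
                verdict, note = "suspicious", "unknown CLSID and random-looking file name"
            else:
                verdict, note = "unknown", "look up the CLSID before deciding"
            results.append({"clsid": clsid, "file": filename, "verdict": verdict, "note": note})
        return results


    if __name__ == "__main__":
        for entry in triage_o2(SAMPLE_LOG):
            print(f"{entry['verdict']:<10} {entry['file']:<18} {entry['clsid']}  {entry['note']}")
    ```

    Run against the sample, the two CLSIDs the replies identified come back as known-bad, the Acrobat helper as known-good, and vpkjod.dll is flagged as suspicious purely on its name, which matches the reasoning in the thread: an unknown CLSID with a random file name is exactly the entry to remove and watch for on reboot.
    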
     