More spyware

Discussion in 'adware, spyware & hijack cleaning' started by trash, Feb 15, 2004.

Thread Status:
Not open for further replies.
  1. trash

    trash Guest

    I have a persistant piece of spyware that has taken residence on my computer.
    All attempts to erradicate it have failed so far have failed.

    I have tried several spyware programs and though they find their share of the nasties,
    this one persists.

    It is an FMN Media type hijacker.
    Pages asociated with it are..

    hxxp://fmn-media.com
    hxxp://35psi.com

    Included .. somebody might see something in here that I don't....

    Logfile of HijackThis v1.97.7
    Scan saved at 4:32:46 AM, on 2/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\Program Files\icq\icq.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.users.bigpond.net.au/trash
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll
    O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\icq\icq.exe -minimize
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37565.9690509259
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{47D02929-D272-4F83-A891-76F3775826CD}: NameServer = 61.9.192.14,61.9.192.15


    thanks - trash

    Disabled links - Pieter
     
  2. trash

    trash Guest

    and another url that I just discovered a link to.

    hxxp://xlime.offeroptimizer.com/close.html?&ontop=0








    Disabled link - Pieter
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi trash,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll
    O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll

    Then reboot.

    Keep us posted,

    Pieter
     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi trash,

    there are some malwares in ur machine as it seems thru ur HJT log

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    --> http://www.pestpatrol.com/PestInfo/t/twain-tech.asp

    O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll

    -->http://www.kephyr.com/spywarescanner/library/wurldmedia/index.phtml

    and i dunno this one is a nice person or not

    -->O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll

    and do get a confirmation from Pieter for there maybe some more too


    thx

    EDIT : sorry pieter .. ;) i din see ur reply when i was givin mine... anyway i kept the reply for the removal links of the malware if trash may feel to know bout the evils. if u think i shud remove just feel free to remove it or temme to remove
     
  5. trash

    trash Guest

    thanks guys.
    Is there something in particular to look for in a DLL that gives it away as spyware or is it just a building up of skills and a bit of luck in identifying them from their filenames ?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi trash,

    Most of them can be looked up here:
    http://www.sysinfo.org/bholist.php
    Either by name or by CLSID (the long numbers between accolades)

    Some others are random, which automatically qualifies them as malware.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.