More spyware

I have a persistant piece of spyware that has taken residence on my computer.
All attempts to erradicate it have failed so far have failed.

I have tried several spyware programs and though they find their share of the nasties,
this one persists.

It is an FMN Media type hijacker.
Pages asociated with it are..

hxxp://fmn-media.com
hxxp://35psi.com

Included .. somebody might see something in here that I don't....

Logfile of HijackThis v1.97.7
Scan saved at 4:32:46 AM, on 2/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\icq\icq.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.users.bigpond.net.au/trash
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll
O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\icq\icq.exe -minimize
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37565.9690509259
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47D02929-D272-4F83-A891-76F3775826CD}: NameServer = 61.9.192.14,61.9.192.15


thanks - trash

Disabled links - Pieter

 

and another url that I just discovered a link to.

hxxp://xlime.offeroptimizer.com/close.html?&ontop=0








Disabled link - Pieter

 

Hi trash,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll
O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll

Then reboot.

Keep us posted,

Pieter

 

Hi trash,

there are some malwares in ur machine as it seems thru ur HJT log

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

--> http://www.pestpatrol.com/PestInfo/t/twain-tech.asp

O2 - BHO: (no name) - {C02E301D-DCDF-4258-B6B9-B01D2BB8FC2F} - C:\WINDOWS\system32\mo030414s.dll

-->http://www.kephyr.com/spywarescanner/library/wurldmedia/index.phtml

and i dunno this one is a nice person or not

-->O2 - BHO: (no name) - {B81CFB02-1219-4C92-9A30-9BE3564EFC33} - C:\WINDOWS\system32\vpkjod.dll

and do get a confirmation from Pieter for there maybe some more too


thx

EDIT : sorry pieter .. i din see ur reply when i was givin mine... anyway i kept the reply for the removal links of the malware if trash may feel to know bout the evils. if u think i shud remove just feel free to remove it or temme to remove

 

thanks guys.
Is there something in particular to look for in a DLL that gives it away as spyware or is it just a building up of skills and a bit of luck in identifying them from their filenames ?

 

Hi trash,

Most of them can be looked up here:
http://www.sysinfo.org/bholist.php
Either by name or by CLSID (the long numbers between accolades)

Some others are random, which automatically qualifies them as malware.

Regards,

Pieter