not sure, could be spyware

Discussion in 'adware, spyware & hijack cleaning' started by visitor, Jan 14, 2004.

Thread Status:
Not open for further replies.
  1. visitor

    visitor Guest

    I have a problem with NOD repeat-updating to the same file, posted here
    http://www.wilderssecurity.com/showthread.php?t=19428
    and here is my HJT log (scanned after CWShredder, Spybot and Ad-Aware). Please can you tell me if something is wrong in it. Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 11:53:41, on 14.1.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Windows Media Player\wmp.exe
    C:\WINDOWS\System32\conimekr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PRIVATE1\Hijack This\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\ALTAVI~1.DLL
    O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\FCBHO.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\ALTAVI~1.DLL
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [C:\WINDOWS\System32\conimekr.exe] conimekr
    O4 - HKLM\..\Run: [conimekr] C:\WINDOWS\System32\conimekr.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: FlashCapture (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\setup\awswax.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=NJAIKT
    O16 - DPF: {6D072F11-F35C-49CE-AAC1-F4FB876E8C74} (ScudAgent Control) - http://pipisnet1.cafe24.com/ScudAgent.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37996.4589930556
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi visitor,

    Are you from Korea by any chance?
    If so, please tell me what it says here: http://groups.google.com/groups?q=conimekr.exe&hl=en&lr=&ie=UTF-8&oe=utf-8&selm=uX8CAB2fDHA.944%40TK2MSFTNGP11.phx.gbl&rnum=2

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\ALTAVI~1.DLL

    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\ALTAVI~1.DLL

    O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32

    O4 - HKLM\..\Run: [C:\WINDOWS\System32\conimekr.exe] conimekr
    O4 - HKLM\..\Run: [conimekr] C:\WINDOWS\System32\conimekr.exe

    O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm

    O8 - Extra context menu item: Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm

    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=NJAIKT
    O16 - DPF: {6D072F11-F35C-49CE-AAC1-F4FB876E8C74} (ScudAgent Control) - http://pipisnet1.cafe24.com/ScudAgent.cab

    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

    Then reboot and delete:
    C:\PROGRAM FILES\3721 <= entire folder

    If you liked the AltaVista bar you will have to reinstall it. There was a conflict when you tried that the last time.

    And could you please send C:\WINDOWS\System32\conimekr.exe to
    samples@eset.com
    Please include a link to this and your other thread in the body of the email.

    Regards,

    Pieter
     
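The analysis in the reply above is done by eye: the same CLSID {4E7BD74F-...} ties the O16 AltaVista download to the O2 BHO and O3 toolbar it installed, conimekr.exe is registered twice under Run, and the helper.dll entry is a rundll32 host loading a DLL from a third-party folder. As an added example (not code from the thread, from HijackThis or from ESET), the Python script below makes those same checks mechanically over HijackThis v1.97-style lines. The sample lines are constructed from the log posted in this thread; the allowlist of download hosts passed to dpf_hosts is an assumption for the demo, not a vetted list.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: HijackThis v1.97-style lines modelled on the log in this thread.
# Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\ALTAVI~1.DLL
O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\CONFLICT.1\ALTAVI~1.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\System32\conimekr.exe] conimekr
O4 - HKLM\..\Run: [conimekr] C:\WINDOWS\System32\conimekr.exe
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=NJAIKT
O16 - DPF: {6D072F11-F35C-49CE-AAC1-F4FB876E8C74} (ScudAgent Control) - http://pipisnet1.cafe24.com/ScudAgent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
FIRST_TOKEN_RE = re.compile(r'^"([^"]*)"|^(\S+)')


def parse_log(text):
    """Split a HijackThis log into {section, guid, raw} records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(O\d+|R\d) - ", line)
        if not m:
            continue
        g = GUID_RE.search(line)
        entries.append({"section": m.group(1), "guid": g.group(0).upper() if g else None, "raw": line})
    return entries


def guid_cross_refs(entries):
    """CLSIDs that appear in more than one section. A GUID seen in O16 (an ActiveX download)
    and also in O2/O3 tells you which BHO or toolbar that .cab installed, so all of its
    entries are judged (and removed) together."""
    refs = defaultdict(set)
    for e in entries:
        if e["guid"]:
            refs[e["guid"]].add(e["section"])
    return {g: sorted(s) for g, s in refs.items() if len(s) > 1}


def split_command(cmd):
    """Return (first token without quotes, remainder) of a Run value's command line."""
    cmd = cmd.strip()
    m = FIRST_TOKEN_RE.match(cmd)
    if not m:
        return "", ""
    return (m.group(1) or m.group(2)), cmd[m.end():].strip()


def _basename(path):
    """Lower-case file name without directory or .exe, for comparing Run targets."""
    name = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def duplicate_run_targets(entries):
    """Executables started by more than one Run value (the doubled conimekr entries here).
    Falls back to the value name when the data is empty."""
    seen = defaultdict(list)
    for e in entries:
        m = O4_RE.match(e["raw"])
        if not m:
            continue
        first, _ = split_command(m.group("cmd"))
        target = _basename(first) or _basename(m.group("name"))
        seen[target].append(m.group("name"))
    return {t: names for t, names in seen.items() if len(names) > 1}


def rundll32_payloads(entries):
    """DLLs that rundll32.exe is told to load at logon. rundll32 itself is a Windows binary,
    so the DLL path after it (here one under PROGRA~1\\3721) is what needs judging."""
    dlls = []
    for e in entries:
        m = O4_RE.match(e["raw"])
        if not m:
            continue
        host, rest = split_command(m.group("cmd"))
        if _basename(host) == "rundll32" and rest:
            dll, _ = split_command(rest)
            dlls.append(dll.split(",", 1)[0])   # drop the ",EntryPoint" suffix
    return dlls


def dpf_hosts(entries, known_hosts=frozenset()):
    """Host serving each O16 ActiveX download, minus hosts the analyst already trusts."""
    out = {}
    for e in entries:
        m = O16_RE.match(e["raw"])
        if not m:
            continue
        host = urlparse(m.group("url")).hostname or ""
        if host not in known_hosts:
            out[m.group("desc")] = host
    return out


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("CLSIDs spanning sections:", guid_cross_refs(ents))
    print("Doubled Run targets:", duplicate_run_targets(ents))
    print("rundll32-hosted DLLs:", rundll32_payloads(ents))
    print("Unfamiliar download hosts:", dpf_hosts(ents, {"download.macromedia.com"}))
```

The output names exactly the entries the reply asks to fix: the AltaVista CLSID spanning O2/O3/O16, conimekr registered twice, helper.dll under 3721 loaded via rundll32, and the two download hosts outside the assumed allowlist.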
  3. visitor

    visitor Guest

    WOW, very fast!
    No, from Scandinavia.
    Thanks Pieter_Arntz
    Will send the .exe file.
     
  4. visitor

    visitor Guest

    conimekr conimekr!!!!!!!!
    Maybe something related to games or cartoon characters.
    My kids are Japanese cartoon character fans.
    I'll check with them when they come back from school and keep you informed. Thanks
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi visitor,

    That site looked like they were giving detailed instructions on how to uninstall something, like the ones you find about viruses.

    Keep us posted,

    Pieter
     
  6. visitor

    visitor Guest

    Pieter_Arntz,
    thank you, thank you, thank you.
    Please, is it clean now?
    And please, what is this entry:
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing

    Logfile of HijackThis v1.97.7
    Scan saved at 12:43:31, on 14.1.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Windows Media Player\wmp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PRIVATE1\Hijack This\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\FCBHO.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: FlashCapture (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\setup\awswax.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37996.4589930556
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi visitor,

    Please leave that one alone:
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing

    It is a misunderstanding between HijackThis and NOD32.
    If you fix it, your mail will no longer be scanned.

    Did this solve your problem?
    The log is clean now.

    Regards,

    Pieter
     
  8. visitor

    visitor Guest

    Thanks a million!
    I have to wait for the next NOD update and see.
    Will keep you informed.
     
  9. visitor

    visitor Guest

    Thanks Pieter_Arntz
    NOD seems to be working now; it has just updated to 1.598.
    Here is the event log:

    Time   Module   Event   User
    14.1.2004 20:18:30   Kernel   The virus signature database has been updated successfully to version 1.598 (20040114).   
    13.1.2004 16:13:32   Kernel   The virus signature database has been updated successfully to version 1.597 (20040112).   
    13.1.2004 11:32:59   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    13.1.2004 10:29:29   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    13.1.2004 9:29:00   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    13.1.2004 8:28:50   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    12.1.2004 22:49:39   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    12.1.2004 21:44:54   Update   Update attempt terminated with error (Server connection failure)   
    12.1.2004 20:46:00   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    10.1.2004 1:21:53   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    9.1.2004 19:24:46   Kernel   The virus signature database has been updated successfully to version 1.595 (20040108).   
    9.1.2004 10:24:58   Kernel   The virus signature database has been updated successfully to version 1.594 (20040107).   
     
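The original symptom of this thread, NOD32 logging a "successful" update to the same signature version again and again, is visible in the event log above: version 1.596 is reported as freshly installed seven times across three days, with one failed attempt in between. As an added example that is not part of the thread or of ESET's software, the Python below parses event lines of that shape and flags versions reported more than once and failed attempts. The sample lines are abridged from the log posted above; the column layout (fields separated by runs of spaces) is assumed from how the log pasted here.

```python
import re
from collections import Counter
from datetime import datetime

# Sample lines abridged from the NOD32 event log posted in this thread (newest first, as pasted).
SAMPLE_EVENTS = """\
14.1.2004 20:18:30   Kernel   The virus signature database has been updated successfully to version 1.598 (20040114).
13.1.2004 16:13:32   Kernel   The virus signature database has been updated successfully to version 1.597 (20040112).
13.1.2004 11:32:59   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).
13.1.2004 10:29:29   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).
13.1.2004 9:29:00   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).
12.1.2004 21:44:54   Update   Update attempt terminated with error (Server connection failure)
12.1.2004 20:46:00   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).
9.1.2004 10:24:58   Kernel   The virus signature database has been updated successfully to version 1.594 (20040107).
"""

# Assumed layout: "<d.m.yyyy h:mm:ss>  <module>  <event text>" with two or more spaces between fields.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2})\s{2,}(?P<module>\w+)\s{2,}(?P<event>.+?)\s*$"
)
VERSION_RE = re.compile(r"updated successfully to version (?P<ver>\d+(?:\.\d+)*) \((?P<date>\d{8})\)")


def parse_events(text):
    """Parse event lines into dicts and return them oldest first; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        v = VERSION_RE.search(m.group("event"))
        events.append({
            "time": datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"),
            "module": m.group("module"),
            "event": m.group("event"),
            "version": v.group("ver") if v else None,
            "sigdate": v.group("date") if v else None,
        })
    return sorted(events, key=lambda e: e["time"])


def repeated_successes(events):
    """Versions reported as 'updated successfully' more than once. A healthy client logs
    each signature version once, so any count above 1 is the repeat-update symptom."""
    counts = Counter(e["version"] for e in events if e["version"])
    return {v: n for v, n in counts.items() if n > 1}


def failed_attempts(events):
    """Update-module events that report an error, kept with their timestamps."""
    return [e for e in events if e["module"] == "Update" and "error" in e["event"].lower()]


def repeat_window_hours(events, version):
    """How long the client kept re-applying one version: first to last success, in hours."""
    times = [e["time"] for e in events if e["version"] == version]
    if len(times) < 2:
        return 0.0
    return (max(times) - min(times)).total_seconds() / 3600


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ver, n in repeated_successes(evs).items():
        print(f"version {ver} applied {n} times over {repeat_window_hours(evs, ver):.1f} h")
    for e in failed_attempts(evs):
        print(f"{e['time']:%d.%m.%Y %H:%M:%S} {e['event']}")
```

Run against the full log in the post above, the script reports 1.596 applied seven times; against the later log, where updates advance one version at a time, the repeated-success map is empty for every version after the fix.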
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    That's great. :)

    I hope someone lets us know what that file is.

    Pieter
     
  11. visitor

    visitor Guest

    Now NOD is working normally
    Thank you again


    Time   Module   Event   User
    15.1.2004 18:31:05   Kernel   The virus signature database has been updated successfully to version 1.599 (20040115).   
    14.1.2004 20:18:30   Kernel   The virus signature database has been updated successfully to version 1.598 (20040114).   
    13.1.2004 16:13:32   Kernel   The virus signature database has been updated successfully to version 1.597 (20040112).   
    13.1.2004 11:32:59   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    13.1.2004 10:29:29   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    13.1.2004 9:29:00   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    13.1.2004 8:28:50   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    12.1.2004 22:49:39   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    12.1.2004 21:44:54   Update   Update attempt terminated with error (Server connection failure)   
    12.1.2004 20:46:00   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    10.1.2004 1:21:53   Kernel   The virus signature database has been updated successfully to version 1.596 (20040109).   
    9.1.2004 19:24:46   Kernel   The virus signature database has been updated successfully to version 1.595 (20040108).   
    9.1.2004 10:24:58   Kernel   The virus signature database has been updated successfully to version 1.594 (20040107).   
     