Possible Spyware?

Discussion in 'adware, spyware & hijack cleaning' started by Comp01, Nov 14, 2003.

Thread Status:
Not open for further replies.
  1. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Ok, I let someone use my computer for 45 minutes, and they have it messed up already :mad: I came back, ti find they enabled scripting, java, and activeX on IE! Now, I have some ActiveX Control called "ACTIMAGE" or something like that, not thinking, I deleted the control, then done a restore from my last snapshot with SpywareBlaster, I ran Adaware, Spybot, found nothing at all, also have up-to-date spyware blaster, and SpywareGaurd, (Also note, that adaware, and spybot are up to date) Heres a Hijack This log (Although I could not find anything)
    Logfile of HijackThis v1.97.2
    Scan saved at 10:29:33 PM, on 11/14/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\PROGRAM FILES\REGPROT\REGPROT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\ID-BLASTER PLUS\IDBLASTERPLUS.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
    C:\PROGRAM FILES\MOZILLA\MOZILLAFIREBIRD\MOZILLAFIREBIRD.EXE
    C:\PROGRAM FILES\MIRC\MIRC.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Spyware Gaurd] C:\Program Files\SpywareGuard\sgmain.exe
    O4 - HKLM\..\Run: [IDblaster] C:\Program Files\ID-Blaster Plus\idblasterplus.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [RegProt] c:\program files\regprot\regprot.exe /start
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC
    O4 - HKLM\..\RunOnce: [SpiderBite] C:\MY DOCUMENTS\SPIDER\SpiderBite.exe -s -d
    O5 - control.ini: inetcpl.cpl=no
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Comp01,

    Before having HijackThis fix anything, i would suggest you go to the post made by LowWaterMark, at the top of this forum, titled: "Posting Policy: Please read before posting your log!" and where the paragraph for HijackThis is, download the latest version, which is at 1.97.6.

    The 3 items under 05 and 06 "may" need fixing, but first i would ask if you had SpybotS&D lock your homepage from any changes being made to it?

    Your log also does not look complete. After you've downloaded the latest version of HJT, repost your log, and one of the HJT Experts will advise what, if anything, needs fixing.

    regards,

    snap
     
  3. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Okay, I downloaded the newest version of HJT (I didnt know it updated much :doubt: ) But, still isnt much to it, and this is the complete log.. :doubt: I try to keep my system very clean, just stuff like this is what usually happens, anyways, heres the HJT log:
    Logfile of HijackThis v1.97.6
    Scan saved at 12:08:24 AM, on 11/15/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\PROGRAM FILES\REGPROT\REGPROT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\ID-BLASTER PLUS\IDBLASTERPLUS.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
    C:\PROGRAM FILES\MOZILLA\MOZILLAFIREBIRD\MOZILLAFIREBIRD.EXE
    C:\PROGRAM FILES\MIRC\MIRC.EXE
    C:\PROGRAM FILES\TRILLIAN\TRILLIAN.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Spyware Gaurd] C:\Program Files\SpywareGuard\sgmain.exe
    O4 - HKLM\..\Run: [IDblaster] C:\Program Files\ID-Blaster Plus\idblasterplus.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [RegProt] c:\program files\regprot\regprot.exe /start
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC
    O4 - HKLM\..\RunOnce: [SpiderBite] C:\MY DOCUMENTS\SPIDER\SpiderBite.exe -s -d
    O5 - control.ini: inetcpl.cpl=no
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Note, I do remember disabling Internet Control panel by using TweakUI (Felt it was useless, because I could access it through IE, and dont use IE that often) Bt I do not know if doing that is the result of what O6 is...
     
  4. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    I can't find anything in there that is not accounted for in the list of software you have running, except:
    O4 - HKLM\..\RunOnce: [SpiderBite] C:\MY DOCUMENTS\SPIDER\SpiderBite.exe -s -d
    which is a index.dat cleaner, if I'm not mistaking.
     
  5. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Yeah, it is a index.dat cleaner, I haven restarted yet lol
     
Thread Status:
Not open for further replies.