
Spyware problem


mikebach

MIS
Nov 27, 2002
69
US
Hi, got a user that had tons of spyware, got most of it off, but a few nasty ones are still there. Any ideas? Here's a copy of my HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 1:26:26 PM, on 08/03/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\WINNT\System32\svchost.exe
C:\ePOAgent\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRAM FILES\SENTILLION\DESKTOPCOMPONENTS\VergenceLocator.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\nethp32.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\Explorer.EXE
C:\ePOAgent\UpdaterUI.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\winoe32.exe
C:\WINNT\system32\iasptdll.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\WINNT\system32\Zjq60.exe
C:\WINNT\system32\Fwf524W7.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
T:\USL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSACCESS.EXE
C:\junk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sqtzr.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sqtzr.dll/index.html#27859
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://sqtzr.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sqtzr.dll/sp.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sqtzr.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\sqtzr.dll/sp.html#27859
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {0147CFD2-F512-75C4-0E67-1DD24058BD3B} - C:\WINNT\system32\winlf32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [winoe32.exe] C:\WINNT\system32\winoe32.exe
O4 - HKLM\..\Run: [239GGHY4#A9779] C:\WINNT\system32\Lxiv1Ua.exe
O4 - HKCU\..\Run: [cBw8RRami] iasptdll.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &FastSeeker Search - res://C:\Program Files\FastSeeker\FastSeekerToolbar.dll/cmsearch.html
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} - file://C:\IberoDialerHTML.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
O16 - DPF: {9076A11F-5EA6-4A67-BDE9-8D3C7C453DAC} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
O16 - DPF: {DF99973C-1404-11D0-8F00-00AA00BBF119} (ESB Control) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EBA6E15-01E0-4A5C-86C9-6E1B265C0BE3}: NameServer = 131.249.1.2,131.249.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD022251-2BBA-4A25-8E4A-8446D50C4D75}: NameServer = 131.249.1.2,131.249.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fccc.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EBA6E15-01E0-4A5C-86C9-6E1B265C0BE3}: NameServer = 131.249.1.2,131.249.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = fccc.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{0EBA6E15-01E0-4A5C-86C9-6E1B265C0BE3}: NameServer = 131.249.1.2,131.249.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fccc.edu
 
Here is what I do:

. I go to this web site: and use the trial offer to scan the workstation. (I also encourage them to buy the thing).

. Then, I follow exactly and in order every step in faq608-4650
 
No luck. Here is an updated HijackThis log file along with a services running report.
 
You have a dialer in the O16 entries. The websearch O16 entry gives a hit for Trend Micro.
You could try HouseCall online virus scan and see if it picks up anything.
You probably need to Google the CLSIDs in the O16 lines one at a time and see what you can find out about them. (I know that's a lot of work, but it's what I'd have to do to give you a list of keep or go.)

239GGHY4#A9779 - This is probably the Peper trojan. You can get a removal tool here.


res://C:\WINNT\sqtzr.dll/sp.html#27859
This is likely to be your biggest problem; it's one of the newer CWS programs which loads from a hidden DLL. I don't understand the technical issues involved in getting rid of that stuff so I can't help you much further. You do need to be using the current version of HijackThis to get the most info for analysis.

html#27859 - Googling on that gives a lot of hits. Many logs will probably not be answered, but you can look through logs and responses and see what the current approaches to getting rid of it are.

You are going to need something like KillBox, CopyLock, MoveOnBoot, or Process View to get those DLL files stopped.

There are some other items too. You need to scan your log for program names that don't seem right, and Google the questionable items. If you get hits, you can make decisions; if you don't get any hits, that would make the file highly suspect.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
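The reply above boils down to a manual triage pass: look for Start/Search pages served out of a local DLL, Run keys and executables with random-looking names, nameless BHOs, and O16 ActiveX entries that need their CLSID looked up. As an added example (not code from this thread, from Tek-Tips or from HijackThis), the Python script below parses a HijackThis-style log and applies those same heuristics so the entries worth a lookup stand out. The sample log, every path, name and CLSID in it, and the "three character classes" rule for spotting generated names are my own constructions for this example, not taken from the poster's machine.

```python
import re

# Constructed sample in HijackThis format: every path, name and CLSID below is
# made up for this example and does not come from any real machine.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)

Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Zq8vX1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sample.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINNT\system32\nameless.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [X7#Q9ab] C:\WINNT\system32\Zq8vX1.exe
O4 - HKCU\..\Run: [k4Vz9Qt] helper32.exe
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Test Object) - http://cdn.example.com/test.cab
O16 - DPF: {00000000-0000-0000-0000-000000000003} - file://C:\dialer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000004}: NameServer = 192.0.2.1
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")       # "O4 - ..." / "R1 - ..."
RUN_RE = re.compile(r"\[(.+?)\]\s*(.*)")                    # "[name] command"
DPF_RE = re.compile(r"\{([0-9A-Fa-f-]+)\}\s*(?:\(([^)]*)\))?\s*-\s*(.*)")  # "{CLSID} (Name) - source"


def win_basename(path):
    """Last component of a Windows path (os.path.basename is POSIX-only on Linux)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def executable_of(command):
    """First token of a Run-key command, honouring a quoted path containing spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def looks_generated(name):
    """Heuristic (my own): a name mixing 3+ of upper, lower, digit and symbol
    (whitespace excluded) reads like a random string such as 'Zq8vX1';
    genuine product names rarely do."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name)             # drop the extension
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9\s]"]
    return sum(1 for c in classes if re.search(c, stem)) >= 3


def parse_entries(text):
    """Return (type, body) tuples for every R*/O* entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def running_processes(text):
    """Paths listed under 'Running processes:' up to the next blank line."""
    procs, active = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            active = True
            continue
        if active:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def suspicious_processes(text):
    """Process image names that look generated and deserve a lookup."""
    return [win_basename(p) for p in running_processes(text)
            if looks_generated(win_basename(p))]


def triage(text):
    """Return one finding per entry that deserves a manual lookup, with reasons."""
    findings = []
    for kind, body in parse_entries(text):
        reasons = []
        if kind in ("R0", "R1") and re.search(r"=\s*(res|file)://", body):
            reasons.append("IE start/search page served from a local DLL or file")
        elif kind == "O2" and "(no name)" in body:
            reasons.append("browser helper object registered without a name")
        elif kind == "O4":
            m = RUN_RE.search(body)
            if m:
                name, exe = m.group(1), win_basename(executable_of(m.group(2)))
                if looks_generated(name):
                    reasons.append(f"run-key name '{name}' looks generated")
                if looks_generated(exe):
                    reasons.append(f"executable '{exe}' looks generated")
        elif kind == "O16":
            m = DPF_RE.search(body)
            if m:
                friendly, source = m.group(2), m.group(3)
                if not friendly:
                    reasons.append("ActiveX control has no friendly name; look up the CLSID")
                if source.lower().startswith("file://"):
                    reasons.append("control installed from a local file:// cab, as dialers often are")
        elif kind == "O17" and "NameServer" in body:
            reasons.append("confirm this NameServer belongs to your organisation")
        if reasons:
            findings.append({"type": kind, "entry": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for proc in suspicious_processes(SAMPLE_LOG):
        print("process to check:", proc)
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']}: {f['entry']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. Every hit is a prompt to look the item up, not a verdict: legitimate entries such as `mobsync.exe /logon` pass the name heuristic, and an O17 NameServer line is always listed because only the site's own network staff can say whether the address is theirs.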
 
I do not understand your comment "no luck". I know that having run CWShredder, AdAware, Spybot and Hijack This! these entries would be gone:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sqtzr.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sqtzr.dll/index.html#27859
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://sqtzr.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sqtzr.dll/sp.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sqtzr.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\sqtzr.dll/sp.html#27859
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {0147CFD2-F512-75C4-0E67-1DD24058BD3B} - C:\WINNT\system32\winlf32.dll

O4 - HKLM\..\Run: [winoe32.exe] C:\WINNT\system32\winoe32.exe
O4 - HKLM\..\Run: [239GGHY4#A9779] C:\WINNT\system32\Lxiv1Ua.exe
O4 - HKCU\..\Run: [cBw8RRami] iasptdll.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
 