mal/spy/adware: what's hot and what's not?

  • 09-06-2006 9:59pm
    #1
    Closed Accounts Posts: 137 ✭✭


    I've run AVG antivirus and Hitman Pro which is an automated script comprised of:

    Ad-Aware SE 1.06
    Spybot Search & Destroy 1.4
    Spy Sweeper
    Spyware Doctor 3.5
    CWShredder 2.19
    SpywareBlaster 3.5.1
    Security Update KB912812
    Security Update KB912919
    Flash Player security upgrade
    NOD32 Antivirus 2.51
    Sysclean Package
    SuperDAT VirusScan

    but still after all that I get popups for online casinos and advertisements asking me to pay for anti-spy/ad/mal/virus software. I have a hunch that the people who stand to profit from me buying this software are the very same people behind putting the gremlins on my box in the first place! Below is a copy of my HijackThis log. Input appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 22:19:20, on 09/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\GameDeviceDriver\RFPIcon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Gaim\gaim.exe
    C:\Program Files\Hitman Pro\srhelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {E6272B0E-1854-CC5F-62FB-E85FA371E38F} - C:\DOCUME~1\DIRE~1\APPLIC~1\DEBUGD~1\extraburn.exe (file missing)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [RTBatteryMeter] C:\Program Files\GameDeviceDriver\RFPIcon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [4c1ca1d9.exe] C:\WINDOWS\system32\4c1ca1d9.exe
    O4 - HKLM\..\Run: [Enc Surf Bits Itch] C:\Documents and Settings\All Users\Application Data\biasstyleencsurf\Defy Bib.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - HKCU\..\Run: [Hitman Pro SurfRight Helper] "C:\Program Files\Hitman Pro\srhelper.exe"
    O4 - HKCU\..\Run: [4c1ca1d9.exe] C:\Documents and Settings\Dáire\Local Settings\Application Data\4c1ca1d9.exe
    O4 - HKCU\..\Run: [Math four] C:\DOCUME~1\DIRE~1\APPLIC~1\LITEPO~1\Intraboltacid.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FD7AD6F-B562-4ABF-AF57-6861DA14229F}: NameServer = 62.231.32.10,62.231.32.11
    O20 - Winlogon Notify: winbft32 - C:\WINDOWS\SYSTEM32\winbft32.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
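
    As an added example (not code from the thread or from HijackThis), a small Python triage script that parses O2/O4 lines and flags the patterns that stand out in a log like the one above: eight-hex-character file names registered under both HKLM and HKCU, autoruns launched from Application Data / Local Settings, and BHOs pointing at a .tmp file or a missing file. The sample lines are constructed in the shape of this log, with a placeholder user name; the heuristics are triage hints for a human reviewer, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis log above (placeholder user, not a real machine).
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\\WINDOWS\\system32\\hp100.tmp
O2 - BHO: (no name) - {E6272B0E-1854-CC5F-62FB-E85FA371E38F} - C:\\DOCUME~1\\USER~1\\APPLIC~1\\DEBUGD~1\\extraburn.exe (file missing)
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKLM\\..\\Run: [4c1ca1d9.exe] C:\\WINDOWS\\system32\\4c1ca1d9.exe
O4 - HKLM\\..\\Run: [Enc Surf Bits Itch] C:\\Documents and Settings\\All Users\\Application Data\\biasstyleencsurf\\Defy Bib.exe
O4 - HKCU\\..\\Run: [4c1ca1d9.exe] C:\\Documents and Settings\\user1\\Local Settings\\Application Data\\4c1ca1d9.exe
O4 - HKCU\\..\\Run: [Math four] C:\\DOCUME~1\\USER~1\\APPLIC~1\\LITEPO~1\\Intraboltacid.exe
"""
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.+)$')
HEX_NAME = re.compile(r'^[0-9a-f]{8}\.exe$', re.IGNORECASE)   # e.g. 4c1ca1d9.exe
USER_DATA = re.compile(r'application data|applic~1|local settings', re.IGNORECASE)

def exe_path(cmd):
    """Strip quotes and arguments from a Run value, keeping only the executable path."""
    m = re.match(r'"?(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def triage(log_text):
    """Return [(line, [reasons])] for each O2/O4 line that trips at least one heuristic."""
    lines = log_text.splitlines()
    hives = defaultdict(set)                      # Run value name -> hives it appears under
    for m in filter(None, map(O4_RE.match, lines)):
        hives[m['name'].lower()].add(m['hive'])
    findings = []
    for line in lines:
        reasons = []
        if (m := O4_RE.match(line)):
            path = exe_path(m['cmd'])
            if HEX_NAME.match(path.rsplit('\\', 1)[-1]):
                reasons.append('random hex file name')
            if USER_DATA.search(path):
                reasons.append('autorun from a user data directory')
            if len(hives[m['name'].lower()]) > 1:
                reasons.append('same entry name under both HKLM and HKCU')
        elif (m := O2_RE.match(line)):
            if m['target'].lower().endswith('.tmp'):
                reasons.append('BHO loaded from a .tmp file')
            if '(file missing)' in m['target']:
                reasons.append('BHO registered but file missing')
        if reasons:
            findings.append((line, reasons))
    return findings
```

    Run `triage(SAMPLE_LOG)` (or feed it a pasted log) and review each flagged line by hand; the Synaptics and Acrobat entries in the sample produce no findings, while both 4c1ca1d9.exe entries are flagged on more than one heuristic.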


Comments

  • Closed Accounts Posts: 62 ✭✭LunaC


    O4 - HKLM\..\Run: [Enc Surf Bits Itch] C:\Documents and Settings\All Users\Application Data\biasstyleencsurf\Defy Bib.exe

    Remove that.


  • Registered Users, Registered Users 2 Posts: 3,514 ✭✭✭Rollo Tamasi


    also disable your "Windows Messenger service"
    control panel
    admin tools
    services
    Messenger > disable it there.

    pop-ups come through this channel quite often.


  • Registered Users, Registered Users 2 Posts: 683 ✭✭✭Gosh


    O4 - HKLM\..\Run: [4c1ca1d9.exe] C:\WINDOWS\system32\4c1ca1d9.exe
    O4 - HKCU\..\Run: [4c1ca1d9.exe] C:\Documents and Settings\Dáire\Local Settings\Application Data\4c1ca1d9.exe

    Unless you know what these 2 are you should remove them as well


  • Registered Users, Registered Users 2 Posts: 3,514 ✭✭✭Rollo Tamasi


    google them first


  • Closed Accounts Posts: 137 ✭✭gnashrr


    LunaC wrote:
    O4 - HKLM\..\Run: [Enc Surf Bits Itch] C:\Documents and Settings\All Users\Application Data\biasstyleencsurf\Defy Bib.exe

    Remove that.

    What is this file doing? How do we know it's a bogey?
    also disable your "Windows Messenger service"
    control panel
    admin tools
    services
    Messenger > disable it there.

    pop-ups come through this channel quite often.

    Seems to have already been disabled on my box.
    gnashrr wrote:
    O4 - HKLM\..\Run: [4c1ca1d9.exe] C:\WINDOWS\system32\4c1ca1d9.exe
    O4 - HKCU\..\Run: [4c1ca1d9.exe] C:\Documents and Settings\Dáire\Local Settings\Application Data\4c1ca1d9.exe
    Gosh wrote:
    Unless you know what these 2 are you should remove them as well

    Yeah, they set off alarm bells as soon as AVG firewall asked me if I wanted to allow or deny it connecting to a remote IP address.
    google them first

    I did google them first just in case I got a hit, but I guessed that the reason they're random characters is so people can't google them and take a common countermeasure against them.


  • Closed Accounts Posts: 62 ✭✭LunaC


    Bib.exe is an IE toolbar for lop.com.

