
A tough Spyware..

  • 08-04-2005 6:54pm
    #1
    Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭


    Hey all,

    Right, well here's the story: I've been helping out a guy for a while to remove some spyware. I've gone through every solution and trick in the book that I know of, and it's still not gone -- now I'm stumped and in need of your assistance. I've trawled Google's results, but none of their tips worked for this guy.

    Basically, his browser has been "hijacked" as such. The "Home Page" in Internet Explorer goes to: res://C:\WINDOWS\system32\shdocpl.dll/security.htm#subID=MPV;401 which is a "401 MPV warning". Clicking the link on the page directs him to another site,
    http://www.evidence-eliminator.com/product.d2w?g=11125663747478 which tells him:
    URGENT NEWSFLASH SUNDAY 03 APRIL 2005 - YOUR INTERNET TRAFFIC IS BEING
    ROUTED THROUGH THE IRISH ISP 195.218.107.26 AND DUBLIN, IRELAND - YOU ARE AT
    VERY HIGH RISK OF INVESTIGATION!

    Here are the programs we ran (in Safe Mode): Spybot, Ad-Aware, Microsoft Anti Spyware, CCleaner, CWShredder and AboutBlaster. Also ran EWIDO, which found some exe's and dlls and removed them. HijackThis removes the item of spyware, but once a re-boot is done, it returns.

    We checked the hosts file; it was empty. Edited the registry for startup; it just resets back to normal on re-boot. One thing we didn't do yet (awaiting results) are the Startup entries and clearing temp internet files, then doing all the usual scans. Here are the latest log files though:

    ABOUT BUSTER LOGFILE


    Scanned at: 23:00:20 on: 07/04/2005


    -- Scan 1
    About:Buster Version 4.0
    Reference List : 26

    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2
    About:Buster Version 4.0
    Reference List : 26

    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset... Done!






    Scanned at: 23:14:19 on: 07/04/2005


    -- Scan 1
    About:Buster Version 4.0
    Reference List : 26

    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2
    About:Buster Version 4.0
    Reference List : 26

    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 4
    About:Buster Version 4.0
    Reference List : 26

    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset... Done!






    HIJACK THIS LOGFILE BEFORE REBOOT



    Logfile of HijackThis v1.99.0
    Scan saved at 23:02:36, on 07/04/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyServer = 195.218.116.8:3128
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay
    Reader\shwiconem.exe
    O4 - HKLM\..\Run: [magicolor 2300WStatusDisplay]
    C:\WINDOWS\System32\MSTMON_J.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
    Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
    C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .aif: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .wav: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin2.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
    http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Iomega App Services - Iomega Corporation -
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
    O23 - Service: TrueVector Internet Monitor - Zone Labs LLC -
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe



    HIJACK THIS LOGFILE AFTER REBOOT




    Logfile of HijackThis v1.99.0
    Scan saved at 23:19:38, on 07/04/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\Fast.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\eMachines Bay Reader\shwiconem.exe
    C:\WINDOWS\System32\MSTMON_J.EXE
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\System32\fast.exe
    C:\WINDOWS\zHotkey.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\svcnut.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    res://shdocpl.dll/blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    res://shdocpl.dll/asst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyServer = 195.218.116.8:3128
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay
    Reader\shwiconem.exe
    O4 - HKLM\..\Run: [magicolor 2300WStatusDisplay]
    C:\WINDOWS\System32\MSTMON_J.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
    Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
    C:\WINDOWS\System32\Shdocvw.dll
    O12 - Plugin for .aif: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .wav: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin2.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
    http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Iomega App Services - Iomega Corporation -
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
    O23 - Service: TrueVector Internet Monitor - Zone Labs LLC -
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I'll post back when I get results on my two other solutions I'm waiting for an answer to :) Any help would be very much appreciated.

    - Sully
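    Added example, not part of the post or of HijackThis itself: a small parser that diffs the two logs above to show which entries come back after the reboot, and flags the three symptoms the thread turns on (the external proxy in the R1 line, the res:// start/search pages, and the svcnut.exe Run entry that cerbeus's reply below points at). The sample lines are quoted from the post's own logs; the suspect process name is supplied by the reviewer, not detected automatically.

```python
import re

# A few HijackThis lines quoted from the two logs in the post (before and
# after reboot), trimmed to the entries the diff and the flags need.
BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.218.116.8:3128
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
"""

AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpl.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.218.116.8:3128
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
"""

# HijackThis entries start with a section code (R0, R1, O4, O23, ...) then " - ".
LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def parse(log):
    """Map each entry body to its section code (lines that are not entries are skipped)."""
    entries = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries[m.group("body")] = m.group("code")
    return entries


def returned_after_reboot(before, after):
    """Entries present after reboot but absent before: what the persistence put back."""
    return sorted(set(parse(after)) - set(parse(before)))


def flag(log, suspect_names=("svcnut.exe",)):
    """Flag the symptoms from this thread: a ProxyServer value set at all, IE pages
    served from a res:// DLL resource, and Run entries naming a reviewer-supplied
    suspect executable (svcnut.exe here, the process named in the thread)."""
    findings = []
    for body, code in parse(log).items():
        value = body.split("= ", 1)[1] if "= " in body else ""
        if code == "R1" and "ProxyServer" in body and value:
            findings.append(("proxy-set", value))
        elif code == "R0" and value.startswith("res://"):
            findings.append(("res-start-page", value))
        elif code == "O4" and any(n in body.lower() for n in suspect_names):
            findings.append(("run-entry", body))
    return findings
```

Entries in the "returned" set are the ones to read together with the O4 line, since a setting that survives a HijackThis fix only because something re-writes it at startup points at the Run entry rather than at the setting itself.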


Comments

  • Registered Users, Registered Users 2 Posts: 4,082 ✭✭✭Nukem


    Try a program called Xoft (just Google it) - I use it from time to time. Find a free download and run it; it tends to catch a few things that the others don't get.

    nukem


  • Registered Users, Registered Users 2 Posts: 2,372 ✭✭✭Illkillya


    Have you scanned with any antivirus software? I would think that he has a virus rather than the usual spyware.


  • Closed Accounts Posts: 3,357 ✭✭✭secret_squirrel


    See this page: looks like it's actually a virus - which might be why the ad removal tools don't work. There's a link to a specific removal tool.


  • Registered Users, Registered Users 2 Posts: 542 ✭✭✭Hoochiemama


    Use a program called BHODemon. This detects changes in the registry and you can disable them. It doesn't delete it, but you can manually do that.


  • Registered Users, Registered Users 2 Posts: 372 ✭✭cerbeus


    Look at the svcnut.exe process that is running. It may be a virus that cannot be detected by your av product.

    Try looking here SVCNUT Explanation


  • Registered Users, Registered Users 2 Posts: 1,821 ✭✭✭Skud


    BPS Spyware Remover. I had the same probs as you and it removed pretty much everything. My system is running a lot better since anyway. There's a browser hijack with it, but be careful what you delete (I made that mistake ;))


  • Registered Users, Registered Users 2 Posts: 320 ✭✭Sysiphus


    I swear by two apps:

    1) MicroWord Antivirus (19 dollars)

    2) Panda Titanium antivirus (Free)

    Both are extremely efficient at removing very pernicious spyware and viruses.


  • Registered Users, Registered Users 2 Posts: 2,098 ✭✭✭aaf


    Also try RegCleaner. It usually finds a lot of junk in your registry and startup that can be deleted, and it automatically backs up the files you delete so you can restore if something goes wrong. Maybe you should post the results of RegCleaner here.


  • Registered Users, Registered Users 2 Posts: 3,357 ✭✭✭snappieT


    Microsoft AntiSpyware Beta. You can set all the default IE locations (for page not found etc.) and it won't let anybody overwrite it.

    Or use Firefox.


  • Closed Accounts Posts: 7,794 ✭✭✭JC 2K3


    It's virtually impossible to remove, I've been in that situation. Easiest thing to do is to use Firefox or another browser instead...


  • Registered Users, Registered Users 2 Posts: 6,908 ✭✭✭Alkers


    Spybot search and destroy, switch to advanced mode and there is a detailed description of all start-up programmes and options to remove them. Used it to remove one or two tricky ones before.


  • Registered Users, Registered Users 2 Posts: 10,299 ✭✭✭✭BloodBath


    Try the panda online scanner. It removed a lot of crap that other programs wouldn't on mine.


    BloodBath


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    cerbeus wrote:
    Look at the svcnut.exe process that is running. It may be a virus that cannot be detected by your av product.

    Try looking here SVCNUT Explanation

    Your suggestion did the trick. I looked it up on Google and put forward some suggestions on how to remove it fully; he did a few extra scans etc. and the problem is sorted!

    Cheers for the suggestion, yours was the one that pointed me in the right direction to fixing it!

