shanenin, posted May 23, 2005 (edited):

My father-in-law had a new toolbar that was installed; I told him I would do my best to find everything. I ran both Spybot and Ad-Aware, and Ad-Aware seemed to remove the toolbar. He is still getting the popup from e.spyspotter.com. Below is the log file.

Logfile of HijackThis v1.99.1
Scan saved at 9:56:54 PM, on 5/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\ELITEAUY32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEAUY32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/248cfa0c4f509d...ip/RdxIE601.cab

Edit added later: I notice he is running IE 5.5. If his computer is properly updated, should it be running IE 6.0?

Edit added later: His system is now fully updated, including IE6.

Edited May 23, 2005 by shanenin
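The log above is the kind of thing that gets eyeballed line by line on forums like this one. The following is an added example, written for this page and not code from HijackThis or from anyone in the thread, that does the first pass mechanically: it parses the "Ox - payload" entry lines, skips autostart executables on a small allowlist of stock Windows 9x/ME components, and flags what is left for a human to look up. Everything the script knows is an assumption stated in the code: the allowlist is hand-made (OEM names such as the HP entries are deliberately not on it, so they surface for review), the sample input is a constructed excerpt of the posted log, and the flags are review prompts, not verdicts. Note that a tool like this can only report what HijackThis itself recorded, which is why a popup with no matching O4/O2/O16 entry (the question raised later in the thread) cannot be resolved from the log alone.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the HijackThis 1.99.1 log posted above (a handful of
# entries, not the whole log), embedded so the script runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEAUY32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/248cfa0c4f509d...ip/RdxIE601.cab
"""

# Every HJT entry line has the shape "<type> - <payload>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# Registry-based O4 payloads: "<hive>\..\Run: [<value name>] <command line>".
O4_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# ASSUMPTION: analyst-maintained allowlist of stock Windows 9x/ME autostart
# executables. It is not an authoritative database; OEM and third-party
# names must be added deliberately after they have been checked.
KNOWN_GOOD = {
    "scanregw.exe", "taskmon.exe", "pchschd.exe", "systray.exe", "rundll32.exe",
    "rundll", "hidserv.exe", "mstask.exe", "ssdpsrv.exe", "statemgr.exe", "ctfmon.exe",
}
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Entry:
    kind: str
    payload: str
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return one Entry per recognised 'Ox - ...' line; header lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def executable_of(cmd: str) -> str:
    """First token of a Run command line, unquoted and lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split()[0].lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_log(text: str) -> list:
    """Return only the entries that earned at least one review flag."""
    findings = []
    for e in parse_hjt(text):
        if e.kind == "O2" and e.payload.endswith("(no file)"):
            e.flags.append("BHO CLSID registered but its DLL is gone; leftover registration to remove")
        elif e.kind == "O4":
            m = O4_RE.match(e.payload)
            if not m:
                e.flags.append("Startup-folder item; check the shortcut target by hand")
            else:
                exe = executable_of(m.group("cmd"))
                base = basename(exe)
                if base in KNOWN_GOOD:
                    continue
                if "\\" not in exe:
                    e.flags.append(f"bare filename {base} resolved through PATH; locate it on disk")
                elif exe.startswith(WINDOWS_DIR):
                    e.flags.append(f"unlisted executable under the Windows directory: {base}")
                else:
                    e.flags.append(f"third-party autostart, lower priority: {base}")
        elif e.kind == "O16":
            e.flags.append("ActiveX download (DPF); confirm the source host is one you trust")
        if e.flags:
            findings.append(e)
    return findings


def windows_dir_unknowns(text: str) -> set:
    """Basenames of autostart executables under C:\\WINDOWS that are not on the allowlist."""
    return {
        f.rsplit(": ", 1)[-1]
        for e in triage_log(text)
        for f in e.flags
        if f.startswith("unlisted executable")
    }


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind}: {e.payload}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run against the posted log, the output is a short list rather than seventy lines: the dangling BHO, the two unlisted executables in the Windows directory (one of them an HP OEM component that belongs on the allowlist once confirmed, the other the ELITEAUY32.EXE entry that nobody in the thread examined), the third-party updaters, and the ActiveX download sources. That list is the starting point for looking things up, not a cleaning script.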
shanenin, posted May 23, 2005:

This is the site that the popup wants me to go to. It is trying to sell me adware removal for the adware it installed: http://c.spyspotter.com/landings/208-9108/alt_download.html
murtu52, posted May 23, 2005:

(quoting shanenin) This is the site that the popup wants me to go to. It is trying to sell me adware removal for the adware it installed: http://c.spyspotter.com/landings/208-9108/alt_download.html

Look here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
Press Ctrl+F and search for Spyspotter... just a little background info...
shanenin, posted May 24, 2005:

After some googling, I notice lots of people have entries for Spyspotter in their log file; I do not. I must be infected because I am getting the same popup from Spyspotter constantly. Do any of you skilled spyware removers know why Spyspotter is not showing up in my HJT log?
murtu52, posted May 24, 2005:

Well, most probably you have tracking cookies or other malware that gives you popups for the product; however, you have not downloaded the product itself. Basically, you might have things that just give you the popups, not the actual malware program... but that is just my theory...
shanenin, posted May 24, 2005:

I needed to get his computer back, so I reinstalled Windows Millennium, updated it, deleted the IE icon, then installed Firefox. I no longer need anyone to check over my log file.
Canoeingkidd, posted May 27, 2005:

Glad you were able to solve your problem. You need to prevent re-infection. I strongly recommend you take the following steps, because infections are likely to recur unless you are protected (I post the same speech for everyone, so you may have already taken some of these steps):

Disable then re-enable System Restore. This will delete your old restore points. Malware could get backed up in System Restore. To do so in Windows XP see this tutorial. To do so in Windows ME see this tutorial. (If you are using a different operating system, skip this step.)

Keep up to date with the latest security patches from Microsoft. This step is VERY important. Please visit http://www.windowsupdate.com in Internet Explorer and, if it asks to install software, let it. Start the scan for updates needed for your computer. Install all critical updates. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed. You can also access the Windows Update site at any time by going to "Tools" > "Windows Update" in Internet Explorer. Please check for updates frequently.

Install antivirus software. It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. Two popular programs are AVG and Avast. Both have free versions for home users. Do not have more than one active antivirus at a time.

Install a firewall. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. Please see Understanding and Using Firewalls. Do not use more than one firewall. If you are using Windows XP SP2, the rather poor Windows Firewall is enabled by default and you will need to disable it before installing another one.

Install Ad-aware and Spybot-S&D and scan with them regularly. They will each catch items the other may miss, and they can clean some of the leftovers off since you have just been cleansed of an infection. Spybot-S&D also has some good prevention features. See these links: Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers; Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

Install SpywareBlaster. SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs. See the link below: Using SpywareBlaster to protect your computer from Spyware and Malware.

Install IE-SPYADS. This script will place an enormous number of web sites known to be abusive into Internet Explorer's "Restricted Zone". Any site in that list will be unable to run JavaScript, Java applets, set or read cookies, or use ActiveX scripting. You will still be able to visit those sites, but they will be very limited in what they can do. Download it from HERE. Read the "ReadMe.txt" included with the download for help installing it. You will need to download new versions occasionally and uninstall the old version.

Keep these programs updated. If you do not, they will not help you very much.

Read the doxdesk prevention article at http://www.doxdesk.com/parasite/prevention.html for some more tips to prevent infection.
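The Restricted Zone trick that IE-SPYAD relies on is nothing more than registry entries: Internet Explorer keeps a per-user ZoneMap under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, one subkey per domain, with a value named after the protocol ("*" for all) whose DWORD is the zone number, and 4 is Restricted sites. The script below is an added example, not IE-SPYAD's own file or code from the thread, that builds such a .reg file for a list of hosts so the mechanism is visible end to end. Assumptions, also marked in the code: the registrable domain is taken as the last two labels (no public-suffix list, so hosts under second-level registries like co.uk need a hand edit), a deeper subdomain is written as one subkey label under the domain, hostnames are validated before being written into key paths, and the sample hosts are the spyspotter.com names from this thread. The REGEDIT4 header is the Windows 9x/ME format and is still accepted by later regedit versions. Two caveats a practitioner will want: zone placement only limits what IE does on those sites, it removes nothing that is already installed, and it does nothing for a different browser such as the Firefox that shanenin switched to.

```python
import re

ZONE_RESTRICTED = 4  # IE zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted
ZONEMAP_DOMAINS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\ZoneMap\Domains"
)
# One DNS label: letters, digits, hyphens, 63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample input: the hosts that appear in this thread.
SAMPLE_HOSTS = ["e.spyspotter.com", "c.spyspotter.com", "spyspotter.com"]


def split_host(host: str):
    """Return (registrable_domain, subdomain_prefix) for a hostname.

    ASSUMPTION: the registrable domain is the last two labels. There is no
    public-suffix handling, so a host like foo.example.co.uk would come out
    as ('co.uk', 'foo.example') and must be edited by hand.
    """
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a usable hostname: {host!r}")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def zone_key(host: str) -> str:
    """Registry key path that IE's ZoneMap uses for this host.

    ASSUMPTION: a multi-label prefix (a.b.example.com) is written as the single
    subkey 'a.b' under example.com; single-label prefixes are the common case.
    """
    domain, sub = split_host(host)
    key = f"{ZONEMAP_DOMAINS}\\{domain}"
    return key + (f"\\{sub}" if sub else "")


def restricted_zone_reg(hosts, zone: int = ZONE_RESTRICTED) -> str:
    """Build a REGEDIT4-format .reg file placing each host in the given zone."""
    lines = ["REGEDIT4", ""]
    seen = set()
    for host in sorted(hosts):
        key = zone_key(host)
        if key in seen:
            continue  # same host given twice (or with different case)
        seen.add(key)
        lines.append(f"[{key}]")
        lines.append(f'"*"=dword:{zone:08x}')  # "*" = every protocol
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(restricted_zone_reg(SAMPLE_HOSTS))
```

Importing the generated file with regedit (double-click, or regedit /s file.reg) writes the keys for the current user only, which is the same scope IE-SPYAD uses; a site in the list still loads, but with scripting, ActiveX and cookies governed by the Restricted sites zone settings rather than the Internet zone.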