Major spyware problem

Discussion in 'System Security & Infection Support' started by kayslice, Jul 28, 2004.

  1. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
OK, I've tried doing it in the prompt, and I did delete it in the prompt, but it still keeps appearing in HijackThis in regular Windows... it just won't go away.
     
    kayslice, Aug 7, 2004
    #21

  2. kayslice

    Fenis-Wolf VIP Member

    Joined:
    Apr 30, 2003
    Messages:
    2,951
    Likes Received:
    35
    Location:
    Ann Arbor, Mi
    Does the spyware still work? Do you still get those silly search bars and popups?
     
    Fenis-Wolf, Aug 7, 2004
    #22

  3. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
Search bars no, popups yes. They appear every once in a while, every time I open up my Explorer. I do notice that when I delete the yek.dat from HijackThis my browsing seems to be so much faster and smoother, but when I restart it's there again.
     
    kayslice, Aug 7, 2004
    #23
  4. kayslice

    Fenis-Wolf VIP Member

    Joined:
    Apr 30, 2003
    Messages:
    2,951
    Likes Received:
    35
    Location:
    Ann Arbor, Mi
    Hmmm...you may want to try to upgrade to the newest rev of AdAware, and run another system scan.
     
    Fenis-Wolf, Aug 7, 2004
    #24
  5. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
DSO Exploit always shows up on my Spybot search. Should I fix it with Spybot? And I did download the latest version/updates.
     
    kayslice, Aug 9, 2004
    #25
  6. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
Remove it, see what happens. I can't tell you what will happen without all the information...
     
    James, Aug 9, 2004
    #26
  7. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
OK, not to mention I have two users on this computer and I think the spyware coincides between the two, b/c with my brother's account I saw a pop-up that once in a while appears in my account. So the next best thing for me to do is run Ad-Aware/Spybot/HijackThis on his account in safe mode and do what I need to do. He's not home right now so I don't have his pw to get his HijackThis log; I will get it though.

Also, about the deletion of my HOSTS files: what hosts files do I delete exactly? Do I just run a search and delete all the hosts files?
     
    kayslice, Aug 12, 2004
    #27
  8. kayslice

    Fenis-Wolf VIP Member

    Joined:
    Apr 30, 2003
    Messages:
    2,951
    Likes Received:
    35
    Location:
    Ann Arbor, Mi
No, c:\windows\system32\drivers\etc\hosts is the file you should empty.
     
    Fenis-Wolf, Aug 12, 2004
    #28
  9. kayslice

    Bubba Gump XBL: John Voda VIP Member

    Joined:
    Dec 12, 2003
    Messages:
    764
    Likes Received:
    5
    Location:
    Minnesota
    Should they be empty on everyone's computer?
     
    Bubba Gump, Aug 12, 2004
    #29
  10. kayslice

    Fenis-Wolf VIP Member

    Joined:
    Apr 30, 2003
    Messages:
    2,951
    Likes Received:
    35
    Location:
    Ann Arbor, Mi
Depends, there are very few good uses for things to be in there. It won't hurt anything if you delete everything below the example at the top of the file.
If you want to have fun with someone and you're sitting at their computer, you can go into that file, and type in an IP address of a questionable site, and then next to it their favorite domain. Then every time they type in that domain they'll go to the questionable site.
     
    Fenis-Wolf, Aug 12, 2004
    #30
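The exchange above describes the two things a hosts file can do: sinkhole a name to loopback, or silently send a real name to an address of someone else's choosing. The following audit script is an added example, not code from the thread or its posters; it parses hosts-file text (a constructed sample modelled on the stock Windows file) and sorts each entry into the benign default, a loopback sinkhole, or a redirect of the kind the reply warns about.

```python
import ipaddress

# Constructed sample modelled on a Windows hosts file: the stock Microsoft comment
# header and loopback entry, plus two added lines of the kinds discussed above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       ad.tracker.invalid        # sinkhole: blocks the name
203.0.113.10    www.example-bank.invalid  # redirect: the hijack described above
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def classify(ip, name):
    """Sort one entry into 'default', 'sinkhole', 'redirect' or 'malformed'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback:
        return "default" if name == "localhost" else "sinkhole"
    # A real name pointed at a non-loopback address is the dangerous case:
    # every lookup of that name silently goes wherever the entry says.
    return "redirect"

def audit_hosts(text):
    """Return a dict mapping each category to its list of (ip, name) entries."""
    report = {"default": [], "sinkhole": [], "redirect": [], "malformed": []}
    for ip, name in parse_hosts(text):
        report[classify(ip, name)].append((ip, name))
    return report

if __name__ == "__main__":
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        for ip, name in entries:
            print(f"{category:9} {ip:15} {name}")
```

A sinkhole entry is not automatically harmless either: spyware sometimes points antivirus or Windows Update hostnames at loopback to block updates, so review that list too.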
  11. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
OK, here's my latest log:

    running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\key.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\HijackThis.exe
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\CHEATR~1\LOCALS~1\Temp\yek.dat
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\CHEATR~1\LOCALS~1\Temp\yek.dat
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [WorkFlo] E:\BrdJmp\WorkFlow.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
    O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O18 - Protocol hijack: mhtml -

Note: O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\CHEATR~1\LOCALS~1\Temp\yek.dat is a file on my brother's account; I can tell b/c of the CHEATR~1, cheadtr is his name. I'll post his log in a minute.

This is my brother's log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\key.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\CHEATR~1\LOCALS~1\Temp\yek.dat
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\CHEATR~1\LOCALS~1\Temp\yek.dat
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [WorkFlo] E:\BrdJmp\WorkFlow.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
    O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O18 - Protocol hijack: mhtml -

Thanks a lot
     
    Last edited: Aug 13, 2004
    kayslice, Aug 13, 2004
    #31
  12. kayslice

    Fenis-Wolf VIP Member

    Joined:
    Apr 30, 2003
    Messages:
    2,951
    Likes Received:
    35
    Location:
    Ann Arbor, Mi
    Check all this stuff
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\key.exe
    C:\Program Files\QuickTime\qttask.exe
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\CHEATR~1\LOCALS~1\Temp\yek.dat
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\CHEATR~1\LOCALS~1\Temp\yek.dat
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O18 - Protocol hijack: mhtml -
     
    Fenis-Wolf, Aug 13, 2004
    #32
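The reply above hand-picks the log lines worth checking. As an added example (not code from the thread or from HijackThis), the script below applies a few of the same heuristics mechanically to HijackThis-style O2/O4/O18 lines: a BHO loaded from a Temp directory or without a .dll extension, an autostart that runs from Temp, an autostart that silently re-imports a .reg file at every logon (which is one way deleted entries can keep coming back), and any protocol hijack. The sample lines are constructed from paths quoted in the logs above; the selection is mine.

```python
import re

# Constructed sample of HijackThis-style lines, modelled on the logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\CHEATR~1\LOCALS~1\Temp\yek.dat
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
O18 - Protocol hijack: mhtml -
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O18_RE = re.compile(r"^O18 - Protocol hijack: (\S+)")
REGEDIT_RE = re.compile(r"\bregedit(\.exe)?\s+(/s|-s)\b", re.IGNORECASE)

def triage_line(line):
    """Return (reason, line) findings for one log line; empty if nothing stands out."""
    findings = []
    m = O2_RE.match(line)
    if m:
        path = m.group(3)
        if "\\temp\\" in path.lower():
            findings.append("BHO loaded from a Temp directory")
        if not path.lower().endswith(".dll"):
            findings.append("BHO file does not have a .dll extension")
    m = O4_RE.match(line)
    if m:
        cmd = m.group(3)
        if "\\temp\\" in cmd.lower():
            findings.append("autostart runs from a Temp directory")
        if REGEDIT_RE.search(cmd):
            findings.append("autostart silently re-imports a .reg file at every logon; inspect that file")
    if O18_RE.match(line):
        findings.append("protocol handler hijack")
    return [(reason, line) for reason in findings]

def triage_log(text):
    """Run triage_line over every non-blank line and collect the findings."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            results.extend(triage_line(line))
    return results

if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

A clean result from these rules is not a clean bill of health; lines like C:\WINDOWS\key.exe pass them and still deserve the manual look the reply above gives them.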
  13. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    kayslice, Aug 13, 2004
    #33
  14. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
I was just looking through my registry and came across my History and Domains in Internet Explorer and saw a lot of websites that seemed useless. Is it alright for me to delete these sites from my registry?
     
    kayslice, Aug 15, 2004
    #34
  15. kayslice

    Fenis-Wolf VIP Member

    Joined:
    Apr 30, 2003
    Messages:
    2,951
    Likes Received:
    35
    Location:
    Ann Arbor, Mi
Yeah, it shouldn't hurt anything. Just be careful to not delete anything that might be critical.
     
    Fenis-Wolf, Aug 15, 2004
    #35
  16. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
Yeah, I've been browsing my registry and found a lot of stuff on Kazaa and other spyware. I deleted them but the Kazaa popup still continues to come up. I'll keep searching around the registry and we'll see from there.

And do you guys know how to fix this DSO exploit thing?
     
    kayslice, Aug 15, 2004
    #36
  17. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
I'm not sure what you mean by DSO exploit thing... do you have a paste of the file or a screenshot? Try the Kazaa Be Gone in our Handy Tools as well.
     
    James, Aug 15, 2004
    #37
  18. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
Here's a screenshot of the DSO Exploit from my Spybot scan:

[screenshot of the Spybot scan result; image not preserved]
     
    kayslice, Aug 15, 2004
    #38
  19. kayslice

    Fenis-Wolf VIP Member

    Joined:
    Apr 30, 2003
    Messages:
    2,951
    Likes Received:
    35
    Location:
    Ann Arbor, Mi
Ummm... I think you need to do the Windows Update. That doesn't sound like active spyware; that looks like Spybot can tell if you haven't patched up your IE.
     
    Fenis-Wolf, Aug 15, 2004
    #39
  20. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Install SP2 for Windows XP and you will be all set...
     
    James, Aug 15, 2004
    #40