What is Spy Lantern?

sidbub (Member with 412 posts; joined Sep 2002; Florida)
17-Feb-2008, 02:34 PM #1
What is Spy Lantern?
My Spybot S&D has picked this up a couple of times: once as a registry key, which I eliminated, and now as a cookie. See pic. Anyone know what this is and where it could come from?
[Attached image: spyl.jpg]

WhitPhil (Trusted Advisor, gone but never forgotten, with 9,280 posts; joined Oct 2000; Whitby, Ontario)
17-Feb-2008, 02:46 PM #2
Do you have any of these installed?

sidbub (Member with 412 posts; joined Sep 2002; Florida)
17-Feb-2008, 02:56 PM #3
No, none of those. I don't know where the registry string or cookie came from. No idea. The registry string is gone, just found the cookie as I posted.

sidbub (Member with 412 posts; joined Sep 2002; Florida)
17-Feb-2008, 03:03 PM #4
In addition, I have run AVG and super antispyware and nothing was found. I have not downloaded anything and certainly not opened any links in emails.

WhitPhil (Trusted Advisor, gone but never forgotten, with 9,280 posts; joined Oct 2000; Whitby, Ontario)
17-Feb-2008, 03:11 PM #5
If the Registry entry appears again, do not delete it.

Post it back here for review.

The cookie, in theory, came from the Spydex site, but could have been triggered by some other link. Cookies are not dangerous and are not part of malware, and can't spread it.

sidbub (Member with 412 posts; joined Sep 2002; Florida)
17-Feb-2008, 03:17 PM #6
Will do. Thank you.

sidbub (Member with 412 posts; joined Sep 2002; Florida)
17-Feb-2008, 03:21 PM #7
Spy Lantern
I was able to see what Spybot S&D found the other day, and here's the pic from the registry.
[Attached image: spylan.jpg]

WhitPhil (Trusted Advisor, gone but never forgotten, with 9,280 posts; joined Oct 2000; Whitby, Ontario)
17-Feb-2008, 03:54 PM #8
I think when it happens again, we would export that key and then see what the contents are.

sidbub (Member with 412 posts; joined Sep 2002; Florida)
17-Feb-2008, 04:10 PM #9
What do you mean? Export the key to where?
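WhitPhil's suggestion is the standard way to review a registry entry without deleting it: in regedit, select the key and use File > Export (or run `regedit /e out.reg "HKEY_CURRENT_USER\Software\..."`), which writes the key and all its values to a plain-text .reg file that can be attached to a post or read offline. The script below is an added example, not code from this thread; it parses such an export into (key, name, type, value) records, decodes the hex(2)/hex(7) UTF-16 string encodings regedit uses for REG_EXPAND_SZ and REG_MULTI_SZ, and lists every executable or DLL path the key refers to, which is the first thing a reviewer looks for. The sample export (the ExampleVendor key and its values) is constructed for this example and is not the entry Spybot reported.

```python
"""Parse a regedit .reg export so a key's contents can be reviewed offline."""
import re
from typing import List, Optional, Tuple, Union

# Constructed sample of what regedit's File > Export (or
#   regedit /e out.reg "HKEY_CURRENT_USER\Software\ExampleVendor")
# writes. The key, value names and contents are made up for illustration;
# they are not the entry Spybot reported in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor]

[HKEY_CURRENT_USER\Software\ExampleVendor\Agent]
@="Example Agent"
"InstallPath"="C:\\Program Files\\ExampleVendor\\agent.exe"
"Enabled"=dword:00000001
"Blob"=hex:de,ad,be,\
  ef,00
"Launch"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,61,00,2e,00,65,00,78,00,65,00,00,00
'''

Value = Union[str, int, bytes, List[str], None]
Record = Tuple[str, Optional[str], str, Value]   # (key, value name, type, value)

NAME_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$')
HEX_TYPES = {1: 'REG_SZ', 2: 'REG_EXPAND_SZ', 3: 'REG_BINARY', 4: 'REG_DWORD',
             7: 'REG_MULTI_SZ', 11: 'REG_QWORD'}
# Executable-looking paths: "C:\...\x.exe" or "%VAR%\...\x.dll"
PATH_RE = re.compile(r'(?:[A-Za-z]:|%[^%\\]+%)\\[^"\r\n]*?\.(?:exe|dll|cpl|ocx|scr)\b', re.I)


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _logical_lines(text: str):
    """Yield lines with hex(...) continuations (trailing backslash) joined."""
    buf = ''
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith('\\'):
            buf = line[:-1]
            continue
        buf = ''
        yield line
    if buf:
        yield buf


def _decode(raw: str) -> Tuple[str, Value]:
    """Turn the right-hand side of a name=value line into (type, value)."""
    if raw == '-':
        return 'DELETE_VALUE', None
    if raw.startswith('"') and raw.endswith('"'):
        return 'REG_SZ', _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return 'REG_DWORD', int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if not m:
        raise ValueError(f'unsupported value syntax: {raw}')
    kind = int(m.group(1) or 3)
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
    typ = HEX_TYPES.get(kind, f'hex({kind})')
    if kind in (1, 2):              # UTF-16LE string with a NUL terminator
        return typ, data.decode('utf-16-le').rstrip('\x00')
    if kind == 7:                   # NUL-separated UTF-16LE strings, double NUL at end
        return typ, [s for s in data.decode('utf-16-le').split('\x00') if s]
    if kind in (4, 11):             # little-endian integer
        return typ, int.from_bytes(data, 'little')
    return typ, data                # REG_BINARY and anything else: raw bytes


def parse_reg(text: str) -> List[Record]:
    """Return (key, name, type, value) records; name is None for key headers."""
    records: List[Record] = []
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor') \
                or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            if key.startswith('-'):            # "[-KEY]" means delete the key
                records.append((key[1:], None, 'DELETE_KEY', None))
                key = None
            else:
                records.append((key, None, 'KEY', None))
            continue
        m = NAME_RE.match(line)
        if not m or key is None:
            raise ValueError(f'unexpected line: {line}')
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        typ, value = _decode(m.group(2))
        records.append((key, name, typ, value))
    return records


def referenced_paths(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Executable/library paths mentioned in string values: the first thing to review."""
    hits = []
    for key, name, _typ, value in records:
        strings = value if isinstance(value, list) else [value] if isinstance(value, str) else []
        for s in strings:
            hits.extend((key, name, m.group(0)) for m in PATH_RE.finditer(s))
    return hits


if __name__ == '__main__':
    recs = parse_reg(SAMPLE_REG)
    for key, name, typ, value in recs:
        print(f'{key}  {name!r}  {typ}  {value!r}')
    print('paths to review:', referenced_paths(recs))
```

Regedit writes version 5.00 exports as UTF-16LE text, so read the file with that encoding (older REGEDIT4 files are ANSI) before passing it to `parse_reg`. Paths reported by `referenced_paths` are what to check next: whether the file exists, who signed it, and whether it also shows up in an autostart location.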

sidbub (Member with 412 posts; joined Sep 2002; Florida)
17-Feb-2008, 07:33 PM #10
Spy Lantern again
It's back, the cookie. I don't know where it's coming from.
[Attached image: spyl2.jpg]

WhitPhil (Trusted Advisor, gone but never forgotten, with 9,280 posts; joined Oct 2000; Whitby, Ontario)
18-Feb-2008, 12:12 AM #11
Run HJT and post back a log for review to see if anything there is obvious.

Cookies are just text files and can't spread malware. They are being classed as such because they belong to a site that has been classified as such.

sidbub (Member with 412 posts; joined Sep 2002; Florida)
18-Feb-2008, 07:21 AM #12
HJT Log
As requested, here is the HJT log:
[Attached file: hijackthis.log (10.7 KB)]

WhitPhil (Trusted Advisor, gone but never forgotten, with 9,280 posts; joined Oct 2000; Whitby, Ontario)
18-Feb-2008, 10:30 AM #13
Pasted for easier reading.

As well, this is an old version. Download the latest one for future use.

Logfile of HijackThis v1.99.1
Scan saved at 6:17:44 AM, on 2/18/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\program files\a-squared free\a2service.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Quick ShutDown\qsd.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcy/d.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/d...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\Program Files\Yahoo!\Common\ycheckh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CBHO Object - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\startpage guard\spguard.exe /s /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Quick ShutDown.lnk = C:\Program Files\Quick ShutDown\qsd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: IE Zoom &In - C:\PROGRA~1\IEZOOM~1\IE Zoom In.htm
O8 - Extra context menu item: IE Zoom O&ut - C:\PROGRA~1\IEZOOM~1\IE Zoom Out.htm
O8 - Extra context menu item: IE Zoomer Help... - C:\PROGRA~1\IEZOOM~1\IE Zoomer Help.htm
O8 - Extra context menu item: Open in IE &Zoomer - C:\PROGRA~1\IEZOOM~1\Open in IE Zoomer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: http://*.adelphia.net
O15 - Trusted Zone: http://www.adelphiapowerpage.com
O15 - Trusted Zone: *.agentnet.com
O15 - Trusted Zone: *.webconfig.amadeus.com
O15 - Trusted Zone: *.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeuscruise.com
O15 - Trusted Zone: *.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: *.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://www.newsradio610.com
O15 - Trusted Zone: wwww.wachovia.com
O15 - Trusted Zone: *.agentnet.com (HKLM)
O15 - Trusted Zone: *.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: *.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: *.amadeusvista.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdcc...d/tgctlins.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusproweb.com/AutomaticUp...oUpdateATL.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {3C50A393-A8DE-11D3-929C-000083262DFF} (Macro_API13.Macro) - http://us.amadeusproweb.com/ComCoreD...acro_API13.CAB
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/23.17/uploader2.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.techwareglobal.com/Remote/msrdp.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://fastaccess.drivers.bellsouth....ls_speedop.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A78856A6-334B-43AF-96F5-58574005910D} (CEinstaller Object) - https://secure200.ipixmedia.com/code/Einstaller.cab
O16 - DPF: {AA7AB619-0AEB-404C-B12F-D34D4EF32787} (Amadeus CCCert02 Wrapper) - http://us.amadeusproweb.com/ComCoreD...t02Wrapper.CAB
O16 - DPF: {E2E92FDA-7588-11D3-8F93-00008321C804} (MSIInspect.FileSystemObject) - http://amadeuscruise.com/common/cabs/MSIInspect.CAB
O16 - DPF: {E90EF4C9-1476-4C49-B926-97C7D9D30A06} (Certificates_Info Class) - http://certificates.amadeusvista.com...CCert_Info.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15027/CTPID.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\program files\a-squared free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
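A first pass over a HijackThis log like the one above is mechanical: pull out the entries that reference a file which no longer exists, the sites added to IE's Trusted Zone, the downloaded ActiveX controls (O16), and services with no publisher string, and list the autostart (O4) commands. The script below is an added example, not part of HijackThis or of this thread; the sample input is a handful of lines copied from the log above (the R3 and O2 "(no file)" entries, the O15, one O16 and the two "Unknown owner" O23 lines), used as constructed test data. It classifies entries for review; it does not decide whether anything is malicious, and for this log the hits are leftovers of uninstalled software and sites the user trusts, consistent with the "looks fine" verdict that follows.

```python
"""Triage a HijackThis log: pull out the entries an analyst looks at first."""
import re
from typing import Dict, List, Tuple

# Sample input: lines copied from the HijackThis log posted in this thread.
# In practice, read the whole hijackthis.log file instead.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: wwww.wachovia.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (file missing)
"""

ENTRY_RE = re.compile(r'^([RFNO]\d+) - (.*)$')

# Why each category deserves a look (not a verdict that it is malicious).
REASONS = {
    'orphan': 'registered component whose file is gone; leftover of an uninstall, safe to fix',
    'trusted-zone': 'site runs with the relaxed Trusted Zone settings; confirm the user added it',
    'dpf': 'ActiveX control downloaded from a URL; confirm the source is one the user visited',
    'unknown-owner': 'service without a publisher string; verify the binary and its signer',
    'hosts-file': 'hosts file redirect; check which names are overridden and where they point',
}

Entry = Tuple[str, str]              # (section such as "O2", rest of the line)
Finding = Tuple[str, str, str]       # (section, category, rest of the line)


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the numbered entries; header and process-list lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Tag the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for sec, body in entries:
        if '(no file)' in body or '(file missing)' in body:
            findings.append((sec, 'orphan', body))
        elif sec == 'O1':
            findings.append((sec, 'hosts-file', body))
        elif sec == 'O15':
            findings.append((sec, 'trusted-zone', body))
        elif sec == 'O16':
            findings.append((sec, 'dpf', body))
        elif sec == 'O23' and 'Unknown owner' in body:
            findings.append((sec, 'unknown-owner', body))
    return findings


def autostarts(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """O4 entries as (location, value name, command); Startup-folder items have no name."""
    out = []
    for sec, body in entries:
        if sec != 'O4':
            continue
        loc, _, rest = body.partition(': ')
        m = re.match(r'^\[(.*?)\] (.*)$', rest)
        out.append((loc, m.group(1), m.group(2)) if m else (loc, '', rest))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _sec, cat, _body in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == '__main__':
    parsed = parse_hjt(SAMPLE_LOG)
    for sec, cat, body in triage(parsed):
        print(f'{sec:4} {cat:14} {body}\n     -> {REASONS[cat]}')
    print('autostarts:', autostarts(parsed))
    print('summary:', summarize(triage(parsed)))
```

The categories deliberately mirror how the log is read by hand: "(no file)" and "(file missing)" entries are fixed for tidiness, O15 and O16 entries are checked against what the user remembers installing or trusting, and "Unknown owner" services are looked up by path. None of these is evidence of infection on its own.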

Cookiegal (Administrator & Malware Removal Specialist with 79,286 posts; joined Aug 2003; Quebec, Canada)
18-Feb-2008, 01:05 PM #14
These detections by Spybot are false positives:

http://forums.spybot.info/showthread.php?p=164875

The HijackThis log looks fine. Are you having any specific problems?

sidbub (Member with 412 posts; joined Sep 2002; Florida)
18-Feb-2008, 01:13 PM #15
No specific problems. Thank you very much for checking.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.