argh spywares

[cammi]

my friend was having problems with her computer (she downloaded imesh) and i was asked to help her. i installed lavasoft ad-ware 5.8 (or whatever its called) and I deleted all the stuff it came up with from my computer. The only one i couldn't delete was CNBabe.dll. (Later on I searched on google and found out here on tsg not to delete it! )

I went to her windows explorer and went to her program files. in her program files were some really weird stuff - i think it might be spyware. these are the following files that i think are weird:

*Cnbabe.dll (and its associated files)
*a folder called ebkrdr which has *.ebk files (what are they?), something that i think is attached to microsoft schedule, ebook, stub, mediaman, etc.
*a folder called eurotool, which has one icon on it saying "euroconv" and the other docs in this folder are all *.txt files called "eula", "eula_fr" (etc), "cluf", "lisezmoi" and more.
*a folder called firstlook... which has something called firstlook in it
*a folder called flt which has something called unins in it, and its icon is a rubbish bin
*a folder called newdotnet which contains newdotnet4_50.dll, a readme, and uninstall4_50 in it.

What's my next step? I really don't know what to do now. How do I get rid of it all? I'm getting really mad cos I can't solve it. Hopefully you guys can help me!

 

[Rollin' Rog]

Welcome to TSG, cammi.

Ad-aware is long out of date, they will be offering a new program in the months to come.


Right now Spybot is by far the best spyware removal tool. Try installing, updating and running the program following the directions given here:

http://tomcoyote.com/SPYBOT/

By the way, it is best to remove New.net through add/remove programs and reboot before doing anything else. Improper removal of its components will prevent internet connectivity.

After running Spybot, give us a look at the current startup configuration by running the StartupList application available below and copy/paste the results to a reply.

http://www.lurkhere.com/~nicefiles/

 

[cammi]

did i mention she can't use any browsers to navigate the internet?

 

[Rollin' Rog]

That might be the result of new.net. If it remains in Add/Remove programs, try removing from there and rebooting.

Then download this file (lspfix) and unzip it for her to a floppy disk and run it on her computer. It should repair the winsock protocols if New.net or some other program has corrupted them. When that happens it is usually possible to connect to the net, but not browse.


http://www.cexx.org/lspfix.htm

Also see this link here from New.net:

http://www.newdotnet.com/#remove

If she is still having trouble browsing, run msconfig and remove the check for "load startup group" then see if Spybot can be downloaded.

 

[cammi]

it seems more of my friends have these problems. one of them used to have kazaa (but uninstalled it after i told her about our other friend's spyware problem). i used the spybot and this is what Startup List says:

StartupList report, 10/01/2003, 9:42:59 AM
StartupList version: 1.50
Started from : C:\Documents and Settings\Angela1\Local Settings\Temp\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\GetRight\getright.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Angela1\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

C-Media Mixer = Mixer.exe /startup
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
WinampAgent = "C:\Program Files\Winamp\Winampa.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NetBuster = C:\Netbuster\NetBuster.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SpyBotSnD = "C:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" /autoclose

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=
HKLM\..\Windows\CurrentVersion\WinLogon: load=
HKLM\..\Windows\CurrentVersion\WinLogon: run=
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=
HKCU\..\Windows\CurrentVersion\WinLogon: load=
HKCU\..\Windows\CurrentVersion\WinLogon: run=
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=
HKLM\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

*INI section not found*
*INI section not found*
*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
*Registry value not found*
*Registry value not found*

Policies Shell key:

HKCU\..\Policies: *Registry key not found*
HKLM\..\Policies: *Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {D14641FA-445B-448E-9994-209F7AF15641}
(no name) - (no file) - {EF99BD32-C1FB-11D2-892F-0090271D4F88}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://207.246.124.105/cabs/ROOSTER3001/TPS108.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37575.0694560185

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://photos.ninemsn.com.au/r/neutral/controls/MsnPUpld.cab?5,0,1730,0

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 7,808 bytes
Report generated in 0.250 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[Rollin' Rog]

Basically nothing wrong with the startups there, BUT, it really isn't the best idea to have Spybot running at startup. I would only run it manually on occasion when problems are suspected. You can reconfigure it through Settings > Settings > Automation -- uncheck the startup option.

And, really no need for this as a permanent startup:

NetBuster = C:\Netbuster\NetBuster.exe

Your NAV program should be quite adequate for detecting and cleaning Netbus trojans.

 

[cammi]

ok, the problem with the browser was fixed. i can now surf th net on her ie. i removed the net. thing, as well as programs associated with imesh (eg, toptextit). nothing was wrong with her winsock. i installed spybot and it removed like 142 spyware on her computer!

by the way, do you know what C:\\WINDOWS\System32\ntdvnp. (i cant remember the file extension) is? It appeared in something that looked like a msdos box.

anyway enough rambling. THis is her startup list:

StartupList report, 10/01/2003, 9:30:32 PM
StartupList version: 1.50
Started from : C:\Documents and Settings\user\Desktop\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\vcdplayx.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AOL 7.0\waol.exe
C:\Documents and Settings\user\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\user\Start Menu\Programs\Startup]
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AGRSMMSG = AGRSMMSG.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
PCCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
VirtualDrive = "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
vcdplayx = "C:\WINDOWS\vcdplayx.exe"
MULTIMEDIA KEYBOARD = C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
mouseElf = C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
nwiz = nwiz.exe /install
ICQ Lite = C:\Program Files\ICQLite\ICQLite.exe -minimize
WebScan = C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe -k
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ Lite = C:\Program Files\ICQLite\ICQLite.exe -trayboot

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=
HKLM\..\Windows\CurrentVersion\WinLogon: load=
HKLM\..\Windows\CurrentVersion\WinLogon: run=
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=
HKCU\..\Windows\CurrentVersion\WinLogon: load=
HKCU\..\Windows\CurrentVersion\WinLogon: run=
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=
HKLM\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

*INI section not found*
*INI section not found*
*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
*Registry value not found*

Policies Shell key:

HKCU\..\Policies: *Registry key not found*
HKLM\..\Policies: *Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

--------------------------------------------------
End of report, 8,307 bytes
Report generated in 0.160 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[TonyKlein]

As for the first logfile, this ActiveXobject is a baddie and needs to be deleted:

[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://207.246.124.105/cabs/ROOSTER3001/TPS108.cab

It's this one:

http://www.cexx.org/vx2.htm

About this ntdvnp(probably.exe) file, nothing to be found, unfortunately.

Cheers,

 

[Rollin' Rog]

Nothing grossly out of order there either that I can see. But for optimum peformance you really should disable Find Fast, which causes a lot of unnecessary hard drive and cpu activity. This can be done either through the Control Panel or by running msconfig and removing the startup check for it.

Try to get a better look at the file name you are seeing, you may have copied it wrong; if it starts with nt, it is likely a system file. If it starts with nv, like this: nvsvc32.exe, it is probably an NVidia driver file of some kind.

Glad to see Tony is catching what I breeze over

anyway, it's nice that you've got browsing back. You don't realize what a bullet you've dodged. Fortunately the New.net uninstall worked properly and repaired the winsock/lsp entries on its own; that doesn't always happen.

 

[TonyKlein]

Actually, there's new SpyBot update out that includes updated TPS108 detection, possibly to cover this ActiveX object, among others:

2003-01-09

Spyware

++ GigaTech SuperBar ++ eBates MoneyMaker + C2.lop + Transponder/TPS108 + IPinsight + SaveNow + Bargain Buddy + TwistedHumor

Dialer

+ VLoading + XXXDial + 00SyncNet

Hijacker

+ Xupiter

 

[cammi]

thanks guys!