1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Security breach and signs of spyware - help!!

Discussion in 'Virus & Other Malware Removal' started by Dearson, Oct 17, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. Dearson

    Dearson Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    9
    Helo,
    I need some help figuring out what to do with a problem or problems:

    I recently got an alert of spyware from my firewall (McAfee 6.0) of something called spybotw32. after deleting it I still get massages sometimes that my anti virus files were tampered with but I do not have a start up disk to follow their instructions and frankly, I am not sure if somties there is a reall problem or just some random error on the startup. Yet, this happened about two weeks ago and since then everything was fine, until today.

    I noticed that there were files on my hard drive that were not there before called "dotcomtoolbar". I went to the remove or add programs in the control pannel and saw not less than 3 programs named "dotcomtoolbar" installed there. I immediately tried uninstalling them and was prompted to a website with the same address actually thanking me... Anyway I succeeded uninstalling 2 but 1 remained and I do not know how to remove it. Additionally, when I reopened my browser my homepage was changed to some other portal I did not see before.

    What should I do, is it a trojan? What kind of utility software can help me?
    what kind of details about my system do you need?

    Thanks
     
  2. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Hi Dearson, Welcome to TSG.

    Download Hijack This:

    http://www.tomcoyote.org/hjt/


    ...follow the instructions for scanning your system and post your scan log here. Folks will be glad to check it out and see what's going on.

    :)
     
  3. Dearson

    Dearson Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    9
    These are the results of the scan:

    Logfile of HijackThis v1.97.3
    Scan saved at 8:48:51 PM, on 10/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\windows\redirect2.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Aladdin Systems\iClean\iClean.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Documents and Settings\oren\My Documents\My Downloads\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.walla.co.il/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.115.106.236:80
    O1 - Hosts: 213.222.11.11 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [redirect] C:\windows\redirect2.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Memory Optimizer] C:\Program Files\Memory Optimizer\MemoryOptimizer.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [iClean] "C:\Program Files\Aladdin Systems\iClean\iClean.exe" /I
    O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\AiO\HPis\bin\matcli.exe
    O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003042101/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37585.5
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    :confused:
     
  4. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Okay Dearson.....do you use a proxy server?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.115.106.236:80


    You can use HJT to fix the following items. Close your browser, check the following in HJT, click Fix.

    Reboot.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/


    O1 - Hosts: 213.222.11.11 auto.search.msn.com

    ...this next item looks suspicious:

    O4 - HKLM\..\Run: [redirect] C:\windows\redirect2.exe

    ...do you recognize the app? If not, don't do anything right now with it, but find the file and check under it's properties for a company name, etc.

    Okay, the rest of the log looks fine. After taking those items out (except the 04 entry for now), go here for directions on downloading AdAware:

    http://forums.techguy.org/t164245/s.html

    Download current reference file, scan your system and remove any entries it finds.

    Also, go here and download Spybot:

    http://www.safer-networking.org/index.php?lang=en&page=download

    ...after installing, have it go online and download all updates and scan your system. Everything it finds in RED is safe to Fix.


    After all of that, re-post your log again.
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    This one:

    O4 - HKLM\..\Run: [redirect] C:\windows\redirect2.exe

    is what is loading the dotcom toolbar. Have HJT fix it and restart to safe mode and delete:

    The C:\windows\redirect2.exe file
     
  6. Dearson

    Dearson Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    9
    OK Buckaroo,

    No I do not use a proxy.
    I fixed the 5 entires with HJT, except the "redirect2" one. I run a search on it and found two files both without any information.
    I installed both programs. Ad 6 found 4 entries which I removed and Spybot found 70 red entries and fixed them.

    Then I run HJT:

    Logfile of HijackThis v1.97.3
    Scan saved at 11:22:07 PM, on 10/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\windows\redirect2.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Aladdin Systems\iClean\iClean.exe
    C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
    C:\PROGRA~1\HEWLET~1\AiO\HPis\common\MOTIVE~1.EXE
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\oren\My Documents\My Downloads\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.walla.co.il/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.115.106.236:80
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [redirect] C:\windows\redirect2.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKCU\..\Run: [Memory Optimizer] C:\Program Files\Memory Optimizer\MemoryOptimizer.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [iClean] "C:\Program Files\Aladdin Systems\iClean\iClean.exe" /I
    O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\AiO\HPis\bin\matcli.exe
    O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003042101/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37585.5
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    What next? and by the way, THANKS I already feel better, though again I recieved a massage from McAfee that my files were tampered with (before I installed Ad 6 and Spybot).

    As for flrman1 sugesstion: if this indeed is the solution, how do I delete through safe mode, I have never operated in safe mode...sorry not much of a copmuter guy but for the basics..

    Dearson
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode.

    In Safe Mode Go to Start > Search and under "More advanced search options" make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders". In the "All or part of the file name" type redirect2.exe and click "search" when it is found right click it and delete it.
     
  8. Dearson

    Dearson Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    9
    OK, I restarted on safe mode and deleted the "redirect2.exe" manually.

    What do I do next according to the HJT logfile, if any?

    Dearson
     
  9. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    For more information on Dotcomtoolbar and the redirect2.exe file, go to http://securityresponse.symantec.com/avcenter/venc/data/spyware.dotcomtoolbar.html


    You also have a LOT of items that are starting up every time that really don't need to be. Look at your O4 items and go to http://www.pacs-portal.co.uk/startup_pages/startup_all.php to see what really needs to be running and what can be started on an as needed bases.

    IF after that you still need help on what to keep and what to get rid of, post another HJT log and we can suggest what doesn't need to be running every time you start up.

    Good luck!!
     
  10. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    flrman1 and NiteHawk, thanks for the assist here. (y)

    What about the proxy server entry?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.115.106.236:80
     
  11. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    On the proxy server, I would wait to hear back from the user.
    Since most prople don't use a proxy server, it can probably go, but I would still wait to hear back from the user.
     
  12. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334

    Dearson......since you don't use a proxy, have HJT fix that R1 entry too.

    Thanks NiteHawk.

    (y)
     
  13. buddhafabio

    buddhafabio

    Joined:
    Aug 5, 2002
    Messages:
    2,246
    thanks guys found that redirect2.exe on a routine msconfig checkup. i was shocked that both adaware and spybot passed it up all they have been finding are the typical cookies. i keep them both updated. i was wondering what was slowing my browsers ie and firebird down.
     
  14. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    Yeah, this is the first I've seen of it here in this post.

    Kudos to flrman1 for sniffing that one out. (y)
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/172727

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice