SPYWARE INFECTION (hijackthis)

#1, 08-22-2006, 02:00 AM

Okay, I think everyone knows the spyware infection when you get the red circle with the white "X" in it, you get the message saying something like "Your computer could be infected, blah blah blah, going to install and download the latest spyware software" and it downloads more spyware. Trust Cleaner is the scanner that keeps being installed.

Here is a HijackThis log file:


Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\savedump.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Program Files\Telstra\Signup\tbpt.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
D:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\sistray.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
D:\Documents and Settings\Jamie\Desktop\Scanners\HijackThis.exe
D:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [winupdates] D:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [winupdate] D:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] D:\Program Files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Anti-keylogger] D:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Piracy] "D:\DOCUME~1\Jamie\LOCALS~1\Temp\SysUtil.exe" /PIRACY
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Trust Cleaner] "D:\Program Files\Trust Cleaner\Trust Cleaner.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Utility Tray.lnk = D:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136506377170
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: RegCompact - D:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
-- its_me123

#2, 08-22-2006, 02:59 AM

Your main entry for Trust Cleaner is
O4 - HKCU\..\Run: [Trust Cleaner] "D:\Program Files\Trust Cleaner\Trust Cleaner.exe"
Did you install an anti-keylogger at one point?
O4 - HKLM\..\Run: [Anti-keylogger] D:\Program Files\Anti-keylogger\Anti-keylogger.exe /autorun
And of course there is always one you can do without.
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] D:\Program Files\Telstra\Signup\tbpt.exe

These are the registry values that stand out here. If you know that the Telstra\Signup belongs to something else, disregard it. The anti-keylogger is an item that came along with it. After fixing these, remove the folder found in the Program Files directory to see this gone. Besides Ewido, try a good run of the AVG 7.1 Free edition. It's great for locating things like trojan downloaders. http://free.grisoft.com/doc/2/lng/us/tpl/v5
Spybot Search + Destroy is another one for finding the hiding spots like the root of C for "unknowns" with the exe file extension.
-- PC eye

#3, 08-22-2006, 03:14 AM
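A small triage helper, added here as an example and not part of this thread or of HijackThis itself: it parses O4 lines in the layout the posted log uses and flags the kinds of entries worth a second look in that log (an autorun launched from a temp directory, "winupdate"-style names living outside the Windows folder, the Trust Cleaner entry the original poster reports, and shortcut targets HijackThis could not resolve). The sample lines are copied from the log above; the heuristics and the two O4 line formats handled are assumptions made for this example.

```python
import re

# O4 line layouts as HijackThis printed them above (assumption: only these two forms occur).
RUN_RE = re.compile(r'^O4 - (?P<loc>.+?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
LNK_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?\.lnk) = (?P<target>.*)$')
# Entry names the original poster identifies as the scanner that keeps reinstalling.
REPORTED_UNWANTED = {"trust cleaner"}
# Sample O4 lines copied from the posted log (a constructed subset of it).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winupdates] D:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [winupdate] D:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Piracy] "D:\DOCUME~1\Jamie\LOCALS~1\Temp\SysUtil.exe" /PIRACY
O4 - HKCU\..\Run: [Trust Cleaner] "D:\Program Files\Trust Cleaner\Trust Cleaner.exe"
O4 - Global Startup: Picture Package Menu.lnk = ?
"""

def parse_o4(line):
    """Split one O4 line into (location, entry name, command); None if not an O4 line."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return m.group("loc"), m.group("name"), m.group("cmd")
    m = LNK_RE.match(line)
    if m:
        return "Global Startup", m.group("name"), m.group("target")
    return None

def triage(line):
    """Return the reasons an O4 entry deserves a closer look (empty list if none)."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    _loc, name, cmd = parsed
    low = cmd.lower()
    reasons = []
    if "\\temp\\" in low:
        reasons.append("autorun launched from a temporary directory")
    if "winupdate" in (name + cmd).lower() and "\\windows\\" not in low:
        reasons.append("Windows Update-like name living outside the Windows directory")
    if name.lower() in REPORTED_UNWANTED:
        reasons.append("program the thread reports as the unwanted scanner")
    if cmd.strip() == "?":
        reasons.append("shortcut target unresolved; check the .lnk by hand")
    return reasons

def triage_log(text):
    """Map each flagged O4 entry name to its reasons, skipping clean entries."""
    return {parse_o4(l)[1]: r for l in text.splitlines() if (r := triage(l))}
```

Entries it does not flag (such as NvCplDaemon) are simply omitted from the result; a flag is a prompt to verify the file, not a verdict.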

You need to download SmitfraudFix and ATF Cleaner... run them both and then post a new log!
-- cell4me