08-07-2006, 03:05 PM   #1
Beta Member
Join Date: Aug 2006
Posts: 5
Antispynet problem

Hello, I have not been able to find a fix on the net for my problem yet, so anyone that may have some assistance would be greatly appreciated.
In a nutshell, I have lost the ability to alter any internet options (homepage, clear cache, etc.), as I can open the window, but not click on anything. I am also receiving a pop-up window in the lower right corner in the same image as the MS messages, but this one is a fake. It claims to be from the Windows Security Center, telling me that spyware has been detected and I need to run a free scan. This pop-up comes up every few minutes and automatically opens a new browser page to the site www.antispynet.com. I have run Ad-Aware, MS Defender, and Trend Micro PC-cillin with no luck. They have all caught some form of spyware, but no change has happened when cleaning them. I also conducted a system restore to a few days before I noticed the problem. This too has shown no positive effects. Most recently I attempted to reboot in Safe Mode and try my sweepers, but I was unable to, receiving the error that the system32\hal.dll file was missing and needed to be reinstalled.
I am currently running Win XP Media Center Edition, SP2, on an AMD Athlon 64 3500+.

Any help would be greatly appreciated! If need be I can post a hijack this list. Thank You.
Tertius
08-07-2006, 07:11 PM   #2
Baseband Member
Join Date: Aug 2006
Posts: 40
Re: Antispynet problem

Got a popular hijack there. It seems to have touched the hal.dll (hal is the hardware abstraction layer; it is the layer between "what you see" and the core of your OS).
I don't know much about this "hijack", but if it touched your HAL, there is a good chance that it did some work on your MBR or boot files (especially if it exists in safe mode).

Try running HijackThis and post a log in here. There is a good chance that you might need to rebuild the MBR and reinstall Windows. But don't do that yet! :P


Oh yeah, are you able to get into msconfig?
PseudoEvolution
08-07-2006, 08:02 PM   #3
Beta Member
Join Date: Aug 2006
Posts: 5
Re: Antispynet problem

I am able to open msconfig, but once there I am unable to make any changes at all.
Below is my HijackThis listing:

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 8:00:58 PM, on 8/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRAM FILES\BIGFIX\BIGFIX.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\smartdrv.exe
C:\WINDOWS\system32\officescan.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.921\HijackThis.exe

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...te.cab?1137456128406
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport...weblaunch2.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab36107.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Tertius
08-07-2006, 08:39 PM   #4
Daemon Poster
Join Date: Jan 2006
Posts: 1,028
Re: Antispynet problem

I would suggest giving Spy Sweeper, Spyware Doctor, and XoftSpy a try... they usually have gotten rid of a lot of spyware that other programs haven't, at least in my experience. Also ensure that you run some virus scans.
Toby
__________________
Dell Inspiron 9400 Notebook 120GB 5400RPM SATA HDD, 500GB 7200RPM SATA External HDD, DVD+-RW, DVD+-RW External, Mobile Intel Calistoga i945PM, Intel Core 2 Duo 2.0 GHz, 2GB DDR2-667MHz Dual Channel SDRAM, Nvidia GeForce GO 7900 GS 256MB Single-Pipe.
TinyXP Rev05, PerfectDisk, TuneUp Utilities, Window Washer, Nod32, Bo-Clean, SuperAntiSpyware Pro, Spyware Blaster, Comodo Firewall Pro.
08-07-2006, 09:06 PM   #5
Beta Member
Join Date: Aug 2006
Posts: 5
Re: Antispynet problem

I ran 4 anti-spyware programs, and each time they say they cleaned them all out, to no avail. I attempted a Panda ActiveScan as well just now to see what may have been missed or reinstalled after a reboot. Here are the results.
Toby, I did run some virus scans as well.

Incident   Status   Location

Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\system32\office_pnl.dll
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\system32\officescan.exe
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\system32\smartdrv.exe
Adware:adware/superspider Not disinfected c:\windows\system32\a.exe
Adware:adware/alexa-toolbar Not disinfected c:\windows\system32\alxres.dll
Spyware:spyware/bridge Not disinfected c:\windows\system32\bridge.dll
Adware:adware/dailytoolbar Not disinfected c:\windows\system32\dailytoolbar.dll
Adware:adware/swimsuitnetwork Not disinfected c:\windows\system32\MYDLL.dll
Adware:adware/antivirus-gold Not disinfected c:\windows\system32\runsrv32.exe
Adware:adware/admess Not disinfected c:\windows\system32\tcpservice2.exe
Adware:adware/topspyware Not disinfected c:\windows\system32\txfdb32.dll
Adware:adware/btgrab Not disinfected c:\windows\BTGrab.dll
Adware:adware/transponder Not disinfected c:\windows\dlmax.dll
Spyware:spyware/betterinet Not disinfected c:\windows\susp.exe
Adware:adware/wupd Not disinfected Windows Registry
Dialer:dialer.du Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adopt.hbmediapro[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banner[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[5].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Owner\Cookies\owner@entrepreneur[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Owner\Cookies\owner@kinghost[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt
Tertius
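An added example, not part of this thread, of the cross-check a responder would do by hand with the two listings above: it parses the O2 (BHO) and O4 (Run) lines of a HijackThis log, then flags entries that are orphaned ("(no file)") or whose image file or CLSID a scanner report names. The sample lines are copied from the log and the Panda report posted in this thread; the function names are my own.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
"""

# Constructed sample: rows copied from the Panda ActiveScan report above.
PANDA_REPORT = r"""
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\system32\office_pnl.dll
Adware:adware/antivirus-gold Not disinfected c:\windows\system32\runsrv32.exe
Spyware:spyware/betterinet Not disinfected c:\windows\susp.exe
Dialer:dialer.du Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PANDA_RE = re.compile(r"^(?P<kind>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$")

def exe_from_command(cmd):
    """Image path of a Run value: the quoted path, or an unquoted path up to
    its extension (unquoted paths under Program Files contain spaces)."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|dll|sys|com|scr))(?=\s|$)', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd

def basename(location):
    """Last path component, lower-cased; for a registry key this is the CLSID."""
    return location.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_hjt(text):
    entries = []  # (raw line, entry name, clsid or None, image path)
    for line in text.splitlines():
        if m := O2_RE.match(line):
            entries.append((line, m["name"], m["clsid"], m["path"]))
        elif m := O4_RE.match(line):
            entries.append((line, m["name"], None, exe_from_command(m["cmd"])))
    return entries

def triage(hjt_text, panda_text):
    """(hjt_line, reasons) for entries worth a second look. Matching is on the
    last path component only, because the report lists susp.exe in the Windows
    directory while the Run key points at system32."""
    flagged = {basename(m["location"])
               for m in map(PANDA_RE.match, panda_text.splitlines()) if m}
    findings = []
    for line, _name, clsid, path in parse_hjt(hjt_text):
        reasons = []
        if path == "(no file)":
            reasons.append("orphaned entry: referenced file is missing")
        if basename(path) in flagged:
            reasons.append("image file named in scan report")
        if clsid and clsid.lower() in flagged:
            reasons.append("CLSID named in scan report")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Run on the two listings above it reports the orphaned {7b55bb05...} BHO (which the Panda report also names by CLSID), office_pnl.dll, susp.exe and runsrv32.exe, and stays silent on the Acrobat and Defender entries.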
08-07-2006, 09:13 PM   #6
Daemon Poster
Join Date: Jan 2006
Posts: 1,028
Re: Antispynet problem

Which anti-spyware programs and virus scans did you run though?

By the looks of that, you have a lot there.
Toby
08-07-2006, 09:27 PM   #7
Beta Member
Join Date: Aug 2006
Posts: 5
Re: Antispynet problem

I ran Trend Micro PC-cillin for both viruses and spyware, Ad-Aware, Spybot, and Microsoft Defender. I also ran AVG for viruses as well. Spy Sweeper I know to be a good program from past experience, but I do not currently own it. XoftSpy I have had bad experiences with in the past.
I have this year's version of McAfee on disk if I absolutely have to run something else, but McAfee is such a joke, it would simply be a waste.
Tertius
08-07-2006, 10:20 PM   #8
Baseband Member
Join Date: Aug 2006
Posts: 40
Re: Antispynet problem

It's not spyware or adware; that's why it's not being detected. It's a hijacker. Something you downloaded and executed recently wasn't legit. So that's why it's floating around your system.

Go to safe mode, run HijackThis, and delete anything you don't recognize. Make sure you check with liutilities.com before deleting things.
Then see if you can access msconfig, and disable the "strange" startup objects. Get rid of Messenger too (msmsgr etc.). Unless you run the Windows network tools, you don't really want this at all.

If this doesn't work, you might need to reinstall Windows...

But even that might not always work...
I had a WinXP box before that had the sobnet hijack; this is what happens: it makes a home in your MBR, which means not even a reformat will work. If the boot record exists, the bad code does too. Before this happens, the thing hides in your registry; when you try to fix/clean the registry, it then puts itself in your MBR, and when you fix your MBR it jumps back to the registry. So the only way is to get rid of the registry first, then get rid of the MBR. So what you do is get rid of Windows (overwrite it, install Linux over it, whatever you gotta do), rebuild the MBR with fdisk, and then install Windows. Otherwise it will just keep jumping around your registry and MBR, and your hard drive will be infected forever.
PseudoEvolution
08-07-2006, 11:25 PM   #9
Beta Member
Join Date: Aug 2006
Posts: 5
Re: Antispynet problem

Unfortunately, looking at the list, I don't see anything unrecognizable to be deleted. Parsing the HijackThis list online gave little help either :-/
Tertius