Problem With Spywear! [Archive]

junkyardking

11-17-2003, 10:38 PM

Somewhere along the line i have downloaded some particulary nasty spywear which trys to connect to 216.127.94.107 Everyones Internet, Inc <_< , it's particuly hard to track down as it uses windows files - windows exploer and Run dll as an App to connect, now i have currently blocked it using kerio firewall but would like to remove it, i have ran both adaware pro and spybot with the latest updates but to no avail. :(

I have tracked down at least one file in C:\Documents and Settings\GuessWho\Local Settings\Temp the file name being "osfhiqf" which i cant seem to delete it as it hooked itself to windows exploer,
Now how do i delete this file?

I have also used a program called startuplist to list files in use if thats any help

here's the list

Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Kerio\Personal Firewall\PFWADMIN.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GuessWho\LOCALS~1\Temp\Rar$EX00.897\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
WINDVDPatch = CTHELPER.EXE
UpdReg = C:\WINDOWS\UpdReg.EXE
Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task = "C:\WINDOWS\System32\qttask.exe" -atboottime
CloneCDTray = "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
osfhiqf = rundll32 C:\WINDOWS\System32:osfhiqf.dll,Init 1

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*osfhiqf = rundll32 C:\WINDOWS\System32:osfhiqf.dll,Init 1

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ProxyCap = C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe
Steam = C:\Program Files\Steam\Steam.exe -silent

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\iDonate.dll - {397D7D63-816E-4ECF-8761-775C932C5CF1}
(no name) - C:\Program Files\NetLeech\IEExt.dll - {F4A27D22-E603-4B1B-B8D0-1CF7D57E56F2}

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7863.7639467593 (http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.7639467593)

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab)

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #2: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #3: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #4: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #5: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #6: w2pxdrv.dll (file MISSING)
Protocol #7: w2pxdrv.dll (file MISSING)
Protocol #8: w2pxdrv.dll (file MISSING)
Protocol #9: w2pxdrv.dll (file MISSING)
Protocol #10: w2pxdrv.dll (file MISSING)
Protocol #16: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #36: w2pxdrv.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,630 bytes
Report generated in 0.090 seconds

Command line options:
  /verbose  - to add additional info on each section
  /complete - to include empty sections and unsuspicious data
  /full    - to include several rarely-important sections
  /force9x  - to include Win9x-only startups even if running on WinNT
  /forcent  - to include WinNT-only startups even if running on Win9x
  /forceall - to include all Win9x and WinNT startups, regardless of platform
  /history  - to list version history only
:swear: :swear: :angry: :( :(

Monkeee

11-17-2003, 10:39 PM

try using spybot search and destroy :)

junkyardking

11-17-2003, 10:47 PM

Originally posted by Monkeee@17 November 2003 - 22:39
try using spybot search and destroy :)
I already did that

i have ran both adaware pro and spybot with the latest updates but to no avail

LTJBukem

11-17-2003, 10:48 PM

It's a trojan.

http://ses.symantec.com/content.cfm?articleid=2949&EID=0

http://www.trojanscan.com/

Don't worry, you'll be fine. ;)

:)

EDIT :- The moral of this story is, don't use Internet explorer.

Get mozilla firebird free here (http://www.mozilla.org/products/firebird/).

junkyardking

11-17-2003, 11:09 PM

Well i tried the scan and it came up with nothing, the file is still there, i tried deleting the reg keys with reg cleaner and they just reapear.

LTJBukem

11-17-2003, 11:20 PM

There's a removal tool here. (http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html)

:)

junkyardking

11-17-2003, 11:45 PM

I dont think this is the same as i ran the tool and it came up with nothing, is there a way to delete this file without going into the actualy directory?

Johnny_B

11-17-2003, 11:46 PM

Check out www.spywareinfo.com (http://www.spywareinfo.com).
You can post your HijackThis log in their forum, and they will help you solving the problem.
They seem to have plenty of complaints about Everyones Internet.

junkyardking

11-18-2003, 01:43 AM

Thanks for that site Johnny found out it was the Aflooder trojan very nasty, if anybody got this check out http://forums.spywareinfo.com/index.php?showtopic=10456&st=0 :D

sparsely

11-18-2003, 02:13 AM

/me loves spywear!

http://www.brakpage.com/spywear/img/friendly.gif