
Thread: Problem With Spyware!

  1. #1
    Somewhere along the line I have downloaded some particularly nasty spyware which tries to connect to 216.127.94.107 (Everyones Internet, Inc). It's particularly hard to track down as it uses Windows files (Windows Explorer and "Run DLL as an App") to connect. I have currently blocked it using Kerio firewall but would like to remove it. I have run both Ad-Aware Pro and Spybot with the latest updates, but to no avail.

    I have tracked down at least one file in C:\Documents and Settings\GuessWho\Local Settings\Temp, the file name being "osfhiqf", which I can't seem to delete as it has hooked itself into Windows Explorer.
    Now how do I delete this file?

    I have also used a program called StartupList to list the files in use, if that's any help.

    Here's the list:

    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Kerio\Personal Firewall\PFWADMIN.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\GuessWho\LOCALS~1\Temp\Rar$EX00.897\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    WINDVDPatch = CTHELPER.EXE
    UpdReg = C:\WINDOWS\UpdReg.EXE
    Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
    NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
    QuickTime Task = "C:\WINDOWS\System32\qttask.exe" -atboottime
    CloneCDTray = "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    osfhiqf = rundll32 C:\WINDOWS\System32\osfhiqf.dll,Init 1

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *osfhiqf = rundll32 C:\WINDOWS\System32\osfhiqf.dll,Init 1

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ProxyCap = C:\PROGRA~1\PROXYL~1\ProxyCap\proxycap.exe
    Steam = C:\Program Files\Steam\Steam.exe -silent

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\iDonate.dll - {397D7D63-816E-4ECF-8761-775C932C5CF1}
    (no name) - C:\Program Files\NetLeech\IEExt.dll - {F4A27D22-E603-4B1B-B8D0-1CF7D57E56F2}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7863.7639467593

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    Protocol #1: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #2: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #3: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #4: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #5: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #6: w2pxdrv.dll (file MISSING)
    Protocol #7: w2pxdrv.dll (file MISSING)
    Protocol #8: w2pxdrv.dll (file MISSING)
    Protocol #9: w2pxdrv.dll (file MISSING)
    Protocol #10: w2pxdrv.dll (file MISSING)
    Protocol #16: C:\Program Files\NetLimiter\nl_lsp.dll
    Protocol #36: w2pxdrv.dll (file MISSING)

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 5,630 bytes
    Report generated in 0.090 seconds

    Command line options:
      /verbose  - to add additional info on each section
      /complete - to include empty sections and unsuspicious data
      /full    - to include several rarely-important sections
      /force9x  - to include Win9x-only startups even if running on WinNT
      /forcent  - to include WinNT-only startups even if running on Win9x
      /forceall - to include all Win9x and WinNT startups, regardless of platform
      /history  - to list version history only
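    As an added example (not from the thread), a small Python script that reads a StartupList report like the one above and flags the patterns the posters eventually chased down: a value present in both Run and RunOnce (the '*' prefix in RunOnce means it also runs in Safe Mode), random-looking value names among the autoruns, and Winsock LSP entries pointing at a missing file. The log excerpt is constructed from the posted report, and the "random name" thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the StartupList report in the post above.
SAMPLE_LOG = """\
Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
NvCplDaemon = RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
osfhiqf = rundll32 C:\\WINDOWS\\System32\\osfhiqf.dll,Init 1
Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
*osfhiqf = rundll32 C:\\WINDOWS\\System32\\osfhiqf.dll,Init 1
Enumerating Winsock LSP files:
Protocol #1: C:\\Program Files\\NetLimiter\\nl_lsp.dll
Protocol #6: w2pxdrv.dll (file MISSING)
"""

def parse_autoruns(text):
    """Map each autorun registry key to {value name: command}."""
    keys, current = defaultdict(dict), None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith(("HKLM\\", "HKCU\\")):
            current = line
        elif line.endswith(":"):
            current = None  # a new report section starts
        elif current and " = " in line:
            name, cmd = line.split(" = ", 1)
            # a leading '*' in RunOnce means the entry also runs in Safe Mode
            keys[current][name.lstrip("*")] = cmd
    return keys

def looks_random(name):
    """Heuristic (assumed thresholds): lowercase letters only, 6+ long, few vowels."""
    return (name.isalpha() and name.islower() and len(name) >= 6
            and sum(c in "aeiou" for c in name) / len(name) < 0.35)

def find_suspicious(text):
    """Return (reason, item) pairs worth a defender's first look."""
    keys = parse_autoruns(text)
    run = {n for k, v in keys.items() if k.endswith("\\Run") for n in v}
    once = {n for k, v in keys.items() if k.endswith("\\RunOnce") for n in v}
    findings = [("in Run and RunOnce (re-persists each boot)", n)
                for n in sorted(run & once)]
    findings += [("random-looking value name", n)
                 for n in sorted(run | once) if looks_random(n)]
    missing = set(re.findall(r"Protocol #\d+: (\S+) \(file MISSING\)", text))
    findings += [("Winsock LSP points at a missing file", f) for f in sorted(missing)]
    return findings
```

    Run find_suspicious() over a full report to get the short list of entries to investigate before touching the registry.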

  2. Software & Hardware   -   #2
    Monkeee:
    Try using Spybot Search and Destroy.

  3. Software & Hardware   -   #3
    Originally posted by Monkeee@17 November 2003 - 22:39
    try using Spybot Search and Destroy
    I already did that.

    I have run both Ad-Aware Pro and Spybot with the latest updates, but to no avail.

  4. Software & Hardware   -   #4
    It's a trojan.

    http://ses.symantec.com/content.cfm?...eid=2949&EID=0

    http://www.trojanscan.com/

    Don't worry, you'll be fine.



    EDIT: The moral of this story is, don't use Internet Explorer.

    Get Mozilla Firebird free here.

  5. Software & Hardware   -   #5
    Well, I tried the scan and it came up with nothing. The file is still there; I tried deleting the reg keys with RegCleaner and they just reappear.

  6. Software & Hardware   -   #6
    There's a removal tool here.


  7. Software & Hardware   -   #7
    I don't think this is the same, as I ran the tool and it came up with nothing. Is there a way to delete this file without going into the actual directory?

  8. Software & Hardware   -   #8
    Check out www.spywareinfo.com.
    You can post your HijackThis log in their forum, and they will help you solve the problem.
    They seem to have plenty of complaints about Everyones Internet.

  9. Software & Hardware   -   #9
    Thanks for that site Johnny, found out it was the Aflooder trojan, very nasty. If anybody got this, check out http://forums.spywareinfo.com/index....pic=10456&st=0

  10. Software & Hardware   -   #10
    sparsely:
    /me loves spyware!


