Need help eliminating "Spyware" infection (HijackThis log attached)

I am not sure if its this exact on http://securityresponse.symantec.com/avcenter/venc/data/w32.elem.trojan.html

but you need to check your system A.S.A.P

scan it online at http://security.symantec.com

Buy the latest version of norton or mcafee to get rid of it or

download and run vexira

http://www.centralcommand.com/downloads.html

click on try next to

Vexira Antivirus for Microsoft Windows 95/98/Me

or

Vexira Antivirus for Microsoft Windows NT/2000/XP Workstations

according to the type of Operating system you have

keeps clicking next/ok and install it will say the licence file cannot be copied click ok and continue

I have found vexira to delete a lot if not most of the common types of spyware too

also run cwshredder from  http://www.spywareinfo.com/~merijn/downloads.html

The hijack this experts may find other malicious programs and guide you

Thanks!  I'll give it a shot.

CJG

C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

Bad location for Hijackthis...move it please for safe HJT backup files:

Please unzip Hijackthis.zip into a new folder you create in the root level of the C: drive. Name this folder C:\HJT for best and safest results. (don't put in a temp folder, or the desktop, etc...as it needs a safe folder to keep backup logs).
See this link for graphical instruction: http://russelltexas.com/spywareinfo/createhjtfolder.htm


Run Hijackthis, click on the 'scan' button and check these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fondd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fondd.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fondd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\fondd.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\fondd.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fondd.dll/sp.html (obfuscated)

O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
Comments: (bad Trojan)  http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ratega.html

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

Comments: DialerPlatform Dialer (bad)

With all other windows closed click on fix checked.

Exit Hijackthis:

To end the Trojan win32.exe process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for WIN32.EXE.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

Open Windows Explorer and drill down into C:\Windows and find and delete win32.exe. It may be hidden so enable hidden files if needed.

Reboot:

Download and run these two programs (Spybot S&D and Adaware). Use Spybot first.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware:

http://www.cjwd.demon.co.uk/spybot-adaware.html

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr
I check all the selected items to be deleted here.

Post a fresh HJT log.

Stay in this thread for continuity. Reply to this message.


HTH (Hope that Helps)

Texruss

Wow!  That's a ton of info ... thanks a bunch!  I truly appreciate the time obviously you put into this.  I already ran the "cwshredder" recommended above and it seemed to fix the IE home web page.  I will also follow your recommendations and post a new HijackThis log.  Thanks again.

CJG

Followed your instructions; the new HijackThis log is below.  Most of the registry entries you identified were deleted by cwsweeper but several were still there.  The Spybot S&D and Ad-aware programs picked up a bunch of other files. The Win32.exe process was not running but the file was in the Windows directory and I deleted it.  There were a couple of other Win32.* files (e.g., I think Win32.dat & Win32.dll)  Should I deleted these too?  Computer seems to be working fine now.  Thanks again for you help.  Great info! 

CJG

Logfile of HijackThis v1.97.7
Scan saved at 11:28:05 PM, on 4/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319

http://vil.nai.com/vil/content/v_100043.htm

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ratega.html

What do you know...between the two of them they can identify those two files...but not both for each AV company. *;-)

Edit in red: Delete them...just make sure you get win32.dll only in the Windows main directory as it can be a legit file in other locations. Let this be a lesson to all...virtually all correct .dll files are found in \system and most in \system32. Suspicious .dll files in the main Windows directory are a red flag just as strange-named .exe files are suspect in the main Windows directory.

All the best,

Texruss

Message Edited by Texruss on 04-23-2004 11:27 AM