TechSpot

Adaware problem.

By member1
Jun 19, 2005
  1. Adaware problem. -[updated . posted 2nd log]-

    Hey all. I woke up this morning and found out that I have acquired some sort of spyware/adware/malware over night while I was asleep. I downloaded/updated and ran the following programs: Microsoft AntiSpyware, Adaware and Spybot. They have not been able to get rid of the problem. So now I present you my HijackThis logfile.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:19:59 AM, on 6/19/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\mfxstream10b5\mfxstreamsrv.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\vidctrl\vidctrl.exe
    C:\Program Files\Cas\Client\casclient.exe

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\TV2K\QuickTV.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\BRYANI~1\LOCALS~1\Temp\Rar$EX00.702\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yagoohoogle.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yagoohoogle.com/
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjo32.exe
    O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
    O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: QuickTV.lnk = C:\Program Files\TV2K\QuickTV.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1111728343686
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9BF274C6-3D2D-4C01-87F5-E8915221D9FE}: NameServer = 151.202.0.85 151.203.0.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1985EFB-ECEA-4894-9B9F-78C9D74E01E4}: NameServer = 192.168.0.1
    O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
    O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\slorage.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Media File XStream Service - - c:\program files\mfxstream10b5\mfxstreamsrv.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
     
  2. member1

    member1 TS Rookie Topic Starter Posts: 24

    Rebooted. That is the updated logfile.
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    First, MOVE your HJT program to a proper directory, like C:\HJT
    C:\DOCUME~1\BRYANI~1\LOCALS~1\Temp\Rar$EX00.702\HijackThis.exe

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    mfxstreamsrv.exe
    vidctrl.exe
    casclient.exe
    exp.exe
    wintask.exe
    eliterjo32.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    mfxstreamsrv.exe
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, UNinstall (not delete yet!) anything to do with:
    c:\program files\mfxstream10b5\mfxstreamsrv.exe
    C:\WINDOWS\system32\vidctrl\vidctrl.exe
    C:\Program Files\Cas\Client\casclient.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    c:\program files\mfxstream10b5\mfxstreamsrv.exe
    C:\WINDOWS\system32\vidctrl\vidctrl.exe
    C:\Program Files\Cas\Client\casclient.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yagoohoogle.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yagoohoogle.com/
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjo32.exe
    O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp <<== probably same as exp.exe <<==
    O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1111728343686
    Fix BOTH O17 entries if the first is NOT your ISP.
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9BF274C6-3D2D-4C01-87F5-E8915221D9FE}: NameServer = 151.202.0.85 151.203.0.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1985EFB-ECEA-4894-9B9F-78C9D74E01E4}: NameServer = 192.168.0.1
    O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
    O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\slorage.dll
    O23 - Service: Media File XStream Service - - c:\program files\mfxstream10b5\mfxstreamsrv.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.

    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normal. When all OK, switch System Restore back on.
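The reply above triages the log by hand: R0/R1 start pages, O4 autoruns with no path or sitting in system32, O17 DNS servers that are not the ISP's, the O18 text/html filter, the O20 Winlogon Notify DLL, and the O23 service with no owner. The following is an added example, not code from the thread or from HijackThis, that applies those same rules of thumb to HJT 1.99 entry lines; the sample entries are copied from the log posted here, and the `isp_dns`, `trusted_hosts` and `trusted_notify` allowlists are assumed parameters the helper would fill in (the reply ticked all four R entries, so `trusted_hosts` defaults to empty).

```python
import re
from ipaddress import ip_address
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
SERVICE = re.compile(r"Service: (?P<name>.*?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")

# Constructed sample: entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yagoohoogle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjo32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BF274C6-3D2D-4C01-87F5-E8915221D9FE}: NameServer = 151.202.0.85 151.203.0.85
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1985EFB-ECEA-4894-9B9F-78C9D74E01E4}: NameServer = 192.168.0.1
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\slorage.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Media File XStream Service - - c:\program files\mfxstream10b5\mfxstreamsrv.exe
"""

def entries(log_text):
    # Yield (kind, body) per entry line; the header and process list never match.
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")

def o4_target(body):
    """Executable named by an O4 entry, without surrounding quotes or trailing arguments."""
    rest = (body.split("]", 1)[1] if "]" in body else body.split("=", 1)[-1]).strip()
    return rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(" ", 1)[0]

def triage(log_text, isp_dns=(), trusted_hosts=(), trusted_notify=()):
    """Return (kind, reason) for every entry a helper would tick before 'Fix checked'."""
    hits = []
    for kind, body in entries(log_text):
        if kind in ("R0", "R1"):  # hijacked start/search page
            host = re.sub(r"^https?://", "", body.split("=", 1)[1].strip()).split("/")[0]
            if host not in trusted_hosts:
                hits.append((kind, "start/search page points at " + host))
        elif kind == "O4":  # autorun with no path at all, or dropped straight into system32
            target = o4_target(body).lower()
            if "\\" not in target or "\\system32\\" in target:
                hits.append((kind, "suspicious autorun target: " + target))
        elif kind == "O17":  # DNS servers that are neither on the LAN nor the ISP's
            ips = body.split("=", 1)[1].replace(",", " ").split()
            if any(not ip_address(ip).is_private and ip not in isp_dns for ip in ips):
                hits.append((kind, "unexpected NameServer: " + " ".join(ips)))
        elif kind == "O18" and body.startswith("Filter: text/html"):
            hits.append((kind, "text/html filter can rewrite every page the browser loads"))
        elif kind == "O20" and body.split(" - ")[-1] not in trusted_notify:
            hits.append((kind, "Winlogon Notify DLL runs at every logon: " + body.split(" - ")[-1]))
        elif kind == "O23" and (m := SERVICE.match(body)) and m.group("owner") == "":
            hits.append((kind, "service with no listed owner: " + m.group("path")))
    return hits
```

Run `triage(open("hijackthis.log").read(), isp_dns=("<your ISP's DNS>",))` on a saved log to get the same list the reply built by eye; the Acrobat autorun, the LAN DNS entry and the Adobe service are left alone.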
     
  4. member1

    member1 TS Rookie Topic Starter Posts: 24

    Okay, will do.

    mfxstreamsrv.exe is a server I installed ... that allows me to map a folder to my Xbox and access media files through XBMC by streaming them.

    Also, would stripping my account of its privileges make it more difficult for this crap to install itself?

    I would use Start\Run\control userpasswords2

    then make it a user or a restricted account.
     
  5. member1

    member1 TS Rookie Topic Starter Posts: 24

    Logfile of HijackThis v1.99.1
    Scan saved at 7:52:02 PM, on 6/19/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\mfxstream10b5\mfxstreamsrv.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\TV2K\QuickTV.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\bryanisasampfag\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yagoohoogle.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yagoohoogle.com/
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: QuickTV.lnk = C:\Program Files\TV2K\QuickTV.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1111728343686
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9BF274C6-3D2D-4C01-87F5-E8915221D9FE}: NameServer = 151.202.0.85 151.203.0.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1985EFB-ECEA-4894-9B9F-78C9D74E01E4}: NameServer = 192.168.0.1
    O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
    O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\slorage.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Media File XStream Service - - c:\program files\mfxstream10b5\mfxstreamsrv.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    I tried to remove the bolded line a few times and had no luck. This is the latest log.
     
  6. member1

    member1 TS Rookie Topic Starter Posts: 24

    grrr ...

    Now my AIM is running amuck also....

    I've never had problems like this.

    Funny thing is I am a tech :confused: and I do this for spare money.
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    For some reason this one slipped through first time:
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START

    It's because people don't bother reading the all-important Read: stickies at the top of each forum page, like: How to post your Hijackthis log-files as an attachment.

    Basically repeat the first instructions I gave you, include the above entry and leave out your server thingie. I can't find anything about that server, hence I don't trust it.
     
  8. member1

    member1 TS Rookie Topic Starter Posts: 24

    edit.edit.
     
  9. IronDuke

    IronDuke TS Rookie Posts: 856

    Member1 - suggest you re-read the stickies that RBS referred to and carry them out before he blows a gasket.
     
  10. member1

    member1 TS Rookie Topic Starter Posts: 24

    Ah, noted. I read it but was so focused reading it I missed the point. Sorry.
     
  11. member1

    member1 TS Rookie Topic Starter Posts: 24

    So it would appear that I have a variant of BookedSpace ... I have googled this till no end and not been able to find out how to remove this variant :(

    I suspended the run32dll.exe process and all the popups stopped... but now to remove this? :puke:
     
Topic Status:
Not open for further replies.
