Getting rid of spyware


Borgsta said:
go to the add/remove programs section and see if SED is on it. If so uninstall it from there. If it ain't there, then download hijackthis and try posting a log of all your information here.

You will probably need to work with the registry and remove it properly.

"Logfile of HijackThis v1.98.2
Scan saved at 1:48:05 PM, on 23/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Smtray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SED\SED.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Downloads\Installations\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9054BA66-392A-4618-95E3-C331E308A156}: NameServer = 203.49.70.92 139.134.2.190"


That's the HiJackThis (HJT) Log.

Here are the two important excerpts from another Adaware Quarantine Log I've just made:

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 396
ThreadCreationTime : 23-12-2004 3:15:45 AM
BasePriority : High

VX2 Object Recognized!
Type : Process
Data : m4po0e73eh.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\m4po0e73eh.dll)

-----

:7 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1860
ThreadCreationTime : 23-12-2004 3:24:10 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

VX2 Object Recognized!
Type : Process
Data : guard.tmp
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\guard.tmp)


feher said:
SED.exe looks like adware, unst.exe could be anything, se.exe looks like spyware. But I can't find any info on how to remove them.

Sorry, I don't know how to get rid of any of those. All I can suggest is to not visit that site, wait a while so Adaware and Spybot update their def. pack, and try to scan again; also run those other virus/trojan scans online in safe mode.

You can find it here:

http://forums.majorgeeks.com/showthread.php?t=35407

Under: Alternative Scan's

Two things, I can't connect to the web when I'm in Safe Mode With Networking. Also, I've heard of sites like this - do I really have to go through the whole messageboard sign-up deal? It's a fine idea but then this site would have heaps of new members all the time signing up, asking questions and showing logs. This wouldn't annoy them would it? Idiots on boards who are "anti-newbie" are stupid at the best of times but that's a site that'd always be getting new people asking questions about things that confuse them.

Anyway, thanks again fellas. SED is increasingly what seems to be one of the problems. There's this bloody VX thing that Adaware has trouble with too, Adaware asks if it can quickly scan my PC once I reboot, I say yes every time but this is the freeware version - I cannot get it to do a scan on start-up like Spybot can. The latter by the way is picking up no evil nasty things now.

EDIT: Of course because I'm now on the web again I am sure a few of these same things will re-download themselves but I'll weather it. When I run Ad-aware and it finds the vx files, tries to remove them and fails, a weird thing happens. All the programs mini-crash like I said, and My Documents folder opens up, but with the search tool in the left pane. Why would it do that exactly?
 
Leigh said:
Two things, I can't connect to the web when I'm in Safe Mode With Networking. Also, I've heard of sites like this - do I really have to go through the whole messageboard sign-up deal? It's a fine idea but then this site would have heaps of new members all the time signing up, asking questions and showing logs. This wouldn't annoy them would it? Idiots on boards who are "anti-newbie" are stupid at the best of times but that's a site that'd always be getting new people asking questions about things that confuse them.
If no one can help you here, and you don't want to format and start again, it might be your only choice, although I was mainly getting at running those tests to see if it would get rid of it; even running those tests in non-safe mode is worth a go imo. But it sounds like it is a new threat/version and will probably take time for them to find a fix.
 


Well, no.

Thanks feher, reading those two forum links you gave me, there are a few large threads on the same problems I have. The step by step procedures they're going through don't seem to be completely sorting it out. I'll register under something like BFLeigh or whatever and see if they can help me out.

How can I connect to the web in safe mode?
 
I'm having problems with getting onto MSN Messenger. It 'switched' off on Monday night two weeks ago and I have never been able to login to it since with the correct username and password. Also when trying to login to my hotmail account on internet explorer I am being redirected to a search engine. It was the same when I tried to access my student information by using my PIN number and account with UWA. I have downloaded Firefox and that has allowed me to access my hotmail account with no problems and my PIN number at UWA. But I am still having trouble with MSN messenger.
 
feher said:
Not too sure, how do you connect to the net?

USB, Network Card or Serial (dial-up)?

Dial-up. The majorgeeks (wish I was one so I could fix this) site says to choose the option Safe Mode with Networking Support but mine doesn't have that, it has Safe Mode with Networking. Same thing?
 
Leigh said:
Dial-up. The majorgeeks (wish I was one so I could fix this) site says to choose the option Safe Mode with Networking Support but mine doesn't have that, it has Safe Mode with Networking. Same thing?
Yes same thing, but it may not matter as you have dial-up, which would most likely be going through serial port.
 
Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"

Then boot to safe mode, locate and delete these files and/or folders:

C:\Program Files\SED - folder

then download and run the following:

http://www.downloads.subratam.org/VX2Finder.exe

This might be very difficult to remove though, because the filenames change in the registry. I think you should sign up to www.techguy.org; they usually don't care if it's a newbie.
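To triage a HijackThis log like the one posted above mechanically, here is an added Python example (not from this thread, HijackThis or any of the sites linked): it parses the O1, O4 and O10 lines, flags hosts-file entries that point a name at a non-loopback address, collapses the repeated LSP lines, and builds the list of lines to tick under "fix checked" given a folder name to treat as suspect. The sample log and the `SED` folder rule are constructed from the entries in this thread's log.

```python
import re
# Constructed sample: a few O1, O4 and O10 lines modelled on the HijackThis log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

def run_exe(cmd):
    """Executable path from an O4 command line: the quoted part if quoted, else the whole string."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd

def parse_hjt(text):
    """Return (hosts_redirects, run_entries, lsp_files); every item keeps its raw log line."""
    hosts, runs, lsps = [], [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := HOSTS_RE.match(line):
            ip, name = m.groups()
            if ip not in LOCAL_IPS:          # non-loopback mapping = hosts-file redirect
                hosts.append((name, ip, line))
        elif m := RUN_RE.match(line):
            hive, value, cmd = m.groups()
            runs.append((hive, value, run_exe(cmd), line))
        elif m := LSP_RE.match(line):
            path = m.group(1).lower()
            if all(path != p for p, _ in lsps):   # HJT lists the same LSP once per protocol chain
                lsps.append((path, line))
    return hosts, runs, lsps

def fix_list(text, suspect_dirs):
    """Lines to tick under 'fix checked': all hosts redirects plus O4 entries run from suspect folders."""
    hosts, runs, _ = parse_hjt(text)
    lines = [raw for _, _, raw in hosts]
    for _, _, exe, raw in runs:
        if any(f"\\{d.lower()}\\" in exe.lower() for d in suspect_dirs):
            lines.append(raw)
    return lines
```

`fix_list(SAMPLE_LOG, ["SED"])` returns the three hosts and SESync lines named in the post above; the `runs` list from `parse_hjt` is the full autostart inventory to review by hand.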
 
I'll try that, thanks. I did register at techguy about an hour ago - I've been reading their forums and am trying to get info on this thread's procedures - http://forums.techguy.org/showthread.php?p=2206198#post2206198 - like I thought it's full of jargon. The Symantec website back in the day for removing the klez virus, now that was easy to follow, technical messageboards full of threads full of posts are another thing entirely. If anybody wants to explain it better/dumb it down for me go for it!
 
Going to bed now. Everything I fix gets put back on when I come back on the web, but the ever changing vx .dll file that ad-aware and that ad-aware plugin can't fix is still popping up. It must be bringing all the removed crap back onto my system.

So yeah, what do you learned folks think about that thread? Do I follow that? What's findit.bat anyway?
 
It's a damn good website Leigh and full of helpful people, you gotta listen to it all and be prepared for a long day though. It's up to you if you feel it is worth all that effort.
 


SaveFeriss said:
How do I ping em back :confused:
Do you have their IP address in your log??

goto the command prompt and type in:

ping 192.0.0.1

If you want to ping them non-stop then:

ping -t 192.0.0.1

press ctrl-v to stop, or exit command prompt.

Replace 192.0.0.1 with the correct IP, or name (eg yahoo.com). Don't know what you're trying to do though? All it does is check if they are online, unless you get a whole host of computers and do a DDOS (I think that is what it's called) attack, but then again, I know nothing about that.
 
I read your original post again, it could be harmless.

If it's just a ping, then I wouldn't bother. If they are looking for open ports, I would be more concerned. I can tell you that most ISPs wouldn't care about Joe Public, and if this hacker/cracker is smart he wouldn't be going after Joe Public and he would be covering his 'tracks' (bouncing his IP addy around so it looks like someone else did it).

I have logs as well of attempted leaks etc, it's really just up to you to close ports, and be smart.
 
Well I am not just Joe Blow.. I am the enigmatic Save Feriss :p..
Nah seriously.. I did a port scan at the provider of my firewalls website bout 2 hours ago and it told me all ports are blocked so probably nothing.

I wouldn't mind finding a bookie to lay a 100 on my modem having to be re-installed on Wednesday to make it 5 in a row.
 
I wouldn't wish this crap on my worst enemy. Those who are interested in my progress (feher/borgsta/etc), don't come to me asking just yet although you can go to those forums you've linked to to see just how much of a problem this thing is for so many people.
 
