spyware question

I’ve got some really bad spyware on my pc called coolwwwsearch. I downloaded Spybot and scanned using that. Although it finds cws it can’t get rid of it so I also downloaded CWShredder but when that scans it doesn’t find it - it says “there is no trace of cws on your machine”. So I scanned my computer with HijackThis and got a log. I’ve posted the log on the SpyWareInfo forum a couple of days ago but I haven’t had a reply. They like you to wait three days though for a reply before you ask them again.

But my question actually concerns keyloggers. What are they? Having cws seems to attract other bits of spyware and Spybot found one called HellzLittleSpy which was a keylogger. Can people remotely see what I type into my computer? Can they read what I’m typing now? What about credit card numbers, e-mail passwords etc?

Keyloggers are sneaky programs that can run quite stealthily in the background. I had a computer where I work that had a keylogger running (forget the name) but Adaware didn’t find anything and neither did Spybot. However, when I installed McAfee and selected the options for Unwanted Programs Policy it was able to find it and remove it at the next reboot.

You could post the HijackThis log here for people to take a look at. Also, are you using the latest version of CWShredder?

A keylogger is a program or device that records all keystrokes on your computer. They can very well be used to steal passwords, credit card numbers, or anything else you might type in. Some can be accessed remotely, but I don’t know the capabilities of this particular trojan. One page I found while googling has some information on HellzLittleSpy.

This may be inaccurate or out of date, but it couldn’t hurt to look for that file and registry key.

Yeah, I have about:blank, and nothing can remove it - well, except HijackThis, on a temporary basis. Just keep HijackThis as an icon, and run it once in a while.

Speaking of which, I ran a HijackThis scan, and there was something that looks a bit like what our OP is talking about: “Service Ati HotKey Poller - unknown - C:\WINNT\System32\Ati2evxx.exe” - what’s this, does anyone know?

Number said:

Holy shit. Does this not render the internet functionally useless as a means of buying things since you don’t know whether or not you are being logged? I realise that having Spybot or Adaware and regularly scanning can reduce the risk but what about all those computer illiterate people who don’t know anything about this? Why isn’t this all over the newspapers and TV?

I don’t think there is much point in doing this in my (extremely amateur) opinion because spybot removes it anyway but then it comes back next time I go online. I think the root problem is CWS because that directs my browser to some bogus search page which probably has tons of spyware on it - if I get rid of CWS then I won’t get directed to these other pages.

Incidentally the other thing that comes back when I reboot is a DSO Exploit. I need to get rid of both these things.

I think it’s the latest version; I only downloaded it a couple of days ago. It’s version 2.12. Incidentally I’ve also been having problems downloading HijackThis - I think CWS has been trying to stop me from doing it. But I managed to eventually download it (as a ZIP file) and it’s now an icon on my desktop, but my computer won’t let me load it. When I click on it I get a dialog box that says:

Program Not Found

Windows cannot find Program.exe
This program is needed for opening files of type “ZIP.file”

And then it asks me for the location of Program.exe

I don’t understand what all this means. I think though that I’m going to need to be able to open Hijack This whilst removing CWS in order to get a new log so I’ve got to fix this. The log I took a couple of days ago is as follows - if it makes any sense to anyone, it’s all Greek to me:

Logfile of HijackThis v1.99.0
Scan saved at 12:42:59 AM, on 2/2/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\JEJEDN6FE2THD.EXE
C:\WINDOWS\SYSTEM\M89OK2LSF24JGGC.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\EDUP0HYN\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XBRYGY~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM…\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM…\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM…\Run: [SystemTray] SysTray.Exe
O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM…\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM…\Run: [Control handler] C:\WINDOWS\SYSTEM\JEJEDN6FE2THD.EXE
O4 - HKLM…\Run: [dnscleaner] C:\WINDOWS\DNSCLEANER.EXE
O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU…\Run: [romahere3] C:\WINDOWS\SYSTEM\M89OK2LSF24JGGC.EXE
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab
O16 - DPF: {0CB2BD5A-7A80-4BA9-B49A-02DC51144BDF} (vciewer control) - http://www.thepaymentcentre.com/build/vciewer.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1754.exe

I know AboutBuster didn’t work for you back in October, but have you tried the version that was released in November?

According to blackviper it’s a harmless but unnecessary process that checks to see if you have the latest drivers for your ATI video card. You can disable it in the Services applet under Administrative Tools.

Yes, and thank you for thinking of me. I tried that also, and no go. Odd, now Norton seems to have quarantined it - that happened before, but then it morphed and Norton did nothing. Maybe this time Norton will keep it under control. :(

Next time, it comes on, would you like to see a Hijackthis scan log?

One must be diligent. There are a number of measures you can take to reduce the danger. A software firewall such as ZoneAlarm can notify you when malicious processes are trying to “phone home”. SpywareBlaster, Spybot’s TeaTimer, and Ad-aware’s Ad-Watch (not available in the free version) can prevent malware from getting on your system in the first place. Keeping Windows up-to-date with the latest patches is critical. Switching to a browser other than Internet Explorer removes one big avenue for exploits.

As for the issue at hand, I would boot in Safe Mode and remove the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XBRYGY~1.DLL
O4 - HKLM…\Run: [Control handler] C:\WINDOWS\SYSTEM\JEJEDN6FE2THD.EXE
O4 - HKLM…\Run: [dnscleaner] C:\WINDOWS\DNSCLEANER.EXE
O4 - HKCU…\Run: [romahere3] C:\WINDOWS\SYSTEM\M89OK2LSF24JGGC.EXE
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1754.exe

I’m not sure about these next two. Remove them if you didn’t intentionally install them.

O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab
O16 - DPF: {0CB2BD5A-7A80-4BA9-B49A-02DC51144BDF} (vciewer control) - http://www.thepaymentcentre.com/build/vciewer.cab

Scan again with Spybot, Ad-aware, and CWShredder in Safe Mode once you’re done. Remove anything they find. Manually delete the files XBRYGY~1.DLL, JEJEDN6FE2THD.EXE, DNSCLEANER.EXE, and M89OK2LSF24JGGC.EXE if none of the other programs did.

Thanks Number,

Any ideas about what I should do about opening Hijack This from my desktop?

I’m going to need to be able to use HJ in safe mode so I can’t connect. When I got that log off HJ I think I did it through an .exe download so it just opened straight away, the HJ I have now on my desktop is a ZIP file and I get the error message I mentioned before:

Putting Program.exe into google gives me this Microsoft page. Do I need to follow the instructions on that page? The instructions it gives are:

Actually I think I’ve managed to fix the problem. I’ve managed to get Hijack This as an icon on my desktop which opens when I click on it so I should be able to use it in safe mode. So you can ignore my last post.

Ahhh, I have the same problem as DrDeth…except I have always had this one spyware BTIEIN (or is it BETIEN?) attached to this about:blank opening page which is undeletable with Spybot and AdAware…what really kills me is that this spyware keeps me from downloading update files from Microsoft and other helpful sites. I’m getting a headache again.

Along with SpyBot & Adaware I also use a little utility called Bazooka. If it finds anything it won’t remove it automatically but will provide a link to very detailed instructions on how to (usually involves deleting registry keys etc.)

Not for the total newbie, but it’s found a lot of things that Adaware & SB couldn’t.

Hey thanks Number. I followed your instructions and I think I’ve finally rid my pc of CWS. Jees that was a horrible one (shudder).

Spybot is still showing the DSO Exploit though, can I get rid of that? My latest HJ log is:

Logfile of HijackThis v1.99.0
Scan saved at 7:20:08 AM, on 2/3/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM…\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM…\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM…\Run: [SystemTray] SysTray.Exe
O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM…\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab

In any case thanks for your help, Number.

DSO Exploit is a known false positive that is detected by Spybot, and will be corrected in the next version, due out soon. You may disregard it, or put it in your ignore list. It is caused when Spybot detects an IE security weakness even after it has been patched with the appropriate windows update.

That log looks clean. I’m glad the removal was successful.

Post your HijackThis log here if you’d like.

Ok.

I’ll take you up on this in a couple of days when I get some time off on the weekend…

Ok, Number & others, I have got a new one. HijackThis & SpywareBlaster both remove it, but this new one comes back within minutes. It also brings a fake Windows Wizard warning about being infected with spyware.

Logfile of HijackThis v1.99.0
Scan saved at 8:19:38 PM, on 2/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINNT\system32\MsiExec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM…\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM…\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM…\Run: [sp] rundll32 C:\WINNT\TEMP\se.dll,DllInstall
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

I know that the line I have bolded is related to this problem.
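Number’s reply further up walks the first log by hand and picks out the lines to remove, and the second log above has a similar problem. The script below is an added example written for this thread (not HijackThis code, and not Number’s method) that does the same first pass mechanically: it parses the R*/O* lines of a HijackThis log and flags the kinds of entries the thread points at. Every heuristic and threshold in it is this example’s own assumption, as is the `HOST_ALLOWLIST` of start/search pages the user chose themselves; the sample log is a constructed subset of lines from the two logs posted in the thread. A flag means “look at this one”, not “delete this one”.

```python
"""Triage a HijackThis log: parse the R*/O* lines and flag the patterns the
thread's replies pick out by hand. Added example written for this thread,
not HijackThis code; every heuristic and threshold below is an assumption
of this example, and a flag is a prompt to look closer, not a verdict."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: selected lines from the two logs posted in the thread.
# HijackThis itself writes the hive as "HKLM\..\Run"; the parser only keys
# on the leading R*/O* code, so either spelling of the hive is accepted.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XBRYGY~1.DLL
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\JEJEDN6FE2THD.EXE
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\M89OK2LSF24JGGC.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINNT\TEMP\se.dll,DllInstall
O16 - DPF: {0CB2BD5A-7A80-4BA9-B49A-02DC51144BDF} (vciewer control) - http://www.thepaymentcentre.com/build/vciewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1754.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"(?:ms-its:|mhtml:|https?://)\S+", re.IGNORECASE)
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption: the hosts this user knowingly chose as home and search page.
HOST_ALLOWLIST = {"www.google.co.uk", "www.google.com"}


@dataclass
class Entry:
    code: str
    body: str
    url: Optional[str] = None
    path: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """One Entry per R*/O* line; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        url = URL_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body,
                             url.group(0) if url else None,
                             path.group(0) if path else None))
    return entries


def looks_random(filename: str) -> bool:
    """Heuristic: a long name with several digits and almost no vowels."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 10:
        return False
    digits = sum(ch.isdigit() for ch in stem)
    vowels = sum(ch in "AEIOU" for ch in stem.upper())
    return digits >= 2 and vowels <= len(stem) // 4


def triage(entry: Entry) -> Entry:
    """Attach reasons to an entry; no reasons means nothing stood out."""
    if entry.code.startswith("R") and entry.url and "ProxyServer" not in entry.body:
        host = urlparse(entry.url).hostname or ""
        if host not in HOST_ALLOWLIST:
            entry.reasons.append(f"start/search page points at unrecognised host {host}")
    elif entry.code == "O2" and "(no name)" in entry.body:
        entry.reasons.append("BHO registered without a name")
    elif entry.code == "O4" and entry.path:
        name = entry.path.rsplit("\\", 1)[-1]
        if looks_random(name):
            entry.reasons.append(f"autorun executable with random-looking name {name}")
        if "\\TEMP\\" in entry.path.upper():
            entry.reasons.append("autorun entry loads code from a TEMP directory")
    elif entry.code == "O16" and entry.url:
        parsed = urlparse(entry.url)
        if parsed.scheme.lower() in ("ms-its", "mhtml"):
            entry.reasons.append("DPF uses a CHM/MHTML loader scheme instead of a plain http URL")
        if IP_HOST_RE.match(parsed.hostname or ""):
            entry.reasons.append("DPF fetches from a bare IP address")
        if parsed.path.lower().endswith(".exe"):
            entry.reasons.append("DPF fetches an .exe rather than a .cab")
    return entry


def flag_all(text: str) -> List[Entry]:
    """Parse and triage a whole log; return only entries with a reason."""
    return [e for e in map(triage, parse_log(text)) if e.reasons]


if __name__ == "__main__":
    for entry in flag_all(SAMPLE_LOG):
        print(f"{entry.code:<4} {entry.body}")
        for reason in entry.reasons:
            print(f"       -> {reason}")
```

Run against the constructed sample it flags the win-eto start/search pages, the nameless BHO, the two autorun executables with gibberish names, the rundll32 entry loading a DLL out of TEMP from the second log, and the two DPF entries that pull an executable from a bare IP or through the ms-its/mhtml loader; the Norton, Symantec, vptray and vciewer entries pass untouched. To use it on your own log, paste the log into `SAMPLE_LOG` or read it from a file, and put whatever start page and search engine you actually chose into `HOST_ALLOWLIST`, otherwise your own Google start page gets flagged too.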

Use Microsoft’s AntiSpyware app. Best damn spyware removal tool out there!

It’s still in Beta, but it still is light years better than any other tool out there (including Spybot, which is good).

Sadly, if you get Prutect Malware on your machine, the Beta is useless.

My problem keeps getting worse & worse…

Dr Deth and Bosda

I can’t help with the HijackThis log but you might want to post your logs on the SpywareInfo forum - those boys love a challenge. It might take them a couple of days to get round to your post so don’t “bump” your request like you would here but once they get round to dealing with it they sure are thorough.

Also a couple of things I’ve learnt:

  • you can tend to start getting a bit obsessive about the whole thing and spend time hunting round various anti-spyware sites. HOWEVER I’ve got a theory (not really backed up with any facts, just something I’ve noticed) that the spyware people tend to deliberately target anti-spyware sites. So by hunting around anti-spyware sites you may actually be increasing your chances of getting stuff. The spyware may not stay on these sites for very long before it gets removed, but it might be there for a day or two and you might get unlucky. So once you’ve got all your anti-spyware stuff in place and have removed it all from your computer, it’s a good idea to avoid the whole issue.

  • you can download SpywareGuard for free. This complements SpywareBlaster and works in the same way - it scans your machine on startup

  • you can download a free trial of SpySweeper from Webroot. You only get 30 days but it seems pretty good. After I got rid of CWS and all my anti-spyware stuff wasn’t finding anything I scanned with SpySweeper and it found a load of stuff that the others didn’t - mostly just leftover traces of CWS that were no longer active but it got rid of them all anyway. If you go to the Webroot site you can get a free online scan but it won’t remove anything unless you download the 30 day trial version. You don’t have to give them any financial details to get the trial.

Just a couple of things to try until someone more knowledgeable comes along (I’d barely even heard of malware until a couple of weeks ago).