
Problem after a spyware attack


ghost's Avatar
0 0

I recently had some bad spyware on my computer that masked itself as a spyware cleaner that you would have to pay for. But ever since I cleaned up the spyware I have been having some weird problems: when I search on Google I get my results, but when I try to go to the URL it redirects me to a junk site or to a 404 page. I also have problems downloading Firefox 3 and getting onto some other HTTPS sites. Any suggestions or help, I really would appreciate it.


ghost's Avatar
0 0

Eeehh. No offense, but hiding itself as a cleaner is a giant sign that there is soon to be spyware. Also a good indicator that there already is. Well, here is what you need to do for step one. Insert your operating system software and delete the partition. Then make the partition again and install the OS all over again. 'All ' + 'over ' + 'again' Then install motherboard drivers, then restart, then install video card drivers, and then do all of the Windows updates. And remember to continuously restart when it tells you to. Enjoy a long night!

And as a stat tip, don't enter any passwords. Except for the ones you have already lost. For example, most likely your HBH account.


korg's Avatar
Admin from hell
0 0

@chronicburst, You're an idiot. You don't just start reinstalling your OS because of rogue spyware. @OP. Give specific names as to what the spyware was and what site it brought you to. (IE: Antivirus 2008 or avsystem care) I probably already have the removal instructions as I do this every day. If you want, run HijackThis and post the log and I'll have you fixed up in no time.


korg's Avatar
Admin from hell
0 0

Is she a reinstall freak? I know a lot of them.


korg's Avatar
Admin from hell
0 0

Ouch: I would hate that shit.


clone4's Avatar
Perl-6 Wisdom Seeker
0 0

moshbat wrote: Yeah. I usually have… 4 minutes to fix a problem, or else in pops the disk, out pop my files.

Hahaha, same here :D sometimes I get even 10 min though :D


ghost's Avatar
0 0

Man, now I feel bad. I am a reinstall freak because my father is a network admin, so that's what he always taught me to do. Well, think of it like this. There's a skid bitch out there who took every single trojan he could find, and all the rootkits, and bound them together, and they distribute it. Usually where there's one, there's more. So I just reinstall. And now with this advice, I am going to try to stop..


yours31f's Avatar
Retired
10 0

Well, maybe you can help me out. I have two: IE Antivirus 2009, and some HP thing that says I have to enter a disk, which I of course don't have. Any help is appreciated.


ghost's Avatar
0 0

@korg hey, let me know where I can send that log. I would really like to fix it without reinstalling.


ghost's Avatar
0 0

Typically what happens is it'll hide itself as a .dll and hook into every process you open, exploiting known processes. Post your HJT log as an attachment.


korg's Avatar
Admin from hell
0 0

Pm me or post your log, I'll have a look.


ghost's Avatar
0 0

May I suggest post, we might as well all take a look.

Also, @Korg, I like your avatar; Slayer is a great band.


ghost's Avatar
0 0

Logfile of HijackThis v1.99.1
Scan saved at 20:09:22, on 8/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\wusb54gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Philips Webcam\Monitor.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
F:\Chapter 20 - Adware and Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA1\SPYBOT1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: bgrqfetx - {72B68A1C-58DD-41B5-B619-D78A182A77D9} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphclwuj0ee71] C:\WINDOWS\system32\lphclwuj0ee71.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\Philips Webcam\Monitor.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA1\MICROS2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA1\MICROS2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA1\MICROS2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA1\MICROS2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA1\SPYBOT1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA1\SPYBOT1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA1\COMMON1\Skype\SKYPE41.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA1\COMMON1\MICROS1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


ghost's Avatar
0 0

What is: C:\WINDOWS\system32\lphclwuj0ee71.exe ?

And what exactly is rundll32 running? Open up run -> msconfig -> startup tab -> find what rundll32 is starting.


yours31f's Avatar
Retired
10 0

That solved mine, thanks.


ghost's Avatar
0 0

Rundll32 is a Windows component to start various controls and stuff in Windows, e.g. Add/Remove Programs.

Can you do one thing though, Start->Run…->regedit

In there, go to HKEY_LOCAL_MACHINE->Software->Windows->CurrentVersion->Run.

When you are there, press the archive menu and press Export. Export it to the desktop, afterwards right-click the file you saved on the desktop and Edit it, copy the content of the file and post it here, so we can see what nasty shit runs when you boot up the box.


Uber0n's Avatar
Member
0 0

root_op wrote: Rundll32 is a windows component to start various controls and stuff in windows, ex. Add/remove program.

Can you do one thing though, Start->Run…->regedit

In there, go to HKEY_LOCAL_MACHINE->Software->Windows->CurrentVersion->Run.

When you are there, press the archive menu and press Export. Export it to the desktop, afterwards right-click the file you saved on the desktop and Edit it, copy the content of the file and post it here, so we can see what nasty shit runs when you boot up the box. Or just a print screen from Start->Run->msconfig->autostart ;)


ghost's Avatar
0 0

root_op wrote: Rundll32 is a windows component to start various controls and stuff in windows, ex. Add/remove program.

Can you do one thing though, Start->Run…->regedit

In there, go to HKEY_LOCAL_MACHINE->Software->Windows->CurrentVersion->Run.

When you are there, press the archive menu and press Export. Export it to the desktop, afterwards right-click the file you saved on the desktop and Edit it, copy the content of the file and post it here, so we can see what nasty shit runs when you boot up the box.

His HJT log already shows a dump of that portion in the registry.

If my guess is correct, though, rundll32 should be starting up the malicious file. In Msconfig it'll look something like: Startup Name | rundll32, "C:\location\of\evil\file"

Common trick to hide the name of the real process from things like the task manager.


ghost's Avatar
0 0

That's what happened to me on my previous box. Rundll would start the malicious file, which very shortly extended into "files". As a community with ethical hacking traits, I think it is safe to say how common it is that a hacker will always usually create another way into the system other than the way they gained access originally.


ghost's Avatar
0 0

This looks quite interesting: O4 - HKLM\..\Run: [lphclwuj0ee71] C:\WINDOWS\system32\lphclwuj0ee71.exe try to delete that from Task Manager, then delete it, also. Empty your prefetch folder afterwards as well.


ghost's Avatar
0 0

I just googled lphclwuj0ee71.exe in a variety of ways and nothing. It also appears like someone was using a trojan and made a server and started whacking at their keyboard. However… "j0ee" could have done this. Only kidding, but empty queries on Google.


ghost's Avatar
0 0

Well, it's a good guess to say that the filename was randomly generated, if this is the malicious file.

Also, I would suggest OP getting Unlocker Assistant. That way when you get the "access denied" when trying to delete the file, you can "unlock" all processes this beast hooked into.

Of course, I think we're getting ahead of ourselves, we still don't know if this is an evil file or not.


Uber0n's Avatar
Member
0 0

chronicburst wrote: I just googled lphclwuj0ee71.exe in a variety of ways and nothing. Many viruses and trojans create random names when they infect a computer. Some even modify a few bytes of their own code to change the file checksum ;)


ghost's Avatar
0 0

Uber0n wrote: Many viruses and trojans create random names when they infect a computer. Some even modify a few bytes of their own code to change the file checksum ;)

Damn kids and their polymorphic toys. :p


korg's Avatar
Admin from hell
0 0

I have the lphclwuj0ee71.exe listed as part of a rogue spyware called antiviruscleaner. @OP start up in safe mode, run HJT again and check these items:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: bgrqfetx - {72B68A1C-58DD-41B5-B619-D78A182A77D9} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\Run: [lphclwuj0ee71] C:\WINDOWS\system32\lphclwuj0ee71.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Then click Fix checked.

That will clean up a little bullshit you got in there also. When you're done, stay in safe mode and check your system32 folder for any "lphclwuj0ee71" files. Sometimes it will change to lphclwuj0ee71.exe2 or exe3 etc. Should be good after that.
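A small triage script for HijackThis-style O3/O4 lines, added here as an example; it is not code from this thread or from HijackThis. It applies the three signals the posters used by hand: an entry whose file is missing, a random-looking name like lphclwuj0ee71 or bgrqfetx, and rundll32 loading a DLL from outside the Windows directory (the "hide the real process behind rundll32" trick). The sample lines are constructed from the log above plus one assumed [wsvc] rundll32 entry, and the name heuristic and system-directory list are my assumptions, not HJT rules.

```python
import re

# Constructed HijackThis-style lines, modelled on the log posted in this thread.
# The [wsvc] line is an assumed example of the rundll32 trick, not from the OP's log.
SAMPLE_LOG = r"""
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: bgrqfetx - {72B68A1C-58DD-41B5-B619-D78A182A77D9} - C:\WINDOWS\bgrqfetx.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphclwuj0ee71] C:\WINDOWS\system32\lphclwuj0ee71.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [wsvc] rundll32.exe "C:\Documents and Settings\All Users\Application Data\xkqzptv.dll",Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
SYSTEM_DIRS = (r"c:\windows", "%systemroot%", "%windir%")  # assumed "expected" DLL homes

def looks_random(name):
    """Heuristic for machine-generated names such as lphclwuj0ee71 or bgrqfetx."""
    stem = name.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    runs = [len(r) for r in re.findall(r"[^aeiouy]+", "".join(letters))]  # consonant runs
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    has_digits = any(c.isdigit() for c in stem)
    return (max(runs, default=0) >= 5 or (len(letters) >= 8 and vowel_ratio < 0.25)
            or (has_digits and vowel_ratio < 0.35))

def rundll32_target(cmd):
    """If cmd is 'rundll32[.exe] <dll>,<entry>', return the DLL path, else None."""
    m = re.match(r'^(?:"?[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', cmd, re.I)
    return m.group("dll").strip() if m else None

def analyze(log_text):
    """Return (entry name, reason) pairs for autostart entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O3_RE.match(line):
            name, target = m["name"], m["path"]
        elif m := O4_RE.match(line):
            name, target = m["name"], m["cmd"]
        else:
            continue
        if "(file missing)" in target:
            findings.append((name, "orphaned entry: target file missing"))
        if looks_random(name):
            findings.append((name, "random-looking name"))
        dll = rundll32_target(target)
        if dll and "\\" in dll and not dll.lower().startswith(SYSTEM_DIRS):
            findings.append((name, "rundll32 loads DLL outside system dir: " + dll))
    return findings
```

Run `analyze(SAMPLE_LOG)` to get the flagged entries; a hit is a reason to look closer (check the file on disk, its signer and its dates), not proof of infection by itself.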


ghost's Avatar
0 0

Ok, I tried safe mode and removed the object, but I still am having the same problems. Any more suggestions? I really don't want to reformat. The object was named blphclwuj0ee71.


ghost's Avatar
0 0

Is there any way you could email me the exe file for that? I can't even get to the website to download it. I would really appreciate it. blackmind.2007@gmail.com thanks a lot


ghost's Avatar
0 0

I used my friend's computer to download it and it worked. Everything seems to be gone; I can get to the websites and download. Thanks a lot everyone for all your help.


ghost's Avatar
0 0

So far.. And by the way, I like your signature. How very true.


korg's Avatar
Admin from hell
0 0

Excellent. Post if you have any more problems with it.