Help - Search - Members - Calendar
Full Version: Unable to remove spyware
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
aardvark
May 5 2005, 08:18 PM
Hi,

Please find attached my current log. I have all but a few days ago totally reloaded the entire system from scratch due to a hard drive failure...and already I have spyware I can't remove.!! uhm.gif

Identified as BackWeb Lite...registry entries for:
HKEY_USERS\S-1-5-18\SOFTWARE\BACKWEB
HKEY_USERS\DEFAULT\SOFTWARE\BACKWEB

Running Spybot S&D from boot-up doesn't remove it either

Your advice would be greatly appreciated.

Cheers,

Aa

Logfile of HijackThis v1.99.1
Scan saved at 22:00:29, on 05/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\devldr32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\WINDOWS\System32\CTsvcCDA.EXE
E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\System32\GEARSec.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\system32\ezSP_Px.exe
E:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-xu\msnappau.exe
E:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
E:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
E:\Program Files\Creative\ShareDLL\CtNotify.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Creative\ShareDLL\MediaDet.Exe
E:\Program Files\Nikon\NkView5\NkvMon.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by cablecom hispeed internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-xu\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-xu\msntb.dll
O4 - HKLM\..\Run: [DIAGENT] E:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] E:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] E:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [RecoverFromReboot] E:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] E:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [msnappau] "E:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-xu\msnappau.exe"
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Disc Detector] E:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = E:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114813340296
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - E:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GEARSecurity - GEAR Software - E:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Mosaic1
May 5 2005, 09:49 PM
It's probably a registry permissions issue preventing you from deleting these keys.

HKEY_USERS\S-1-5-18\SOFTWARE\BACKWEB
HKEY_USERS\DEFAULT\SOFTWARE\BACKWEB


Find each of them, one at a time and right click on the BACKWEB key. Choose export from the menu to make a back up of the key.

Save each in a safe place. Two keys altogether.


I cannot find any definitive answers on this file you have listed in your startups:

O4 - HKLM\..\Run: [RecoverFromReboot] E:\WINDOWS\Temp\RecoverFromReboot.exe

Use msconfig to disable this item. Go to Start >Run and typing msconfig
Press enter
When msconfig opens, click the startup tab.

Find the entry for
RecoverFromReboot and click in the box in front of it to remove the checkmark. Apply.

If you have any problems later, you can re-enable it.

-------------

Before we try to remove the registry keys, look in Add Remove Programs for a BackWeb Entry. If you find it use it to uninstall BackWeb.

Restart and see if those registry keys are now gone.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.