RealSpy?

I got some sort of Trojan or something that doesn't show up during a system scan but came up as RealSpy during a XoftSpy scan. It comes back when restarted even though XoftSpy says it removed it.

Here's a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:05:10 AM, on 10/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Mike Chatelle\My Documents\My Received Files\hijackthis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HighPoint ATA RAID Management Software.lnk = C:\Program Files\HighPoint Technologies, Inc\HighPoint ATA RAID Management Software\raidman.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127638413046
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4.cab
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Also, I now get an error window when trying to start Avast, with a link to tech support:
http://www.avast.com/eng/i_have_installed_ava.html

After following the instructions and copy/pasting "C:\WINDOWS\SYSTEM32\REGSVR32.EXE ACTSKIN4.OCX"
I get the error message:
LoadLibrary("ACTSKIN4.OCX") failed - The specified module could not be found.

I hope you can help with this problem, thanks for your time
Money

There has been a recent and extensive topic on this very thing (RealSpy and XoftSpy), http://forum.avast.com/index.php?topic=24181.0; it is almost certainly a false positive. The upshot of the topic was to get rid of XoftSpy, chequered as its past is.

The removal, if this is a false positive as we suspect, could have removed an essential file, causing these issues. If XoftSpy has the option of restoring a previous deletion, you should first try this and see if it resolves the problem.

You also didn't mention what XoftSpy said the infected file name was, or where it was found, e.g. C:\windows\system32\infected-file-name.xxx ?

You will have to register ACTSKIN4.OCX.
Follow these instructions:

Select START → RUN…
Enter the following command:
If you have Windows NT or 2000:
C:\WINNT\SYSTEM32\REGSVR32.EXE ACTSKIN4.OCX
If you have Windows 95, 98 or ME:
C:\WINDOWS\SYSTEM\REGSVR32.EXE ACTSKIN4.OCX
If you have Windows XP:
C:\WINDOWS\SYSTEM32\REGSVR32.EXE ACTSKIN4.OCX
If you have Windows x64:
C:\WINDOWS\SysWOW64\REGSVR32.EXE ACTSKIN4.OCX

Press OK (or Enter).
A message saying that the file was successfully registered should appear…

For some reason, ActiveSkin (the third-party library avast uses for skinning) does not seem to be working on your system. As a workaround, we may disable skinning in avast; that should solve the problem.

To do that, open the file \data\avast4.ini, look up the [UserInterface] section, and add the following entry:

StartWithSkin=0

OK, here's what XoftSpy lists (same as on the other thread); these are not harmful?

activeskin4.skinlabel
activeskin.skinlabel.1
activeskin.skinlabel.1\clsid
activeskin.skinlabel\clsid
activeskin.skinlabel\curver
clsid{5945ea75-9bfa-461a-bd34-cea3a861ff16}
clsid{5945ea75-9bfa-461a-bd34-cea3a861ff16}\progid

And I did what you said to my Avast ini (StartWithSkin=0), and that works fine now.

They aren't harmful, and you should consider the other options that Tech gave, like registering actskin4.ocx again; that will allow you to use the avast skins. The only reason for the StartWithSkin=0 option is if for some reason the other option didn't work, and the only reason it doesn't work here is because XoftSpy killed it.

Tried that multiple times, only to get the same error message:
LoadLibrary("ACTSKIN4.OCX") failed - The specified module could not be found.

Probably because XoftSpy deleted it. Have you not tried restoring what XoftSpy did?
Any anti-spyware or security-based program worth its salt should give options to quarantine or save a copy before deletion, etc., so you can restore.

If you can't do that because you chose to delete rather than quarantine, etc., then try a repair of avast: Add/Remove Programs, select 'avast! Anti-Virus', click the Change/Remove button, scroll down to Repair, click Next and follow the prompts. You need to be online to do this.

I trust XoftSpy isn't long for this life ;D
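The two situations discussed above look the same from the avast error dialog but need different fixes: an unregistered ACTSKIN4.OCX is fixed by the regsvr32 step, while a deleted one makes regsvr32 itself fail with "The specified module could not be found" and only a quarantine restore or an avast repair helps. The following batch script, an added diagnostic that is not part of the avast instructions or of any post in this thread, tells the cases apart before you run regsvr32. It assumes the CLSID {5945ea75-9bfa-461a-bd34-cea3a861ff16} and ProgID ActiveSkin.SkinLabel that XoftSpy listed belong to the ActiveSkin control, and that the control lives in System32 (SysWOW64 on x64), as the registration instructions state. Run it from an administrator command prompt.

```batch
@echo off
rem Added diagnostic (not from the avast instructions or this thread's posters).
rem Decides whether ACTSKIN4.OCX is merely unregistered (regsvr32 fixes it) or
rem gone from disk (regsvr32 fails with "module could not be found"; only a
rem quarantine restore or an avast repair helps).
setlocal

set "OCX=actskin4.ocx"
rem CLSID and ProgID taken from the XoftSpy detection list in this thread;
rem assumed to belong to the ActiveSkin control.
set "CLSID={5945EA75-9BFA-461A-BD34-CEA3A861FF16}"
set "PROGID=ActiveSkin.SkinLabel"

rem 32-bit control: on x64 Windows it lives under SysWOW64, per the instructions.
set "SYSDIR=%SystemRoot%\System32"
if exist "%SystemRoot%\SysWOW64\regsvr32.exe" set "SYSDIR=%SystemRoot%\SysWOW64"

echo [1] File check: %SYSDIR%\%OCX%
if not exist "%SYSDIR%\%OCX%" (
    echo     MISSING - regsvr32 cannot load it. Restore the file from the
    echo     anti-spyware quarantine or run the avast repair; re-registering
    echo     will not help until the file is back.
    goto :done
)
echo     present

echo [2] COM registration check
reg query "HKCR\CLSID\%CLSID%\InprocServer32" /ve >nul 2>&1
if errorlevel 1 (
    echo     CLSID %CLSID% not registered - registering now
    "%SYSDIR%\regsvr32.exe" /s "%SYSDIR%\%OCX%"
    if errorlevel 1 (
        echo     regsvr32 failed; run it again without /s to see the dialog
        goto :done
    )
    echo     registered
) else (
    echo     already registered; server path:
    reg query "HKCR\CLSID\%CLSID%\InprocServer32" /ve
)

rem The ProgID keys are exactly what the anti-spyware flagged and removed.
reg query "HKCR\%PROGID%\CLSID" /ve >nul 2>&1
if errorlevel 1 (
    echo     WARNING: ProgID %PROGID% still missing - DllRegisterServer should
    echo     have recreated it; check the file is not a stale copy
) else (
    echo     ProgID %PROGID% present
)

:done
endlocal
```

If step 1 reports MISSING, skip straight to restoring from the anti-spyware's quarantine or to the avast repair in Add/Remove Programs; nothing in step 2 can succeed without the file on disk.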

:) Hi "Money":

I did notice from your HijackThis log that your Sun Java is extremely outdated and is therefore a serious security risk; I recommend you uninstall it ASAP, then go to www.majorgeeks.com/download4648.html to get the latest version.

OK, repaired the "skins" issues and updated the Sun Java RE.
Thanks to all of you guys for your timely help; never would have guessed it to be XoftSpy's false results. Not using it anymore, btw; got SuperAntiSpyware as per your recommendation ;)

Thanks again
Money

You're welcome, glad that we could help.

I have this also, but mine comes up as

"realspy, keylogger, critical"; that's what it comes up as.

My Windows programs don't function now, as it deleted a file that was needed by the OS! :-[

I hope it was a false positive, as I bought 2 items on my credit card that day :o

What is the file name and path?

I did a reinstall, as I was getting sick of my buggy OS anyway.
The file was something like:

"cannot run file as **** inf is missing in system32"

Can't remember the name now, but you couldn't even look at my computer, as everything was blank white; didn't find any icons and so on.

I've just bought a router now, so hopefully things won't be as bad as before, when I had a static IP and crap security!! ;)

I suppose everything is ok now…

Well, you'll need to restart the router (the modem should be) to get a new IP; otherwise the IP will remain the same until you 'reboot' the modem.