I need help cleaning up the last of some malware.

Guest

I got some harsh malware on my PC after visiting a website that basically
spammed me with anti-virus ads. It would run multiple processes, slow my
internet, force me to visit websites, trigger pop-ups, and various other
stuff. I've removed almost all of it after a handful of hours studying my
processes and programs, and a few nights of running reputable anti-malware
software.

All that's left is this pop-up that I got every 20 minutes or so. It doesn't
seem to be triggered by anything outside of Internet Explorer being run.
Nothing seems to remove it either in terms of the programs I have.

Logfile of HijackThis v1.99.1
Scan saved at 5:15:37 PM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kyan Mehwulfe\Desktop\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcoyssn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\mcoyssn.dll,ortdwmf
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thank you.
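As an added example (not part of the original post, and not code from HijackThis or any of the tools named in the thread), the script below parses the O4, O18 and O20 lines of a HijackThis log as text and applies the kind of checks a reviewer makes by hand on such a log: a Run value that launches rundll32 with a DLL not on an allow-list, a Run value named after a DLL rather than a product, a MIME filter that is registered but points at no file, and a Winlogon Notify DLL not on an allow-list. The sample input is copied from the log above (the two wrapped rundll32 lines are re-joined); the allow-lists are constructed for this one machine and are an assumption, not a vendor list.

```python
import re
from typing import List, Optional, Tuple

# Entries copied from the HijackThis log in the post above (the two wrapped
# rundll32 lines are re-joined onto single lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [mcoyssn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\mcoyssn.dll,ortdwmf
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed allow-lists for this particular machine (assumption: an analyst
# builds them from software known to be installed, here the NVIDIA driver and
# Windows Genuine Advantage, both visible elsewhere in the log).
KNOWN_RUNDLL32_DLLS = {"nvcpl.dll", "nvmctray.dll"}
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - (?P<clsid>.+?) - (?P<file>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

Finding = Tuple[str, str, str]  # (HijackThis section, entry name, reason)


def rundll32_target(cmd: str) -> Optional[str]:
    """If a Run-key command launches rundll32, return the lower-case basename
    of the DLL it loads (the part before ',export'); otherwise return None."""
    parts = cmd.split(None, 1)
    exe = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("rundll32.exe", "rundll32") or len(parts) < 2:
        return None
    dll_path = parts[1].split(",", 1)[0].strip().strip('"')
    return dll_path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Apply simple review heuristics to the O4/O18/O20 lines of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            name, cmd = m["name"], m["cmd"]
            dll = rundll32_target(cmd)
            if dll and dll not in KNOWN_RUNDLL32_DLLS:
                findings.append(("O4", name, f"rundll32 loads a DLL not on the allow-list: {dll}"))
            if name.lower().endswith(".dll"):
                # Products normally name their Run value after the product;
                # a value named after the DLL itself deserves a second look.
                findings.append(("O4", name, "Run value is named after a DLL rather than a product"))
        elif m := O18_RE.match(line):
            if m["file"] == "(no file)":
                findings.append(("O18", m["mime"], "MIME filter registered but its file is missing"))
        elif m := O20_RE.match(line):
            base = m["path"].rsplit("\\", 1)[-1].lower()
            if base not in KNOWN_WINLOGON_NOTIFY:
                findings.append(("O20", m["name"], f"Winlogon Notify DLL not on the allow-list: {base}"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name:20} {reason}")
```

Run against the sample, it reports the `mcoyssn.dll` Run value twice (unrecognised rundll32 target, and a value named after its DLL) and the two dangling `O18` filters, while the NVIDIA, Java, Cacheman and WgaLogon entries pass. The allow-lists are the weak point of any such script: an entry that is not flagged is only as trustworthy as the list, so the output is a worklist for the manual property check, not a verdict.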
 
Pennywise

Kyan M. said:
All that's left is this pop-up that I got every 20 minutes or so. It doesn't
seem to be triggered by anything outside of Internet Explorer being run.
Nothing seems to remove it either in terms of the programs I have.

Logfile of HijackThis v1.99.1

Paste it here http://hijackthis.de/en
 
Joe Wright

Kyan said:
I accidentally deleted my last paragraph when I posted the HijackThis log.

I used this guide:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

I downloaded, updated, and ran all 9 recommended programs multiple times over
the span of multiple days. They can't seem to remove this one last problem.
They come up clean on scans though.

Thanks.

Look in Internet Options, General tab, Settings button, View Object
button, double-click each object to see its properties. Anything
suspicious? Don't just remove arbitrarily; I've seen modem components
listed there.

On the same General tab, click Delete files and include "Delete all
offline content".

Did you update the definitions on "Spybot Search & Destroy"?

Run some of these in Safe Mode where some malware can't disable a/v and
spyware programs.

I personally like Avast! because it does spyware and antivirus. I also
run Spybot Search & Destroy.

A Google Groups search should help. Make sure you enter the name of
the software in the popup ad to narrow the search results:

http://groups.google.com/groups/search?q=popup+antivirus+ads&qt_s=Search
 
Frank Saunders, MS-MVP OE

Kyan M. said:
I got some harsh malware on my PC after visiting a website that basically
spammed me with anti-virus ads. It would run multiple processes, slow my
internet, force me to visit websites, trigger pop-ups, and various other
stuff. I've removed almost all of it after a handful of hours studying my
processes and programs, and a few nights of running reputable anti-malware
software.

All that's left is this pop-up that I got every 20 minutes or so. It doesn't
seem to be triggered by anything outside of Internet Explorer being run.
Nothing seems to remove it either in terms of the programs I have.

Logfile of HijackThis v1.99.1
Scan saved at 5:15:37 PM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


**Post your HijackThis log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

--
Frank Saunders, MS-MVP OE/WM
Reply in newsgroup
http://www.fjsmjs.com
"They who would give up an essential liberty for temporary security, deserve
neither liberty or security"
-B. Franklin
 
