Spyware

[Guest]

Somehow I got Spyware on my pc and it's really acting up. I cannot go online
long enought to purchase a spyware removal program. Is there something I can
do manually to remove this. Thanks.

 

[Malke]

Somehow I got Spyware on my pc and it's really acting up. I cannot go online
long enought to purchase a spyware removal program. Is there something I can
do manually to remove this. Thanks.

You need to get all tools/updates from a working, known-clean computer.
Put them on a usb key or burn a CD-R.

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
- download site

The site is in German but David's tool is in English so don't let that
worry you. Scroll all the way down to almost the bottom of the page and
you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
You'll see "Download von www pctipp.ch" and the live link to download
Multi_AV.

You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.


Malke

 

[rchapman0608]

Malke,
Thank you for the information. I have a log saved from hijackthis. I was a
little confused on the link where you wanted me to post the scan/log. I'm
gonna post it here, sorry. Also, My pc was built by me about 4yrs ago and has
run perfect until this deal happened. I have the original WinXP disc. Is
there anything I can do with that to repair Windows or do I have to manually
do this? Thanks for your help. Again, sorry for posting the log here.

 

[rchapman0608]

Logfile of HijackThis v1.99.1
Scan saved at 8:55:05 PM, on 11/24/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\DOCUME~1\RAYMON~1.CHA\APPLIC~1\FNTS~1\scanregw.exe
C:\Program Files\Common Files\?icrosoft\w?nspool.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Raymond J. Chapman\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices
\Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG
Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [44026031] rundll32.exe "C:\WINDOWS\System32\setshskt.dll",b
O4 - HKCU\..\Run: [Opit]
"C:\DOCUME~1\RAYMON~1.CHA\APPLIC~1\FNTS~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cwgssyo] "C:\Program Files\Common
Files\?icrosoft\w?nspool.exe"
O8 - Extra context menu item: &Search - ?p=ZKxdm086YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) -
https://mail08.mygulfstream.com/iNotes6W.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) -
http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O20 - AppInit_DLLs: WIKI.DLL c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program
Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program
Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner -
C:\WINDOWS\System32\hvkhuepb.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe

 

[Malke]

Logfile of HijackThis v1.99.1

(snip HJT log)

As I clearly stated in my original post to you, please do not post
HijackThis logs here in the MS newsgroups. HJT logs take a great deal of
time and expertise to analyze and you will not get the help you need
here. Instead, choose one of the specialty forums listed below (in no
particular order), register at it, read the posting FAQ, and post your
HJT log there. You will get guided help.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/


Malke

 

[R. McCarty]

Also the latest version of HiJackThis is now 2.0.2
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
*For Security Tools it is important to use the latest version & or
have the most recent definition files to be able to detect the latest
or most recent threats.

 

[PA Bear]

Format & reinstall Windows (again).

You'll now have the equivalent of a "new computer" so take care of
EVERYTHING on the following webpage before otherwise connecting the machine
to the internet (i.e., to surf, check email, chat, or download anything
else):

Before You Connect a New Computer to the Internet
http://www.cert.org/tech_tips/before_you_plug_in.html

Also see:

Security FAQ & Checklist
http://www.dslreports.com/faq/8463
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L.ORG http://66.39.69.143/

Logfile of HijackThis v1.99.1
Scan saved at 8:55:05 PM, on 11/24/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

<snip>