Undetectable Spyware

Nate

Hi, I have Windows XP Home Edition. I recently got some spyware that pops IE
up (I have FF set as default; the game I play loads IE, and once it is loaded
the popups continue until I restart. I notice that msmsgs.exe is always
running when the spyware does, because IE loads it. I renamed the exe hoping
to stop it for now).


I have tried:

Adaware Personal
AVG Antispyware
NOD32 Antivirus
Spybot S&D
CCleaner
Windows Defender
Windows Malicious Software Removal Tool

None of them detect it. AVG found a couple of trojans that NOD32 didn't pick
up, and some tracking cookies (I don't care about the cookies). Spybot found a
few entries that were low risk, and Adaware found a trojan and deleted
it (even though AVG found it later on).


I would really like an option that is NOT formatting my hard drive, if
possible. Thanks!


Also, in startup I found:

uphitudr rundll.exe "C:\WINDOWS\system32\uphitudr.dll", setvm

Probably something to do with Windows Defender, even though MSASCui is
already on the list for it.
 
Guest


1. Click Start >> Control Panel >> double-click Network and Internet
Connections >> double-click Internet Options. On the IE Properties window
you will see these tabs:
General | Security | Privacy | Content | Connections | Programs | Advanced.

Click on the General tab (1st tab on the left) and you will see a button called
[Clear History...]; click on it to clear your history cache, then click on
[Delete Files...] to delete the Internet files created over time, and click on
[Delete Cookies...] to delete the cookies left by visiting websites.

= Then try to disable the add-ons somehow installed on your browser. To
disable the add-ons, follow this:
Click on the Programs tab and then click the Manage Add-Ons button; there, disable
the None/Not Verified plug-ins/add-ons (you need to re-enable them one by one
later and see which is the culprit, or you can post them here in your next
post) and click [OK] to confirm your changes.

Click on the Advanced tab, scroll down under the Browsing option and uncheck
this box:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest)
and click Apply, then OK to close your IE Properties.

= Open Windows Explorer and locate this path:
C:\Windows\System32\drivers\etc = look in the right pane/window for the
file called HOSTS (but not the one with the extension *.SAM*; leave
that one as is).
If you can't see it, try clicking Tools >> Folder Options and select Show
hidden files and folders, then right-click the Hosts file and select Open With >
Notepad.
There, look for any reference to that site and remove it. Your Hosts file should
look like this:
# 102.54.94.97 rhino.acme.com # Source server
# 38.25.63.10 x.acme.com # Client Host
127.0.0.1 LocalHost
------------------------------------------
Remove all other references other than those above.

Run Disk Cleanup and Defrag in Safe Mode.

If you are still being directed, download HijackThis and send the report to one
of the many forums for analysis and troubleshooting:
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
HTH.
Let us know.
Regards,
nass
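Added example (not part of nass's post or any tool named in the thread): a small Python audit of the HOSTS file that does what the step above describes, keeping the default localhost mapping and the commented sample lines, reporting every other mapping (a name blackholed to 127.0.0.1, in the tagged style Nate reports further down, or a name redirected to some other address), and producing the cleaned file. The file content in the block is constructed.

```python
"""Audit a Windows HOSTS file the way the thread describes: keep the
loopback entry and the commented sample lines, report every other
mapping, and produce the cleaned file.  Added example; the file
content below is constructed."""

# Names the default XP hosts file maps to loopback.
DEFAULT_KEEP = {"localhost"}

# Constructed sample: the stock file, two rogue-AV domains blackholed
# with an "added by" tag (the style Nate reports), and one entry that
# redirects a real-looking site to a non-loopback address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# 102.54.94.97     rhino.acme.com          # source server
#  38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1 www.winfixer.com ## added by CiD
127.0.0.1\tdownload.errorsafe.com   ## added by CiD
192.0.2.10 www.example-bank.test   # CONSTRUCTED hijack entry
"""

def parse_hosts(text):
    """Yield (lineno, ip, [names], comment) for every active mapping.
    Blank and comment-only lines are skipped; an inline comment is kept
    so the report can show markers such as 'added by'."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, _, comment = raw.partition("#")
        fields = line.split()          # handles spaces and tabs alike
        if len(fields) < 2:
            continue                   # blank, comment-only, or no name
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        yield lineno, ip, names, comment.lstrip("#").strip()

def audit_hosts(text, keep=DEFAULT_KEEP):
    """Split mappings into kept (loopback -> default names) and
    suspicious.  A suspicious mapping is a 'blackhole' when it points a
    name at loopback (the CiD entries) or a 'redirect' otherwise."""
    kept, suspicious = [], []
    for lineno, ip, names, comment in parse_hosts(text):
        loopback = ip.startswith("127.") or ip == "::1"
        if loopback and all(n in keep for n in names):
            kept.append((lineno, ip, names))
            continue
        suspicious.append({"line": lineno, "ip": ip, "names": names,
                           "kind": "blackhole" if loopback else "redirect",
                           "comment": comment})
    return kept, suspicious

def cleaned_hosts(text, keep=DEFAULT_KEEP):
    """Return the file with suspicious mappings removed and everything
    else (comments, blank lines, the localhost line) untouched."""
    drop = {s["line"] for s in audit_hosts(text, keep)[1]}
    return "\n".join(ln for i, ln in enumerate(text.splitlines(), 1)
                     if i not in drop) + "\n"

if __name__ == "__main__":
    for s in audit_hosts(SAMPLE_HOSTS)[1]:
        print(f"line {s['line']}: {s['kind']:9} {s['ip']:12} "
              f"{' '.join(s['names'])}  # {s['comment']}")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

Review the report before writing the cleaned text back; a legitimate local mapping someone added on purpose would also be listed as suspicious.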
 
Nate

What is CiD? Those are some of the websites that it directed me to (not all
of them).
 
B. Nice

Hi, I have Windows XP Home Edition. I recently got some spyware that pops IE
up (I have FF set as default; the game I play loads IE, and once it is loaded
the popups continue until I restart. I notice that msmsgs.exe is always
running when the spyware does, because IE loads it. I renamed the exe hoping
to stop it for now).

You can try HiJackThis and have someone who knows how to interpret the
output look at it. Eventually you can post it to a forum that deals
with HJT logs.

I have tried:

Adaware Personal
AVG Antispyware
NOD32 Antivirus
Spybot S&D
CCleaner
Windows Defender
Windows Malicious Software Removal Tool

None of them detect it.

Geez. Do you have room on your machine left also for more useful
programs?

AVG found a couple of trojans that NOD32 didn't pick
up and some tracking cookies (I don't care about the cookies).

A couple of trojans??? - What on earth are you doing with your
computer?

Spybot found a few entries that were low risk, and Adaware found a trojan and deleted
it (even though AVG found it later on).

I would really like an option that is NOT formatting my hard drive, if
possible. Thanks!

Get a clue. There is no other method that can guarantee you a clean
machine. But if you are so badly infected there is something
fundamentally wrong with what you are doing, and unless you start
learning about security and how to avoid bad stuff in the first place
it's just a question of time until you have your computer messed up
again.
 
Guest

Nate,
Remove these entries from the Hosts file as per my instructions in the first
post, then open Windows Explorer and locate this path:
C:\Documents and Settings\All Users\Application Data = delete the suspicious
file/folder with the extension ".exe"; make sure it is the right one.
Then click Start–>Settings–>Control Panel–>Add and Remove Programs, then
select CiD Help and click Remove.
Open a Run command and type in:
regedit, then click [OK].
In the Registry Editor locate these keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = delete any
suspicious running process in the right pane/window.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks =
delete any search hook that is not from MS; you can copy them and search the net for them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\BDHelper
= delete any search hook that is not from MS; you can copy them and search the net for them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run =
delete any suspicious running process in the right pane/window.

Then run a complete scan, run HijackThis and send the log to any
forum on the web that specializes in analysing HijackThis logs to make sure everything is
cleaned out, and please raise the security on your browser and disable
P2P for now.
HTH.
nass
===
www.nasstec.co.uk

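Added example (not from nass or the thread): a Python triage of Run-key entries exported with `reg export`, resolving what each entry really launches so that a DLL started through rundll/rundll32 is reported as the payload rather than the loader. The export text is constructed; the uphitudr line is the startup entry Nate posted, the other two entries are made up for contrast.

```python
"""Triage autostart entries from a .reg export of the Run keys nass
names, resolving what each entry actually launches.  A DLL started via
rundll/rundll32 (the uphitudr entry from the thread) is reported as the
payload, not the loader.  Added example; the export text is constructed."""
import re

# Constructed export: a Windows Defender entry, the thread's
# rundll-launched DLL, and a plain unquoted program path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSASCui"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"uphitudr"="rundll.exe \"C:\\WINDOWS\\system32\\uphitudr.dll\", setvm"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# "name"="string" lines only; REG_DWORD/REG_BINARY values are skipped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_LOADERS = {"rundll.exe", "rundll32.exe", "rundll32"}

def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_values(text):
    """Return {key_path: {value_name: string}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def split_command(cmd):
    """Separate program from arguments, honouring a quoted program path
    (needed for paths with spaces such as Program Files)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    prog, _, args = cmd.partition(" ")
    return prog, args.strip()

def triage_entry(name, cmd):
    """Describe what an autostart entry really executes."""
    prog, args = split_command(cmd)
    info = {"name": name, "program": prog, "payload": prog,
            "loader": None, "entry_point": None}
    if prog.lower().rsplit("\\", 1)[-1] in _LOADERS:
        # rundll32 syntax: <dll>,<entry point>; the DLL is the real code.
        dll, _, entry = args.partition(",")
        info.update(loader=prog, payload=dll.strip().strip('"'),
                    entry_point=entry.strip() or None)
    return info

def triage_run_keys(text):
    """Triage every string value under every key in the export."""
    return [triage_entry(n, v) for vals in parse_reg_values(text).values()
            for n, v in vals.items()]

if __name__ == "__main__":
    for e in triage_run_keys(SAMPLE_REG):
        via = f" via {e['loader']} ({e['entry_point']})" if e["loader"] else ""
        print(f"{e['name']:12} -> {e['payload']}{via}")
```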
 
