Need help getting rid of spyware

Status
Not open for further replies.

godai73 (Baseband Member, 90 messages):
My parents just started to learn how to use the internet. A couple of days ago, I hopped onto my computer and saw the homepage had been hijacked and a bunch of pop-ups came up. Therefore, I cleared the cache, cookies, and history from IE. I went into the Control Panel and saw some advertising stuff was installed on there. I proceeded to run Spybot and Ad-Aware and that got rid of tons of spyware. I ran my updated Norton Anti-Virus and it found some trojans, which it deleted. I rebooted and proceeded to run Spybot, Ad-Aware, and Norton again to play it safe. It looked like all the spyware was gone. Anyway, for the last couple of days, I still get random pop-ups, but they are more subtle, so I thought they were part of MSN or Yahoo. I go to my friend's private forum and certain words like 'card' and 'household' have a hyperlink on them. For the word 'card', only 'car' is hyperlinked, and when I click on the link, it takes me to a page with an advertisement. So, I have installed HijackThis and would like your help to see what I can remove. Please help. Thank you in advance.

Logfile of HijackThis v1.97.7
Scan saved at 4:16:51 PM, on 6/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
g:\programming\coldfusion\bin\cfserver.exe
g:\programming\coldfusion\bin\cfexec.exe
g:\programming\coldfusion\bin\CFRDSService.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\NavNT\rtvscan.exe
E:\WINNT\System32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\ZipToA.exe
E:\WINNT\System32\inetsrv\inetinfo.exe
E:\WINNT\system32\MsgSys.EXE
E:\WINNT\Explorer.EXE
G:\utilities\iomegaZipDrive\DriveIcons\ImgIcon.exe
E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
E:\Program Files\Hardware\Sound\skin\QveCplSk.EXE
G:\Media\Camera\Digital Imaging\Unload\hpqcmon.exe
G:\Media\Camera\HP Share-to-Web\hpgs2wnd.exe
G:\Media\Camera\HP Share-to-Web\hpgs2wnf.exe
E:\Program Files\NavNT\vptray.exe
E:\winnt\temp\h33.exe
E:\WINNT\system32\IEHost.exe
E:\WINNT\system32\lzsbck.exe
E:\WINNT\system32\wjvadm.exe
E:\WINNT\system32\RUNDLL32.EXE
E:\WINNT\system32\nwcannel.exe
C:\Program Files\SysAI\SysAI.exe
G:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\WINNT\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Daniel/DanielLaptop/Data/siteDaniel/Misc/bkmkParent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar_en_2.0.111-big.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar_en_2.0.111-big.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Iomega Startup Options] g:\utilities\iomegaZipDrive\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\utilities\iomegaZipDrive\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QveCtl2Tray] E:\Program Files\Hardware\Sound\skin\QveCplSk.EXE E:\Program Files\Hardware\Sound\skin
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CamMonitor] G:\Media\Camera\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] G:\Media\Camera\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\browers\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [h33.exe] E:\winnt\temp\h33.exe
O4 - HKLM\..\Run: [Dsi] E:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [fcjael] E:\WINNT\system32\lzsbck.exe
O4 - HKLM\..\Run: [AutoLoaderq2p21IPTXKNN] "E:\WINNT\system32\wjvadm.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [q96k36S] wjvadm.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [bypqRWe7g] nwcannel.exe
O4 - Startup: Internet Explorer.lnk = E:\Program Files\Internet Explorer\IEXPLORE.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .swf: G:\Browers\Netscape\Program\PLUGINS\npswf32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/216868990265fe09d115/netzip/RdxIE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38008.722037037
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
I ain't reading that lot!

OK, you've done AW and SB... so have you done CWShredder, then SpywareBlaster?
 
Yeah, run CWShredder. If that doesn't solve the problem, run Ad-Aware, Spybot AND CWShredder in Safe Mode.

That should do it. Make sure all three programs are up to date.

I forgot to mention: get a pop-up blocker like the Google bar and make sure you have a firewall running. If you don't already have Norton Firewall, then go download a free one like ZoneAlarm.
 
Hi provoko,

Run HijackThis, put a check next to these, close all browsers and hit Fix.

Make sure not to miss one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\WINNT\system32\SearchBar.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [h33.exe] E:\winnt\temp\h33.exe

O4 - HKLM\..\Run: [fcjael] E:\WINNT\system32\lzsbck.exe

O4 - HKLM\..\Run: [AutoLoaderq2p21IPTXKNN] "E:\WINNT\system32\wjvadm.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [q96k36S] wjvadm.exe

O4 - HKCU\..\Run: [bypqRWe7g] nwcannel.exe

-----------------------------------------------------------------------------------------------------------------------------------

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close My Computer.
9. Now your computer is configured to show all hidden files.

Reboot into Safe Mode.

How to boot into Safe Mode

Delete these files:

E:\WINNT\system32\SearchBar.htm
E:\WINNT\system32\wjvadm.exe
E:\winnt\temp\h33.exe
E:\WINNT\system32\nwcannel.exe
E:\WINNT\system32\lzsbck.exe


Come back and post a fresh log and tell me how your computer's running.

Lobos
 
Hi. Thanks for everyone's help. I really appreciate it. It looks like you guys helped me solve the problem. I don't get the advertisements and the hyperlinks anymore. But just in case, I am going to post my HijackThis log as LobosBlanco suggested (thanks LobosBlanco).

Logfile of HijackThis v1.97.7
Scan saved at 1:29:24 PM, on 6/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
g:\programming\coldfusion\bin\cfserver.exe
g:\programming\coldfusion\bin\cfexec.exe
g:\programming\coldfusion\bin\CFRDSService.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\NavNT\rtvscan.exe
E:\WINNT\Explorer.EXE
E:\WINNT\System32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\ZipToA.exe
E:\WINNT\System32\inetsrv\inetinfo.exe
G:\utilities\iomegaZipDrive\DriveIcons\ImgIcon.exe
E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
E:\Program Files\Hardware\Sound\skin\QveCplSk.EXE
G:\Media\Camera\Digital Imaging\Unload\hpqcmon.exe
G:\Media\Camera\HP Share-to-Web\hpgs2wnd.exe
G:\Media\Camera\HP Share-to-Web\hpgs2wnf.exe
E:\Program Files\NavNT\vptray.exe
E:\WINNT\system32\RUNDLL32.EXE
E:\WINNT\system32\npsolss.exe
E:\WINNT\system32\MsgSys.EXE
G:\downloads\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Daniel/DanielLaptop/Data/siteDaniel/Misc/bkmkParent.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar_en_2.0.111-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar_en_2.0.111-big.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Iomega Startup Options] g:\utilities\iomegaZipDrive\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\utilities\iomegaZipDrive\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QveCtl2Tray] E:\Program Files\Hardware\Sound\skin\QveCplSk.EXE E:\Program Files\Hardware\Sound\skin
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CamMonitor] G:\Media\Camera\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] G:\Media\Camera\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Dsi] E:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [eckqjwiitte] E:\WINNT\system32\lzsbck.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [bypqRWe7g] npsolss.exe
O4 - Startup: Internet Explorer.lnk = E:\Program Files\Internet Explorer\IEXPLORE.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .swf: G:\Browers\Netscape\Program\PLUGINS\npswf32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/216868990265fe09d115/netzip/RdxIE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38008.722037037
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
OK, you still have some stuff to get rid of.

Run HijackThis, put a check next to these, close all browsers and hit Fix.

Make sure not to miss one:

O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O4 - HKLM\..\Run: [TkBellExe] E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [Dsi] E:\WINNT\system32\dp-him.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [eckqjwiitte] E:\WINNT\system32\lzsbck.exe

O4 - HKCU\..\Run: [bypqRWe7g] npsolss.exe

O4 - Startup: Internet Explorer.lnk = E:\Program Files\Internet Explorer\IEXPLORE.EXE

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/216868990265fe...tzip/RdxIE2.cab
-----------------------------------------------------------------------------------------------------------------------------------

To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close My Computer.
9. Now your computer is configured to show all hidden files.

Reboot into Safe Mode.

How to boot into Safe Mode

Delete this folder:

C:\Program Files\AutoUpdate\

and these files:

E:\WINNT\system32\dp-him.exe
E:\WINNT\system32\npsolss.exe
E:\WINNT\system32\lzsbck.exe

Reboot back to normal mode.

Run an online antivirus check from at least one, and preferably two, of the following sites (select autoclean):

Housecall
Panda scan
RAV

Come back and post a fresh log and tell me how your computer's running.

Lobos
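Both of Lobos's replies do the same thing by eye: read each HijackThis line, decide whether it is a hijacked IE setting, an orphaned or unnamed BHO/toolbar, a Run entry that should not be there, or an ActiveX download from somewhere dubious, and then turn the flagged entries into a Safe Mode delete list. The script below, an added example written for this thread and not code from HijackThis or from any poster, encodes those signs as heuristics: IE search settings pointing at a local HTML file under the Windows directory or blanked out entirely, O2/O3 CLSIDs with no backing file, O4 Run entries launched from a temp folder, carrying a /HideUninstall switch, using a bare filename, or named with letter/digit soup, and O16 CABs served from a raw IP address. The sample lines are copied from the first log posted above; the weights, the threshold and the rule names are my own assumptions, and the result is a worklist for a person, not a verdict.

```python
# Added example for this thread, not HijackThis code: triage heuristics for HijackThis 1.97-style
# log lines. Weights and thresholds are my assumptions; the output is a worklist for a human, not a verdict.
import re
from urllib.parse import urlsplit

# Sample lines copied from the first log posted above (a subset of it).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\WINNT\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Daniel/DanielLaptop/Data/siteDaniel/Misc/bkmkParent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar_en_2.0.111-big.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QveCtl2Tray] E:\Program Files\Hardware\Sound\skin\QveCplSk.EXE E:\Program Files\Hardware\Sound\skin
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [h33.exe] E:\winnt\temp\h33.exe
O4 - HKLM\..\Run: [fcjael] E:\WINNT\system32\lzsbck.exe
O4 - HKLM\..\Run: [AutoLoaderq2p21IPTXKNN] "E:\WINNT\system32\wjvadm.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [q96k36S] wjvadm.exe
O4 - HKCU\..\Run: [bypqRWe7g] nwcannel.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/216868990265fe09d115/netzip/RdxIE2.cab
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def run_target(cmd):
    """Executable a Run-key command launches: the quoted path, else the text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def score_run_entry(name, cmd):
    """Strong signs weigh 3, weak ones 1 (assumed weights); a total of 2 or more goes on the fix list."""
    exe = run_target(cmd)
    low, stem = exe.lower(), exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    signs = [
        ("\\temp\\" in low, "runs from a temp directory", 3),
        ("/hideuninstall" in cmd.lower(), "/HideUninstall switch", 3),
        ("\\" not in exe, "bare filename resolved via system32/PATH", 1),
        (bool(re.search(r"[a-z]\d|\d[a-z]", name, re.I)), "digits mixed into the value name", 1),
        (len(name) >= 5 and bool(re.fullmatch(r"[a-z]+", name)), "lowercase letter-soup value name", 1),
        ("system32" in low and stem not in name.lower(), "unrecognised exe dropped in system32", 1),
    ]
    hits = [(why, weight) for hit, why, weight in signs if hit]
    return exe, sum(weight for _, weight in hits), [why for why, _ in hits]

def check_r_entry(line):
    value = line.partition("=")[2].strip()
    if "is missing" in line or not value:
        return "fix", "IE search setting blanked out or removed"
    if value.lower().startswith("file:") and re.search(r"winnt|windows|system32", value, re.I):
        return "fix", "IE pointed at a local HTML file under the Windows directory"
    return None

def check_object(line):
    if line.endswith("(no file)"):
        return "fix", "CLSID still registered but its DLL is gone"
    if "(no name)" in line:
        return "review", "unnamed BHO/toolbar: confirm the DLL's vendor before keeping it"
    return None

def check_dpf(line):
    host = urlsplit(line.rsplit(" - ", 1)[-1]).hostname or ""
    is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)
    return ("fix", "ActiveX CAB fetched from a raw IP address") if is_ip else None

def classify(line):
    """One (severity, reason) or None per log line; 'review' means a person must decide."""
    code = line.split(" ", 1)[0]
    if code in ("R0", "R1", "R3"):
        return check_r_entry(line)
    if code in ("O2", "O3"):
        return check_object(line)
    if code == "O16":
        return check_dpf(line)
    if code == "O4" and (m := O4_RE.match(line)):
        _, score, reasons = score_run_entry(m["name"], m["cmd"])
        return ("fix", "; ".join(reasons)) if score >= 2 else None
    return None

def triage(log_text):
    """(severity, line, reason) for every line a helper would act on."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    return [(v[0], line, v[1]) for line in lines if (v := classify(line))]

def deletion_candidates(log_text):
    """Files the fix-list entries load: what to delete in Safe Mode after HijackThis 'Fix'."""
    paths = set()
    for sev, line, _ in triage(log_text):
        if sev == "fix" and (m := O4_RE.match(line)):
            paths.add(run_target(m["cmd"]))
        elif sev == "fix" and line.startswith("R") and "file://" in line:
            paths.add(line.partition("file://")[2].strip())
    return sorted(paths)
```

Calling `triage(SAMPLE_LOG)` gives ten "fix" findings, which are every entry in Lobos's first list except the sep.dll BHO (it has a file, so it only reaches "review"), and `deletion_candidates(SAMPLE_LOG)` reproduces his Safe Mode delete list, with the two bare names (`wjvadm.exe`, `nwcannel.exe`) still to be located under system32, which is exactly why the reply pairs the HijackThis fix with showing hidden files and booting to Safe Mode. The misses are as instructive as the hits: `[Dsi] E:\WINNT\system32\dp-him.exe` scores only 1 and the `Band Class` toolbar has both a name and a file, so neither makes the list until someone recognises the SEP DLL by hand; that judgment is what the thread's helper supplies, and a script like this only tells him where to look first.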
 