Stealthy Adware Problem


Snackplate

A few days ago, I accidentally downloaded and extracted a malicious RAR file, and it downloaded some nasty things onto my computer. These included a virus and some trojans, which were detected by AVG right as they woke up and scampered onto my machine.

I thought AVG killed them, but since then I have had an adware problem that is not being picked up by Spybot, Ad-Aware, or HJT, and AVG has 9 things in the Virus Vault from 7/3/2007 all listed as Trojans.

I've had problems in the past with browser-hijackers, pop-ups, etc, but this is far more mellow. Basically what's happening is that whenever I search for anything on any search website (Google, Yahoo, etc) about 3/4 of my results are the same websites:

Shopping.com
credit-land.com
DealTime.com
megasearch1.com
privacyprotector.com
TheCanadianMeds.com
offers.dadamobile.com
toseeka.com

It's to the point where out of a page of results, maybe 2 total will be ACTUAL results, and some of the ad results are sneaky enough that it's hard to tell.

I've run Spybot and HJT both in and out of Safe Mode, and Ad-Aware in normal mode, and they've found some other stuff, but this is still occurring. AVG has all that stuff in the Virus Vault, but there seems to be no way for me to actually DO anything about this, and I can't manually heal anything.

What is going on, what can I do, and am I going to have to reformat? I'll supply any information I can. Thanks in advance.
 
Download a program named autorun.exe. Try to remove some malicious autorun items with it.
Good luck
 
Sorry, I finally got some time to try and mess with this stuff. Here are the results:

I went to the link posted, went through the steps, and tried everything there. Some of the download links were broken, though, but I got everything that wasn't.

Other than using the programs listed, I also used two of the online virus scanners listed, and fixed the problems they came up with. All in all, I uninstalled a few adware programs that it turned out I had. I got rid of all my tracker cookies. I deleted registry items as necessary. I have been in and out of safe mode multiple times and have run all the adware/spyware/antivirus programs I have at least 3 times each.

I've done everything I can possibly think of, and everything that was listed. The bogus search results are still there. I'm pretty much losing my mind at this point.

Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:48:28 AM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Thottbot: World of Warcraft
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\autorun\x86\bin\nskey.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0929B818-DE8F-451F-B427-8409CFBC6C30}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D4B4A6A-2CD3-45DB-8B9C-6E3E235F7B54}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEC4952D-D4F6-4184-B3EF-0CD8DF539DDA}: NameServer = 194.54.90.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{0929B818-DE8F-451F-B427-8409CFBC6C30}: NameServer = 194.54.90.226
O17 - HKLM\System\CS3\Services\Tcpip\..\{0929B818-DE8F-451F-B427-8409CFBC6C30}: NameServer = 194.54.90.226
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
 
Remove these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0929B818-DE8F-451F-B427-8409CFBC6C30}: NameServer = 194.54.90.226

O17 - HKLM\System\CCS\Services\Tcpip\..\{7D4B4A6A-2CD3-45DB-8B9C-6E3E235F7B54}: NameServer = 194.54.90.226

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEC4952D-D4F6-4184-B3EF-0CD8DF539DDA}: NameServer = 194.54.90.226

O17 - HKLM\System\CS2\Services\Tcpip\..\{0929B818-DE8F-451F-B427-8409CFBC6C30}: NameServer = 194.54.90.226

O17 - HKLM\System\CS3\Services\Tcpip\..\{0929B818-DE8F-451F-B427-8409CFBC6C30}: NameServer = 194.54.90.226

If you still have issues after removing those, try this: open IE > click Tools > Internet Options > Advanced tab > Restore advanced settings.

Also, under the Internet Options menu, click the Security tab and reset all the zones to their default levels.
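Added example (not part of the thread, and not something any poster wrote): a small Python audit that parses the O17 lines from the HijackThis log above and flags per-interface static DNS servers that are public addresses, as the 194.54.90.226 entries are. The five O17 lines are copied from the log on this page; the sixth sample line, with a made-up interface GUID and two LAN resolvers, is constructed for contrast, and the `allowed` parameter is an assumption for sites that deliberately set a public resolver.

```python
"""Audit HijackThis O17 (per-interface static DNS NameServer) entries for DNS hijacking."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the O17 lines from the log above, verbatim, plus one
# hypothetical benign interface (fake GUID) that points at LAN resolvers.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0929B818-DE8F-451F-B427-8409CFBC6C30}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D4B4A6A-2CD3-45DB-8B9C-6E3E235F7B54}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEC4952D-D4F6-4184-B3EF-0CD8DF539DDA}: NameServer = 194.54.90.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{0929B818-DE8F-451F-B427-8409CFBC6C30}: NameServer = 194.54.90.226
O17 - HKLM\System\CS3\Services\Tcpip\..\{0929B818-DE8F-451F-B427-8409CFBC6C30}: NameServer = 194.54.90.226
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1,192.168.1.2
"""

# HJT abbreviates HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
# as HKLM\System\CCS\Services\Tcpip\..\{GUID}; CS2/CS3 are the ControlSet002/003 copies.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+?)\s*$"
)


@dataclass(frozen=True)
class O17Entry:
    control_set: str  # "CCS" for CurrentControlSet, "CS2"/"CS3" for the saved copies
    interface: str    # adapter GUID
    servers: tuple    # statically configured DNS servers, in the order listed


def parse_o17(log_text):
    """Return one O17Entry per O17 NameServer line; other log lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = tuple(s for s in re.split(r"[,\s]+", m.group("servers")) if s)
        entries.append(O17Entry(m.group("cs"), m.group("guid"), servers))
    return entries


def is_suspicious_server(server, allowed=frozenset()):
    """A static NameServer is suspicious when it is a public address the owner did
    not deliberately configure. Router- or ISP-assigned resolvers arrive via DHCP
    (stored in DhcpNameServer, not NameServer) and are usually a private LAN
    address such as 192.168.1.1, so a static public entry on every adapter is
    not a router setting."""
    if server in allowed:
        return False
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return True  # not a valid address at all: worth a look
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def audit(log_text, allowed=frozenset()):
    """Flag suspicious entries and record which control sets carry each bad server,
    so the cleanup covers CurrentControlSet and the ControlSet00N copies alike."""
    entries = parse_o17(log_text)
    suspicious = [e for e in entries
                  if any(is_suspicious_server(s, allowed) for s in e.servers)]
    control_sets = defaultdict(set)
    for e in suspicious:
        for s in e.servers:
            if is_suspicious_server(s, allowed):
                control_sets[s].add(e.control_set)
    return {
        "entries": entries,
        "suspicious": suspicious,
        "control_sets_by_server": {s: sorted(cs) for s, cs in control_sets.items()},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for e in report["suspicious"]:
        print(f"SUSPICIOUS {e.control_set} {e.interface} -> {', '.join(e.servers)}")
    for server, sets in report["control_sets_by_server"].items():
        print(f"{server} is set in control sets: {', '.join(sets)}")
```

Run against the log above, the audit reports the same public resolver on three adapters in CCS and again in CS2 and CS3. That last point is the practical caveat: the entry lives in ControlSet002 and ControlSet003 as well as CurrentControlSet, so fixing only the current set leaves copies that Windows can bring back (for example through Last Known Good Configuration); all five lines need to go, which is what the reply above lists.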
 
Thanks, that worked! I was afraid to remove those entries, because I wasn't sure if they had something to do with my router. But I guess they were the culprit after all.

Thank you!
 