Need help getting rid of spyware - Techist - Tech Forum

06-15-2004, 04:26 PM   #1
Junior Techie
Join Date: Jan 2004
Posts: 90
Need help getting rid of spyware

My parents just started to learn how to use the internet. A couple of days ago, I hopped onto my computer and saw the homepage had been hijacked and a bunch of pop-ups came up. Therefore, I cleared the cache, cookies, and history from IE. I went into the Control Panel and saw some advertising stuff was installed on there. I proceeded to run Spybot and Ad-Aware and that got rid of tons of spyware. I ran my updated Norton Anti-Virus and it found some trojans, which it deleted. I rebooted and proceeded to run Spybot, Ad-Aware, and Norton again to play it safe. It looked like all the spyware was gone. Anyway, for the last couple of days, I still get random pop-ups, but they are more subtle, so I thought they were part of MSN or Yahoo. I go to my friend's private forum and certain words like 'card' and 'household' have a hyperlink on them. For the word 'card', only 'car' is hyperlinked, and when I click on the link, it takes me to a page with advertisements. So, I have installed HijackThis and would like your help to see what I can remove. Please help. Thank you in advance.

Logfile of HijackThis v1.97.7
Scan saved at 4:16:51 PM, on 6/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
g:\programming\coldfusion\bin\cfserver.exe
g:\programming\coldfusion\bin\cfexec.exe
g:\programming\coldfusion\bin\CFRDSService.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\NavNT\rtvscan.exe
E:\WINNT\System32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\ZipToA.exe
E:\WINNT\System32\inetsrv\inetinfo.exe
E:\WINNT\system32\MsgSys.EXE
E:\WINNT\Explorer.EXE
G:\utilities\iomegaZipDrive\DriveIcons\ImgIcon.exe
E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
E:\Program Files\Hardware\Sound\skin\QveCplSk.EXE
G:\Media\Camera\Digital Imaging\Unload\hpqcmon.exe
G:\Media\Camera\HP Share-to-Web\hpgs2wnd.exe
G:\Media\Camera\HP Share-to-Web\hpgs2wnf.exe
E:\Program Files\NavNT\vptray.exe
E:\winnt\temp\h33.exe
E:\WINNT\system32\IEHost.exe
E:\WINNT\system32\lzsbck.exe
E:\WINNT\system32\wjvadm.exe
E:\WINNT\system32\RUNDLL32.EXE
E:\WINNT\system32\nwcannel.exe
C:\Program Files\SysAI\SysAI.exe
G:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\WINNT\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Daniel/DanielLaptop/Data/siteDaniel/Misc/bkmkParent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar_en_2.0.111-big.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar_en_2.0.111-big.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Iomega Startup Options] g:\utilities\iomegaZipDrive\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\utilities\iomegaZipDrive\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QveCtl2Tray] E:\Program Files\Hardware\Sound\skin\QveCplSk.EXE E:\Program Files\Hardware\Sound\skin
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CamMonitor] G:\Media\Camera\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] G:\Media\Camera\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\browers\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [h33.exe] E:\winnt\temp\h33.exe
O4 - HKLM\..\Run: [Dsi] E:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [fcjael] E:\WINNT\system32\lzsbck.exe
O4 - HKLM\..\Run: [AutoLoaderq2p21IPTXKNN] "E:\WINNT\system32\wjvadm.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [q96k36S] wjvadm.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [bypqRWe7g] nwcannel.exe
O4 - Startup: Internet Explorer.lnk = E:\Program Files\Internet Explorer\IEXPLORE.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .swf: G:\Browers\Netscape\Program\PLUGINS\npswf32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/216868990265fe0...zip/RdxIE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8008.722037037
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
godai73
06-15-2004, 09:07 PM   #2
Super Techie
Join Date: Aug 2003
Posts: 268

I ain't reading that lot!

OK, you've done AW and SB... so have you done CWShredder, then SpywareBlaster?
roho
06-16-2004, 12:20 AM   #3
Junior Techie
Join Date: Mar 2004
Posts: 69

Yeah, run CWShredder. If that doesn't solve the problem, run Ad-Aware, Spybot AND CWShredder in Safe Mode.

That should do it. Make sure all three programs are up to date.

I forgot to mention, get a pop-up blocker like the Google bar and make sure you have a firewall running. If you don't already have Norton firewall, then go download a free one like ZoneAlarm.
provoko
06-16-2004, 01:26 AM   #4
Ultra Techie
Join Date: Apr 2004
Posts: 617

hi provoko

Run HijackThis, put a check next to these, close all browsers and hit Fix.

Make sure not to miss one.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\WINNT\system32\SearchBar.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - E:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [h33.exe] E:\winnt\temp\h33.exe

O4 - HKLM\..\Run: [fcjael] E:\WINNT\system32\lzsbck.exe

O4 - HKLM\..\Run: [AutoLoaderq2p21IPTXKNN] "E:\WINNT\system32\wjvadm.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [q96k36S] wjvadm.exe

O4 - HKCU\..\Run: [bypqRWe7g] nwcannel.exe

-----------------------------------------------------------------------------------------------------------------------------------

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.

Reboot into Safe Mode.

How to boot into Safe Mode

Delete these files:

E:\WINNT\system32\SearchBar.htm
E:\WINNT\system32\wjvadm.exe
E:\winnt\temp\h33.exe
E:\WINNT\system32\nwcannel.exe
E:\WINNT\system32\lzsbck.exe


Come back and post a fresh log and tell me how your computer's running.

Lobos
06-16-2004, 01:50 PM   #5
Junior Techie
Join Date: Jan 2004
Posts: 90

Hi. Thanks for everyone's help. I really appreciate it. It looks like you guys helped me solve the problem. I don't get the advertisements and the hyperlinks anymore. But just in case, I am going to post my HijackThis log as LobosBlanco suggested (thanks LobosBlanco).

Logfile of HijackThis v1.97.7
Scan saved at 1:29:24 PM, on 6/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
g:\programming\coldfusion\bin\cfserver.exe
g:\programming\coldfusion\bin\cfexec.exe
g:\programming\coldfusion\bin\CFRDSService.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\NavNT\rtvscan.exe
E:\WINNT\Explorer.EXE
E:\WINNT\System32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\ZipToA.exe
E:\WINNT\System32\inetsrv\inetinfo.exe
G:\utilities\iomegaZipDrive\DriveIcons\ImgIcon.exe
E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
E:\Program Files\Hardware\Sound\skin\QveCplSk.EXE
G:\Media\Camera\Digital Imaging\Unload\hpqcmon.exe
G:\Media\Camera\HP Share-to-Web\hpgs2wnd.exe
G:\Media\Camera\HP Share-to-Web\hpgs2wnf.exe
E:\Program Files\NavNT\vptray.exe
E:\WINNT\system32\RUNDLL32.EXE
E:\WINNT\system32\npsolss.exe
E:\WINNT\system32\MsgSys.EXE
G:\downloads\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Daniel/DanielLaptop/Data/siteDaniel/Misc/bkmkParent.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar_en_2.0.111-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar_en_2.0.111-big.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Iomega Startup Options] g:\utilities\iomegaZipDrive\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\utilities\iomegaZipDrive\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QveCtl2Tray] E:\Program Files\Hardware\Sound\skin\QveCplSk.EXE E:\Program Files\Hardware\Sound\skin
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CamMonitor] G:\Media\Camera\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] G:\Media\Camera\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Dsi] E:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [eckqjwiitte] E:\WINNT\system32\lzsbck.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [bypqRWe7g] npsolss.exe
O4 - Startup: Internet Explorer.lnk = E:\Program Files\Internet Explorer\IEXPLORE.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .swf: G:\Browers\Netscape\Program\PLUGINS\npswf32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/216868990265fe0...zip/RdxIE2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8008.722037037
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/co...20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
godai73
06-16-2004, 03:18 PM   #6
Ultra Techie
Join Date: Apr 2004
Posts: 617

OK, you still have some stuff to get rid of.

Run HijackThis, put a check next to these, close all browsers and hit Fix.

Make sure not to miss one.

O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O4 - HKLM\..\Run: [TkBellExe] E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKLM\..\Run: [Dsi] E:\WINNT\system32\dp-him.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [eckqjwiitte] E:\WINNT\system32\lzsbck.exe

O4 - HKCU\..\Run: [bypqRWe7g] npsolss.exe

O4 - Startup: Internet Explorer.lnk = E:\Program Files\Internet Explorer\IEXPLORE.EXE

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/216868990265fe...tzip/RdxIE2.cab
-----------------------------------------------------------------------------------------------------------------------------------

To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.

Reboot into Safe Mode.

How to boot into Safe Mode

Delete this folder:

C:\Program Files\AutoUpdate\

and these files:

E:\WINNT\system32\dp-him.exe
E:\WINNT\system32\npsolss.exe
E:\WINNT\system32\lzsbck.exe

Reboot back to Normal Mode.

Run an online antivirus check from at least one, and preferably two, of the following sites (select autoclean). Click below:

Housecall
Panda scan
RAV

come back and post a fresh log and tell me how you computers running

Lobos
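Both of Lobos's replies (#4 and #6) pick their targets out of the log by eye: an autostart running from a temp directory, Run values with random-looking names, BHO/toolbar registrations with "(no file)" behind them, an ActiveX download pulled from a bare IP (207.188.7.150), and a search bar pointing at an .htm dropped in system32. Putting the second log next to the first also shows why one pass was not enough: lzsbck.exe came back under a new Run value name (fcjael, then eckqjwiitte), and the value bypqRWe7g kept its name but now starts npsolss.exe instead of nwcannel.exe. The script below is an added example, not code from this thread or from HijackThis; it encodes those checks (my own reading of what the replies flagged, not rules HijackThis itself applies) over abbreviated copies of the two posted logs, and diffs the O4 entries between them to surface the re-persistence. Function and finding-code names are mine.

```python
"""Triage of HijackThis-style log lines and a diff of two logs.

Added example, not code from the Techist thread or from HijackThis. The
sample logs are abbreviated copies of the two posted in the thread; the
checks are my own encoding of what the replies flagged by eye (assumptions,
not HijackThis rules).
"""
import ntpath
import re
from ipaddress import ip_address
from urllib.parse import urlparse

LOG_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://E:\WINNT\system32\SearchBar.htm
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [h33.exe] E:\winnt\temp\h33.exe
O4 - HKLM\..\Run: [fcjael] E:\WINNT\system32\lzsbck.exe
O4 - HKLM\..\Run: [AutoLoaderq2p21IPTXKNN] "E:\WINNT\system32\wjvadm.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [q96k36S] wjvadm.exe
O4 - HKCU\..\Run: [bypqRWe7g] nwcannel.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/216868990265fe0...zip/RdxIE2.cab
"""
LOG_2 = r"""
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [eckqjwiitte] E:\WINNT\system32\lzsbck.exe
O4 - HKCU\..\Run: [bypqRWe7g] npsolss.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/216868990265fe0...zip/RdxIE2.cab
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
IE_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+)= ?(?P<data>.*)$")


def exe_of(cmd):
    """Executable part of a Run command line ('"x" /flag' or 'x /flag'), lower-cased."""
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r"^(.*?\.exe)(?=\s|$)", cmd, re.I)
    return (m.group(1) if m else cmd.split()[0]).lower()


def is_ip_literal(url):
    """True when the download host is a bare IP address rather than a hostname."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(log):
    """Return (code, detail) findings for one log."""
    findings = []
    names_by_exe = {}  # binary basename -> Run value names that start it
    for line in log.strip().splitlines():
        if "(no file)" in line:
            findings.append(("orphan", line))  # BHO/toolbar whose DLL is already gone
        m = RUN_RE.match(line)
        if m:
            exe = exe_of(m["cmd"])
            if re.search(r"\\temp\\", exe):
                findings.append(("temp-dir", line))  # nothing legitimate autostarts from a temp dir
            names_by_exe.setdefault(ntpath.basename(exe), set()).add(m["name"])
        m = DPF_RE.match(line)
        if m and is_ip_literal(m["url"]):
            findings.append(("ip-literal-dpf", line))  # ActiveX pulled from a raw IP
        m = IE_RE.match(line)
        if m and m["data"].lower().startswith("file://") and re.search(r"\\(winnt|windows)\\", m["data"], re.I):
            findings.append(("local-html", line))  # search/start page replaced by a dropped .htm
    for exe, names in names_by_exe.items():
        if len(names) > 1:  # one binary under several Run values: it reinstalls itself
            findings.append(("dup-run-names", "%s <- %s" % (exe, ", ".join(sorted(names)))))
    return findings


def run_entries(log):
    """(hive, value name, binary basename) for every O4 Run line in a log."""
    return [(m["hive"], m["name"], ntpath.basename(exe_of(m["cmd"])))
            for m in map(RUN_RE.match, log.strip().splitlines()) if m]


def repersisted(before_log, after_log):
    """O4 entries in the later log that are a renamed form of one in the earlier log.

    Covers both tricks seen in the thread: same binary under a fresh random value
    name, and same value name pointing at a newly dropped binary.
    """
    before, hits = run_entries(before_log), []
    for hive, name, exe in run_entries(after_log):
        if (hive, name, exe) in before:
            continue  # unchanged entry, nothing to report
        for h, n, e in before:
            if h == hive and n == name and e != exe:
                hits.append((hive, "same Run value name, new binary", (n, e), (name, exe)))
            elif h == hive and e == exe and n != name:
                hits.append((hive, "same binary, new Run value name", (n, e), (name, exe)))
    return hits


if __name__ == "__main__":
    print(*triage(LOG_1), *repersisted(LOG_1, LOG_2), sep="\n")
```

Random-looking value names are deliberately not scored: legitimate entries in the same log (TkBellExe, QveCtl2Tray, msnmsgr, nwiz) look just as odd, so that signal is left to the reader and only the checks that do not depend on taste are kept. The cross-log diff is the part worth keeping around: after any cleanup, a second log should be compared against the first rather than read on its own, because the interesting entries are precisely the ones that changed name or binary but not both.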