Replicating Spy/Adware?!?!

Ropponmatsu

Baseband Member
Messages
81
I just got the new parts for my new rig today and within 5 minutes of booting it up with the installed mobo drivers etc. I notice it's sluggish and for some reason all my bandwidth is being sucked out the window. I do a Spybot and Ad-Aware check and over 400 objects found! WTF?!?! I just barely booted up a clean HD. I quarantine all the files and delete them. I reboot and as soon as I boot up, same thing; I run another scan and everything is back! I did a Hijack log and I want to know if there is anything that really stands out that could cause this problem.

And this is rich. Now every time I scan with Spybot it will still pick up things that Ad-Aware doesn't, and then when I try to repair them Spybot crashes in the middle of the process. Now I'm having to go back and remove all the registry keys manually.

Logfile of HijackThis v1.99.0
Scan saved at 12:26:51 AM, on 1/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\IEEXPLORE.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dustin\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgd.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [msrepair] msrepair.exe
O4 - HKLM\..\Run: [UkbGbatR] C:\WINDOWS\fuoapvvt.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgd.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [msrepair] msrepair.exe
O4 - HKLM\..\RunOnce: [Task Help] wualcts.exe
O4 - HKLM\..\RunOnce: [msrepair] msrepair.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgd.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [msrepair] msrepair.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Task Help] wualcts.exe
O4 - HKCU\..\RunOnce: [msrepair] msrepair.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{B264BD66-75A7-4D47-8BE6-22F6DF2606A8}: NameServer = 209.26.88.31 199.2.252.10
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Sorry for the double post but I just thought this was important enough to deserve its own.

Well I was able to remove everything manually. The only thing that was particularly stubborn was the Registry folder "ZESOFT". Anyone recognize that? Well every time Spybot tried to delete it, Spybot would just lock up and crash without so much as an error box. So I tried going into Regedit and deleting it manually but a box popped up saying "Unable to delete. Error detecting in key."

So I went into the folder and deleted all I could till only the default one was left, and whenever I tried deleting that I received the same error. Well I edited the binary to corrupt it and then I was able to delete it.

So judging from Spybot and Ad-Aware, I am finally free from all this crap that I've had to suffer through all day long. I still need to reboot, and if all this stuff somehow returns after I reboot, well then I'll go shoot myself because I don't know what else can be done.
 
You may want to print out these instructions for reference.

1. First Download CWShredder
And save it to your desktop.
Close all open browser windows and any other open windows.

Install CWShredder, then:
Open CWS and click "FIX"

2. Please run each of these online scans, allow each one to delete anything they find:
You may have to select auto-fix prior to scanning; it should be a selection on the screen. Please make a note of anything that wasn't or couldn't be fixed.
Reboot your machine when finished.

3. You may have run these programs already; make sure they are up to date and run them per the provided instructions.
Current Versions are:
Spybot S&D Ver: 1.3 Download Here
Ad-Aware SE Build 1.05 Download Here

Download and install both Spybot S&D and Ad-Aware SE.

Instructions:

Spybot S&D:
Go to your Start Menu >> Programs >> Spybot S&D >> then choose Spybot S&D.

*Close ALL windows except Spybot S&D
*Click the button to "Search for Updates" and download and install the Updates.
*Close Spybot then launch it again
*Click the button "Check for Problems"
*When Spybot is done scanning, it will be showing "RED" entries, "BLACK" entries and "GREEN" entries in the window
*Put a check mark beside the RED entries ONLY.
*Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.


Ad-Aware SE FULL SCAN:
Go to your Start Menu >> Programs >> Lavasoft Ad-Aware SE >> then choose Ad-Aware SE Personal.

When the main window opens look in the bottom right corner and click on Check For Updates Now then click Connect and download the latest reference files.

From main window:
*Click Start then under Select a scan Mode check Perform Full System Scan.
*Next deselect Search for negligible risk entries.
*To scan just click the Next button.

When the scan has finished mark everything for removal and get rid of it.
(Right-click the window and choose select all from the drop down menu and click Next)
The program will ask if you want to fix/delete selected items, choose yes/fix.

Empty Your Recycle Bin.

Reboot your machine and post a new HJT log, by clicking "Post Reply"

I noticed that you are not running any anti-virus software programs; you should get one. There are a couple of free ones that are available. Grisoft AVG is one that I have suggested.
Your Windows XP is at SP1; you may want to update this as well.
One last note: your system clock is two days ahead. Have you noticed this?
 
You will need to rescan with hijack, insert a check next to each of the following, close all other open windows, then in hijack click "fix checked":


O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgd.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [msrepair] msrepair.exe
O4 - HKLM\..\Run: [UkbGbatR] C:\WINDOWS\fuoapvvt.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgd.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [msrepair] msrepair.exe
O4 - HKLM\..\RunOnce: [Task Help] wualcts.exe
O4 - HKLM\..\RunOnce: [msrepair] msrepair.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgd.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [msrepair] msrepair.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\RunOnce: [Task Help] wualcts.exe


Then set the system to show hidden files and folders http://www.spyware911.net/showhiddenfiles.htm

Reboot into safe mode http://www.spyware911.net/safemode.htm

Open windows explorer, find then delete:
C:\WINDOWS\System32\IEEXPLORE.exe
C:\WINDOWS\system32\defragfatx.exe
C:\Program Files\ISTsvc
C:\Program Files\Admanager Controller
C:\WINDOWS\fuoapvvt.exe

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin


Go to Start > Run, type msconfig and press Enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore on all Drives.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.


Then Download TDS-3 trojan scanner from http://tds.diamondcs.com.au/index.php?page=download

Then you will need to manually update it so follow the instructions given here
http://tds.diamondcs.com.au/index.php?page=update

Now open the program, pause until it has finished its mini test, then click System Testing / Full Scan.

If anything is found when the scan completes, right-click and select Delete for each item.


Post a fresh hijack log.
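As an added example (not part of this thread or of HijackThis itself), here is a small Python triage script that parses the O4 lines of a HijackThis log like the one posted above and flags the pattern the helper's list is built on: the same name registered under HKLM Run, RunServices and HKCU Run at once (so it re-registers itself every boot), a bare filename with no path, and a name imitating a Microsoft or Windows component. The sample log is a constructed subset of the posted log, and the allowlist of benign path-less commands is an assumption taken from the posted log's legitimate driver entries.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgd.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgd.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgd.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] IEEXPLORE.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# HijackThis O4 line shape: "O4 - HKLM\..\RunServices: [Name] command"
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")

# Assumed allowlist of path-less commands that are benign in the posted log (driver helpers).
KNOWN_BARE = {"rundll32.exe", "soundman.exe", "nwiz.exe"}

def parse_o4(log_text):
    """Return (hive, key, name, command) for every O4 autorun entry in the log."""
    return [m.groups() for m in map(O4_RE.match, log_text.splitlines()) if m]

def triage(log_text):
    """Map each suspicious autorun name to the list of reasons it was flagged."""
    locations, commands = defaultdict(set), {}
    for hive, key, name, cmd in parse_o4(log_text):
        locations[name].add(f"{hive}\\{key}")
        commands[name] = cmd
    findings = {}
    for name, locs in locations.items():
        exe = commands[name].split()[0].lower() if commands[name] else ""
        reasons = []
        if len(locs) >= 3:
            # Same entry under Run, RunServices and HKCU\Run: it re-registers itself on reboot.
            reasons.append(f"registered in {len(locs)} autorun locations")
        if "\\" not in exe and exe not in KNOWN_BARE:
            # No directory given, so Windows resolves the name by PATH search at logon.
            reasons.append("bare filename with no path")
        if re.search(r"microsoft|windows|update", name, re.I) and exe not in KNOWN_BARE:
            reasons.append("name imitates a Microsoft/Windows component")
        if reasons:
            findings[name] = reasons
    return findings
```

Running `triage(SAMPLE_LOG)` flags only the two replicated entries and leaves the NVIDIA, Ad-Aware-style and ctfmon entries alone, which mirrors the helper's split between what to fix and what to keep.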
 
Ropponmatsu, do you still need help? If we don't see an answer by tomorrow I will conclude that you have found help elsewhere and close this thread. Liz
 