Spyware infestation

While I'm in this part of the forum, I might as well try to get this stuff fixed as well...


Anyway, for the past few weeks, my PC has been horribly clogged with spyware. Not entirely sure how it got on, though I have my suspicions about a downloaded .exe file that wasn't what it was meant to be (and it wasn't anything dodgy either, it was a recording program app). So, I keep getting popups asking me if I'm in debt, need a loan, or telling me I'm infected with spyware. No kidding!


So, spyware scans almost always show up positive for trojans, tracking cookies and other nasties, but I can't get rid of them. When I tell my spyware programs to 'fix selected problems', they do it. But the problems reappear pretty quickly. Also, AVG periodically pops up to tell me it's discovered a trojan or two.

So far, I've used Ad-Aware SE, Spybot S&D, AVG, and a squared. They each show up with different types of spyware, and none of them can definitively get rid of it. I don't want to have to reformat the PC, so what else can I do? System restore is turned off, since I heard something about how trojans etc can 'hide' in there without being detected.



Thanks
tTz
 
Hmm if you've used programs like that and you can't get rid of the spyware then it isn't looking too good I'm afraid. In the future get Spywareblaster. That will stop spyware getting on the system. Although if you don't know how the spyware got onto your PC this time around it may not have prevented it, but it should reduce the risk of this happening again.

From what you've said a reformat is the only option I can think of.
 
Damn. I was really hoping I wouldn't have to do that. :(



:edit:


Also, explorer.exe is behaving really strangely, and it's been doing it since the start of the spyware problem. I'm maybe just being paranoid though, I dunno.
 
Don't tell AVG to heal. Move the stuff to the vault.

I had this, AVG would say it healed it but did nothing and it popped back up.

The best thing would be a reinstall really. I have not been impressed with any spyware removers.

jackassuk56
 
Yeah 'tis bad news that. With the software you're running, if you can't get rid of the spyware, you probably won't with anything else. That is why the format is the best solution I'm aware of.
 
Have you tried looking for specific fixes for the spyware that's plaguing you?

I had smitfraud a while ago and AVG couldn't touch it. However I found a specific tool for removing it by googling.
I lost the contents of my \temp\ directory, but I didn't lose any other data on the drive... better than a format anyway.
 
Just a thought, but as most of the popups are via IE, and I use Firefox, could I just uninstall IE to get rid of them? I know it's not a full solution (I'm petrified of going anywhere near my online banking details atm on this PC in case any logins get stolen) but it could be a start.

:edit:

Funnily enough, smitfraud is one of the persistent ones. I don't have names for the others though.
 
tTz said:
{snip}I don't want to have to reformat the PC, so what else can I do?{snip}
Re-run those programs in 'Safe Mode'.

Do you have Malicious Software Removal Tool? Installs with Windows Updates.

Could also try (but not in Safe Mode) HijackThis ;)
 
I've got HijackThis, I just don't know what I'm looking for. Tried an online analyser thing, but it didn't work. :o


Checking the other stuff now...
 
tTz said:
I've got HijackThis, I just don't know what I'm looking for. Tried an online analyser thing, but it didn't work. :o


Checking the other stuff now...
Post your HijackThis log here and someone will take a look at it and see what they think is spyware.
 
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:35:11, on 28/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\uCheat\uCheat-1.6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Photoshop Elements\PhotoshopElements.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Documents and Settings\Steven\My Documents\My Downloads\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll (file missing)
O2 - BHO: (no name) - {49B9430B-A360-41FB-82F1-96269C5C7FE1} - C:\WINDOWS\system32\jandyxha.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6148028B-D532-4417-8C0B-5A4A0B745393} - C:\WINDOWS\system32\ljjkkjh.dll
O2 - BHO: (no name) - {6F1EB372-4EAF-47EC-80B6-7F98A917D5B0} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\otcdcnln.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\nyknfboq.dll",realset
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uCheat\uCheat-1.6.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140383823342
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140383813889
O17 - HKLM\System\CCS\Services\Tcpip\..\{18A2ACBA-25B0-4B9A-B990-3740361B79A5}: NameServer = 192.168.0.1
O20 - Winlogon Notify: ljjkkjh - C:\WINDOWS\SYSTEM32\ljjkkjh.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6745 bytes
That's the log. Gibberish to me, but maybe someone out there can understand it. :p
 
I've put that into the HijackThis.de site and there are one or two things it's picked up on. Also why have you got AVG Antivirus and NOD32 on your system?

What is uCheat.exe?
Did you install the Trellian toolbar? Sounds dodgy to me.
C:\WINDOWS\system32\ljjkkjh.dll - looks really really dodgy.
As does C:\WINDOWS\system32\ssqrp.dll
and C:\WINDOWS\system32\otcdcnln.dll
and C:\WINDOWS\system32\nyknfboq.dll
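A small triage script, added here as an illustration (it is not from the thread, nor part of HijackThis), that applies the reasoning of the reply above to the log format: it parses lines of the same O2/O4/O20 shape, using sample lines taken from the log posted earlier in this thread, and flags the unnamed BHOs loading from system32, the rundll32 Run entry, the stale "(file missing)" entry and any Winlogon Notify package for manual review. Everything else (AVG, Spybot's SDHelper, NOD32) passes through unflagged.

```python
import re

# Constructed sample: a subset of the HijackThis v2 entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trellian BHO Impl - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\Toolbar\toolbar.dll (file missing)
O2 - BHO: (no name) - {49B9430B-A360-41FB-82F1-96269C5C7FE1} - C:\WINDOWS\system32\jandyxha.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\nyknfboq.dll",realset
O20 - Winlogon Notify: ljjkkjh - C:\WINDOWS\SYSTEM32\ljjkkjh.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "O2 - <body>" / "O20 - <body>": section tag, then the rest of the line.
ENTRY_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# A DLL loaded straight out of the Windows system directory.
SYSTEM32_DLL = re.compile(r"C:\\WINDOWS\\system32\\([^\\\s\"]+\.dll)", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path, with HijackThis's '(file missing)' note dropped."""
    return path.replace(" (file missing)", "").rsplit("\\", 1)[-1]


def triage(log_text):
    """Return (section, reason, dll_name) tuples for entries a human should look at."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.groups()
        dll = SYSTEM32_DLL.search(body)
        target = dll.group(1) if dll else basename(body.split(" - ")[-1])
        if section == "O2" and "(file missing)" in body:
            findings.append((section, "stale BHO registration, file missing", target))
        elif section == "O2" and body.startswith("BHO: (no name)") and dll:
            findings.append((section, "unnamed BHO loading from system32", target))
        elif section == "O4" and "rundll32" in body.lower() and dll:
            findings.append((section, "Run key uses rundll32 to load a system32 DLL", target))
        elif section == "O20":
            findings.append((section, "Winlogon Notify package, loads at every logon", target))
    return findings


if __name__ == "__main__":
    for section, reason, name in triage(SAMPLE_LOG):
        print(f"{section:<4} {name:<14} {reason}")
```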
 
As far as I know:

uCheat is a torrent program

Trellian toolbar is a part of an HTML editor I had installed, but have now uninstalled. Funnily enough, that's something that comes up in spyware scans quite often. I thought I'd got rid of it though.

About the .dll files, how do I get rid of them? Is it as simple as navigating to the folder and deleting them?


As for AVG and NOD, no idea. Must've installed NOD a while back and forgot about it. :o
 
tTz said:
As far as I know:

uCheat is a torrent program
http://www.google.co.uk/search?hl=en&safe=off&q=uCheat+%2Btorrent&btnG=Search&meta= doesn't return any torrent results so I might get rid of that.

tTz said:
Trellian toolbar is a part of an HTML editor I had installed, but have now uninstalled. Funnily enough, that's something that comes up in spyware scans quite often. I thought I'd got rid of it though.

About the .dll files, how do I get rid of them? Is it as simple as navigating to the folder and deleting them?


As for AVG and NOD, no idea. Must've installed NOD a while back and forgot about it. :o
Hmm

DLL, yes try and delete them manually. They may be "in use" so give http://ccollomb.free.fr/unlocker/ a go if need be. That will "unlock" files so you can delete them.

If you've got a licence for NOD then I'd keep that instead of AVG, unless you have a major preference for AVG for whatever reason.
 
Great, I'll have a look.

I *think* uCheat is a modded version of uTorrent (it was recommended by a mate on another forum who's used it for ages), though what exactly the mods are, I've no idea...I might get rid of that and just use plain old uTorrent again.


I'll let you know how the rest goes on. Thanks!
 
tTz said:
Great, I'll have a look.

I *think* uCheat is a modded version of uTorrent (it was recommended by a mate on another forum who's used it for ages), though what exactly the mods are, I've no idea...I might get rid of that and just use plain old uTorrent again.


I'll let you know how the rest goes on. Thanks!
Yeah even if uCheat is a modded version of uTorrent, I'd get rid of ANYTHING that looks even SLIGHTLY dodgy. When you've fixed the spyware issue either by removing the offending files or a format then you can try out uCheat again.
 
tTz said:
{snip}As for AVG and NOD, no idea. Must've installed NOD a while back and forgot about it. :o
2 anti-virus programs is a no-no. Have to uninstall 1. Basically your system is not protected!
 