Spyware infestation

Richdog said:
Also, download and install AOL Active Virus Shield from here http://www.activevirusshield.com/antivirus/freeav/index.adp? and then uninstall existing AV software and install that one. It's basically Kaspersky 6 for free, and it's the best for detection and cleaning.


It worked! :eek:


It got rid of all the .dll files I've been fighting with, and so far (only had the PC on for 30 minutes) I've not had any popups...:D

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:16:43, on 01/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steven\My Documents\My Downloads\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - (no file)
O2 - BHO: (no name) - {24180B00-2EB6-11d7-BD6F-004854603DCE} - (no file)
O2 - BHO: (no name) - {31917F9D-39AD-498E-8969-236DC820334C} - (no file)
O2 - BHO: (no name) - {49B9430B-A360-41FB-82F1-96269C5C7FE1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6148028B-D532-4417-8C0B-5A4A0B745393} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140383823342
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140383813889
O17 - HKLM\System\CCS\Services\Tcpip\..\{18A2ACBA-25B0-4B9A-B990-3740361B79A5}: NameServer = 192.168.0.1
O20 - Winlogon Notify: ljjkkjh - ljjkkjh.dll (file missing)
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5844 bytes






As you can see (if you put it into hijackthis.de) there are some 'unnecessary' entries in there, which I presume is a result of me deleting anything vaguely looking like spyware instead of healing it... I dunno if I desperately need to replace the files or anything, but the PC seems to be working fine, with no popups or anything. :p


Thanks a lot, to everyone who's been helping :)
 
Ok, now re-run Hijackthis and put a tick next to all the following entries:

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - (no file)
O2 - BHO: (no name) - {24180B00-2EB6-11d7-BD6F-004854603DCE} - (no file)
O2 - BHO: (no name) - {31917F9D-39AD-498E-8969-236DC820334C} - (no file)
O2 - BHO: (no name) - {49B9430B-A360-41FB-82F1-96269C5C7FE1} - (no file)

O2 - BHO: (no name) - {6148028B-D532-4417-8C0B-5A4A0B745393} - (no file)

O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)

O20 - Winlogon Notify: ljjkkjh - ljjkkjh.dll (file missing)

O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)


Then click the "Fix Checked" button to nuke them.

Now ensure you installed Spyware Blaster from here http://www.download.com/SpywareBlaster/3000-8022_4-10486084.html, update it and enable full protection.

You should now ONLY have AOL Active Virus Shield installed as a real-time (active) scanner... NOTHING else AT ALL. You can add extra scanners if you like but they must be "on-demand" (passive) or they will increase the load on your system and conflict.

Now you should be pretty much good to go. The Kaspersky engine IS the best bar none, though some other AVs are a close second and offer better system performance, so just keep that AOL Active Virus Shield on your system and ensure it's running sweetly and you should now be fine. :)
 
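The entries ticked above share one property: HijackThis reports the file they point at as "(no file)" or "(file missing)", i.e. the malware's DLLs were deleted but the registry keys that loaded them were left behind. O20 Winlogon Notify entries deserve particular attention because a live one is loaded into winlogon.exe at logon, before any user-level scanner starts. The script below is an added example, not code from the thread or from HijackThis: it parses the O2 and O20 lines of a v2 log and returns the dangling entries as the "fix list". The sample log is constructed from the lines quoted in the thread; the regexes and function names are my own assumptions about the log format.

```python
"""Find HijackThis O2/O20 entries whose target file no longer exists.

Added example (not part of the original thread). A dangling BHO or
Winlogon Notify entry is a registry reference to a DLL that has been
deleted; it is harmless on its own but should be removed so the log is
clean and a re-dropped DLL of the same name cannot be picked up again.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O20 - Winlogon Notify: ljjkkjh - ljjkkjh.dll (file missing)
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll (file missing)
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
"""


@dataclass
class Entry:
    section: str   # HijackThis section code: "O2" (BHO) or "O20" (Winlogon Notify)
    name: str      # BHO display name, or the Winlogon Notify subkey name
    target: str    # path/file text the registry entry points at
    missing: bool  # True when HijackThis could not find the file on disk
    raw: str       # the log line as written, for ticking in "Fix Checked"


# Assumed line formats, matching the v2 log quoted in the thread.
_BHO = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
_MISSING = re.compile(r"\((?:no file|file missing)\)$")


def parse_log(text: str) -> list[Entry]:
    """Return the O2 and O20 entries found in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _BHO.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["target"],
                                 bool(_MISSING.search(m["target"])), line))
            continue
        m = _NOTIFY.match(line)
        if m:
            entries.append(Entry("O20", m["name"], m["target"],
                                 bool(_MISSING.search(m["target"])), line))
    return entries


def orphaned(text: str) -> list[Entry]:
    """Entries whose DLL is gone: safe to fix, and they should be."""
    return [e for e in parse_log(text) if e.missing]


def fix_list(text: str) -> list[str]:
    """The raw lines to tick before pressing 'Fix Checked'."""
    return [e.raw for e in orphaned(text)]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG):
        print(line)
```

Run it against the pasted log text to get exactly the lines to tick; entries that do resolve to a file (Adobe, Spybot's SDHelper, Java's ssv.dll) are left alone, which is the distinction the reply above draws by hand.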
Done. The system is looking good, and I'm installing that other program right now. You've saved me £30 on a new hard drive, and a lot of time reformatting. Thanks. :p
 
Yeah, when I hear people say "it's easier to reformat" I really do scratch my head in wonderment... why go to such extreme lengths and inconvenience when it can be done so much simpler? All it takes is a good AV program and someone with knowledge of removing items via HijackThis etc. I used to work as support for an AV company so I've cleaned up some systems that were a right state, with literally thousands of serious infections. :)
 
Richdog said:
Yeah, when I hear people say "it's easier to reformat" I really do scratch my head in wonderment... why go to such extreme lengths and inconvenience when it can be done so much simpler? All it takes is a good AV program and someone with knowledge of removing items via HijackThis etc. I used to work as support for an AV company so I've cleaned up some systems that were a right state, with literally thousands of serious infections. :)
Depends. They may not feel up to fixing it themselves. They might also want a clean install of Windows for some reason and this is the time to do it.

But also if someone uses something like nLite or Ghost/Acronis TrueImage then it's not such an inconvenience when it only takes a few minutes.
 
MarcLister said:
But also if someone uses something like nLite or Ghost/Acronis TrueImage then it's not such an inconvenience when it only takes a few minutes.

Hmm, to be honest I'm a bit crap when it comes to backup etc... but how do you re-install Windows then simply "plop" all of your previous data over it? You still have to re-install all of your programs and all of your games etc, do you not?
 
Richdog said:
Hmm, to be honest I'm a bit crap when it comes to backup etc... but how do you re-install Windows then simply "plop" all of your previous data over it? You still have to re-install all of your programs and all of your games etc, do you not?
Depends when you image your PC I believe. Some people I think image their PC immediately after installing Windows so that they can go back to that state if the PC gets fubared. Some others like to install everything (Windows, Games, Progs etc) and then image it. As long as you've got space to store the image on such as another HDD, DVDs, external disk, networkable storage you can image as much as you want.

What I plan to do over the summer is nLite my XP CD to hell so I have only the functionality and features I need. This'll give me a nice small ISO to store somewhere. I can make this ISO install quicker by inserting my XP key and forcing the install to be fully automated. Then I'll buy/trial Acronis TrueImage and image my XP as it is when it's installed. Then install all of my stuff and put the settings the way I want them and then image again.

So I'll have an nLite XP ISO, XP after install image and XP after programs etc image. Should mean I'm relatively safe in terms of backup but also means I can drastically reduce the time I'm out of action if something borks my PC, like me!! :D
 