Spyware problem, help please

Soldato | Joined 4 Nov 2003 | Posts 4,496 | Location Belfast, Northern Ireland
Hi there.

I just got back from uni today and lo and behold my PC has been used by my parents. Problem: it's ridden with spyware. I have run Ad-Aware and Spybot Search & Destroy; however, they have not fixed my problem. The problem is that I keep getting messages appearing as little balloons in the bottom right-hand corner of my screen telling me that I am infected etc. (trust me, this isn't Windows XP telling me this).

Also when I open an Internet Explorer browser, it always opens the website http://www.topsecuritysite.com/ and I cannot change it at all. I have just run a HijackThis scan and the log is posted below. Make what you can of it. Please help me get my PC back to normal! :)

Hijackthis log said:
Logfile of HijackThis v1.99.1
Scan saved at 19:32:12, on 19/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Stephen Graham\Local Settings\Temp\HijackThis.exe

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp10B4.tmp
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [AtiTrayTools] C:\Program Files\Radeon Omega Drivers\v2.6.53\ATI Tray Tools\atitray.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121202314031
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks ;)

Whappers
 
Have you tried Windows Anti-spyware or the newer Windows Defender?

Both are free downloads at the Windows Update site; both work pretty well.
 
Hmm, can't see any BHOs on that log... odd.

But for goodness sake man get a decent AV package, Norton is god-awful. You want one like NOD32 or Kaspersky that have great scanning engines. Norton is about the worst of the major AV providers, ugh.

Do the following:

1) Download and install spywareblaster, update and enable full protection http://www.download.com/SpywareBlaster/3000-8022-10196637.html?part=dl-SpywareBl&subj=dl&tag=button as it will cut out 90% of spyware from getting on your PC.

2) Do a run of Panda Activescan and see what it picks up, though bear in mind it will not delete spyware http://www.pandasoftware.com/produc...5D4-4DA2-B310-B1DBEC2971F2}&NRCACHEHINT=Guest

3) Download and run SpySweeper and do a full clean http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html

4) Also run BHOdemon and see what (if anything) is having a hand in controlling IE http://www.spywareinfo.com/downloads/bhod/
 
Richdog said:
Hmm can't see any BHO's on that log... odd.

But for goodness sake man get a decent AV package, Norton is god-awful. You want one like NOD32 or Kaspersky that have great scanning engines. Norton is about the worst of the major AV providers, ugh.

Do the following:

1) Download and install spywareblaster, update and enable full protection http://www.download.com/SpywareBlaster/3000-8022-10196637.html?part=dl-SpywareBl&subj=dl&tag=button as it will cut out 90% of spyware from getting on your PC.

2) Do a run of Panda Activescan and see what it picks up, though bear in mind it will not delete spyware http://www.pandasoftware.com/produc...5D4-4DA2-B310-B1DBEC2971F2}&NRCACHEHINT=Guest

3) Download and run SpySweeper and do a full clean http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html

4) Also run BHOdemon and see what (if anything) is having a hand in controlling IE http://www.spywareinfo.com/downloads/bhod/

5) Password protect your PC :D

SiriusB
 
Richdog said:
Hmm can't see any BHO's on that log... odd.

But for goodness sake man get a decent AV package, Norton is god-awful. You want one like NOD32 or Kaspersky that have great scanning engines. Norton is about the worst of the major AV providers, ugh.

Do the following:

1) Download and install spywareblaster, update and enable full protection http://www.download.com/SpywareBlaster/3000-8022-10196637.html?part=dl-SpywareBl&subj=dl&tag=button as it will cut out 90% of spyware from getting on your PC.

2) Do a run of Panda Activescan and see what it picks up, though bear in mind it will not delete spyware http://www.pandasoftware.com/produc...5D4-4DA2-B310-B1DBEC2971F2}&NRCACHEHINT=Guest

3) Download and run SpySweeper and do a full clean http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html

4) Also run BHOdemon and see what (if anything) is having a hand in controlling IE http://www.spywareinfo.com/downloads/bhod/

Thanks a lot Richdog,

I'll try this in a little while (I'm on the laptop right now - the problem is on the desktop).

What AV package do you recommend?

Thanks again! ;)

Whappers
 
Kaspersky and NOD32 are the best AV packages... Kaspersky's detection is the best there is, with NOD32 a close second. However, I chose to subscribe to NOD32 because it's so light on resources you barely know it's there, which is great for gaming. It has kept me clean for almost a year, and I've surfed some pretty dodgy sites. :D

All I use are:

SpywareBlaster (SB)
Adaware
NOD32

Once SB is installed every spyware scan I make only turns up about 4 objects, mostly legit cookies. I never get any problems no matter where I surf. :)
 
One tip I have learned: NEVER use System Restore! It is complete crap and does as much harm as it does good. Use it and see how many programs you can break... :D
 
Delete the System Restore points, and disable it.

Remove Norton.

Download the NOD32 trial (or buy it), download CCleaner (lite), download Windows Defender, and maybe Ewido if problems still occur; run full scans.
 
Format C:

Reload XP

Install Acronis True Image / NOD32 or Kaspersky

That way you never get this problem ever again.


PS: sounds like you just got one of the SmitFraud variants running out there; try the smitrem tool here:
http://noahdfear.geekstogo.com/

I've found a good up-to-date NOD32/Kaspersky and Ewido/Spybot/Ad-Aware scan can also fix that type of spyware you have.
 
You have a version of the smitfraud virus.

Please download smitrem from : http://noahdfear.geekstogo.com/

Download smitRem.exe, saving the file to your desktop. Double click it to extract the contents to a folder of its own. Restart your computer in safe mode, log on to the user account that is infected, open the smitRem folder and double click the RunThis.bat file to start the tool.

Follow the prompts on screen and allow Disk Cleanup to complete.

Upon reboot, you can reset your desktop background. Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the Themes tab of Desktop Properties.

This is the line in the log that shows you have smitfraud:

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp10B4.tmp

Check the CLSID f79fd28e-36ee-4989-aa61-9dd8e30a82fa against the one logged at CastleCops: http://castlecops.com/CLSID.html
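The post above shows how a single log line (the O2 BHO entry pointing at a .tmp file in system32) gives the infection away. The following is an added example, not part of the thread and not HijackThis's own code: a small triage script that reads HijackThis-format lines and flags the categories of entry a reviewer checks first. The heuristics (placeholder-named BHOs or BHOs backed by a .tmp DLL, any text/html MIME filter, services with no publisher string, entries whose file is missing) are the editor's own rules of thumb, not anything HijackThis itself reports; the sample log is a handful of lines copied from the log in this thread. A flagged line means "look this up", not "this is malware".

```python
"""Triage helper for HijackThis-style logs (added example; heuristics are the editor's own)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp10B4.tmp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # why the line deserves a second look
    line: str     # the original log line


# HijackThis prefixes every scan item with a section code such as O2, O18, R1, F2.
SECTION_RE = re.compile(r"^([ORFN]\d+)\s*-\s*(.*)$")


def section_of(line: str) -> Optional[str]:
    """Return the section code of a scan item, or None for headers/process lists."""
    m = SECTION_RE.match(line.strip())
    return m.group(1) if m else None


def check_line(line: str) -> Optional[Finding]:
    """Apply the review heuristics to one line; None means nothing stood out."""
    sec = section_of(line)
    if sec is None:
        return None
    body = line.strip()
    lower = body.lower()

    # A stale entry: the registry still points at a DLL/EXE that is gone.
    if "(file missing)" in lower:
        return Finding(sec, "entry points at a missing file (stale; clean-up only)", body)

    # O2: a BHO is loaded into every IE window. Legitimate add-ons register with a
    # real name and a DLL in a proper install path, not a placeholder and a .tmp file.
    if sec == "O2" and ("bho: nothing" in lower or "(no name)" in lower or lower.endswith(".tmp")):
        return Finding(sec, "BHO with placeholder name or .tmp DLL", body)

    # O18: a text/html MIME filter sits between IE and every HTML page it renders,
    # which is exactly the position needed to rewrite or redirect what the user sees.
    if sec == "O18" and "text/html" in lower:
        return Finding(sec, "text/html MIME filter intercepts all HTML content", body)

    # O23: a service with no publisher string should at least have its binary verified.
    if sec == "O23" and "unknown owner" in lower:
        return Finding(sec, "service with no publisher string; verify the file", body)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a log and return the flagged ones in order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Running it over the thread's own log flags the O2 BHO line The_KiD identified, the O18 text/html filter (the hook most likely behind the browser redirect), the unsigned ATI service as something to verify, and the dangling Java button as harmless clutter; the Symantec entries pass untouched.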
 
The_KiD said:
You have a version of the smitfraud virus.

Please download smitrem from : http://noahdfear.geekstogo.com/

This is the line in the log that shows you have smitfraud:

Check the CLSID f79fd28e-36ee-4989-aa61-9dd8e30a82fa against the one logged at CastleCops: http://castlecops.com/CLSID.html

lol I must be going blind, I scanned the log about 3 times for the word "BHO" and didn't see anything... and I must look at those damn logs 5 times a day. :o
 
I would use:

1. Kaspersky v5 or v6
2. Spybot - Search & Destroy
3. Ad-Aware SE Personal

and Window Washer to remove all the temp files :)

Spybot also lets you remove things from your startup, under the advanced mode.
 
Thank you very much guys.

Apologies for not getting back sooner. I've postponed doing this ever since I created the thread, but I just got round to doing everything and I can happily say that I am spyware free now and the problems have gone away. ;)

Thanks to all those who helped!

I uninstalled Norton, installed Kaspersky 6.0 and SpySweeper, and already had CCleaner, Spybot and Ad-Aware, so I'm all kitted out now, ready to let my parents back out into the unknown. Wonder how long it will be before it gets infected again (if ever).

I must say that Kaspersky is a great program and I am really impressed by it, as well as by SpySweeper!

Thanks again :D

Whappers.
 