System suddenly full of adware

I don't know what's going on, but my system is suddenly full of Adware pop ups and unwanted utilities. I was running my weekly Spybot Search and Destroy Scan and I downloaded the latest definitions. It seems that along with all the new definitions, I've got a load of crap too. Spybot seems unable to get rid of it, and so does Windows Defender. Note: I don't use torrents, warez or any file-sharing utilities. The only way I can think this stuff has got in is through Spybot S&D which is quite ironic really.

I've unchecked all the unwanted stuff on msconfig's startup tab, and uninstalled everything I can find on Add/Remove programs. What else can I do to rid my PC of all this crap?
 
Run two of the most popular anti-spyware programs to start with. First is Spybot [which you have], second is Ad-aware. What one misses the other finds and vice versa. Another good one is Spysweeper by Webroot [not a freebie] but is very good and currently scans for 145,000 items of crap.
 
thanks for the replies. :)

I've already done another Spybot scan, and an Adaware scan, and another Windows Defender scan. Every time I scan something new is detected! :eek:

I'm now downloading AVG anti-spyware, and I've run the HijackThis Log file creator as recommended by modo77. Here is what it came up with:
Code:
Logfile of HijackThis v1.99.1
Scan saved at 21:34:49, on 09/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\WINDOWS\system32\rundll32.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Windows Defender\MSASCui.exe
G:\Program Files\Detector\CTDetect.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
F:\WINDOWS\System32\svchost.exe
F:\DOCUME~1\Danny\APPLIC~1\SMANTE~1\mmc.exe
G:\Program Files\WallMaster\wallmast.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\system32\ISHOST.EXE
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Common Files\??sks\?ervices.exe
F:\WINDOWS\system32\ismini.exe
F:\WINDOWS\explorer.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Microsoft Office\Office\WINWORD.EXE
G:\Program Files\firefox.exe
F:\DOCUME~1\Danny\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {9DCDFB64-35A5-2E18-835B-6F7364320393} - F:\WINDOWS\system32\gvgnivo.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Safety Bar - {18668683-731c-48fa-b1b9-ad013748fb00} - F:\Program Files\Safety Bar\SafetyBar.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - F:\PROGRA~1\COMMON~1\{38B44~1\Bar888.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CTDrive] rundll32.exe F:\WINDOWS\system32\drvhar.dll,startup
O4 - HKLM\..\Run: [sruusxm.dll] F:\WINDOWS\system32\rundll32.exe F:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\RunOnce: [AAW] "G:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Creative Detector] G:\Program Files\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "F:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [Euedcb] F:\Program Files\Common Files\??sks\?ervices.exe
O4 - HKCU\..\Run: [Econ] "F:\DOCUME~1\Danny\APPLIC~1\SMANTE~1\mmc.exe" -vt ndrv
O4 - Startup: WallMaster.lnk = G:\Program Files\WallMaster\wallmast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2404.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/gba851.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:       
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: gloomily - {9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f} - F:\WINDOWS\system32\mlraakb.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe

On the online logfile analysis there are 3 'nasty', 1 'possibly nasty', and a few 'unknown'.

Just to add insult to injury, I can't open IE7 anymore as it crashes every time, so I'm using Firefox.
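
The kind of first-pass triage an online HijackThis log analyser performs, sketched as an added example (not part of the original posts and not HijackThis's own logic). The three heuristics, the `SYSTEM_NAMES` list and the function names are assumptions; the sample lines are modelled on the log above, with a constructed download URL on a documentation address. A hit means "check this entry by hand", not "this is malware".

```python
import re
from urllib.parse import urlparse

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - <details>"
BBCODE = re.compile(r"\[/?url\]", re.I)           # residue from forum-pasted logs
WIN_PATH = re.compile(r'[A-Za-z]:\\[^",]+')       # drive-letter paths
EXE_NAME = re.compile(r"\\([^\\]+?\.exe)", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Windows binaries that normally live under \system32\ (assumed short list).
SYSTEM_NAMES = {"mmc.exe", "services.exe", "svchost.exe", "lsass.exe"}

def review_reasons(line):
    """Return the reasons one log entry deserves a manual look (may be empty)."""
    m = ENTRY.match(BBCODE.sub("", line.strip()))
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    for path in WIN_PATH.findall(body):
        if "?" in path:
            reasons.append("path has characters the logger could not render")
        for exe in EXE_NAME.findall(path):
            if exe.lower() in SYSTEM_NAMES and "\\system32\\" not in path.lower():
                reasons.append(f"{exe} runs from outside system32")
    url = re.search(r"https?://\S+", body)
    if section == "O16" and url and IPV4.match(urlparse(url.group()).hostname or ""):
        reasons.append("ActiveX component downloaded from a bare IP address")
    return reasons

def triage(log_text):
    """Return (line, reasons) for every entry with at least one reason."""
    hits = [(line.strip(), review_reasons(line)) for line in log_text.splitlines()]
    return [(line, why) for line, why in hits if why]

# Sample entries modelled on the posted log; the last URL is constructed.
SAMPLE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Euedcb] F:\Program Files\Common Files\??sks\?ervices.exe
O4 - HKCU\..\Run: [Econ] "F:\DOCUME~1\Danny\APPLIC~1\SMANTE~1\mmc.exe" -vt ndrv
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [url]http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab[/url]
O16 - DPF: {00000000-0000-0000-0000-000000000000} - [url]http://192.0.2.10/1/example.exe[/url]
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE):
        print(line, "->", "; ".join(reasons))
```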
 
^^ I'm not surprised you got a few nasties matey, according to the HijackThis report website it says you don't have any firewall or AV running. Might be an idea to start using them ;)
 
bikes said:
^^ I'm not surprised you got a few nasties matey, according to the HijackThis report website it says you don't have any firewall or AV running. Might be an idea to start using them ;)

I've never run a firewall or AV and never had any problems before - and I know how noobish that sounds ;). I just used Spybot once a week or so and it very rarely detected anything and if it did it dealt with it. Then all this happened. I had Avast once but it just seemed to slow everything down needlessly.

Could you recommend any free AV software, if there is such a thing?

I've now run a scan on all the recommended antispyware packages and nothing has cleared the major problems. I still have random icons flashing at me in the taskbar and IE keeps crashing. :mad:
 
p4radox said:
I've never run a firewall or AV and never had any problems before - and I know how noobish that sounds ;). I just used Spybot once a week or so and it very rarely detected anything and if it did it dealt with it. Then all this happened. I had Avast once but it just seemed to slow everything down needlessly.

Could you recommend any free AV software, if there is such a thing?

I've now run a scan on all the recommended antispyware packages and nothing has cleared the major problems. I still have random icons flashing at me in the taskbar and IE keeps crashing. :mad:

Best free AV software is probably AVG.

Get it from www.grisoft.com I believe.
 
Forget the free AV for now as it sounds like you have a virus. I'd download a trial of NOD32 (which is the best paid-for AV). That way it should give you a better chance of detecting/removing it.

Update NOD32 and your antispyware apps. Reboot in safe mode, without the net connected, and run a full scan on everything. Also run HijackThis again and fix those entries if you don't know what they are (it can give false positives).

Then reboot and pray. I won't bother telling you off for not having protection :p

Let us know how it goes.
 
Avast for some users doesn't work so well, I would use AVG as I notice Avast has slowed down my PC a bit. But I'm switching to AVG either on Sunday or Monday. When I have reformatted :).
 
p4radox said:
I've never run a firewall or AV and never had any problems before - and I know how noobish that sounds ;). I just used Spybot once a week or so and it very rarely detected anything and if it did it dealt with it. Then all this happened. I had Avast once but it just seemed to slow everything down needlessly.

Could you recommend any free AV software, if there is such a thing?

I've now run a scan on all the recommended antispyware packages and nothing has cleared the major problems. I still have random icons flashing at me in the taskbar and IE keeps crashing. :mad:

Comodo Firewall 2.3 Rated Top Overall Personal Firewall
Jersey City, NJ (Dec 4, 2006) - Comodo, a leading provider of Identity and Trust Assurance Management solutions, today announced that Comodo Firewall 2.3 has been rated as the top firewall product in a recent independent test of the security capabilities of major personal firewalls. The analysis, conducted by security specialists Matousec, http://www.matousec.com/projects/wi...ysis/leak-tests-results.php#firewalls-ratings tested 21 of the most popular firewall programs available (including paid versions from Norton, Zone Alarm and McAfee) with an array of leak testing programs to determine which product provided the best protection. The results confirm that Comodo Firewall 2.3 is the most secure personal firewall solution in the marketplace. Comodo Personal Firewall 2.3 is currently available with a free license. This highly rated security product is designed to be easy to use "out of the box"
http://www.comodogroup.com/news/press_releases/04_12_06.html
The firewall is ace & the AV has not let me down yet & they have other free stuff as well.
 
bikes said:
You sure about this?

I've had Nod32 & now use Kaspersky :D

Well they are both as good as each other. And nod has come out top of the monthly detection figures for about 40 months running.
 
You're really asking for PC problems by not using an anti-virus program. You could maybe get away with it years ago, but not now. You will eventually get hit. There's all sorts of things lurking on servers and webpages nowadays. Spybot and the likes don't check for viruses... they check for spyware, different thing. I would recommend AVG as a freebie, this is good and will detect most things. I use Zone Alarm for a firewall and is good but I do like the sound of this Comodo though. I'll have to check it out.

ps. If you download lots of stuff like I do, why run the chance of losing it all by not having an anti-virus & firewall? If you have a hard drive full of stuff and you get a virus, you could lose the lot. Not worth it taking the chance m8.
 
turn off system restore
ccleaner slim
nod32 trial
defender
adaware
spybot

I don't use any AV either, but do have a router + firewall, just careful what I do
 