Ultimate spyware removal required

[BrenOS]

AVG is up to date. I've downloaded AdAware and TheCleaner and they're both not helping. I'm spyware-ed up to the hilt. I even get a nice tray bubble appear every 10 seconds (yes honestly, ten seconds) to remind me of this fact.

Please help, I cba re-installing again.

 

[The_KiD]

If your still having the problem, then please paste a HiJackThis log here and i will take a look for you.

It is important that you dont fix anything with HJT unless advised what to do by myself or someone else with HJT experience.

You can find people to trust in the ASAP link in my signature if you would prefer someone else's opinion.

 

[BrenOS]

Thanks, I'll do that in a bit.

I assume that won't get rid of this

If I click the bubble I get taken to http://www.pesttrap.com/?advid=270 in IE

Most of my popups are with IE. Infact I *think* they all are, yet FF is my default browser.

 

[BrenOS]

There was an AVG update at 9am and fingers crossed it seems to have nuked that tray icon

 

[markysparky]

"Shut down it entirely" what kind of english is that?

 

[BrenOS]

There was an AVG update at 9am and fingers crossed it seems to have nuked that tray icon

Alas, no.

 

[Rebel=UK=]

Spysweeper is great also i like Pestpatrol ( Free trial on website ) ...you have to pay for spysweeper tho. You can run a free scan i think http://www.webroot.com/

 

[The_KiD]

What you have then is a variant of the Smitfraud infection.

So here's what you need to do:

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Unzip it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

While in Safe Mode, please do the following:

Run Ewido, and run a full scan. Clean any infected files found, and save the log from the scan.

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Delete the following folders, if they exist:

C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files


Download HiJackThis (www.merijn.org) and paste a log.

Then click FIX CHECKED and close HijackThis.

Reboot into normal mode.

Please run this online virus scan: ActiveScan - Save the results from the scan!

Restart your computer once more, and please post a new HijackThis log along with the log from Ewido, and the results from ActiveScan.

Note: This is for NT based systems, XP/2000 etc, iff you are on 98 or ME then let me know

 

[BrenOS]

I did that, but something went wrong. My computer would not start in safe mode. It would crash after the "Are you sure you want to be in safe mode" bit after logon. So I got technical on it and decided to turn it off and let it have a rest. After 20 minutes kip it's rebooted normally to a plethora of sirens from ewido. I've backed up incase it goes **** up but it looks to be OK at present, that's not even having ran a scan yet. We'll soon see.

 

[ShakenNstirred]

your biggest problem is AVG
its crap.
also try spyware doctor

 

[The_KiD]

AVG is crap? in what way?

 

[ShakenNstirred]

AVG is crap? in what way?

in the way that i have had at least 3 people using it send me virus`s.
all were upto date but the virus still got on the PC`s.
i had to email them and tell them to try another virus checker,
all ran trial versions of other checkers and it picked them up straight away
so i could never trust AVG after that

 

[Darkwave]

Run HijackThis and Spybot - Search & Destroy, if they don't kill all the spyware on your system then nothing will really. As for antivirus, I hear that Kaspersky is by far the best in terms of accuracy and range of detection.

 

[bledd]

btw, avg is crap


use nod32 or kaspersky def worth the money (i use nod32)

try windows defender or ewido for spyware removal, then uninstall them after they've done the job and just use common sense.

and use firefox

create a limited account and use that instead of using admin account, so you don't have install privalages and change the admin password from blank to something else

 

[BrenOS]

Still getting a fair bit of crap.

Here's a hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 13:58:12, on 20/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\MCROSO~1\POOLSV~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Windows Media Player\wmplayer.exe
D:\Backup\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {5305004C-98F2-DB04-A514-9E1CF7EEB0E0} - C:\WINDOWS\system32\xwwzebbe.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5305004C-98F2-DB04-A514-9E1CF7EEB0E0} - C:\WINDOWS\system32\xwwzebbe.dll (file missing)
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {71EC3111-0D1D-4EDA-86D9-B33C78462257} - C:\WINDOWS\system32\mlljg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [42369398.exe] C:\WINDOWS\system32\42369398.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Otts] "C:\PROGRA~1\ICROSO~1.NET\chkdsk.exe" -vt yazr
O4 - HKCU\..\Run: [Uxwyr] C:\WINDOWS\MCROSO~1\POOLSV~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuaclt.dll
O20 - Winlogon Notify: mlljg - C:\WINDOWS\system32\mlljg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

[Otacon]

Let housecall have a butchers. And yes, ditch AVG, too many people come in here having been let down by it. Avast is a much better, free alternative.

I'll examine the log when I get home.

 

[Flibster]

Let housecall have a butchers. And yes, ditch AVG, too many people come in here having been let down by it. Avast is a much better, free alternative.

And has a XP64 version.

Simon/~Flibster

 

[ben_j_davis]

When i have trouble i always visit -

http://www.bleepingcomputer.com/forums/forum79.html

You'll need to sign up and sometimes they take a bit of time to reply but they have always sorted out my problems.

 

[Conrad11]

Have a look at his post

 

[BrenOS]

I ran SpyBot S&D and have changed AVG for avast! and I'm now clean. Very impressed. Thanks for help