Desperately need your advice!!

Discussion in 'Windows Desktop Systems' started by Herfstp, Apr 30, 2006.

  1. Herfstp

    Herfstp OSNN One Post Wonder

    Messages:
    5
    I am trying to get rid of what appears to be a common spyware/adware infection, but after installing and running Defender, Spybot, Spyware Doctor, and Norton AV with the latest updates, I have not managed to remove this annoyance. I'm also not sure how damaging this will continue to be on my machine - every time I run each of the aforementioned tools they seem to find more adware/spyware vulnerabilities, so I'm just not sure of their usefulness at this point. I have run HijackThis and created a log in case someone can help. Your expert advice at this stage would be most welcome. Btw the adware/spyware seems to continuously load itself into my system tray and bring up warnings about adware/spyware, then it launches web sites of all kinds. I ran msconfig and literally tried to boot the system with the bare minimum required system/program files and the adware/spyware program is still there, so I'm not sure where it has embedded itself, but wherever it is, the removal programs mentioned above cannot get rid of the pest.


    PLEASE SEE LOG BELOW:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:46:48 PM, on 4/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\InterVideo\DVD5R\SchSvr.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
    D:\Software\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {4368A581-4A1F-44B0-64A5-3746E791DF99} - C:\WINDOWS\system32\zueweqr.dll (file missing)
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp382A.tmp
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\DVD5R\SchSvr.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121090104017
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121090471966
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O17 - HKLM\System\CCS\Services\Tcpip\..\{24CE4994-5B86-49CD-8223-D1A0724619A4}: NameServer = 211.29.132.12,198.142.0.51
    O17 - HKLM\System\CS1\Services\Tcpip\..\{24CE4994-5B86-49CD-8223-D1A0724619A4}: NameServer = 211.29.132.12,198.142.0.51
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winnzy32 - C:\WINDOWS\SYSTEM32\winnzy32.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  2. technokid88

    technokid88 Part of a System Folding Team

    Messages:
    741
    Location:
    In a world without windows
  3. Herfstp

    Herfstp OSNN One Post Wonder

    Messages:
    5
    Have already run Ad-Aware without any success. Is anyone able to dissect the HijackThis log file I posted, and if so, is there anything obvious? I have looked for the Pesttrap files on my computer, no sign of the suggested infection, so it does not appear to be that - any more ideas would be welcome, thanks
     
  4. technokid88

    technokid88 Part of a System Folding Team

    Messages:
    741
    Location:
    In a world without windows
    Man, it's almost 7. I felt like resetting my laptop, and I got hit by what you're talking about, popping up Windows-style messages saying you have problems. I'm trying Ad-Aware now.. Then I'm going to try manual stuff if I can't take care of it. It's running my computer slower too. This is something new, I've never seen this one before. It's not the Pesttrap one... some file called winsrv32.exe in the system folder is doing it I think. Then it tries to take you to the anitspylap site
     
  5. Herfstp

    Herfstp OSNN One Post Wonder

    Messages:
    5
    Sounds familiar. As I mentioned, I have literally tried most adware/spyware removal tools at this point and nothing is working - it somehow uses a system startup file to execute its ongoing payload of web ads for spyware sw and porn sites from time to time - it's just maddening not being able to find it in the system. I have searched HKLM/HKCU strings with no luck either - let me know if you find a cure, thanks
     
  6. Herfstp

    Herfstp OSNN One Post Wonder

    Messages:
    5
    See attached screen capture of the pop ups in the system tray in the right hand corner - one of the warnings appears in red, the other in yellow, both spawn ad web sites, some to do with adware, others to do with porn sites!!
     


  7. technokid88

    technokid88 Part of a System Folding Team

    Messages:
    741
    Location:
    In a world without windows
    I just got it so I'm running Ad-Aware right now. I stopped Defender since I like Ad-Aware better; after that I'm going to run this prog in safe mode.

    After you open the program, go into safe mode by F8 and run the file runthis.bat in safe mode. After it's done, restart back into normal Windows.. see if that works.. I'm going to try it after I get Ad-Aware done.
     
    Last edited by a moderator: Apr 30, 2014
  8. technokid88

    technokid88 Part of a System Folding Team

    Messages:
    741
    Location:
    In a world without windows
    From your pics it's the same crap I got.
    It also put an X on my NIS, but it's on, I think it just puts the X on the program pic. This is a screen shot of my desktop
     


  9. Herfstp

    Herfstp OSNN One Post Wonder

    Messages:
    5
    What is SmitRem.exe, where is it from?
     
  10. technokid88

    technokid88 Part of a System Folding Team

    Messages:
    741
    Location:
    In a world without windows
    I found it on a forum a while back and it worked for me before.

    Also I noticed two programs trying to go out on my PC. One was
    winsrv32.exe, I blocked that, and there was another one I let go and now it's all hell...
     
    Last edited: Apr 30, 2006
  11. technokid88

    technokid88 Part of a System Folding Team

    Messages:
    741
    Location:
    In a world without windows
    ADUENT virus is one of them I got. The other one I'm looking for.
     
  12. technokid88

    technokid88 Part of a System Folding Team

    Messages:
    741
    Location:
    In a world without windows
  13. damnyank

    damnyank I WILL NOT FORGET 911

    Messages:
    2,359
    Location:
    Petal, Mississippi
    For what it is worth - I have had some luck with the Ewido antimalware program. Free full blown trial for 14 days and then you can buy it - or lose all the auto-updating etc and just manually update it and manually run scans with it!

    Click here!
     
  14. ShepsCrook

    ShepsCrook Red Sox Fan!

    Messages:
    1,489
    Location:
    Knightdale
    I used Adaware, Spybot, and Spysweeper, but I did not have this problem. My machine generally stays secure...
     
  15. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
    If you have not already, use CCleaner http://www.ccleaner.com/ccdownload.asp
    and Clean out any temp files and cookies.
    ------------------------------------------------
    You have some issues:
    Remove these lines

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...osearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com


    now...

    Uninstall this program via windows control panel add remove program

    Yazzle Sudoku by OIN

    and now delete this line from your HijackThis log:

    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/Yazzl...cab?refid=1162


    ---------------------------
    you also have a smitfraud related trojan on your system..

    C:\WINDOWS\system32\atmclk.exe


    Download a-squared Free.
    http://www.emsisoft.com/en/software/download/

    Follow the instructions. Make sure you update to the latest definitions before you scan. Run a scan and see if it detects "atmclk.exe" and its root. After a complete scan, remove the trojan.

    Also, before you do, Run CCleaner to remove cookies and temp file and repost a new log.
     
    Last edited: Apr 30, 2006
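The entries tdinc singles out (start/search pages pointed at prosearching.com, the Yazzle O16 download, the unnamed BHO loaded from a .tmp file, and the unknown winnzy32 Winlogon Notify DLL) can be triaged mechanically. The script below is an added example and not part of this thread: it parses HijackThis-format lines and flags those patterns; the trusted-host and known-DLL allowlists are assumptions for this particular machine, and the sample lines are constructed from the posted log.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 format (a subset of the log posted above).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=prosearching.com
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp382A.tmp
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winnzy32 - C:\WINDOWS\SYSTEM32\winnzy32.dll
"""
# Assumed allowlists (vendors visible in the posted log); real triage uses what the owner expects.
TRUSTED_HOSTS = ("microsoft.com", "google.com")
KNOWN_NOTIFY_DLLS = {"wgalogon.dll", "navlogon.dll"}

def host_of(value):
    # Accept a bare domain as well as a full URL; return the lower-cased host.
    value = value.strip()
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def flag(line):
    """Return why a HijackThis line looks suspicious, or None if it passes."""
    m = re.match(r"(R[0-3]|O\d+) - (.*)", line)
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and " = " in body:
        # Start/search page pointing at, or embedding, an untrusted host is a hijack sign.
        target = body.split(" = ", 1)[1]
        hosts = [host_of(target)] + re.findall(r"homepage=([\w.-]+)", target)
        bad = [h for h in hosts if h and not trusted(h)]
        if bad:
            return "browser page hijacked to " + ", ".join(bad)
    elif section == "O2" and body.lower().endswith(".tmp"):
        return "BHO loaded from a .tmp file"
    elif section == "O16":
        host = host_of(body.rsplit(" - ", 1)[1])
        if not trusted(host):
            return "ActiveX download from untrusted host " + host
    elif section == "O20":
        dll = body.rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_NOTIFY_DLLS:
            return "unknown Winlogon Notify DLL " + dll
    return None

def triage(log_text):
    # Map each suspicious log line to the reason it was flagged.
    return {ln: flag(ln) for ln in log_text.strip().splitlines() if flag(ln)}
```

Running `triage(SAMPLE_LOG)` flags five of the seven lines and leaves the Microsoft Update control and WgaLogon.dll alone; a line it does not understand (O4, O8, O23) is simply passed through as clean, so it narrows the log rather than replacing a human read of it.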
  16. technokid88

    technokid88 Part of a System Folding Team

    Messages:
    741
    Location:
    In a world without windows
    A-squared and ccleaner worked fine for me, took care of the problems.