Need help removing spyware

Discussion in 'Windows Desktop Systems' started by thesniper60, May 22, 2006.

  1. thesniper60 (OSNN One Post Wonder)
    I have been having all kinds of ads that keep popping up on my computer and I can't seem to get rid of them. I have run Lavasoft Ad-Aware, a-squared, AVG Anti-Virus, ewido anti-malware, Spybot, and XoftSpy with no success. I also can't find anything in HJT. I would appreciate any help.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:16:41 PM, on 5/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\atmclk.exe
    F:\WINDOWS\system32\nvraidservice.exe
    F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    F:\WINDOWS\System32\wbem\unsecapp.exe
    F:\WINDOWS\system32\dcomcfg.exe
    C:\Download\System & Utilities\AD Ware & Antivirus\hijackthis\HijackThis.exe

    O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - F:\WINDOWS\system32\hpF5A5.tmp
    O4 - HKLM\..\Run: [NVRaidService] F:\WINDOWS\system32\nvraidservice.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
    O20 - Winlogon Notify: winrvc32 - F:\WINDOWS\SYSTEM32\winrvc32.dll
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

    PS: Each program that I run detects and removes some files, but it just keeps coming back.
    Last edited: May 22, 2006
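    As an added example (not from this thread and not part of HijackThis itself), the script below does the kind of first-pass triage a helper does by eye on the log above: it pulls out the O2 BHO that loads from a .tmp file in system32, the O20 Winlogon Notify package that is not one of the standard XP notify DLLs (or whose DLL is missing), and any system32 process that is not in the Windows core set. The sample log is constructed from the entries posted in this thread; the two allow-lists are my assumptions about a clean XP SP2 install, not anything the thread states.

```python
"""Triage a HijackThis 1.99 log for the entry types the infection in this
thread used: an O2 BHO loaded from a .tmp file in system32, O20 Winlogon
Notify packages that are unknown or point at a missing DLL, and running
processes in system32 that are not part of the Windows core set."""
import re
from collections import defaultdict

# Constructed sample: entries taken from the two logs posted in this thread,
# merged into one log so that both the live DLL and the later "(file missing)"
# leftover appear.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:16:41 PM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\atmclk.exe
F:\WINDOWS\system32\nvraidservice.exe
F:\WINDOWS\system32\dcomcfg.exe
C:\Download\System & Utilities\AD Ware & Antivirus\hijackthis\HijackThis.exe

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - F:\WINDOWS\system32\hpF5A5.tmp
O4 - HKLM\..\Run: [NVRaidService] F:\WINDOWS\system32\nvraidservice.exe
O20 - Winlogon Notify: winrvc32 - F:\WINDOWS\SYSTEM32\winrvc32.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# Assumption: Winlogon Notify packages present on a clean XP SP2 install.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Assumption: core system32 binaries expected in every XP process list.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_log(text):
    """Split an HJT log into its process list and a list of (section, body) entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return {finding_kind: [raw entries]} for the entries worth a second look."""
    findings = defaultdict(list)
    processes, entries = parse_log(text)
    for proc in processes:
        if "\\system32\\" in proc.lower():
            name = proc.rsplit("\\", 1)[-1].lower()
            if name not in CORE_SYSTEM32:
                findings["unexpected_system32_process"].append(proc)
    for section, body in entries:
        parts = [p.strip() for p in body.split(" - ")]
        if section == "O2":
            # O2 - BHO: <name> - {CLSID} - <path>
            name, path = parts[0].replace("BHO:", "").strip(), parts[-1]
            if path.lower().endswith(".tmp") or name.lower() in {"nothing", "(no name)"}:
                findings["suspicious_bho"].append(body)
        elif section == "O20":
            # O20 - Winlogon Notify: <name> - <path>
            name = parts[0].replace("Winlogon Notify:", "").strip().lower()
            path = parts[-1]
            if "(file missing)" in path or name not in KNOWN_NOTIFY:
                findings["winlogon_notify"].append(body)
    return dict(findings)


def report(findings):
    """Render findings as text, one line per flagged entry."""
    lines = []
    for kind, items in sorted(findings.items()):
        lines.append(f"[{kind}]")
        lines.extend(f"  {item}" for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

    Everything the script flags is a candidate for review, not a verdict: nvraidservice.exe lands on the process list only because the core allow-list is deliberately small, and its O4 entry and vendor name make it easy to clear. The entries that actually matter here are the BHO with no name loading a .tmp file and the Winlogon Notify package that is not one of the standard ones; the second O20 line, with "(file missing)", is the orphaned registry entry that the last post in this thread tells HijackThis to fix once the DLL itself is gone.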
  2. j79zlr (Glaanies script monkey, Political User, Chicago)
    This latest Vundo infection seems to be making the rounds.

    Please download VundoFix.exe to your desktop.
    1. Double-click VundoFix.exe to run it.
    2. Put a check next to "Run VundoFix" as a task.
    3. You will receive a message saying vundofix will close and re-open in a minute or less. Click "OK".
    4. When VundoFix re-opens, click the "Scan for Vundo" button.
    5. Once it's done scanning, click the "Remove Vundo" button.
    6. You will receive a prompt asking if you want to remove the files, click "YES".
    7. Once you click yes, your desktop will go blank as it starts removing Vundo.
    8. When completed, it will prompt that it will shutdown your computer, click "OK".
    9. Turn your computer back on.
    10. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     
  3. thesniper60 (OSNN One Post Wonder)
    I tried running the VundoFix.exe, but I've waited for 5 minutes and nothing happens.
     
  4. tdinc (Political User, Sterling Heights, MICHIGAN)
    This one is a bastard... follow j79zlr's instructions. Try this before using VundoFix. Caution: take your time while doing this procedure.

    1. Download the F-Secure BlackLight http://www.f-secure.com/blacklight/try.shtml

    * Save to a folder of your choice or the desktop.
    * Start the program by double-clicking on its icon.

    Note: While scanning, it is important to observe the following precautions:

    1. Close all browser, program and Explorer windows.

    2. Disconnect from the internet to prevent background programs from autoupdating during the scan.

    3. Do not touch your computer (mouse & keyboard) or have any programs running other than BlackLight.

    * Click Accept
    * Click Scan - see Note
    * When the scan is complete, press Next
    * Only rename C:\WINDOWS\qaz4.txt if present, even if other hidden items are found
    * Close all other programs before continuing, and then select Next -> Finish.
    * Select Restart now to reboot the computer so the changes take effect
    * After the reboot, the hidden items should be renamed and visible on the computer.
    * Re-run BlackLight to verify that C:\WINDOWS\qaz4.txt is no longer found.

    BlackLight beta creates a log file fsbl-<date-and-time>.log in the same directory as the blbeta.exe.

    2. Stop and delete the service DP1112 via the command prompt

    * Click start -> Run -> type cmd -> Click OK
    * Type or paste sc stop DP1112 at the command prompt
    * Hit enter
    * Type or paste sc delete DP1112 at the command prompt
    * Hit enter
    * Close the command prompt window

    3. Reboot to make the Vundo files visible to Windows and HJT

    4. Confirm DP1112 is no longer present in the Device Manager

    * Right-click My Computer
    * Click Properties -->Hardware --> Device Manager
    * On the toolbar menu, click View--> Show Hidden devices.
    * Double-click Non-Plug and Play Drivers
    * Verify that DP1112 is no longer present in the list of drivers

    5. Enable viewing of hidden files and folders

    6. Delete the file C:\WINDOWS\qaz4.txt.ren, which is the renamed file C:\WINDOWS\qaz4.txt

    7. Delete C:\WINDOWS\system32\Drivers\DP.sys


    Now follow j79zlr's instructions...
     
  5. thesniper60 (OSNN One Post Wonder)
    I think that did the trick. Thanks a lot. :)

    Logfile of HijackThis v1.99.1
    Scan saved at 6:04:58 PM, on 5/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\Explorer.EXE
    F:\Program Files\Mozilla Firefox\firefox.exe
    C:\Download\System & Utilities\AD Ware & Antivirus\hijackthis\HijackThis.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
    O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
     
  6. j79zlr (Glaanies script monkey, Political User, Chicago)
    Just have HJT fix:

    O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)

    Reboot and you should be OK; post the new log.