
Need help removing spyware

thesniper60

OSNN One Post Wonder
#1
I have been having all kinds of ads that keep popping up on my computer and I can't seem to get rid of them. I have run Lavasoft Ad-Aware, a-squared, AVG Anti-Virus, Ewido anti-malware, Spybot, and XoftSpy with no success. I also can't find anything in HJT. I would appreciate any help.

Logfile of HijackThis v1.99.1
Scan saved at 4:16:41 PM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\atmclk.exe
F:\WINDOWS\system32\nvraidservice.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\System32\wbem\unsecapp.exe
F:\WINDOWS\system32\dcomcfg.exe
C:\Download\System & Utilities\AD Ware & Antivirus\hijackthis\HijackThis.exe

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - F:\WINDOWS\system32\hpF5A5.tmp
O4 - HKLM\..\Run: [NVRaidService] F:\WINDOWS\system32\nvraidservice.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
O20 - Winlogon Notify: winrvc32 - F:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

PS: Each program that I run detects and removes some files, but it just keeps coming back.

j79zlr

Glaanies script monkey
Political User
#2
This latest Vundo infection seems to be making the rounds.

Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to run it.
2. Put a check next to "Run VundoFix" as a task.
3. You will receive a message saying vundofix will close and re-open in a minute or less. Click "OK".
4. When VundoFix re-opens, click the "Scan for Vundo" button.
5. Once it's done scanning, click the "Remove Vundo" button.
6. You will receive a prompt asking if you want to remove the files, click "YES".
7. Once you click yes, your desktop will go blank as it starts removing Vundo.
8. When completed, it will prompt that it will shutdown your computer, click "OK".
9. Turn your computer back on.
10. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
 

tdinc

█▄█ ▀█▄ █
Political User
#4
This one is a bastard... follow j79zlr's instructions. Try this before using VundoFix. Caution: take your time while doing this procedure.

Download the F-Secure BlackLight http://www.f-secure.com/blacklight/try.shtml

* Save to a folder of your choice or the desktop.
* Start the program by double-clicking on its icon.

Note: While scanning, it is important to observe the following precautions:

1. Close all browser, program and Explorer windows.

2. Disconnect from the internet to prevent background programs from autoupdating during the scan.

3. Do not touch your computer (mouse & keyboard) or have any programs running other than BlackLight.

* Click Accept
* Click Scan - see Note
* When the scan is complete, press Next
* Only rename C:\WINDOWS\qaz4.txt if present, even if other hidden items are found
* Close all other programs before continuing, and then select Next -> Finish.
* Select Restart now to reboot the computer so the changes take effect
* After the reboot, the hidden items should be renamed and visible on the computer.
* Re-run BlackLight to verify that C:\WINDOWS\qaz4.txt is no longer found.

BlackLight beta creates a log file fsbl-<date-and-time>.log in the same directory as the blbeta.exe.

2. Stop and delete the service DP1112 via the command prompt

* Click start -> Run -> type cmd -> Click OK
* Type or paste sc stop DP1112 at the command prompt
* Hit enter
* Type or paste sc delete DP1112 at the command prompt
* Hit enter
* Close the command prompt window

3. Reboot to make the Vundo files visible to Windows and HJT

4. Confirm DP1112 is no longer present in the Device Manager

* Right-click My Computer
* Click Properties -->Hardware --> Device Manager
* On the toolbar menu, click View--> Show Hidden devices.
* Double-click Non-Plug and Play Drivers
* Verify that DP1112 is no longer present in the list of drivers

5. Enable viewing of hidden files and folders

6. Delete the file C:\WINDOWS\qaz4.txt.ren, which is the renamed file C:\WINDOWS\qaz4.txt

7. Delete C:\WINDOWS\system32\Drivers\DP.sys


Now follow j79zlr's instructions...
 

thesniper60

OSNN One Post Wonder
#5
I think that did the trick. Thanks a lot. :)



Logfile of HijackThis v1.99.1
Scan saved at 6:04:58 PM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Mozilla Firefox\firefox.exe
C:\Download\System & Utilities\AD Ware & Antivirus\hijackthis\HijackThis.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
 

j79zlr

Glaanies script monkey
Political User
#6
Just have HJT fix:

O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)

Reboot and you should be ok, post the new log.
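Added example, not part of the thread and not code from HijackThis or any of the tools mentioned: a small Python script that parses the two HijackThis logs posted above (excerpted and embedded inline), applies the same hand rules the helpers used here (an O2 BHO with no name whose "DLL" is a .tmp file in system32, and an O20 Winlogon Notify entry, which is a DLL loaded at every logon), and diffs the before and after logs. The flagging rules are assumptions of this example, not HijackThis's own whitelist logic; the function names `parse_hjt`, `flag_entries` and `diff_logs` are mine.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (before and after
# cleanup), reduced to the "Running processes" block and the O-entries.
LOG_BEFORE = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\atmclk.exe
F:\WINDOWS\system32\nvraidservice.exe
F:\WINDOWS\system32\dcomcfg.exe
C:\Download\System & Utilities\AD Ware & Antivirus\hijackthis\HijackThis.exe

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - F:\WINDOWS\system32\hpF5A5.tmp
O4 - HKLM\..\Run: [NVRaidService] F:\WINDOWS\system32\nvraidservice.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O20 - Winlogon Notify: winrvc32 - F:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

LOG_AFTER = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Mozilla Firefox\firefox.exe
C:\Download\System & Utilities\AD Ware & Antivirus\hijackthis\HijackThis.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
"""

# Every HJT finding looks like "O<n> - <body>".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def flag_entries(entries):
    """Hand rules used in this thread, encoded as heuristics (an assumption of
    this example, not HijackThis logic). Returns [(code, reason, body), ...]."""
    flags = []
    for code, body in entries:
        low = body.lower()
        if code == "O2" and (low.startswith("bho: nothing") or low.endswith(".tmp")):
            flags.append((code, "BHO with no name or a .tmp payload path", body))
        if code == "O20":
            if "(file missing)" in low:
                flags.append((code, "dangling Winlogon Notify registration; fix it in HJT", body))
            else:
                flags.append((code, "Winlogon Notify DLL loaded at logon; verify before trusting", body))
    return flags


def diff_logs(before_text, after_text):
    """Return the processes and entries present before cleanup but gone after."""
    b_procs, b_entries = parse_hjt(before_text)
    a_procs, a_entries = parse_hjt(after_text)
    still_running = {p.lower() for p in a_procs}
    gone_procs = [p for p in b_procs if p.lower() not in still_running]
    gone_entries = [e for e in b_entries if e not in a_entries]
    return gone_procs, gone_entries


if __name__ == "__main__":
    for code, reason, body in flag_entries(parse_hjt(LOG_BEFORE)[1]):
        print(f"[{code}] {reason}: {body}")
    gone_procs, gone_entries = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("processes no longer running:", *gone_procs, sep="\n  ")
    print("entries no longer present:", *[f"{c} - {b}" for c, b in gone_entries], sep="\n  ")
```

The diff is a review aid, not a verdict: it lists everything that changed between the two scans, so legitimate items such as the NVRaidService Run entry and the Diskeeper service show up next to the Vundo remnants, and an analyst still has to judge each line. The one rule worth keeping in mind from this thread is the O20 entry: a Winlogon Notify DLL with a "(file missing)" note is a leftover registration that HJT can remove, while one pointing at an existing, unfamiliar DLL in system32 is the part that reloads the infection at each logon.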
 
