Need help removing spyware

thesniper60

I have been having all kinds of ads that keep popping up on my computer and I can't seem to get rid of them. I have run lavasoft adware, a-squared, AVG anti virus, ewido anti-malware, Spybot, and Xoft Spy with no success. I also can't find anything in HJT. I would appreciate any help.

Logfile of HijackThis v1.99.1
Scan saved at 4:16:41 PM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\atmclk.exe
F:\WINDOWS\system32\nvraidservice.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\System32\wbem\unsecapp.exe
F:\WINDOWS\system32\dcomcfg.exe
C:\Download\System & Utilities\AD Ware & Antivirus\hijackthis\HijackThis.exe

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - F:\WINDOWS\system32\hpF5A5.tmp
O4 - HKLM\..\Run: [NVRaidService] F:\WINDOWS\system32\nvraidservice.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
O20 - Winlogon Notify: winrvc32 - F:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

P.S. Each program that I run detects and removes some files, but it just keeps coming back.
 
This latest Vundo infection seems to be making the rounds.

Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to run it.
2. Put a check next to "Run VundoFix" as a task.
3. You will receive a message saying VundoFix will close and re-open in a minute or less. Click "OK".
4. When VundoFix re-opens, click the "Scan for Vundo" button.
5. Once it's done scanning, click the "Remove Vundo" button.
6. You will receive a prompt asking if you want to remove the files, click "YES".
7. Once you click yes, your desktop will go blank as it starts removing Vundo.
8. When completed, it will prompt that it will shutdown your computer, click "OK".
9. Turn your computer back on.
10. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
 
This one is a bastard... follow j79zlr's instructions. Try this before using VundoFix. Caution: take your time while doing this procedure.

Download the F-Secure BlackLight http://www.f-secure.com/blacklight/try.shtml

* Save to a folder of your choice or the desktop.
* Start the program by double-clicking on its icon.

Note: While scanning, it is important to observe the following precautions:

1. Close all browser, program and Explorer windows.

2. Disconnect from the internet to prevent background programs from autoupdating during the scan.

3. Do not touch your computer (mouse & keyboard) or have any programs running other than BlackLight

* Click Accept
* Click Scan - see Note
* When the scan is complete, press Next
* Only rename C:\WINDOWS\qaz4.txt if present, even if other hidden items are found
* Close all other programs before continuing, and then select Next -> Finish.
* Select Restart now to reboot the computer so the changes take effect
* After the reboot, the hidden items should be renamed and visible on the computer.
* Re-run BlackLight to verify that C:\WINDOWS\qaz4.txt is no longer found.

BlackLight beta creates a log file fsbl-<date-and-time>.log in the same directory as the blbeta.exe.

2. Stop and delete the service DP1112 via the command prompt

* Click start -> Run -> type cmd -> Click OK
* Type or paste sc stop DP1112 at the command prompt
* Hit enter
* Type or paste sc delete DP1112 at the command prompt
* Hit enter
* Close the command prompt window

3. Reboot to make the Vundo files visible to Windows and HJT

4. Confirm DP1112 is no longer present in the Device Manager

* Right-click My Computer
* Click Properties --> Hardware --> Device Manager
* On the toolbar menu, click View --> Show Hidden devices.
* Double-click Non-Plug and Play Drivers
* Verify that DP1112 is no longer present in the list of drivers

5. Enable viewing of hidden files and folders

6. Delete the file C:\WINDOWS\qaz4.txt.ren, which is the renamed file C:\WINDOWS\qaz4.txt

7. Delete C:\WINDOWS\system32\Drivers\DP.sys


Now follow j79zlr's instructions...
 
I think that did the trick. Thanks a lot. :)



Logfile of HijackThis v1.99.1
Scan saved at 6:04:58 PM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Mozilla Firefox\firefox.exe
C:\Download\System & Utilities\AD Ware & Antivirus\hijackthis\HijackThis.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
 
Just have HJT fix:

O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)

Reboot and you should be ok, post the new log.
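
Added example, not part of the original thread: a Python sketch that compares the first and second HijackThis logs posted above and lists which running processes and entries disappeared after cleanup, and which entries remain as "(file missing)" orphans. The log excerpts are shortened from the thread, the function names are illustrative, and the script reports what changed, not which items were malicious.

```python
import re

ENTRY = re.compile(r"^([ORFN]\d+) - (.+)$")  # e.g. "O20 - Winlogon Notify: ..."

def parse_hjt(log):
    """Split a HijackThis log into running processes and keyed entries."""
    procs, entries, in_procs = set(), {}, False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False                  # blank line ends the process list
        elif in_procs:
            procs.add(line.lower())           # Windows paths are case-insensitive
        elif (m := ENTRY.match(line)):
            # Key on section + name so a "(file missing)" variant still pairs up
            entries[(m.group(1), m.group(2).split(" - ")[0])] = m.group(2)
    return procs, entries

def compare(before, after):
    (p0, e0), (p1, e1) = parse_hjt(before), parse_hjt(after)
    return {
        "procs_gone": sorted(p0 - p1),
        "entries_gone": sorted(k for k in e0 if k not in e1),
        "orphans": sorted(k for k, v in e1.items() if v.endswith("(file missing)")),
    }

# Excerpts of the two logs posted in this thread (shortened)
BEFORE = r"""
Running processes:
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\atmclk.exe
F:\WINDOWS\system32\dcomcfg.exe

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - F:\WINDOWS\system32\hpF5A5.tmp
O4 - HKLM\..\Run: [NVRaidService] F:\WINDOWS\system32\nvraidservice.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: winrvc32 - F:\WINDOWS\SYSTEM32\winrvc32.dll
"""
AFTER = r"""
Running processes:
F:\WINDOWS\Explorer.EXE
F:\Program Files\Mozilla Firefox\firefox.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
"""

if __name__ == "__main__": print(compare(BEFORE, AFTER))
```

The "orphans" list corresponds to the entry the last reply asks to have HJT fix: the registry reference is still there although the file it pointed to is gone.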
 
