Yo...

My friend's pc is totally infected with spyware

I wanted to help him but I'm not sure what to delete so you guys are (again) the only who can help

this is his last hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:25 PM, on 3/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\atiptaxx.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\buh\Alex's stuff\QMAgent.exe
D:\PROGRA~1\Toolbar\PIB.exe
D:\PROGRA~1\Toolbar\TBPSSvc.exe
D:\Program Files\Common Files\WinTools\WSup.exe
D:\Program Files\Common Files\WinTools\WToolsS.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\psskibll6.exe
D:\PROGRA~1\Toolbar\TBPS.exe
D:\Program Files\Common Files\WinTools\WToolsA.exe
D:\Documents and Settings\admin\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D88FD7F-58F1-C862-6C77-150EC1D61470} - (no file)
O2 - BHO: (no name) - {829E82E2-C4E4-9751-D214-BC949F591B50} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - D:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {9796A318-F3D5-ADCD-D69B-2204E5303049} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QMusic2] "C:\buh\Alex's stuff\QMAgent.exe"
O4 - HKLM\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinTools] D:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [__GSCAdditionalInstallation__] "C:\games\alexander\SetupDemo.exe" -AdditionalInstall
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Unknown owner - c:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE (file missing)
O23 - Service: kigtetxzfqrz (jaxuetmb6) - Unknown owner - D:\WINDOWS\System32\psskibll6.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - D:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - D:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: Remote Procedure Call (RPC) Helper (�%AF�����) - Unknown owner - D:\WINDOWS\system32\sdkmh.exe (file missing)

Thanks in advance!

You've got a few things going on here so this may take a few steps. Let's get rid of Wintools first. It's the most disruptive.

Wintools may have an entry in the Add/Remove Programs Control Panel. If so, it may be easy to get rid of. If not, there are still ways to remove it from your system.

For either solution:


Reboot into Safe Mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.


Once in Safe Mode:
Click on the Start Button, Control Panel. Double-click on Administrative Tools then on Services.
Look for a service called Wintools for IE Service. double-click it to open, then click the Stop button and change the "Startup type" to Disabled.
(If the service is not there, no worries...all the better!)

Next, right-click on the Windows Taskbar and select Task Manager.
In the Processes tab, look for WToolsA.exe, WToolsS.exe and WSup.exe. If any or all of these exist, right-click on each one and select End Process Tree, and answer affirmatively to any confirmation questions.

At this point, you can check the Add/Remove Programs Control Panel. If there is an uninstaller for Wintools, try running it now. I would still recommend proceeding through the rest of this fix even if there is an uninstaller, however.

Now, please open a command prompt (Start button -> Run, type cmd and click "OK"). at the prompt, type
regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" then <ENTER>.
Then type exit to close the command prompt window.

Now, we can proceed to delete these directories, located at:

C:\Program Files\Common Files\WinTools <-- Delete the BOLD directory.
C:\Program Files\Toolbar <-- Delete the BOLD directory.


Reboot and post a new hijackthis log.

Thank you very much for the quick reply Buckeye_Sam!

We've followed all your instructions, wintools is gone now :thumbsup:

This is his new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:35 PM, on 3/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\atiptaxx.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\buh\Alex's stuff\QMAgent.exe
D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\admin\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D88FD7F-58F1-C862-6C77-150EC1D61470} - (no file)
O2 - BHO: (no name) - {829E82E2-C4E4-9751-D214-BC949F591B50} - (no file)
O2 - BHO: (no name) - {9796A318-F3D5-ADCD-D69B-2204E5303049} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QMusic2] "C:\buh\Alex's stuff\QMAgent.exe"
O4 - HKLM\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [__GSCAdditionalInstallation__] "C:\games\alexander\SetupDemo.exe" -AdditionalInstall
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Unknown owner - c:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper (�%AF�����) - Unknown owner - D:\WINDOWS\system32\sdkmh.exe (file missing)

Good job!


Download cwsserviceremove.zip:
http://lineofire.geekstogo.com/cwsserviceremove.zip

After unzipping, a cwsserviceremove.reg file is created inside the folder. Double click on the cwsserviceemove.reg Answer �Yes� when asked to have its contents added to the Registry.



Download LSPFix from http://www.cexx.org/lspfix.zip and run it.

Check the I know what I'm doing box.

In the Keep box you should see one or more instances of the following files.

aklsp.dll
dolsp.dll

Select every instance of these 2 files, but no others, and move each one to the Remove box by clicking the >> button.

When you are done click Finish>>.



Reboot and post a new hijackthis log. How are things running after these two fixes?

Yo Buckeye_Sam... Yesterday while I was waiting for your reply I tried to solve the rest of the problem. I already had this LSPfix here (from another infection :D) so I tried using it to remove those DLL's... It worked just fine and everything is ok now.

Thank you once again for your help. It's very nice to know that some people still help others simply for the pleasure of helping in this f***ed-up capitalist world... :thumbsup:Thank you buddy.