Got some Spyware I can't get rid of
First of all, I'd like to say thanks for such a helpful site. I don't know where us less knowledgeable folk would be without people such as yourselves (probably a mental asylum).
I had a problem with my browser automatically going to a site at www.bestwebslinks.com, then all sorts of weird stuff started happening to my computer. Anyway, I had a look through your site and saw some advice that you had given to a person who was having a similar problem. So I pretty much followed that advice and now I think the problem's fixed, but now I'm aware that I still have some more spyware and diallers on my computer that I don't know how to get rid of. Any help would be much appreciated.
Here are the steps that I took to get rid of my original problem. I think I've got all the reports if you want them posted, but some of the initial reports may have been overwritten by my latest scans, e.g. HijackThis.
Firstly, I obtained HijackThis and ran a scan, saving the report, but then overwriting this report with a subsequent scan (silly me). Hopefully, you don't need to see the original report.
I then obtained and updated where necessary smitRem, Ewido Security Suite, and Ad-Aware. I then restarted the computer in Safe Mode and ran smitRem, then Ad-Aware, then Ewido Security Suite, cleaning everything that came up. I then restarted in Normal Mode and did a Panda ActiveScan on the internet. The Panda ActiveScan came up with about 20 or so spyware infections and 2 dialler infections.
I didn't know what to do then, so I decided to post a thread in the forum, but then noticed that you require Spybot S&D to be run as well. So I downloaded that program and updated it, rebooted in Safe Mode, then ran Ad-Aware and then Spybot, which picked up a few more things. I then rebooted into Normal Mode and did another Panda ActiveScan. Now there are about 15 or so spyware items left and the 2 diallers are still there.
Can anyone help get rid of these last infections? Some advice on what programs would be best to install to try and prevent future infections would also be much appreciated.
Here's my HijackThis log. I'll also post any other logs, including the ActiveScan one if requested.
Thank you so much.
Logfile of HijackThis v1.99.1
Scan saved at 11:58:21 p.m., on 26/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Winamp\Winampa.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Setup Files\HijackThis\HijackThis.exe
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "d:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O15 - Trusted Zone: http://www.asbbank.co.nz
O15 - Trusted Zone: http://www.backuptools.co.uk
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.ps2nfo.com
O15 - Trusted Zone: http://www.short-media.com
O15 - Trusted Zone: http://www.te.co.nz
O15 - Trusted Zone: http://www.trademe.co.nz
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E643525B-D0C8-4C6E-93CC-3A4C0710BC8C}: NameServer = 203.96.152.4,203.96.152.12
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Leadtek Driver Helper Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
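The log above is the kind of thing a helper on this forum reads by hand, section by section. As an added example (editor's code, not from the original poster and not a HijackThis feature), here is a small Python parser for the HijackThis v1.99 log format that pulls out the running processes and the numbered entries, then applies a few review heuristics: an entry whose target is "(no file)" is an orphaned registry reference, O15 entries are sites the user has placed in IE's Trusted Zone, O16 entries are ActiveX controls downloaded from the web, O17 entries override the DNS servers, and an O4 autorun whose command has no full path is resolved through the search path. The heuristics and the flag wording are my assumptions about what a reviewer wants to look at first; they are not verdicts on any entry, and the sample input is a handful of lines copied from the log posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above (not a full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:58:21 p.m., on 26/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Setup Files\HijackThis\HijackThis.exe
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O15 - Trusted Zone: http://www.asbbank.co.nz
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E643525B-D0C8-4C6E-93CC-3A4C0710BC8C}: NameServer = 203.96.152.4,203.96.152.12
"""

# HijackThis entries start with a section code (R0-R3, F0-F3, O1-O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "


@dataclass
class Report:
    processes: list[str]
    entries: list[Entry]


def parse_hjt(text: str) -> Report:
    """Split a HijackThis log into the process list and the numbered entries."""
    processes: list[str] = []
    entries: list[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True  # process paths follow until the first numbered entry
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m["section"], m["body"]))
        elif in_procs:
            processes.append(line)
    return Report(processes, entries)


def triage(report: Report) -> list[tuple[str, str, str]]:
    """Return (section, reason, body) for entries a reviewer should look at first.
    These are review heuristics (my assumptions), not verdicts: every flagged
    entry still needs a human decision."""
    findings: list[tuple[str, str, str]] = []
    for e in report.entries:
        if "(no file)" in e.body:
            findings.append((e.section, "orphaned entry: registry reference whose file is gone", e.body))
        elif e.section == "O15":
            findings.append((e.section, "site in IE Trusted Zone runs with reduced security", e.body))
        elif e.section == "O16":
            findings.append((e.section, "ActiveX control downloaded from the web; confirm the source", e.body))
        elif e.section == "O17":
            findings.append((e.section, "DNS server override; confirm these belong to the user's ISP", e.body))
        elif e.section == "O4" and "\\" not in e.body.split("] ", 1)[-1]:
            # Command after the [name] has no full path, so it is resolved via the search path.
            findings.append((e.section, "autorun without a full path", e.body))
    return findings


def nameservers(report: Report) -> list[str]:
    """Collect the DNS server addresses from every O17 NameServer entry."""
    ips: list[str] = []
    for e in report.entries:
        if e.section == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", e.body)
            if m:
                ips.extend(m.group(1).split(","))
    return ips


if __name__ == "__main__":
    rep = parse_hjt(SAMPLE_LOG)
    print(f"{len(rep.processes)} processes, {len(rep.entries)} entries")
    for section, reason, body in triage(rep):
        print(f"[{section}] {reason}\n      {body}")
    print("DNS servers:", ", ".join(nameservers(rep)))
```

Run against the full log in the post, the script would flag the R3 URLSearchHook (no file), the seven O15 Trusted Zone sites, the two O16 DPF downloads, the O17 NameServer line and the C-Media Mixer O4 entry; whether each one is benign is still a judgement for the person reading the log, which is exactly why the output carries a reason rather than a verdict.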