Spyware removal.



#1
Goutetsu
    New Member
  • Member
  • 3 posts
...but having downloaded every bit of anti-spyware software I can find, and following the instructions from various forums (including going to safe mode etc), I'm still having the same problem.

Basically I have four items in my favourites that shouldn't be there. The ubiquitous 'Seven days of free [bleep]', 'Only sex website', 'Search the web' and a folder called 'Sites about' full of typical spam.

Every time I load up Explorer, the task bar reverts to about:blank and my AVG keeps alerting me to all sorts of Trojans, which are installing themselves on my computer. I've disabled it for the sake of this exercise.

I've tried everything and I'm desperate for help. Could any kind soul take the time to point me in the right direction? And, for the sake of interest, how does all this auto-downloading spyware work? Is this legal? What measures are being taken to eliminate the problem? Why hasn't some happy-go-lucky hacker made meals out of these gits? Thanks for your time.

Logfile of HijackThis v1.99.1
Scan saved at 01:39:48, on 21/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\netxn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Gareth John\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {979ED9FE-798C-77B1-BF79-A3BC1983DD6E} - C:\WINDOWS\atlzf32.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ehgzeswqe] C:\WINDOWS\System32\hodrxeio.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [netxn.exe] C:\WINDOWS\netxn.exe
O4 - HKLM\..\RunOnce: [wintb.exe] C:\WINDOWS\wintb.exe
O4 - HKLM\..\RunOnce: [ipon.exe] C:\WINDOWS\system32\ipon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlhome.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by Goutetsu, 20 April 2005 - 07:05 PM.

  • 0



#2
RKinner
    Malware Expert
  • Expert
  • 17,353 posts
  • MVP
Follow the procedure in:

http://www.pchell.co...lythebest.shtml

The HijackLog entries that you will need to remove are:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {979ED9FE-798C-77B1-BF79-A3BC1983DD6E} - C:\WINDOWS\atlzf32.dll
O4 - HKLM\..\Run: [ehgzeswqe] C:\WINDOWS\System32\hodrxeio.exe
O4 - HKLM\..\Run: [netxn.exe] C:\WINDOWS\netxn.exe
O4 - HKLM\..\RunOnce: [wintb.exe] C:\WINDOWS\wintb.exe
O4 - HKLM\..\RunOnce: [ipon.exe] C:\WINDOWS\system32\ipon.exe

Come back when done (or if you have any questions) and post your newest HijackThis log.

Ron
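The triage that the reply above does by eye can be written down as a small rule set. The script below is an added example, not code from the forum post or from HijackThis itself. It runs over lines copied from the log posted in this thread (with a few benign entries kept in) and flags the same 14 entries the reply lists, for three reasons: Internet Explorer search and start-page values redirected to a res:// URL inside a local DLL (about:blank is flagged only when that res:// signature is also present, since a blank home page on its own is ordinary), a browser helper object with no registered name, and an HKLM Run/RunOnce entry that launches a bare executable sitting directly in C:\WINDOWS or System32. The KNOWN_GOOD_IMAGES allow list is an assumption made for this log; a real tool would check the file's publisher signature instead.

```python
"""Rule-based triage of a HijackThis log.

Added example, not code from the forum post or from HijackThis.  It encodes
the reasoning behind the list of entries to remove in the reply above.
"""
import re
from typing import List, Tuple

# Sample input: lines copied from the log posted in this thread, with a few of
# the benign entries kept so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xmdhb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {979ED9FE-798C-77B1-BF79-A3BC1983DD6E} - C:\WINDOWS\atlzf32.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehgzeswqe] C:\WINDOWS\System32\hodrxeio.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [netxn.exe] C:\WINDOWS\netxn.exe
O4 - HKLM\..\RunOnce: [wintb.exe] C:\WINDOWS\wintb.exe
O4 - HKLM\..\RunOnce: [ipon.exe] C:\WINDOWS\system32\ipon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumption: Windows components that legitimately autorun from System32 on
# this machine.  A short allow list is enough for this log.
KNOWN_GOOD_IMAGES = {"ctfmon.exe"}

_O4_RUN = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in .exe/.dll inside an autorun command line.
_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll)', re.IGNORECASE)
# An executable sitting directly in C:\WINDOWS or C:\WINDOWS\System32.
_BARE_WINDOWS_EXE = re.compile(
    r"^[A-Za-z]:\\WINDOWS\\(?:System32\\)?[^\\]+\.exe$", re.IGNORECASE)


def _classify(line: str, res_hijack_present: bool) -> str:
    """Return a reason string if the entry should be flagged, else ''."""
    if line.startswith(("R0 - ", "R1 - ")):
        value = line.partition(" = ")[2].lower()
        if value.startswith("res://") and ".dll/" in value:
            return "IE search/start page redirected into a local DLL resource"
        if value == "about:blank" and res_hijack_present:
            return "start page blanked alongside a res:// hijack"
        return ""
    if line.startswith("R3 - ") and "URLSearchHook is missing" in line:
        return "default URLSearchHook removed"
    if line.startswith("O2 - BHO: (no name)"):
        return "browser helper object with no registered name"
    m = _O4_RUN.match(line)
    if m:
        p = _PATH.search(m.group("cmd"))
        if p and _BARE_WINDOWS_EXE.match(p.group(0)):
            image = p.group(0).rsplit("\\", 1)[1].lower()
            if image not in KNOWN_GOOD_IMAGES:
                return "autorun of a bare executable dropped into the Windows directory"
    return ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every log entry the rules flag."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # The about:blank family rewrites every search value to a res:// URL in a
    # dropped DLL; note whether that signature is present before judging
    # about:blank entries.
    res_hijack_present = any(
        ln.startswith(("R0", "R1")) and "= res://" in ln for ln in lines)
    return [(ln, _classify(ln, res_hijack_present)) for ln in lines
            if _classify(ln, res_hijack_present)]


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"[{why}]\n    {entry}")
```

Running the script prints the 14 entries from the reply above, each with the rule that caught it; everything else in the sample (the Adobe BHO, the NVIDIA and IME autoruns, AVG, ctfmon.exe and the ntl: home page) is left alone.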
  • 0

#3
RKinner
    Malware Expert
  • Expert
  • 17,353 posts
  • MVP
To answer your question about somebody fixing it: the only program that currently gets rid of this garbage is AboutBuster, which was written by a 15-year-old kid who goes by the handle of Rubber Ducky.

http://www.networkte...2/interview.php

His PayPal link:

http://www.malwareby...php?page=donate

Looking a little more closely at your infection you may not need to do more than the HijackThis and AboutBuster. The rest of the stuff is for the newer version which yours does not appear to be.

Ron
  • 0

#4
suraphol
    New Member
  • Member
  • 4 posts
Please refrain from replying to topics other than your own in the malware forum until you have been trained at GeekU
Thanks
Don

Edited by don77, 22 April 2005 - 08:50 PM.

  • 0

#5
suraphol
    New Member
  • Member
  • 4 posts
suraphol, It is site policy that members reply only to their own topic in the malware forum, Goutetsu is in the very capable hands of RKinner. Again please refrain from replying to topics in the malware forum.
Thanks
Don

  • 0

#6
Goutetsu
    New Member
  • Topic Starter
  • Member
  • 3 posts
Big, genuine thank-yous of the highest order. Everything is working 100% on my end and I'm insanely grateful. I understand that you guys do this on your own time, and I have nothing but respect for the effort you make.

Thanks again. I won't forget your generosity.

Gareth
  • 0