Author Topic: Spyware help (Read 34127 times)

krez · « **on:** May 26, 2007, 10:12:13 AM »

I got these annoying popups, dont know where they came from. Ive done spyware scans with adaware, spybot, symantec antivirus and microsoft antispyware. The popups keep coming and its annoying as hell. Anyone know what to do? If I could only get my hands around the neck of the person who coded this shit.

Quest · « **Reply #1 on:** May 26, 2007, 10:42:13 AM »

http://www.switch2firefox.com/

nuff said.

ĄƦçɧąɳɠҾԼ · « **Reply #2 on:** May 26, 2007, 02:49:55 PM »

Get HijackThis from the link below, then run a scan and save the log and close it.

[BTF] Reflex · « **Reply #3 on:** May 26, 2007, 03:58:38 PM »

I just get really good at reinstalling windows

DWxchzrles · « **Reply #4 on:** May 26, 2007, 04:33:43 PM »

Quote from: [BTF] Reflex on May 26, 2007, 03:58:38 PM

I just get really good at reinstalling windows

Kingsize · « **Reply #5 on:** May 26, 2007, 06:06:58 PM »

Quote from: krez on May 26, 2007, 10:12:13 AM

I got these annoying popups, dont know where they came from. Ive done spyware scans with adaware, spybot, symantec antivirus and microsoft antispyware. The popups keep coming and its annoying as hell. Anyone know what to do? If I could only get my hands around the neck of the person who coded this shit.

Might be those messenger popups.Go to Start/Run and type services.msc then find under name messenger in the services window,right click then properties.Under the general tab click stop and startup type disabled,apply,ok.

krez · « **Reply #6 on:** May 27, 2007, 10:54:09 AM »

Thanks for the replies, ive installed firefox and they have stopped. Id still like to get this shit off my comp though, ill wait until some of the spyware finders get more advanced or something

ĄƦçɧąɳɠҾԼ · « **Reply #7 on:** May 27, 2007, 02:11:03 PM »

If you scanned with the program I linked you to and gave me the log to look at, we might be able to get rid of them completely $:-\$

DWxchzrles · « **Reply #8 on:** May 27, 2007, 02:46:43 PM »

i use opera

never had a problem

krez · « **Reply #9 on:** May 27, 2007, 08:04:25 PM »

Quote from: Solo_Senshi on May 27, 2007, 02:11:03 PM

If you scanned with the program I linked you to and gave me the log to look at, we might be able to get rid of them completely $:-\$

Logfile of HijackThis v1.99.1
Scan saved at 10:01:52 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
D:\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\ASUS\Ai Booster\OverClk.exe
C:\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Winamp\winampa.exe
C:\AIM\aim.exe
C:\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\svchost.exe
C:\mIRC\mirc.exe
C:\Ventrilo-New\Ventrilo.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\GameSpy\GameSpy.exe
C:\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 129.24.17.70:3124
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5481359c-b031-444d-8b1e-6ead81cff902} - C:\WINDOWS\system32\adsdru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp34.tmp.dll (file missing)
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SmcService] C:\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\bywwxv.dll",realset
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\POWERP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FACCDE9D-E427-43D2-A579-BC48A3D8C9BE}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\windows\system32\pmkjjif.dll
O20 - Winlogon Notify: adsdru - C:\WINDOWS\SYSTEM32\adsdru.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - D:\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - D:\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O24 - Wallhack: C:\Quake2\baseq2\undetectable.exe

console · « **Reply #10 on:** May 27, 2007, 08:34:29 PM »

Quote from: krez on May 27, 2007, 08:04:25 PM

O24 - Wallhack: C:\Quake2\baseq2\undetectable.exe

Thanks for the laugh

ĄƦçɧąɳɠҾԼ · « **Reply #11 on:** May 27, 2007, 10:22:52 PM »

Ok, I want you to boot into safe mode and run the scan again and check the following lines and click fix, then reboot.

O2 - BHO: (no name) - {5481359c-b031-444d-8b1e-6ead81cff902} - C:\WINDOWS\system32\adsdru.dll

krez · « **Reply #12 on:** May 28, 2007, 11:52:31 AM »

Quote from: Solo_Senshi on May 27, 2007, 10:22:52 PM

Ok, I want you to boot into safe mode and run the scan again and check the following lines and click fix, then reboot.

O2 - BHO: (no name) - {5481359c-b031-444d-8b1e-6ead81cff902} - C:\WINDOWS\system32\adsdru.dll <--- Not sure about this one, if you know what it is and it is ok then don't delete it.

O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp34.tmp.dll (file missing)

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\bywwxv.dll",realset <---- Very odd looking

O20 - AppInit_DLLs: c:\windows\system32\pmkjjif.dll

O20 - Winlogon Notify: adsdru - C:\WINDOWS\SYSTEM32\adsdru.dll <--- Goes with the first one

I couldn't find any information on "adsdru.dll", so I'm not sure what that is, but it doesn't look right to me.

Hey thanks man, im gonna try that when I get home. I appreciate the help.

krez · « **Reply #13 on:** May 28, 2007, 11:53:17 AM »

Quote from: console on May 27, 2007, 08:34:29 PM

Quote from: krez on May 27, 2007, 08:04:25 PM
O24 - Wallhack: C:\Quake2\baseq2\undetectable.exe

Thanks for the laugh

haha, I wondered if someone would notice. Good eye

krez · « **Reply #14 on:** May 28, 2007, 06:28:28 PM »

grr. These 3 couldnt be removed

O2 - BHO: (no name) - {5481359c-b031-444d-8b1e-6ead81cff902} - C:\WINDOWS\system32\adsdru.dll
O20 - AppInit_DLLs: c:\windows\system32\pmkjjif.dll
O20 - Winlogon Notify: adsdru - C:\WINDOWS\SYSTEM32\adsdru.dll

that file adsdru.dll is in use even in safe mode, and when I tried to remove pmkjjif.dll hijackthis gave me an error

Im on winxp, i cant get to a pure dos prompt and go to that directory and manually delete the file via typing commands like you could on win95/8 can I?

Author Topic: Spyware help (Read 34127 times)

El Box de Shoutamente