This pc has been mad lately,
I know it's spyware because every single link clicked off a website which was typed in on the address bar is auto directing me to an advert website. So I tried some of my anti spyware tools and it's not letting me open the setups; it's just doing nothing when I double click on the setups.
Other setups of other anti spywares work, but the actual app doesn't open when it's installed.
One time it did open though; that was with AVG Anti Spyware, and it wouldn't update. It said failed to connect to (something).grisoft.com.
It's ridiculous....
Ne1 got ne idea of what this could be and how to shift it?
Nothing malicious is in taskmgr.
Cheers.
-
You've been hijacked.
Try to get rid of it in SAFE Mode.
Easiest way to SAFE mode is with Bootsafe:
http://www.superadblocker.com/bootsafe.html
Get some tools....downloaded from another computer to a memory stick.
HiJackThis (careful with this one)
SuperAntiSpyware (has BootSafe bundled with it)
Spybot
SpywareBlaster -
Hello SE14man;
Your first option should be to attempt a system restore to a point prior to the infection becoming manifest. If you are able to restore to a "pre-infection" time, you should still scan with both an antivirus and antispyware application.
If that doesn't provide a fix to your problem, boot into safe mode as advised by hech54. On many systems such as Dell and HP, you can boot into safe mode by tapping the F8 key when the boot screen appears.
In any event, you will want to boot into "safe mode". Depending on the severity of the infection, you may need to boot into the "safe mode with networking" option which gives more flexibility (link).
http://www.technologyquestions.com/technology/windows-xp/262203-safe-mode-vs-safe-mode...etworking.html
Once in safe mode or safe mode with networking, open the supplied link to Malwarebytes, download, and update if possible. Even if you cannot update, the application may have the ability to detect and remove the malware.
http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml
Superantispyware (also mentioned by hech54) has a solid reputation for success in malware removal. It certainly wouldn't hurt to also download it.
http://www.filehippo.com/download_superantispyware/
Safe surfing involves common sense plus using software which serves to minimize the possibility of picking up nasties. Be sure to use a good and properly configured firewall and if you're not already using it, try the Firefox web browser with Ad Block and NoScript add-ons.
Good luck!
THREADKILLER !
References on File. -
I have had good luck getting rid of browser hijacks with CWShredder
Be sure to use a good and properly configured firewall and if you're not already using it, try the Firefox web browser with Ad Block and NoScript add-ons.
Donadagohvi (Cherokee for "Until we meet again") -
Now you know why an image backup to an external drive is important-freedom!
-
Originally Posted by SE14man
(for using the buggiest browser ever created - Internet Explorer).
Install any other browser (I suggest K-Meleon).
Read Microsoft's own latest advisory on IE:
http://www.microsoft.com/technet/security/advisory/961051.mspx
(in short it comes to this: DON'T USE any version of IE until they figure out how to patch it LOL or in the meanwhile unregister some DLLs, reset this and that, etc etc - basically make IE unusable if you insist on using it, hahaha)
If you insist on 'fixing' this crappy browser (for now - until it gets crapped all over again), get Search & Destroy SpyBot and check out Internet Explorer related settings there. Probably in your case all you need to do is to clear hosts file from redirections.
Reinstalling Windows because IE was hijacked is really stupid. Some people should be really restrained from giving any advice LOL
/edit:
I found this:
Safeguard IE against latest security holes. It's a "plain English" explanation version of Microsoft's security bulletin, with pics and steps to take.
Keep in mind that's not enough. You'd have to disable java scripting completely as well and have it enabled for some websites only (which is impossible to do in IE without going to settings all the time and enabling/disabling it - while in K-Meleon you just click ONE button to do so... really, just get K-Meleon and be gone with all those stupid Internet Explorer problems forever...)
Originally Posted by pepegot1 -
Hi there
Ok have followed all instructions.
1. Downloaded Spybot S&D in safe mode with networking and the app won't open after install.
Same with SpywareBlaster.
2. HijackThis also made no difference.
3. I select a restore point on the registry and it won't let me click next..............just nothing happens!
4. I have no system32 folder which is REALLY bizarre.
I really have no idea what to do next. I have installed at least 8 different AVs and spyware progs and none of them seem to have worked.
I can get into the registry though....
Can someone please help me......
Thanks btw for all your other help. -
You haven't said what web site you are being redirected to. Google the web site. You may find a tool to remove the nasty that is sending you there.
HijackThis doesn't do anything to the malware on its own. It's an information tool. You have to interpret the output.
I really have no idea what to do next. I have installed at least 8 different AVs and spyware progs and none of them seem to have worked. -
Ok the sites I'm being redirected to are these: 78.41.205.57 then it redirects me to this: http://bridge1.admarketplace.net/xtrk.php?version=1.0.0&enURL=OGsnqmLL8NaBnQJzQBNW9paY...nducive/l=COND
Like.......every time.
Even trying to access the system restore etc. in safe mode with command prompt, it gets me into the directory they'd usually be in but then says invalid directory when I try to open the .exe file in command prompt. It's like the whole PC has been hijacked.
Pls help..
Cheers.
I installed/uninstalled them all individually mate, I know about conflict n all that. -
Run HiJackThis as instructed.....from the C: Drive
Create a log file.
Copy and Paste the log file in the appropriate spot on
www.hijackthis.de
It will show you what is causing the problem and may be able
to repair or remove(fix) the problem.
LEAVE HIJACKTHIS OPEN as you are analyzing the problem
via www.hijackthis.de.
Also I sincerely hope you are using Firefox..... -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:18:56, on 18/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Your Uninstaller 2008\uruninstaller.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mart\My Documents\Downloads\Spyware.Malware.Rogue.Removal. Pack.2008-11-06\Ad-Aware Personal 1.06r1.exe
C:\WINDOWS\system32\MSIEXEC.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
Here's the log file mate... -
It got removeitpro which has found 13 bad things on my system32 folder.
all being dll but one is a .exe.
Anyway, in safe mode with command prompt it says access denied to deleting them.
Any ideas? -
Originally Posted by SE14man
HiJackThis also says that they might be bogus. They are named wrong and in the wrong spot.
2) This is not a full log....you have HiJackThis in the wrong place.
HiJackThis.exe must be in its own folder on the C: drive. -
Originally Posted by SE14man
everything under the sun to try to remove it. Stick with the programs
suggested above and TRY to download them from another computer if possible. -
If there is a way to STOP your computer from accessing the internet
while you are attempting to remove a "nasty"....do that as well. -
Ad Aware was on here at the time mate, I installed that. I have replaced it now though with 'RemoveIT' which has given me an indication as to what some of these files are, but I have no way of accessing them as I can't see my system32 folder and I can't access it through a command prompt.
I feel like I'm really stuck. I feel there's no way out of this.
I saw some package some bloke made up called 'Hiren's Boot CD'. It had a spyware remover on it; I don't know if that would help??
I haven't even downloaded it yet?
How likely is it to get infected if I download it on this machine?
Cheers mate. -
There might be, it's all router though; I don't know how to stop it accessing the net... Spybot Search and Destroy won't open as the app, it just hangs and then nothing....
Spyware Doctor won't even install properly, it just hangs when I double click the setup.
Spysweeper was ok until a restart when it said the install was corrupt.
Tried system restore, selected the restore point but clicking next did absolutely nothing.
I'm getting a lot of lock ups when loading Windows up and it is resulting in a lot of PC resets which can't be too good for it!
I've downloaded this whole package of about 60 spyware removal programs and am trying them all one by one, installing and uninstalling one after the other, but it's prob not the best thing to do I s'pose, is it....
I'm just confused, I've had probs like this before but never as bad.
It's actually hidden the system32 folder completely and my folder options from control panel is also gone.
Can't find folder options anywhere to unhide all my folders :S
this bastard must REALLY have it in for me lol.
Atm I'm using Avast but as I'm sure you know, I can't update it at all. Have done a few scans and it's found viruses in the svchost file.
Obviously hasn't shifted it though cos I still have the problems. I just selected 'move all to vault'.
It's not as bad as the beginning though; at the beginning I couldn't even get into the registry. It errored every time.
It seems like a lot of work needs to go into this.
I really don't wanna have to reinstall Windows but I can kinda see it heading that way...
Thanks 4 your help too guys, appreciate it..... -
Ad Aware 2009 is great and will solve your problem...
-
Originally Posted by SE14man
www.hijackthis.de analyze it for you. It will tell you what
to do with HiJackThis.
Also get CCleaner (Crap Cleaner).....use it....and the start-up
analyzer in the tools section to help stop what has hijacked you.
I had one nasty hijack on my last computer.....it took a while
but I finally broke through and got Spybot running and once that
happens it is pretty much smooth sailing from there if you keep
letting the other above recommended programs do their stuff too.
I'm not one for a Windows reinstall unless it is my last resort.....that
is just the way I am. -
Hijack This: create a folder anywhere you like and move Hijack This into it. Rename the Hijack This file to seman14.exe. Reason: many baddies now recognize the name "Hijack This" and will either shut down to avoid detection, or will prevent you from running it.
Next download Malwarebytes from here: http://www.download.com/3001-8022_4-10984636.html?spi=b9ceb56b864455231c2a74cb849e74b0...rt=dl-10804572
Do not run it yet, but rename it same as you did with Hijack This.
Run your Hijack This log in full system mode, not in Safe Mode and post the log here. -
Originally Posted by Marvingj
It omits (some say on purpose!) quite a few things.
S&D Spybot does the same better - and more. And for free. It only doesn't have "the look".
What is the point of using a worse app and paying for it?
@OP
Spybot and a good antivirus (NOD32 is the only one left that hasn't missed a single virus ever) and a REAL browser (again - K-Meleon is highly suggested, but actually *any* other than IE will do)
That's all you need to browse comfortably and relatively safely.
HijackThis is just an info tool, it helps only if you know what you're doing.
Crap Cleaner is a very good tool as well. -
Possibly you need to reset security permissions > http://support.microsoft.com/default.aspx?scid=kb;en-us;313222 , reboot and check system32 appears
Alternative
Safe mode > start > run > type
cmd.exe
Type
attrib c:\Windows\system32 -a -h -r -s
Check for folder now
These things like playing havoc with system security to prevent you from removing them.
Take the drive out of this system and install it as a slave on another system for cleaning with malwarebytes and either avast or avg ... fingers crossed and it survives for the final clean out back in the original system it came from. -
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MSIEXEC.exe
C:\WINDOWS\system32\MsiExec.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
At least until you find out what's wrong you should stop filesharing
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
THAT ONE IS FISHY IMHO. "Shared Task Scheduler" - it is not standard Task Scheduler that comes with windozes, thats for sure.
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
MOST LIKELY CULPRIT.
Starts as a service so you won't see it in task manager, and has "I'm a malware" written all over it (I may be wrong ofcoz)
Another suspicious entrance IMHO:
C:\Program Files\Your Uninstaller 2008\uruninstaller.exe
Is it yours?:
C:\Documents and Settings\Mart\My Documents\Downloads\Spyware.Malware.Rogue.Removal. Pack.2008-11-06\Ad-Aware Personal 1.06r1.exe
explorer:
C:\WINDOWS\Explorer.EXE
It's always EXPLORER.EXE or Explorer.exe, not Explorer.EXE (I'm just nitpicking)
Log in as administrator (unless your logon already has administrative privileges).
right-click My Computer.
Select "Manage" -> "Services and Applications" -> "Services"
right-click on every suspicious service that starts automatically, change it to Disabled (probably have to Stop it first).
Disable these two first:
SharedTaskScheduler
Remote Packet Capture Protocol
also
right-click My Computer.
Select "Manage" -> "Local Users and Groups" -> "Users"
right-click any empty space in the right pane and select "New User..."
Create new user for yourself (just for now)
and give this user administrative privileges
next time log in as this new user, see is it affected as well. -
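Added example, not part of any post in this thread: a small Python triage of a HijackThis log that surfaces the kinds of lines the reply above singles out, namely entries ending in `(no file)`, services listed with `Unknown owner`, and processes running from a user profile folder. The sample lines are copied from the log posted earlier; the `triage` function name and the `USER_DIRS` list are assumptions, and a hit is a prompt for manual review, not a verdict.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mart\My Documents\Downloads\Spyware.Malware.Rogue.Removal. Pack.2008-11-06\Ad-Aware Personal 1.06r1.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - (no file)
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
"""

# Section lines look like "O23 - Service: ..."; process lines are bare paths.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
# Assumption: folders treated as user-writable for triage purposes.
USER_DIRS = ("\\documents and settings\\", "\\temp\\")


def triage(log_text):
    """Return (section, reason, line) tuples for lines worth a manual look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY.match(line)
        if match:
            in_processes = False
            section, body = match.groups()
            # Registered entry whose target file is not on disk.
            if body.endswith("(no file)"):
                findings.append((section, "target file missing", line))
            # Service binary for which the log shows no owner.
            if " - Unknown owner - " in body:
                findings.append((section, "owner listed as unknown", line))
        elif in_processes and PROCESS.match(line):
            # Executable running out of a profile or temp folder.
            if any(d in line.lower() for d in USER_DIRS):
                findings.append(("PROC", "runs from user-writable path", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```
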
I'd recommend "gmer" --- Google for it.
gmer is generally capable of showing (and stopping/deleting as well)
all malware hidden processes, folders and files.
There might be its all router though i dont know how to stop it accessing the net
-
It is possible that they put in a winsock and corrupted your TCP/IP, and even without knowing you will be networked to some website too. Run the Trend Micro antivirus and anti-malware in DOS; it is free to download. Get the engine and definition and put them in a folder on the C drive, boot into DOS or safe mode, and run the application. I personally suggest, if you have all the drivers, software and Windows key, reformat and rebuild your computer. But if you are not up to it, run the Trend Micro; also Google for corrupt TCP/IP on the Microsoft page and go through that repair. On average it takes a few hours to rebuild, but messing with cleanup could take days without a good result, because if they change your security from within or write hidden files with non-Windows format it is next to impossible to clean. 60% of computers are zombies and most people don't know it; when the attacker sends a signal it wakes the hack and then they get your info.
-
For crying out loud, just do a complete format and reinstall, PROBLEM SOLVED!!!
Too much farting about trying this and trying that, run this software and run that software to find that it hasn't helped.
I Have Always Been Here
Toshiba Regza 37Z3030D, Toshiba HD XE1 + EP-10 ( Both Multiregioned), Samsung BD-P1500 Blu Ray. OPPO DV-983H -
Hello SE14man;
It's beginning to look as if you're going to have to format and reinstall. Every hour of every day that your computer stays infected, you remain vulnerable to further attacks and the ever-increasing chance of loss/theft of personal data.
At this point in time, you cannot be guaranteed that any file from your current installation is clean and safe to transfer.
One other thing you might try is a dedicated antirootkit application.
The link will take you to a page which has direct links to a number of antirootkit applications.
http://wiki.castlecops.com/Lists_of_freeware_antirootkit
I recommend Avast (Beta) and Sophos because;
-They have detection and removal capability.
-Neither needs to download program updates.
-Both install and scan quickly.
Whether or not you are ultimately able to repair your current install, you need to employ a full backup solution, perhaps the free version of Acronis (called either "Discwizard" or "Maxblast") from the Seagate website.
http://www.seagate.com/www/en-us/support/downloads/
Either application will allow you to clone your hard drive in its current state to another drive. Should you (again) get infected beyond the point of repair/recovery, it will be easy to format and use the cloned drive to fully restore.
Both "Discwizard" and "Maxblast" are Vista, XP, W2K, Win ME, and Win 98 compatible.
Both work with ATA and SATA drives.
Both allow cloning to a smaller drive.
I have bought 40GB SATA drives for $20.00 or less on several occasions via EBAY.
Easily (in my opinion) the safest, most versatile, and most cost-effective backup and restore solution I've ever used.
Good luck!
THREADKILLER !
References on File. -
Shave the hair off one side, light the other side on fire and stab the little suckers as they run for cover. Or, just format and reinstall.
-
1. Turn off System Restore forever because it saves malware and spyware; use the Backup Utility instead.
2. Install SuperAntiSpyware and Avast antivirus then run them in safe mode.
3. If you are still infected do a clean install. -
This thread is almost a week old. If you haven't cleaned your system yet, what are you waiting for - wipe out your system hard disk clean and fresh install a new OS!
Originally Posted by wtsinnc