Can somebody please help me remove my spyware. I've tried Ad-Aware and Spybot and even Virus Scans (Norton), and still there is spyware. I've scanned and made a log from HijackThis.exe and now I need somebody to tell me what to delete/remove. Thanks in advance.
------------------------------------------------------------------------------
Logfile of HijackThis v1.99.0
Scan saved at 6:56:16 PM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\DeltTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102136324155
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h20179.www2.hp.com/psgna/caller/SysQuery.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"The statement below is True,
The statement above is False" -
Follow these directions
Please print this out and follow these directions carefully.
This is a new CoolWebSearch (CWS) hijack infection and is hard to remove.
Note: Every time you reboot the files multiply and change names. This process is like exterminating cockroaches.
Please download the tool called about:buster from
http://www.downloads.subratam.org/AboutBuster.zip
or
http://www.majorgeeks.com/download4289.html
Unzip it to your desktop.
In WinME/XP turn off System Restore.
http://www.arnoldco.com/help/html/disable_restore.html
Then reboot into Safe Mode by tapping F8 key repeatedly during bootup.
Enable System Restore after the infection is removed.
Double click aboutbuster.exe, click OK, click Start, then click OK.
This will scan your computer for the bad files and delete them.
Now start HijackThis and tick the boxes next to these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cablevision Optimum Online
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {9C634B68-DBF0-4646-9BB9-30CCC95A0D6E} - C:\WINDOWS\SYSTEM\BJCIKGA.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.google.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O18 - Filter: text/html - {5690C826-AA8F-454F-9A8F-3496E72386A7} - C:\WINDOWS\SYSTEM\BJCIKGA.DLL
O18 - Filter: text/plain - {5690C826-AA8F-454F-9A8F-3496E72386A7} - C:\WINDOWS\SYSTEM\BJCIKGA
Now close ALL windows and hit fix checked.
Do not open internet explorer to come back here until after running the tool.
Then reboot.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://www.it-mate.co.uk/support/idsuite.asp
Ensure that Index.dat Suite is set up to empty the Temp folders, especially C:\WINDOWS\TEMP, then run the Find and create the run.bat and reboot to have it remove what it finds.
Install the prevention protection below and help your friends from being infected in the Internet.
Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm
Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html
Once the tool is done scanning, reboot and copy the aboutbuster log and paste it into your thread. -
I didn't read that entire post but I noticed coolwebsearch.
When that infected me I got some help here............
http://www.spywareinfo.com/~merijn/downloads.html
The second time I was infected I used that and also Adaware together.
____________ -
The instructions I gave will fix it.
I did the procedure on a friend's computer. -
Well, let's see here, I followed bazooka's instructions but.... I still have Adware. And some of the things you posted to tick in Hijackthis.exe were not in my log. But the Buster didn't really do anything.
As for the CoolWebsearch removal tool, that said it couldn't find it on my system.
I don't know if it helps but every time I start my computer up this happens.
An exception occurred while trying to run ""C:\WINDOWS\system32\parfos.dll",UMonitor"
But every time I start up, where it says "parfos.dll", it's always different.
Also, I'm pretty sure I got spyware called "VX2", I've already Googled it many times, and unfortunately I have not gotten rid of it yet.
As for my Hijack log, this is the new one:
----------------------------------------------------------
Logfile of HijackThis v1.99.0
Scan saved at 7:27:00 PM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hits.clickandtrack.net/cgi-bin/hit?page=9648-1100721388301256
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.c...?1102136324155
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h20179.www2.hp.com/psgna/caller/SysQuery.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"The statement below is True,
The statement above is False" -
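As an added example (not part of any post in this thread and not HijackThis's own code), this Python script shows one way to read a log like the one posted above: group entries by their section code, list the non-loopback addresses that O1 hosts-file entries point hostnames at, and list O4 autostart entries whose command has no full path to verify on disk. The function names and both review heuristics are assumptions made for illustration; the sample lines are copied from the first log in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\rundll32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # section code, then entry body
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")      # IP address, then hostname
RUN = re.compile(r"^\S+Run: \[([^\]]+)\]\s+(.+)$")   # value name, then command
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")      # drive-letter or UNC path

def parse_log(text):
    """Group entry lines by section code (R0, O1, O4, ...); skip everything else."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def hosts_redirects(sections):
    """Map each non-loopback IP in O1 entries to the hostnames pointed at it."""
    by_ip = defaultdict(list)
    for body in sections.get("O1", []):
        m = HOSTS.match(body)
        if m and m.group(1) not in ("127.0.0.1", "::1"):
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)

def pathless_autoruns(sections):
    """Names of O4 autostart entries whose command is not an absolute path."""
    names = []
    for body in sections.get("O4", []):
        m = RUN.match(body)
        if m and not ABSOLUTE.match(m.group(2).strip().strip('"')):
            names.append(m.group(1))
    return names

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("Hosts entries to review:", hosts_redirects(parsed))
    print("Autoruns without a full path:", pathless_autoruns(parsed))
```

An entry surfaced by either function is only a candidate for a closer look; whether it belongs on the machine still has to be checked by hand.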
The about buster program is supposed to go into the hijack this folder.
It will work, but it is a lengthy process. -
Hmmm.... I still have the same spyware though. My computer must really be infected.
"The statement below is True,
The statement above is False" -
But some of the things you told me to tick were not in my log though. Are they supposed to show up after a while?
"The statement below is True,
The statement above is False" -
Damn, Also now my computer is restarting by itself.
"The statement below is True,
The statement above is False" -
I used CWShredder, and used the "Fix" option, and it said it removed a couple of them, and then I scanned it again, and it was back on there.
?????????????????????????????
"The statement below is True,
The statement above is False" -
When you go into the control panel under add-remove programs, do you see a program called search extender?
You may have those programs set to start when windows boots up.
You may need to do msconfig and regedit from the run command and shut that junk off. -
I check that every time I reboot my computer, so I've made sure none of that is in the Add/Remove list, and out of my msconfig boot list.
Damn, I was just doing some research about this CoolWebSearch, and it looks pretty bad. It says it's almost impossible to delete with the exception of re-installing the OS. (Which I do not want to do!)
**Sigh**
Should I maybe run a virus scan? (I've done some earlier, but it didn't do much.)
"The statement below is True,
The statement above is False" -
I'd also recommend running MSCONFIG and pulling out anything that you don't recognize or find in Google as NOT spyware.
Nothing can stop me now, 'cause I don't care anymore. -
Originally Posted by lowlow42
The second infection was worse, with a newer version, like
bazooka said.
After using shredder, I used an updated version
of Adaware. That solved it.
I tried to remove that crap manually from the registry
but it popped back, like you said.
I wish I could be of more help, and I wish you luck.
_________________ -
Goober brings up a good point. Are you running AdAware6 or AdAware SE?
Nothing can stop me now, 'cause I don't care anymore. -
AdAware SE.
Nothing is working though. Including Spybot, Virus Scans, CWShredder, Hijackthis, Aboutbuster, etc.
It seems like I have to re-install everything, but I don't want to, but if I have to, I will do it.
"The statement below is True,
The statement above is False" -
Try unchecking everything unnecessary in MSCONFIG, restarting and running all your spyware apps again.
Nothing can stop me now, 'cause I don't care anymore. -
If you get rid of it, I suggest you start using Mozilla Firefox as your browser.
You will then be spyware free. -
Try unchecking everything unnecessary in MSCONFIG, restarting and running all your spyware apps again.
If you get rid of it, I suggest you start using Mozilla Firefox as your browser
"The statement below is True,
The statement above is False" -
Originally Posted by lowlow42
-
Lol, it's OK. I just rebooted my computer and still the Spyware is running somehow after I've made sure nothing should be.
Please keep in mind that every time I restart my computer this error is popping up, but the file is always changing.
"The statement below is True,
The statement above is False" -
Go to www.spywareinfo.com and post your log. Those guys are the freaks that deal with spyware every day, all day.
PhenII 955@3.74 - GA-790XTA-UD4 AM3 - 2x4 Corsair Vengeance@1600 - Radeon 5770 - Corsair 550VX - OCZ Agility 3 90GB WD BLACK 1TB - LiteOn 24x - Win 8 Preview - Logi G110+G500 -
Makes you wonder how the companies that make / distribute this stuff manage to avoid legal action.
Nothing can stop me now, 'cause I don't care anymore. -
Go to www.spywareinfo.com and post your log. Those guys are the freaks that deal with spyware every day, all day.
"The statement below is True,
The statement above is False" -
Well, they didn't help at all, BUT... I did fix my problem. Spyware is all gone. Thanks to a little program called KillBox.
Thanks for all of you guys' help though, and thanks for the link "glockjs"!
"The statement below is True,
The statement above is False"