Hatrack River Forum

Author Topic: OK guys, tech help for me
Jeni
Member
Member # 1454

 - posted
The past couple of weeks I've been battling spyware. I have constant pop ups, new stupid little programs that suddenly appear out of nowhere, mysterious icons on my desktops, and who knows what else. Sometimes windows just briefly bluescreens and restarts itself. It's insane.

I have both adaware and spybot (both updated) and have been running them all the time. I'll run adaware, find hundreds of files, delete everything, and run it fifteen minutes later and have hundreds of items again. Sometimes some of the things it finds just add themselves to its ignore list!

I just ran adaware once again, and it found over 700 objects. I got rid of them, but I'm sure they'll find their way back soon.

I am *this close* to going completely insane every time I use this computer. Please help!

[ January 29, 2005, 01:14 AM: Message edited by: Jeni ]

Posts: 4292 | Registered: Jan 2001
Papa Moose
Member
Member # 1992

 - posted
Quit visiting the pr0n sites, Jeni.
Posts: 6213 | Registered: May 2001
Jeni
Member
Member # 1454

 - posted
Very funny, pops. [Smile]

This all started shortly after I decided to let my sister use my computer. I should have known better!

Posts: 4292 | Registered: Jan 2001
raventh1
Member
Member # 3750

 - posted
Don't use IE.
Posts: 1132 | Registered: Jul 2002
Papa Moose
Member
Member # 1992

 - posted
Sorry, Jeni -- it was the only advice I had. I mean, hey... worked for me. Er, I mean, it worked for this friend of mine. Yeah.
Posts: 6213 | Registered: May 2001
Jeni
Member
Member # 1454

 - posted
I am not using IE. I use Firefox.
Posts: 4292 | Registered: Jan 2001
raventh1
Member
Member # 3750

 - posted
Use http://www.processlibrary.com/ with your Task manager, kill things that are running that you don't want.

You should also use msconfig to see what runs at startup, in case there is anything running on startup.

Posts: 1132 | Registered: Jul 2002
Jeni
Member
Member # 1454

 - posted
I have been trying to kill the processes. Sometimes it works, but usually it either tells me that access is denied or it ends but then starts back up again.

I will check out the startup items.

Posts: 4292 | Registered: Jan 2001
Nato
Member
Member # 1448

 - posted
quote:
Me, in the other tech help thread:

Check what processes are running on the computer.

Instead of using the Windows Task Manager, I recommend Process Explorer (Win 98/2000/XP). That might give you a decent picture of what's running on the computer.

The safest thing to do would be to back up and nuke, but you could probably figure out if anything fishy is going on without doing that.

Make your friend run a software firewall, such as ZoneAlarm, scan the computer with Spybot Search & Destroy and Ad-Aware, and run an anti-virus scan. Also, check to see what is starting up with the computer (You can use Merijn's StartupList)

From this post, Process Explorer and StartupList would be most useful. Use these along with processlibrary.com (or just a google search for whatever process name you have running that you don't know about.)

StartupList can find things that are starting up that don't show up on msconfig.

Posts: 1592 | Registered: Jan 2001
Farmgirl
Member
Member # 5567

 - posted
Running Windows XP, Jen?

Are you turning off System Restore before you run your spyware programs? Just so Windows doesn't keep restoring the files you delete?

Farmgirl

Posts: 9538 | Registered: Aug 2003
Jay
Member
Member # 5786

 - posted
What kind of anti virus prog you have?
What other system info can you give too?
What kind of security settings you have on your internet options?

Posts: 2845 | Registered: Oct 2003
Boris
Member
Member # 6935

 - posted
Okay, what you have is a downloader trojan. Ad Aware doesn't catch it because it isn't meant to. What it does is this: every time you get onto the Internet, the virus does two things, makes a new version of itself and downloads a bunch of spyware. The easiest way to get rid of these things is to use something like AVG's Free virus scanner. That's the one I use at work, and it tends to find more stuff than Norton or McAfee or just about any virus scanner I've seen (However, I've noticed that it is a little buggy sometimes when you try to update the virus definitions. Luckily, you can download the file directly from Grisoft and update from that file). Since you use Firefox, it's probably going to be pretty simple to get rid of this thing. However, if you were to go into IE and check the homepage, you'll probably find that it has been changed to something that you've never seen before in your life. If that happens, I'd suggest never ever using IE after that, because the virus is stored in a very well hidden file that is taking over your IE browser. It probably won't perpetuate itself fully until you open IE again after everything is removed with the virus scanner. Removing that file, if it exists, is sometimes a pain in the neck. Sometimes you get lucky and the virus scan grabs it.
Posts: 3003 | Registered: Oct 2004
Boris
Member
Member # 6935

 - posted
quote:
Are you turning off System Restore before you run your spyware programs? Just so Windows doesn't keep restoring the files you delete?
This is also very important [Smile]
Posts: 3003 | Registered: Oct 2004
Jeni
Member
Member # 1454

 - posted
Thanks for the response, folks.

I ran the AVG scan and it found 17 downloader trojan objects. After it took care of them, it prompted me to restart the computer, which I did. Now Windows won't load! I get a screen telling me that Windows did not start successfully, but it's ok because they apologize for any inconvenience. As if an operating system not starting would ever NOT be an inconvenience. [Wink]

Anyway, it gives me a choice to start windows normally, but that just takes me back to the same screen. I can also start it with the last good configuration, but will that just reverse everything that AVG just fixed?

[ January 29, 2005, 06:25 PM: Message edited by: Jeni ]

Posts: 4292 | Registered: Jan 2001
Nato
Member
Member # 1448

 - posted
Wow, that sucks.

Some of those things are really insidious.

What OS are you running? (i.e. Windows XP Home, Service Pack 1)

What I would say to do is get the computer working again. Try booting into Safe Mode. If that works, shut down, then try to boot normally again. If that doesn't work, use the last known configuration.

Then, download a program called HijackThis. (link)
It scans your computer for things that are "hijacking" your browser, etc. Run it and post the log that it generates here. Somebody here can tell you what on that list you need to get rid of.

If you have a CoolWebSearch trojan, you're going to need CWS Shredder.

But your first priority is to get it working again. Try the last known working configuration.

Posts: 1592 | Registered: Jan 2001
Jeni
Member
Member # 1454

 - posted
I have Windows XP Home.

Okay, we're up and running again. I tried HijackThis, it shows a whole bunch of stuff but then encounters an error and is forced to close. I don't have the CoolWebSearch thing.

[ January 29, 2005, 07:33 PM: Message edited by: Jeni ]

Posts: 4292 | Registered: Jan 2001
Boris
Member
Member # 6935

 - posted
You have some REALLY deep stuff running, Jeni. Did you have to restore everything the way it was, or did everything just start working?
Posts: 3003 | Registered: Oct 2004
Jeni
Member
Member # 1454

 - posted
I had to start it with the last working configuration.
Posts: 4292 | Registered: Jan 2001
Oosoom
Member
Member # 7220

 - posted
I was so inundated with crud that my computer was next to unusable. I ran virus checks, adware, all that stuff and nothing helped.

I went to Computer City and bought Spy Sweeper, by Webroot. I ran a deep virus check, ran Spy Sweeper twice and have had no problems for the last two months. I swear by it.

Hope this helps. I read the suggestions from others on this thread--I'm sorry, but most of the time it was like trying to read a foreign language. If you just want your computer to run, not necessarily know how it works, try this. It kept me from committing real violence.

Posts: 13 | Registered: Jan 2005
Boris
Member
Member # 6935

 - posted
quote:
I ran a deep virus check, ran Spy Sweeper twice and have had no problems for the last two months. I swear by it.
This would work great, except that there are viruses on her system, as well as registry values, that are capable of making XP inoperable only when removed. These are a little nastier than what you had, I'm willing to bet, and Spy Sweeper will likely cause the same thing to happen.

Jeni, I would suggest starting your computer in safe mode (hit f8 right before the Windows XP splash screen pops up and select safe mode from the menu). While in safe mode, try running Hijack This from there. Hijack this is a little tough to work with sometimes, because you might accidentally shut down something you want, so be careful when using that.

Once that is done, run both AVG and Ad Aware while in safe mode. Use Ad Aware's full system scan rather than the smart scan. Run AVG first, but DO NOT reboot until both programs have finished their work. Once that is done, reboot. If the same thing happens again, you're probably looking more at a wipe and reinstall situation (If you can get what files you need backed up) than anything else. However, someone else may have more knowledge than me in virus removal, so I'd wait until I get some more input before going that far.

Posts: 3003 | Registered: Oct 2004
Jeni
Member
Member # 1454

 - posted
Boris, I'll try that when I get back from work today. Thanks much!
Posts: 4292 | Registered: Jan 2001
Jeni
Member
Member # 1454

 - posted
Boris, I followed your instructions. Hijack This did the same thing in safe mode. I still ran AVG and AdAware, both completed successfully and healed or deleted whatever they found. I rebooted with no problems. All seemed well until I connected to the internet and opened firefox. Constant pop ups!

For whatever reason, though, Hijack This can now complete successfully. log

I don't recall seeing sp.dll, but I will take a look.

[ January 31, 2005, 10:14 PM: Message edited by: Jeni ]

Posts: 4292 | Registered: Jan 2001
Boris
Member
Member # 6935

 - posted
Whew, you got lotso baddies on your computer...Here's a list of items you should have Hijack This fix...

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [casc] C:\WINDOWS\system32\casc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [s77O38j] d3drpres.exe
O4 - HKCU\..\Run: [dwoERUHng] cryxcl35.exe
O4 - HKCU\..\Run: [prutict] C:\WINDOWS\System32\prutict.exe
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V1.0\EzButton.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - (These last few look tricky to me, if you have something that you use from neededware.com, don't disable these)

Also, I typically tell Hijack this to fix all the R1 and R0 instances, as doing so more or less resets IE to its default navigation settings, and there can be some bad things in there as well.

This one:
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

Looks suspicious to me, as I don't recognize the file name as being necessary.

This:
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
Also looks suspicious to me, since I've seen processes with a similar name running on all computers, but never inside a Hijack This log file. (In fact, now that I think about it, this file should be fixed, since it has its own directory, and any system file that resembles this one's file name is hard coded into the OS and wouldn't show up in the registry like this one does. I would do the same with the other file I listed as suspicious, but if you have Divx and it stops running after that one gets turned off, restore it)

Finally, it also looks like you have an LSP problem. I'm not real familiar with this, but I have seen issues where Hijack this returns LSP errors. I just looked it up for info and I think this might be the cause of some of your problems. LSP tells your computer how to send information. This can be hijacked and used to send information to an outside source for marketing, spying, what have you.
Go here to get a program that can fix this problem.

I have three entries listed for my computer in this program. They are:
mswsock.dll
winrnr.dll
rsvps.dll

You have two files that Hijack This is screaming at that are going to show up with this program...
aklsp.dll
calsp.dll

Remove those two for sure, if there are more than the three I listed as running on my computer, I would personally remove those as well.

Also make sure and delete these directories in safe mode after you get Hijack this and LSP fix to repair everything (Boot into safe mode immediately after these programs do their job, as the whole process isn't done yet)...
C:\WINDOWS\System32\vmss\
C:\WINDOWS\System32\wsxsvc\
C:\Program Files\AutoUpdate\
C:\PROGRA~1\COMMON~1\WinTools\
C:\Program Files\ltmoh\
C:\Program Files\EzButton System V1.0\ (I don't know if you use anything called EzButton, but it's a suspect in my mind)
C:\Program Files\CxtPls\

That should cover everything, but once these files are deleted, run both Ad Aware and AVG again in safe mode before you do a final reboot. Also, make sure you are disconnected from the internet while you do all this, as being connected can cause everything to perpetuate itself. If it still does the same thing after you get through it with all this work, it may be better to reformat. If you have to reformat, the February 2005 edition of Maximum PC has a good article on bottling up your computer, if you can find a copy.

Posts: 3003 | Registered: Oct 2004
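As an added illustration (not code from the thread, nor from HijackThis or any of the tools it names), here is a small Python triage script that applies the reading rules Boris used on the log above: nameless BHOs, orphaned entries, Run keys whose value is a bare file name or a hex-named rundll32 module, executables living in their own System32 subfolder, and Trusted Zone or DPF additions. The sample log is constructed from the entries quoted above plus one benign-looking entry; "ExampleAV" is a made-up name, and the heuristics are a reviewer's shortlist of what to look up, not a verdict.

```python
import re

# Constructed sample log: entries copied from the HijackThis output quoted
# in the thread, plus one benign-looking Run entry ("ExampleAV" is made up).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\\Program Files\\CxtPls\\cxtpls.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsT.dll (file missing)
O4 - HKLM\\..\\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\\..\\Run: [s77O38j] d3drpres.exe
O4 - HKLM\\..\\Run: [vmss] C:\\WINDOWS\\System32\\vmss\\vmss.exe
O4 - HKLM\\..\\Run: [ExampleAV] "C:\\Program Files\\ExampleAV\\avgui.exe"
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
"""

O4_RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
HEX_KEY_RE = re.compile(r"^[0-9A-Fa-f]{8,}$")
SYS32_SUBDIR_RE = re.compile(r"^c:\\windows\\system32\\([^\\]+)\\[^\\]+$")
# Sections whose mere presence deserves a look, with the reason to report.
SECTION_NOTES = {
    "O15": "site added to the IE Trusted Zone (weaker security settings)",
    "O16": "ActiveX control downloaded from a third-party site",
}

def first_token(cmd):
    """Return the executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def review_run_entry(key, cmd):
    """Heuristics Boris applied to the O4 (Run key) entries."""
    reasons = []
    exe = first_token(cmd)
    if "\\" not in exe:
        reasons.append("bare file name, resolved through the search path")
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
        arg = cmd.strip().partition(" ")[2]
        if not arg.split(",")[0].lower().endswith(".dll"):
            reasons.append("rundll32 loading a module not named like a DLL")
    if HEX_KEY_RE.match(key):
        reasons.append("Run key name is a hex blob rather than a product name")
    m = SYS32_SUBDIR_RE.match(exe.lower())
    if m:
        reasons.append(f"executable in its own System32 subfolder '{m.group(1)}'")
    return reasons

def triage(log_text):
    """Return (line, reasons) for every HijackThis entry worth a second look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        section = line.split(" ", 1)[0]
        reasons = []
        if "(file missing)" in line:
            reasons.append("orphaned entry: the target file is gone")
        if section == "O2" and "(no name)" in line:
            reasons.append("browser helper object registered without a name")
        if section == "O4" and (m := O4_RUN_RE.match(line)):
            reasons += review_run_entry(m.group("key"), m.group("cmd"))
        if section in SECTION_NOTES:
            reasons.append(SECTION_NOTES[section])
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, *("\n   -> " + r for r in reasons))
```

Every flagged line still needs a lookup (processlibrary.com or a web search, as the thread suggests) before anything is fixed; an entry with a plain product name and a pinned path, like the made-up ExampleAV one, is deliberately left alone.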
Jeni
Member
Member # 1454

 - posted
Boris is my new hero.

Time to get to work on this.

Posts: 4292 | Registered: Jan 2001
Nato
Member
Member # 1448

 - posted
quote:
Boris said:
This one:
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

Looks suspicious to me, as I don't recognize the file name as being necessary.

Yeah, that's one to get rid of. Just Google search for a process name if you don't recognize it; that usually comes up with something.
Posts: 1592 | Registered: Jan 2001

Copyright © 2008 Hatrack River Enterprises Inc. All rights reserved.