1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

problem with spyware

Discussion in 'Virus & Other Malware Removal' started by guy123, Feb 13, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. guy123

    guy123 Thread Starter

    Joined:
    Jan 3, 2005
    Messages:
    31
    hello, i recently re-formatted my pc and i seem to have picked up a browser hi-jacker, do not ask me where i got it from because i honestly dont know, i dont look at porn, and have not been on any wierd websites.

    but i seem not to be able to use internet explorer, because it keeps re-directing me to a webpage called "about:blank" with lots of ****** search options. also i get a hulleva lot of popups even when internet explorer is not runing, this is annoyin beause everytime i get one it kicks me out of my game, and when i play alot of online games i tend to be killed alot because im too busy trying to get rid of a popup.

    i have run adaware se, and spybot search and destroy but so far no help. they both get a load of spyware coming up, so i get rid of it and when i run the test again its there again.

    and wahey i got another popup, aaarrrggg they are anoying.

    please help

    Guy
     
  2. guy123

    guy123 Thread Starter

    Joined:
    Jan 3, 2005
    Messages:
    31
    hello, this spyware is getting annoying.

    i have run adaware se, and spybot search and deetroy, and i delete the files they find but i still get popups on my screen all the time, not neccacarily when im using the internet! and if im not connected i get error messages because the spyware cant reach the internet.

    and it hijacked my internet explorer browser so i now have to use mozilla!!

    please please help!

    Guy
     
  3. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Your language will NOT be tolerated here. I've changed your thread title to something more appropriate for our site! :mad:
     
  4. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Go to http://www.thespykiller.co.uk/downloads.htm and download 'Hijack This!'.

    First make a folder on your computer in my documents called Hijackthis and then Unzip it to that folder.
    Then doubleclick the Hijackthis.exe.

    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here
    in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.

    Someone here will be happy to help you analyze the results.
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Create a permanent folder on your hard drive like c:\program files\hjt.
    Download Hijackthis and click "Save", direct it to the permanent folder you created. Double click on hijackthis.exe and select "Do a system scan and save a logfile". This log will open in notepad. Copy and paste the log back here for review.
    Don't make any changes until instructed to do so.

    **Note this is a new version of HJT so please do the download.
     
  6. guy123

    guy123 Thread Starter

    Joined:
    Jan 3, 2005
    Messages:
    31
    here is the hjt file.

    -------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 20:39:57, on 18/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\sstray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\VM_STI.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Guy\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Guy\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {97FFBEBC-3088-4F36-9CCD-CBDEBDCF1F22} - C:\WINDOWS\System32\kaof.dll
    O3 - Toolbar: iMesh Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Guy\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Filter: text/html - {3389E5EA-CBF7-45C5-9DB7-866027F7B2AA} - C:\WINDOWS\System32\kaof.dll
    O18 - Filter: text/plain - {3389E5EA-CBF7-45C5-9DB7-866027F7B2AA} - C:\WINDOWS\System32\kaof.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Guy\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Guy\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: (no name) - {97FFBEBC-3088-4F36-9CCD-CBDEBDCF1F22} - C:\WINDOWS\System32\kaof.dll
    O3 - Toolbar: iMesh Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Guy\LOCALS~1\Temp\se.dll,DllInstall
    O18 - Filter: text/html - {3389E5EA-CBF7-45C5-9DB7-866027F7B2AA} - C:\WINDOWS\System32\kaof.dll
    O18 - Filter: text/plain - {3389E5EA-CBF7-45C5-9DB7-866027F7B2AA} - C:\WINDOWS\System32\kaof.dll

    Close all applications and browser windows before you click "fix checked".

    Restart in safe mode

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders" Click "Apply" then "OK".

    Go to Control Panel, add/remove programs and remove MySearch and iMesh5.

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Guy (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


    Go to Internet Options, Programs
    Click the "Reset Web Settings" Button to reset your home and search pages.

    Reboot.

    Download AdAware SE Personal: http://www.lavasoftusa.com/support/download/

    Install the program and launch it.

    On the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    In the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Reboot and post another log.
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/330053

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice