
Spyware problems

Discussion in 'Windows XP' started by JamesBone, Feb 2, 2005.

Thread Status:
Not open for further replies.
  1. JamesBone

    JamesBone Thread Starter

    Joined:
    Feb 6, 2000
    Messages:
    181
    I have problems with hijacks again.

    I ran spyblaster, spybot, adaware, with the latest updates.
    I ran AVG with latest updates, it keeps showing viruses.
    I no longer have google toolbar, I'm not sure how it got deleted.
    I have a few images attached of problems I'm having.
    There is a search bar that appears in the bottom right, that is always there on reboot. I have to end its process "desktop.exe" to get it off.
    I have a "Connect To" area in my start menu that mysteriously appeared and has something strange to connect to. It was never there before.
    The culprits are in a hidden folder "isrvs" in Windows, but I can't delete them. And what's even worse, if you actually browse the "WINDOWS" directory, you can see a program called "edmond" start up.
    My google toolbar has disappeared off of IE.

    Here is my current hijack log. Trusted sites reappear, even after running certain scripts.

    Logfile of HijackThis v1.99.0
    Scan saved at 1:58:22 PM, on 2/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Software\APPLIC~1\AVG\avgcc.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Software\APPLIC~1\AVG\avgamsvr.exe
    C:\Software\APPLIC~1\AVG\avgupsvc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Software\Graphics\Adobe\Photoshop 7.0\Photoshop.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Documents and Settings\Dell\My Documents\My Programs\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [AVG7_CC] C:\Software\APPLIC~1\AVG\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgupsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
     


  2. grahamd

    grahamd

    Joined:
    May 24, 2002
    Messages:
    61
    here's two brilliant programs for spyware etc: www.noadware.net
    cwshredder.net
    although noadware is not free, try them
     
  3. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    download http://www.mvps.org/winhelp2002/DelDomains.inf - don’t run yet

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

    Print this and boot to safe mode

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Fix these with HJT

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", click "Apply", then "OK".

    Delete these folders

    C:\WINDOWS\isrvs

    START – RUN – key in %temp% - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
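    As an added example (not code from this thread, from HijackThis, or from its author), here is a small Python parser for the HijackThis log format posted above. It pulls out the `<code> - <body>` entry lines and flags the three kinds of entry MFDnNC's fix list targets: wildcard O15 Trusted Zone additions, O4 autoruns launched from the hidden isrvs folder, and the O18 text/html filter DLL. The SAMPLE_LOG lines are constructed from the log above, and SUSPECT_DIRS is a hypothetical watch list for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the HijackThis v1.99 log posted in this thread
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [AVG7_CC] C:\Software\APPLIC~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.windupdates.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Drop folder named in the thread; hypothetical watch list for this example only
SUSPECT_DIRS = ("c:\\windows\\isrvs",)

def parse_hjt(text):
    """Return (code, body) for each entry line, skipping headers and process lists."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def triage(entries):
    """Flag the entry types the thread's fix list targets; returns (code, reason, body)."""
    findings = []
    for code, body in entries:
        low = body.lower()
        if code == "O15" and low.startswith("trusted zone:"):
            # Wildcard Trusted Zone additions silence IE's download/ActiveX prompts for those hosts
            findings.append((code, "trusted-zone addition", body))
        elif code == "O4":
            m = O4_RE.match(body)
            if m and any(d in m.group("cmd").lower() for d in SUSPECT_DIRS):
                findings.append((code, "autorun from suspect folder", body))
        elif code == "O18" and low.startswith("filter: text/html"):
            # A text/html MIME filter sits in front of every page IE renders
            findings.append((code, "text/html MIME filter", body))
    return findings

def summarize(findings):
    return dict(Counter(reason for _, reason, _ in findings))
```

    Running `triage(parse_hjt(SAMPLE_LOG))` on the constructed sample flags the five lines MFDnNC lists for fixing and leaves the AVG and ATI entries alone.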
     
  4. JamesBone

    JamesBone Thread Starter

    Joined:
    Feb 6, 2000
    Messages:
    181
    I've done that already, the deldomain that is

    I booted up into Safe Mode in Windows. Then went into the WINDOWS directory and deleted that file. Then I ran AVG, and Adaware and Spybot, while in safe mode. I got rid of all the stuff. And I ran hijack this and cleaned it out. Only the bad ones that had to do with that one folder. I still get them when I boot up.

    :edit: maybe it's because I forgot to delete the temp folder. Anyway, I had done the above mentioned stuff before except delete the temp. So I guess that's my conclusion

    Anyway, here is my log now
    Logfile of HijackThis v1.99.0
    Scan saved at 5:06:25 PM, on 2/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Software\APPLIC~1\AVG\avgamsvr.exe
    C:\Software\APPLIC~1\AVG\avgupsvc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Documents and Settings\Dell\My Documents\My Downloads\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\Software\APPLIC~1\AVG\avgupsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
     
  5. JamesBone

    JamesBone Thread Starter

    Joined:
    Feb 6, 2000
    Messages:
    181
    A problem I still see. Everything looks ok, but after a length of time I still get the same spyware loaded on my system.

    I left the computer on and came back in the room, and noticed that the same darn program was running again. Some porn thing called dddd.exe. And those darn folders are back.
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    That last log was not a complete log and is dddd.exe the exact name??
     
  7. JamesBone

    JamesBone Thread Starter

    Joined:
    Feb 6, 2000
    Messages:
    181
    Yes, it is. The spacing is messed up on it. :p Sorry, I edited it.

    Yes, dddd.exe is the name. Various stuff keeps showing up.

    I notice Iexplore is running in the background...um..no, it's not. But it says it is on the processes.
    I get ad pop ups.
    A file called kalvdfo32 keeps popping up in the system32 folder, no matter how many times I try to clean stuff out.
    And last but not least, an Elite Toolbar folder shows up in the Windows dir.

    I think I got everything I noticed.

    I thought I was clean, and I was doing some school work and after 30 minutes of typing away, dddd.exe popped up again.

    Anyway, the above log is invalid now because after so many minutes, or an hour, I get stuff again. That's the log I'm aiming at, but it doesn't stay that way for long.
     
  8. JamesBone

    JamesBone Thread Starter

    Joined:
    Feb 6, 2000
    Messages:
    181
    I think I found it. It's the Kalvsys virus? Possibly someone got it from looking at porn using IE? Well, I don't ever use IE, so I know who to blame for this now.

    But there is so much information on this.

    What's the direct way to get rid of this thing? I have read that someone was charged phone bills; I'm not sure if that has anything to do with it. But it was in the related topic I read.

    Edit:
    Ok, I got rid of the Kalv stuff. I deleted all the windows files, and the registry files. I still get a dddd.exe popping up. In fact, they sometimes get copied to the Windows directory. Mainly, every time I boot, I get this running, and it tries dialing something. These files get created in the Documents and Settings folder in the user folder, in my case "Dell".

    4gfgfg.exe
    commands.cfg
    dddd.exe
    dfe.exe
    eree.exe
    feee.exe
    htt.exe
    op.exe
    sfee.exe

    When those are made is when I get that extra network connection showing up too. So I'm not totally sure if I got rid of everything. I'm almost scared to open up IE to find out, knowing that that is what generates the kalv* files.
    When I do a search for created files for today (specifically 9:30am-11:00am), because that's when the kalv files were created, I can't get anything but hijack logs and such.

    What is creating these above files? It's on a timely basis too, it seems.

    Any help would be greatly appreciated.
     
  9. JamesBone

    JamesBone Thread Starter

    Joined:
    Feb 6, 2000
    Messages:
    181
    Nothing is solved.

    Easiest way here is to dump my computer, but I want to refrain from having to do that.

    Suggestions?
     
Short URL to this thread: https://techguy.org/326009
