
spyware removal problems (with HJT log)

Discussion in 'Virus & Other Malware Removal' started by Darkmind, Jul 17, 2006.

Thread Status:
Not open for further replies.
  1. Darkmind

    Darkmind Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    5
    Hi, I thought a few times I got rid of some spyware programs, but it seems they just keep coming back, so I decided to finally register myself and ask for help. I run Windows XP SP2, and the spywares that give me trouble mostly are sysprotect, and win antivirus. And for some reason, my explorer sometimes closes down for no reason (as in taskbar, start menu, desktop icons just disappear and the explorer.exe is no longer in the task menu). Here's the HiJackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 9:54:02 PM, on 7/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\system32\blank.htm
    F2 - REG:system.ini: Shell=explorer.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/bd3f7565113f122b41a36bc6b3b82374_35.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://zllin.info/n/us48/48.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE86197B-7ABC-4679-AD83-12FDA1AE92DC}: NameServer = 68.94.156.1,68.94.157.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - C:\WINDOWS\system32\vpxnk.dll (file missing)
    O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    Hi and welcome to TSG,

    Why are you not running any anti-virus software???? :eek:
     
  3. Darkmind

    Darkmind Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    5
    ....Please just help me. I have lots of anti-virus and spyware removers on my computer. I just sometimes don't have them running in the background.
    Oh, and for some reason, my resident shields aren't working. I tried each antivirus program one at a time. I didn't run them all at the same time.
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    Go to www.grisoft.com and download the free anti-virus program AVG. Then post a new HijackThis log.
     
  5. Darkmind

    Darkmind Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    5
    I used avg, xoftspy, trojanhunter, ewido, avast, vundofix, spybot, adaware, and other numerous programs. Also there's this devldr32 that seems to be a virus. No matter what I did (even when uninstalling creative drivers), it came back. I tried killbox on it, still couldn't delete it, it just keeps reloading itself. I also tried deleting awtsp.dll with killbox, no luck. Safe mode explorer shell closes on me, so safe mode doesn't work, even when running the task manager to run killbox, still can't delete it.

    BTW, the only remaining spyware I seem to have is 180search assistant/zango. So could someone help with this? Here's my latest hijackthis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:05:09 PM, on 7/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\eDonkey2000\edonkey2000.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Documents and Settings\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EE86197B-7ABC-4679-AD83-12FDA1AE92DC}: NameServer = 68.94.156.1,68.94.157.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

    PS: I'm sorry if I come off rude... I appreciate what you guys do here, I thank you for trying to help.
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    I will not work on a system that has no anti-virus program on board. It's a waste of time.

    Why do you refuse to install one?
     
  7. Darkmind

    Darkmind Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    5
    Please look at what I said please.

    I still have those programs all on my system. It will not be a waste of time. I don't understand.. just because my hijackthis log doesn't say, doesn't mean I don't have them. I do have them.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!


    Click here for info on how to boot to safe mode if you don't already know how.


    Reboot into Safe Mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!


    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
     
  9. Darkmind

    Darkmind Thread Starter

    Joined:
    Jul 17, 2006
    Messages:
    5
    Hi guys, well none of that helped.. however! I figured out how to delete awtsp.dll, and get rid of that pesky devldr32.exe on my own. For anyone that has tried ANYTHING and EVERYTHING to get rid of awtsp.dll and other associated drivers with it (the bad devldr32.exe file in system32, which both of those files and with others as well). They cause the popups of sysprotect, and win antivirus.

    Step 1: Download VundoFix 4.2.0.22, and download SmitRem

    Step 2: Run VundoFix. Wait for it to finish scanning, then click on remove vundo. It will now ask you to shutdown, click OK.

    Step 3: When you turn your PC back on, go into safe mode by pressing F8 just after the BIOS gets done with your memory scan and hard drive scans. Press enter on Safe Mode.

    Step 4: Run SmitRem. It will close down everything, that's OK! After it is done, reboot.

    Step 5: Run in safe mode once again. Check your taskbar if you have devldr32 in processes. If not, good! Now go to your Windows\system32 folder, and delete awtsp.dll, and devldr32.exe. After that, run vundofix one more time to check just in case. If everything is all clear, it's A-OK! Reboot, start in normal mode. Your PC is now safe.
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,019
    None of what helped? We didn't do anything. :rolleyes:

    I'd still like to see a log from WinPFind.
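
The two HijackThis logs posted in this thread are easier to compare with a small parser. The following is an added example, not part of the original thread and not HijackThis's own code; the function names are hypothetical and the embedded logs are shortened excerpts of the two logs above.

```python
import re

# A numbered entry is "<section code> - <body>", e.g. "O21 - SSODL: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Split a HijackThis log into (running processes, set of (code, body))."""
    procs, entries, in_procs = [], set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False          # process list ends at the first entry
            entries.add((m.group(1), m.group(2)))
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def diff_logs(before, after):
    """Entries that disappeared / appeared between two scans."""
    b, a = parse_hjt(before)[1], parse_hjt(after)[1]
    return sorted(b - a), sorted(a - b)

def file_missing(text):
    """Entries whose target HijackThis reported as '(file missing)'."""
    return sorted(e for e in parse_hjt(text)[1] if e[1].endswith("(file missing)"))

# Excerpts of the two logs posted in this thread (shortened, not complete).
LOG_JUL16 = r"""
Running processes:
C:\WINDOWS\system32\devldr32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - C:\WINDOWS\system32\vpxnk.dll (file missing)
"""
LOG_JUL17 = r"""
Running processes:
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

if __name__ == "__main__":
    removed, added = diff_logs(LOG_JUL16, LOG_JUL17)
    print("removed:", removed, "\nadded:", added)
```

On these excerpts the diff shows the R1 search redirect and the O21 entry gone in the second scan and the ewido O4 entry added, while devldr32.exe is still in the running-process list of both.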
     
Short URL to this thread: https://techguy.org/483845
