Stormed by adware

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

leom

Thread Starter
Joined
Jun 27, 2005
Messages
6
Ok, so yeah, I have some spyware/adware. I've used "spybot", "adaware", and even "microsoft antispyware beta" to get rid of this junk but it just won't work. My desktop background can't be changed back to normal. These programs can't be deleted: desktop.exe and ceres.dll. 2 viruses too.
Please help me out. Thanks in advance!


Logfile of HijackThis v1.99.1
Scan saved at 8:11:51 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Programs\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Programs\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Programs\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\Programs\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\LeoM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google.com/gmail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nso5.dll
O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINDOWS\System32\ca.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: Maxifiles - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Maxifiles\maxifiles.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Programs\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [\\UMBRELLA7\EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P35 "\\UMBRELLA7\EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O16 "IP_192.168.0.103" /M "Stylus C84"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\System32\snuninst.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [bvm] C:\WINDOWS\System32\bvm.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\umkrnk.exe reg_run
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [kxsdehyv] C:\WINDOWS\kxsdehyv.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\sex.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Doeb] C:\Program Files\woeu\auep.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ouum] C:\PROGRA~1\COMMON~1\ouum\ouumm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Sqmy] C:\WINDOWS\System32\??stem\spoolsv.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\sex.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: rpkd.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {016E5012-2508-2790-8AE9-5EE259B00388} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {05064B82-8B3A-7065-9C69-0AC835BE2C64} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {062DE08A-8DE0-68C8-20A6-40B369BC188F} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {0DC65708-1439-5786-4490-14584B54DCEA} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {0DE8356C-88CD-5E81-AB6A-7BB244B2AC0B} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {17C756B7-FA3D-3F78-5325-5A7B5C707FE4} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {195CEFE2-A5D2-705A-D3B6-26297140B1F8} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {199CF900-8F5A-12DC-06A2-551F6B476DBC} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {21BF376C-8223-464F-CAD0-28EB51089E0D} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {229D53A2-A02A-1667-7CA5-37D340A5343E} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {254826A9-C139-1F67-13FF-520C467E531A} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {25FB23A7-3B0E-13CC-3FF8-5F6B598EFC66} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {27650F90-001C-648C-BC37-10C10F64C6D7} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {282C090A-0068-7B82-D070-32152EA7070C} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {2AC98FDA-E45E-3A38-BB20-5EA90679A552} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {2C2B4297-C019-4BCE-A5A9-2978593EE416} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {2C5D92D5-7485-71CE-5356-77C1314A5C45} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {2F49E2B7-5F42-4AD2-23C0-591266298060} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {30EC1069-8D2D-378F-3EE5-756A13CCFF89} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {32D14786-5E8D-3B6F-55B7-55794EF9214F} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {39D92A91-14AA-359B-9D02-6E4C6A27C4A9} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3AED860D-03DF-6D36-CEC1-376E0222D90D} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3C95755B-29A7-1033-F8DE-47D51F5FFFDD} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3CC37F0E-C1A0-1E8C-EDB2-573A6310390C} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {3FA126A5-805F-7046-EE0A-3FF31BD44BCD} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {42AFBB6A-9EF2-2184-CFCE-4AF157EBB7E3} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {442EDD05-B5A9-1C84-8084-2D4D516F3EF8} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {44B4DFF8-5BF1-254A-120B-55D3302A1AFA} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {47684947-36B1-2D94-5E78-01563B8B8AC7} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0018.exe
O16 - DPF: {4820A8F1-E917-78F4-2338-4ED235ADE5E1} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {4AA1B0F8-8ED0-4482-2670-2BC2747CA7F7} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {4BD4663E-2D6A-5BB6-B28A-2FF26BA0157B} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {4C9A0AEA-703C-6569-A29B-0F80497EE874} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {4EC5B952-D22A-4231-8482-6D5A2D6966E9} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {5ADD59D2-15A8-046B-6C95-3761534382B1} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {5AF1D782-1677-6637-56CA-2EA84B026867} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {5F823469-581D-349B-3EEB-65E105D53755} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {61FA2F99-5FEF-2CF2-3EE7-54CF6B1F6F00} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {626DBD5E-38CF-0006-9FD2-5E11642ABD21} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {630B41D3-92E2-6DB6-F7B5-7A7356B3402E} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {63194E40-FBAD-59C6-FE6A-322B635520DA} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {63836471-A4F5-1BC1-25DB-355F6F993151} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1119921156189
O16 - DPF: {64FFD112-0168-3B88-D1F1-552E1C90AFFD} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {655E907B-45A7-2B4B-F5A2-73467FC07132} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {67A57828-F646-7E1F-F3B3-48493A5178AD} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {68ECBB10-9FFD-2286-CBB6-279E1E1DDCDD} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {708B8C53-37BE-18B8-7DB6-59A22D0FF235} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {71B7FDB5-9903-6568-5813-0DB37C8F449B} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {727BD495-88E5-5D12-5233-6DC52A625804} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {735A9309-FC0F-3403-0368-47CF77D06E82} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78BA02CC-D461-038A-A0AC-0AB617BBB1EA} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7943832F-2C6F-5B54-F21D-4957417FC1FA} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7AD5A63B-B6E9-2FC1-FB46-1973269D213F} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7B05D2E6-8F10-5755-B776-43D62F2A0583} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7B8AD97D-52DB-0D26-FF34-469D52B9A85F} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7C04C02E-16E0-7302-02F0-1F2C0543ADF3} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7C5544D3-9F4D-4AC3-A1CC-5CB72A077CE4} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7CA372D9-56A1-4AB5-A6D3-547725DAF99B} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7CA4A91C-E9D2-0B1B-3450-62D93737464F} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7E74A710-F4F7-43C3-6238-1DEC3B769EA5} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {7EA1CD3D-D854-4692-E0DA-7E7A1A97E118} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=3548
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0019.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\Programs\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Programs\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Programs\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\Programs\NORTON~1\SPEEDD~1\nopdb.exe
 

leom

Thread Starter
Joined
Jun 27, 2005
Messages
6
Please help me out, I really don't know how to get rid of this adware spyware stuff. Thanks :)
 

leom

Thread Starter
Joined
Jun 27, 2005
Messages
6
Yes, they are, lol my brother can't access the internet on his computer so I posted a different thread for his machine. Every time I run an ad-aware scan the one thing that it won't remove is desktop.exe. I have to run an ad-aware scan every time I get on my computer, right after it boots up. If I cancel the scan, a bunch more adware gets downloaded (one example is this "180 search" thing). Thanks for replying to this thread, I'll be glad to get any help. :)