Nothing Seems To Work (Spyware Problem)

[Bill Latif]

First of all i have limited computer knowledge so i would appreciate your patience and apoligise if i am leaving some information out or overlooking a simple answer.


couple days ago i stupidly downloaded a program, unzipped it and doubleclicked on the .exe file. as soon as that happened i realised this is untrustworthy and deleted it but too late.
what i found is new items on my desktop (free wallpapers etc) and my firefox browser kept redirecting the page im currently looking at to an advertisement. not only that decreases the size of my browser. so every couple of minutes im finding myself pushing the back button and maximising the browser again.

ive tried scanning with the following programs:
norton
AVG
ad-aware
Ewido
search and destroy
ive also uninstalled norton and downloaded kaspersky on the advice of a friend. now im using kaspersky for my virus protection.

all of these programs have found many dangerous files on my harddrive and after cleaning them up the problem still persists. firefox is still directing me away and popping up all these ads.

the other thing i tried is deleting suspicious files from my c: and my c:/windows.

im working on windows xp home edition

i hope someones got an answer cos it seems like ive asked so many people and whatever program they suggest ive tried it...


Thanks a million

[bill latif]

actually since ive posted that message, ive realised it hasnt happened for a while.

i dont think ive been redirected for the past 15-30 minutes.

woops actually forget about that. it just happened. i was just gonna say maybe the problem went away haha but no its still here. the site this time was www.ad-a-w-a-r-e.com if that helps

[Bill Latif]

ok sorry for so many posts in a row but i just thought of one more thing...

ever since ive uninstalled norton and downloaded kaspersky antivirus personal it has given me this message three times tonight:

Attention! your computer has been attacked from the internet.

Network attack 'Helkern' from adress 291.146.145.36 has been successfully repelled.

again, hope this helps

[GX1_Man]

You may be so badly FUBAR'ed that a complete reinstall would be in order. This should be followed by better prevention and maintenance.

A format and reinstall cures most Windows problems...for a while.

[Fed]

Run all of your scans in safe mode with system restore turned off.
If the problem still persists download, update & run cwshredder.
If the problem still persists, download & run Hijackthis & post the logfile in here.

Of course a fresh install is hard to beat.  

[Bill Latif]

thanks for the suggestions. a complete restore means i will lose all my files right? if so that would be my last resort.

ill try your suggestion FED and we'll take it from there.

thanks again,

Bill

[GX1_Man]

You will lose your files and your problems with a restore. You should back up any needed data first.

[dl65]

Bill Latif.......First of all , why did you remove Norton .....?
Have you run a scan using M/S antispyware Beta ?

If the problem still persists, download & run
Hijackthis & post the logfile in here.

d/l and save hijackthis on your desktop and then post the log it generates here ........as Fed has suggested ...... You have been hijacked ......
BTW ...what firewall are you using ?



What happens if you use IE ?


dl65  

[bill latif]

i removed norton because my friend advised me to stop using it and use kaspersky instead. so far im liking kaspersky it uses up less memory and seems to be less fancy more productive if that makes sense lol.

im going to download hi-hack this ill post the report shortly.

im using internet explorer now. ads are still coming up however they are pop up i have not been redirected away from my current page. and some of the pop ups are still firefox, but not all.

GX1_Man what does FUBAR'd mean lol

im not sure what my firewall is but it is on. in the windows security center in my control panel it says windows firewall is ON.

ill post again shortly,
in the meantime thanks for your time and patience,
Bill Latif

[Bill Latif]

Logfile of HijackThis v1.99.1
Scan saved at 10:05:26 PM, on 23/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEcA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Battery miser\batterymiser.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\On Screen Display\Hotkey.exe
C:\Program Files\RMan\RMan.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\wtdxregp.exe
C:\WINDOWS\system32\ysysvr6r.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\lg_swupdate\tmcheck.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\LG\Desktop\HijackThis.exe

[Bill Latif]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
R3 - Default URLSearchHook is missing
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - C:\PROGRA~1\MINICL~1\MINICL~1.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [batterymiser] C:\Program Files\Battery miser\batterymiser.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [RMan] C:\Program Files\RMan\RMan.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\wtdxregp.exe MS001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\ysysvr6r.exe MS001
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ysysvr6r.exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\system32\cxdxregt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

[Bill Latif]

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BE19DDB-DCAB-4C88-B0B9-A9F5024575E6}: NameServer = 213.42.20.20
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\jtj0071me.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TEcA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

[GX1_Man]

FUBAR= fu**ed up beyond all recognition

By your description this system is so badly infested and compromised with browser "enhancements", QuickTime, hijack links, messenger, etc. I would reformat without hesitation. The final solution, I know, but guaranteed to work.

You may get it going in some fashion with these other solutions that will be forthcoming, and I wish you luck, but if it were me....

[Bill Latif]

Wow. i had no idea it would be this bad. this is a new laptop ive had it for a couple of months. everything was fine until i clicked on the .exe file a couple of days ago.

im sorry for sounding persistent but is there anything i else i can try before reformatting? anything i can fix based on the HiJack This Log?

and if i do reformat what would be ur suggestion in the future? no quicktime or messenger and these types of programs? because i have used em for so long and so has everyone else i know...

the symptoms arent even that bad, i mean my previous computers have been stuffed up even worse than this in the past. i would have presumed this current problem was going to be easy to fix.
other than the advertisements my pc is running fine.

i'd really like one last attempt before resorting to a reinstall/reformat...

-Bill Latif

[GX1_Man]

I'm sure DL65 will be back soon with his solution.