
Impossible to remove spyware

  • 12-12-2005 7:08pm, #1, Sniipe


    I'll give you the history:
    Tried to download a crack for a program (educational purposes), clicked on the wrong link and immediately my Microsoft Anti-Spyware found it. But it was too late.

    There were loads of popups and my desktop wallpaper couldn't be removed (it said I had spyware); eventually got most of the spyware sorted.

    Removed Avast as anti-virus and installed a trial of Norton
    Updated Microsoft Anti-Spyware
    Downloaded Spybot S&D
    Downloaded Ad-Aware SE Personal

    Ran all 4 of the things and got rid of most of the stuff.

    Now I'm stumped:
    I get an internet popup for some website
    I cannot remove tasks from my task manager (I downloaded "Security Task Manager" - pile of ****e!)

    So pissed off, I'm in my final year of college and the popups are really annoying. I've spent 2 days trying to get rid of the thing - large HDs!
    What can I possibly do?


Comments

  • Calibos


    Is it spyaxe perchance?


  • Capt'n Midnight (Moderator)


    Not a security issue at all.

    Try again in safe mode, turn off System Restore, install/run Firefox till you get IE cleaned; better still, change Internet Options so IE can't connect to the internet until sorted.

    Search the usual threads; there is an exploit in IE where a trojan downloads a new one every 5 minutes.


  • SouperComputer


    Okay, I'm assuming you have disabled System Restore and emptied out your temp files.

    Download and run Hitman Pro; it runs 6 different anti-spyware apps.

    After that, download HijackThis and the guides.

    These two combined should have it sorted for you.


  • Sniipe


    I'll download Hitman Pro and follow the HJT instructions. System Restore is off all the time. I run Firefox and get the popups. Depends on whichever browser is head browser; it affects both. I had Norton AV, uninstalled that and installed AVG.

    In safe mode:
    Just after finishing deleting all the temp files I could think of.
    Ran AVG - found nothing
    Ran Ad-Aware - found nothing
    Ran MS Anti-Spyware - found nothing
    Ran Spybot S&D - found Klone virus and some other one
    Manually removed Klone infected files.
    (I can't delete index.dat files in the likes of C:\Documents and Settings\Rory\Local Settings\Temp\Temporary Internet Files\Content.IE5 for example)


  • Sniipe


    Wow, that Hitman is a really neat package. I got rid of the popup. So many trojans and spyware found... Hopefully I've gotten rid of the nasty piece of ****. I can spend tomorrow on college work. Cheers SouperComputer and co :D nice job. I'd still be pulling hair out of my head.


  • Sniipe


    *FRIG* - not gone totally yet. I still have no control over my task manager. I'll run the program again over the night. Hopefully it will catch some more...


  • SouperComputer


    Did you use HijackThis?

    Also, go to www.eset.com and download the NOD32 antivirus trial.

    Of course you should be running all this in safe mode and also in each user profile.

    If a particular file won't even move, even from command prompt in safe mode, download Knoppix or a similar Linux distro and give it some GNU lovin'.

    HTH


  • Sniipe


    Logfile of HijackThis v1.99.1
    Scan saved at 13:32:43, on 13/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Selom Ofori\BlackMoon FTP Server\FTPService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Java\j2re1.4.2_10\bin\jucheck.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\oracle\ora92\bin\agntsrvc.exe
    C:\oracle\ora92\Apache\Apache\apache.exe
    C:\WINDOWS\system32\cmd.exe
    C:\oracle\ora92\BIN\TNSLSNR.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\oracle\ora92\bin\dbsnmp.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\oracle\ora92\Apache\Apache\apache.exe
    C:\oracle\ora92\jdk\bin\java.exe
    C:\oracle\ora92\jdk\bin\java.exe
    c:\oracle\ora92\bin\isqlplus
    C:\HJT\HijackThis.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{165048C4-7219-4BAD-A16D-52F6E0965DBF}: NameServer = 192.111.39.1,192.111.39.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{165048C4-7219-4BAD-A16D-52F6E0965DBF}: NameServer = 192.111.39.1,192.111.39.4
    O17 - HKLM\System\CS2\Services\Tcpip\..\{165048C4-7219-4BAD-A16D-52F6E0965DBF}: NameServer = 192.111.39.1,192.111.39.4
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: BlackMoon FTP Service (BMFTP-RELEASE) - Selom Ofori - C:\Program Files\Selom Ofori\BlackMoon FTP Server\FTPService.exe
    O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe (file missing)
    O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
    O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
    O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
    O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
    O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceSNIIPE - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - G:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)


  • Sniipe


    Normally when I want to get rid of the likes of Java with task manager it works. I also don't like the look of cmd.exe, etc.
    I'll download nod32.exe now. I think I have Knoppix around somewhere on CD, but don't know which files to budge yet.


  • Fanny Cradock


    I know that you probably don't want another programme installed on your system, but you should definitely try www.ewido.net

    It's an excellent programme and it should hopefully help you out.


  • Martyr


    sniipe wrote:
    Tried to download a crack for a program (educational purposes)

    The program, or the crack? :v:


  • Sniipe


    The crack.

    I ran everything in safe mode!

    I am after using NOD32, it found nothing. There is definitely something there. I have a cmd.exe in my task manager along with others, and access is denied when I try to remove it.
    Gonna download www.ewido.net now and see what that does for me. My laptop is after dying and I've only this machine. I have a big report due tomorrow so I'll run that program quick and then I'll have to use this machine - the virus/spyware one.


  • Sniipe


    So far that program found Adware.Shorty. The things keep multiplying. I'll prob reboot again in safe mode then launch in this order:

    Hitman Pro
    Ewido
    AVG
    NOD32

    ... hold the phone! Ewido found 109 adware, mainly in Firefox... interesting. Perhaps after it finishes, a reboot, then check the task manager again.


  • Sniipe


    No joy. I am just finished with the whole thing now. I still have something blocking some of my processes in task manager. I don't like that...
    I'm re-installing Windows, which is a shame; had it working sweetly!


  • SouperComputer


    Sniipe wrote:
    I still have something blocking some of my processes in task manager

    What exactly do you mean by this?


  • Sniipe


    I open task manager;
    click on a task like apache or java (which are normally stoppable)
    end process
    I get a popup saying
    "Unable to Terminate Process" <-title
    "The operation could not be completed."
    "Access is denied."
    [ok]

    Perhaps things have changed and I can't remove those applications.
    Here is a quick flavour:
    cmd.exe <- access denied
    isqlplus <- access denied
    java.exe <- access denied
    mysqld-nt.exe <- access denied
    oracle - I can remove this
    lsass.exe <- This is a critical process. Task manager could not end this process
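As an added example for the HijackThis log and the "Access is denied" list above (Python written for this page; it is not code from the thread, from HijackThis or from any tool named in it), the script below parses a constructed HJT-format sample modelled on the posted log, flags the entry types that most often carry a hook (a configured proxy, a nameless BHO, static nameservers outside private address space, a Winlogon Notify DLL, and O23 services with no publisher string or a missing image), and matches each running process to the O23 service whose image path it shares. The flags are prompts to verify rather than verdicts: the nameless BHO in the sample is Spybot's SDHelper.dll, and the WR-prefixed Winlogon DLL sits beside a Webroot service in the same log, which is exactly the cross-check the output is meant to trigger. The path matching is a heuristic (it does not expand 8.3 names such as PROGRA~1), and a process it does tie to a service is one to stop through the service control manager rather than Task Manager's End Process.

```python
"""Triage a HijackThis v1.99-style log: flag entry types that usually carry a
persistence or redirection hook, and map running processes to the O23 service
that hosts them.  Assumes the line layout HijackThis 1.99 prints."""
import ipaddress
import re

# Constructed sample in HijackThis format, modelled on the log in this thread.
# It is a subset with the same entry types, not a copy of the posted log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\oracle\ora92\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
C:\mysql\bin\mysqld-nt.exe
C:\oracle\ora92\jdk\bin\java.exe
C:\Program Files\UltraVNC\WinVNC.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{165048C4-7219-4BAD-A16D-52F6E0965DBF}: NameServer = 192.111.39.1,192.111.39.4
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in .exe; HJT appends the service's command-line
# tail (e.g. '" -service (file missing)') after the path, so stop at the .exe.
EXE_RE = re.compile(r'[A-Za-z]:[\\/][^"]*?\.exe', re.IGNORECASE)

def parse_hjt(text):
    """Return (running_processes, [(code, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if not line:                      # a blank line ends the process list
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries

def norm(path):
    """Case-fold and unify slashes; 8.3 names like PROGRA~1 are not expanded."""
    return path.lower().replace("/", "\\")

def service_hosted(processes, entries):
    """Map each running process to the O23 service whose image path matches it
    (None when no listed service shares the path)."""
    services = {}
    for code, body in entries:
        m = EXE_RE.search(body) if code == "O23" else None
        if m:
            name = body.split(" - ")[0].replace("Service: ", "", 1)
            services[norm(m.group(0))] = name
    return {p: services.get(norm(p)) for p in processes}

def is_private(ip):
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def triage(entries):
    """Return [(code, reason, body), ...] for entries worth a second look.
    These are prompts to verify, not verdicts: legitimate tools use the same hooks."""
    findings = []
    for code, body in entries:
        value = body.split("=")[-1].strip()   # right-hand side of 'key = value' lines
        if code == "R1" and "ProxyServer" in body:
            where = "LAN host" if is_private(value.split(":")[0]) else "non-private host"
            findings.append((code, f"browser proxy points at a {where}; confirm you set it", body))
        elif code == "O2" and "(no name)" in body:
            findings.append((code, "BHO registered without a name; check the DLL's vendor", body))
        elif code == "O17":
            public = [ip.strip() for ip in value.split(",") if not is_private(ip.strip())]
            if public:
                findings.append((code, "static DNS servers " + ", ".join(public) + "; confirm they are your ISP's", body))
        elif code == "O20":
            findings.append((code, "Winlogon Notify DLL loads at every logon; check its vendor", body))
        elif code == "O23" and "(file missing)" in body:
            findings.append((code, "service image missing; stale entry or a removed infection", body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service has no publisher string; check the binary", body))
    return findings

if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for code, reason, body in triage(ents):
        print(f"{code}: {reason}\n    {body}")
    for proc, svc in service_hosted(procs, ents).items():
        print(f"{proc} -> {svc or 'no O23 service with this path'}")
```

Run it against a real log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`. In the sample, apache.exe, mysqld-nt.exe and WinVNC.exe resolve to services while cmd.exe and the Oracle JDK java.exe do not, which is the split you want before deciding whether to reach for `net stop` or keep digging.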


  • WizZard


    Download RootkitRevealer from www.sysinternals.com


    And this is better suited to Computers.


  • Sniipe


    lol, another one :-) sure why not. I'll try it when I get back to Dublin tomorrow.
    Cheers


  • nobodythere


    If it's a Coolwebsearch variant (some of which are ****ing impossible to remove arrrrg!!!!) download CWS Shredder.

