Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Impossible to remove spyware

  • 12-12-2005 6:08pm
    #1
    Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭


    I'll give you the history:
    Tried to download a crack for a program (educational purposes) and I clicked on the wrong link and immediately my microsoft anti-spyware found it. But It was too late.

    There was loads of popups and my desktop wallpaper wasn't able to be removed (I said I had spyware), eventually got most of the spyware sorted.

    Removed Avast as anti-virus and installed a trial for Norton
    Updated Microsoft Anti-spyware
    Downloaded Spybot S&D
    Downloaded Ad-Aware SE Personal

    Ran all 4 of the things and got rid of most of the stuff.

    Now I'm stumped:
    I get an internet popup for some website
    I cannot remove tasks from my task manager (I downloaded "Security Task Manager" - pile of ****e!)

    So pissed off, I'm in my final year of college and the popups are really anoying. I've spent 2 days trying to get rid of the thing - Large HD's!
    What can I possibly do?


Comments

  • Registered Users, Registered Users 2 Posts: 7,816 ✭✭✭Calibos


    Is it spyaxe perchance?


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,583 Mod ✭✭✭✭Capt'n Midnight


    Not a security issue at all.

    try again in safe mode, turn off system restore, install / run firefox till you get IE cleaned, better still change internet options so IE can't connect to the internet until sorted.

    search the usual threads, there is an exploit in IE where a trojan downloads a new one every 5 minutes.


  • Registered Users, Registered Users 2 Posts: 6,949 ✭✭✭SouperComputer


    okay, im assuming you have disabled system restore and emptied out your temp files.

    Download and run hitman pro, it runs 6 different antispyware apps.

    After that, download hijack this and the guides.

    These two combined should have it sorted for you.


  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    I'll download hitman pro and follow the HJT instructions. System restore is off all the time. I run Firefox and get the popups. Depends on whichever browser is head browser. It affects both.I had Norton AV. uninstalled that and installed AVG.In safe mode:Just after finishing deleting all the temp files I could think of.Ran AVG - found nothingRan Ad-aware - found nothingran MS anti-spyware - found nothingran spybot s&d - found klone virus and some other onemanually removed klone infected files.(I can't delete index.dat files in the likes of:C:\Documents and Settings\Rory\Local Settings\Temp\Temporary Internet Files\Content.IE5 for example)


  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    wow, that hitman is a really neat package. I got rid of the popup. So many trojans and spyware found... Hopefully I've gotten rid of the nasty piece of ****. I can spend tomorrow on college work. Cheers SouperComputer and co :D nice job. I'd still be pulling hair out of my head.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    *FRIG* - No gone totally yet. I still have no control over my task manager. I'll run the program again over the night. Hopefully it will catch some more...


  • Registered Users, Registered Users 2 Posts: 6,949 ✭✭✭SouperComputer


    did you use hijack this?

    also, go to www.eset.com and download NOD32 antivirus trial.

    Of course you should be running all this in safe mode and also in each user profile.

    If a particular file wont even move, even from command prompt in safe mode, download knoppix or a similar linux distro and give it some GNU lovin'

    HTH


  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    Logfile of HijackThis v1.99.1
    Scan saved at 13:32:43, on 13/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Selom Ofori\BlackMoon FTP Server\FTPService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Java\j2re1.4.2_10\bin\jucheck.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\oracle\ora92\bin\agntsrvc.exe
    C:\oracle\ora92\Apache\Apache\apache.exe
    C:\WINDOWS\system32\cmd.exe
    C:\oracle\ora92\BIN\TNSLSNR.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\oracle\ora92\bin\dbsnmp.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\oracle\ora92\Apache\Apache\apache.exe
    C:\oracle\ora92\jdk\bin\java.exe
    C:\oracle\ora92\jdk\bin\java.exe
    c:\oracle\ora92\bin\isqlplus
    C:\HJT\HijackThis.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_10\bin\jusched.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{165048C4-7219-4BAD-A16D-52F6E0965DBF}: NameServer = 192.111.39.1,192.111.39.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{165048C4-7219-4BAD-A16D-52F6E0965DBF}: NameServer = 192.111.39.1,192.111.39.4
    O17 - HKLM\System\CS2\Services\Tcpip\..\{165048C4-7219-4BAD-A16D-52F6E0965DBF}: NameServer = 192.111.39.1,192.111.39.4
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: BlackMoon FTP Service (BMFTP-RELEASE) - Selom Ofori - C:\Program Files\Selom Ofori\BlackMoon FTP Server\FTPService.exe
    O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe (file missing)
    O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
    O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice (file missing)
    O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
    O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
    O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceSNIIPE - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - G:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)


  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    normally when I want to get rid of the likes of java with task manager it works. I also don't like the look of cmd.exe, etc
    I'll download nod32.exe now, I think I have knoppix around somewhere on CD, but don't know which files to budge yet.


  • Registered Users, Registered Users 2 Posts: 10,245 ✭✭✭✭Fanny Cradock


    i know that you probably don't wan't another programme installed on your system, but you should definitely try www.ewido.net

    it's an excellent programme and it should hopefully help you out


  • Advertisement
  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    sniipe wrote:
    Tried to download a crack for a program (educational purposes)

    the program, or the crack? :v:


  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    The crack.

    I ran everything in safe mode!

    I am after using Nods, it found nothing. There is definately something there. I have a cmd.exe in my task manager along others and access is denied when I try to remove it.
    Gonna download www.ewido.net now and see what that does for me. My laptop is after dieing and I've only this machine. I have a big report due tomorrow so I'll run that program quick and then I'll have to use this machine. - The virus/spyware one.


  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    so far that program found Adware.Shorty. The things keep multiplying. I'll prob reboot again in safe mode then launch in this order:

    Hitman pro
    Ewido
    AVG
    Nods32

    ... hold the phone! ewido found 109 adware, mainly in Firefox... interesting. Perhaps after it finishes a reboot then check the task manager again.


  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    no joy. I am just finished with the whole thing now. I still have something blocking some of my processes in task manager. I don't like that...
    I'm re-installing windows, which is a shame; had it working sweetly!


  • Registered Users, Registered Users 2 Posts: 6,949 ✭✭✭SouperComputer


    I still have something blocking some of my processes in task manager

    what exactly do you mean by this?


  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    I open task manager;
    click on a task like apache or java (which are normally stoppable)
    end process
    I get a popup saying
    "Unable to Terminate Process" <-title
    "The operation could not be completed."
    "Access is denied."
    [ok]

    Perhaps things have changed and I can't remove those applications.
    here is a quick flavor:
    cmd.exe <- access denied
    isqlplus <- access denied
    java.exe <- access denied
    mysqld-nt.exe <- access denied
    oracle - I can remove this
    lsass.exe <- This is a critical process. Task manager could not end this process


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Download RootkitRevealer from www.sysinternals.com


    And this is better suited to Computers.


  • Registered Users, Registered Users 2 Posts: 2,933 ✭✭✭Sniipe


    lol another 1 :-) sure why not. I'll try it when I get back to Dublin tomorrow
    cheers


  • Closed Accounts Posts: 2,349 ✭✭✭nobodythere


    If it's a Coolwebsearch variant (some of which are ****ing impossible to remove arrrrg!!!!) download CWS Shredder.


Advertisement