
spyware etc.

  • 27-07-2006 11:32pm
    #1
    Registered Users, Registered Users 2 Posts: 26,061 ✭✭✭✭


    my friend dropped his pc over to me because he was having problems with it. i'm no expert, but i do know one or two things.
    the problem here is that after removing everything i could (both manually and with the help of AVG, adaware and spybot) there are still a few things remaining that shouldn't be there.

    your help with this would be appreciated.


    Logfile of HijackThis v1.99.1
    Scan saved at 21:59:01, on 27/07/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\User1\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1525
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1525
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nknoba.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1525
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nknoba.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nknoba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nknoba.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_5.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmd_5.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://ehttp.cc/?
    O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1034DBAF-57C7-4AA1-9F41-6C59F9EC7422}: NameServer = 62.231.32.10,62.231.32.11
    O20 - AppInit_DLLs: C:\WINDOWS\System32\dvdplay.dll
    O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\en2ul1f91.dll
    O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Kg\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE



    note: i am aware that he doesn't have service pack 2 installed. i plan on installing this as soon as i have removed all the problems.


Comments

  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_5.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmd_5.exe

    The above two are spyware for a start anyway. Click start->run->msconfig and then the Startup tab (untick the box for those two entries). Restart in safe mode, locate and delete them.

    Also go into Control Panel->Add/Remove Programs and see if there's anything like "NewDotNet" installed, if so then remove it.
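
A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread: it parses the `<section> - <entry>` lines and lists the entries that deserve a manual look. The rules and the names `parse`, `triage` and `SAMPLE_LOG` are assumptions made for this example; a flag means "check this entry", not a verdict.

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nknoba.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_5.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Kg\command.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")             # "O4 - ..."
RUN = re.compile(r"^\S+\\(Run\w*): \[([^\]]+)\] (.+)$")    # hive\..\Run: [name] command
ROOT_EXE = re.compile(r"^[A-Za-z]:\\+[^\\/]+\.exe\b", re.I)  # exe directly under X:\

def parse(log_text):
    """Yield (section_code, body) for each HijackThis entry line."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text):
    """Return [(code, body, [reasons])] for entries worth a manual look."""
    findings = []
    for code, body in parse(log_text):
        reasons = []
        if body.endswith("(obfuscated)"):
            reasons.append("value marked obfuscated by HijackThis")
        if body.endswith("(file missing)"):
            reasons.append("target file missing")
        if code == "O23" and " - Unknown owner - " in body:
            reasons.append("service owner reported as Unknown")
        run = RUN.match(body) if code == "O4" else None
        if run and ROOT_EXE.match(run.group(3)):
            reasons.append("autorun executable sits in the drive root")
        if reasons:
            findings.append((code, body, reasons))
    return findings

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> " + "; ".join(reasons))
```
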


  • Registered Users, Registered Users 2 Posts: 534 ✭✭✭DonkeyRhubarb


    There's a nifty little program that sorted me out. I was in your situation with a mate's PC and found a program.

    Do a search for 'Hitman Pro'.

    It's a combination of a number of free programs and it does EVERYTHING automatically. It will take forever to do everything it does, took 4 hours in my case, but the system will be nearly clean as a whistle! Hope this helps! :D


  • Registered Users, Registered Users 2 Posts: 26,061 ✭✭✭✭Terry


    ok. i've removed pretty much everything malicious. the browser hijacking has stopped and all now seems to be running smoothly (until my friend takes the pc home and starts looking at dodgy porn sites again).

    there's just one problem left and that is the progress bar (i think that's what it's called. the one at the bottom of the page with the blue bar thingy) is missing from firefox, which i have just now reinstalled.
    i have no idea how to get this back.
    anyone?


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Click View and select Status Bar. :)


  • Registered Users, Registered Users 2 Posts: 26,061 ✭✭✭✭Terry


    and the award for the most computer illiterate person goes to...


    thanks, ruu.
    job done.


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Hope you're getting paid for this or at least a few pints. :)


  • Registered Users, Registered Users 2 Posts: 26,061 ✭✭✭✭Terry


    20 smokes.
    he's a miserable bastard.


  • Registered Users, Registered Users 2 Posts: 18,823 ✭✭✭✭K.O.Kiki


    At least you got something out of it.
    I have to deal with my dad's friend, 1-2hrs a day on the phone, and he will read out every single line on-screen, hoping that I can form a mental picture & find the magical answer to his problems (pop-ups etc)...
    And I'm doing this for free...

    ...goddamned hate Windows...


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    K.O.Kiki wrote:
    At least you got something out of it.
    I have to deal with my dad's friend, 1-2hrs a day on the phone, and he will read out every single line on-screen, hoping that I can form a mental picture & find the magical answer to his problems (pop-ups etc)...
    And I'm doing this for free...

    ...goddamned hate Windows...

    Let me guess, your dad "volunteered" you for the job? :)


  • Registered Users, Registered Users 2 Posts: 2,471 ✭✭✭majiktripp


    I know how you guys feel, when you work in a service industry where basically a computer is used by most families every day, albeit for basic internet / music / word docs etc., but they have no idea of how much time and frustration goes into cleaning up an infested machine. But it's alright because you love computers..., you love to clean this stuff up..., and sure he's a nice lad, give him a tenner... I don't like this mentality at all. If a plumber comes round, a carpenter, an electrician, do you think they'd spend just as much time as you do on a job for €10 and a smile... That's just my experience with "some" people; others I have found very understanding and very aware of the time and effort that goes into the IT industry and making sure it all works ok.


  • Registered Users, Registered Users 2 Posts: 18,823 ✭✭✭✭K.O.Kiki


    Ruu wrote:
    Let me guess, your dad "volunteered" you for the job? :)
    Well, I built the rig for €100 (free money!), but I really should have taught him about the internet before he started... or maybe I shouldn't have volunteered of my own free will :( ...

