so i got hit with spyware...

E

elmer91

Member
thinking it was from a flash drive. some one was using it, and he said when he plugged in his flash drive, limewire popped up. (i dont have limewire). it blocked some things, like task manager. rebooted, and two profiles popped up, only have one on the computer. the background was saying that i had spyware. think it is savable? as soon as i saw the background, the computer went back off. no, i didnt have any firewall, i couldnt get anything to work with my computer.
 
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.

Click here[/color] to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
here is that report, starting on the second part of everything.


SDFix: Version 1.187
Run by Administrator on Wed 06/04/2008 at 10:15 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MsSecurity1.209.4

Path :
C:\WINDOWS\444.470 service

MsSecurity1.209.4 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\ddcAQgFx.dll - Deleted
C:\WINDOWS\system32\ddcAQgFx.dll - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted



Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\WINDOWS\system32\vntiho18 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 22:30:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\rundll16.exe 24064 bytes
C:\WINDOWS\rundll32.vbe 25856 bytes
C:\WINDOWS\searchword.dll 31744 bytes
C:\WINDOWS\users32.exe 24064 bytes
C:\WINDOWS\waol.exe 17920 bytes
C:\WINDOWS\win32e.exe 14592 bytes
C:\WINDOWS\win64.exe 12800 bytes
C:\WINDOWS\winajbm.dll 15360 bytes
C:\WINDOWS\window.exe 29696 bytes
C:\WINDOWS\default.htm 2019 bytes
C:\WINDOWS\msconfd.dll 27904 bytes
C:\WINDOWS\winmgnt.exe 31744 bytes
C:\WINDOWS\x.exe 28416 bytes
C:\WINDOWS\xplugin.dll 24320 bytes
C:\WINDOWS\xxxvideo.hta 25856 bytes
C:\WINDOWS\y.exe 13056 bytes
C:\WINDOWS\olehelp.exe 29184 bytes
C:\WINDOWS\qttasks.exe 22784 bytes
C:\WINDOWS\quicken.exe 12800 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 19


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\x.exe Found
C:\WINDOWS\y.exe Found
C:\WINDOWS\accesss.exe Found
C:\WINDOWS\astctl32.ocx Found
C:\WINDOWS\avpcc.dll Found
C:\WINDOWS\clrssn.exe Found
C:\WINDOWS\cpan.dll Found
C:\WINDOWS\ctfmon32.exe Found
C:\WINDOWS\ctrlpan.dll Found
C:\WINDOWS\default.htm Found
C:\WINDOWS\directx32.exe Found
C:\WINDOWS\dnsrelay.dll Found
C:\WINDOWS\editpad.exe Found
C:\WINDOWS\explore.exe Found
C:\WINDOWS\explorer32.exe Found
C:\WINDOWS\funniest.exe Found
C:\WINDOWS\funny.exe Found
C:\WINDOWS\gfmnaaa.dll Found
C:\WINDOWS\helpcvs.exe Found
C:\WINDOWS\iedll.exe Found
C:\WINDOWS\iexplorer.exe Found
C:\WINDOWS\inetinf.exe Found
C:\WINDOWS\internet.exe Found
C:\WINDOWS\loader.exe Found
C:\WINDOWS\msconfd.dll Found
C:\WINDOWS\msspi.dll Found
C:\WINDOWS\mssys.exe Found
C:\WINDOWS\msupdate.exe Found
C:\WINDOWS\mswsc10.dll Found
C:\WINDOWS\mswsc20.dll Found
C:\WINDOWS\mtwirl32.dll Found
C:\WINDOWS\notepad32.exe Found
C:\WINDOWS\olehelp.exe Found
C:\WINDOWS\qttasks.exe Found
C:\WINDOWS\quicken.exe Found
C:\WINDOWS\rundll16.exe Found
C:\WINDOWS\rundll32.vbe Found
C:\WINDOWS\searchword.dll Found
C:\WINDOWS\sistem.exe Found
C:\WINDOWS\svchost32.exe Found
C:\WINDOWS\svcinit.exe Found
C:\WINDOWS\systeem.exe Found
C:\WINDOWS\systemcritical.exe Found
C:\WINDOWS\time.exe Found
C:\WINDOWS\users32.exe Found
C:\WINDOWS\waol.exe Found
C:\WINDOWS\win32e.exe Found
C:\WINDOWS\win64.exe Found
C:\WINDOWS\winajbm.dll Found
C:\WINDOWS\window.exe Found
C:\WINDOWS\winmgnt.exe Found
C:\WINDOWS\xplugin.dll Found
C:\WINDOWS\xxxvideo.hta Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 16 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 22 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\BIT5.tmp"
Mon 22 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e7d26e5776f9930c6ad9dff351940707\BIT4.tmp"
Tue 6 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\My computer\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
 
Well!

Well, Download "superantispyware" if you didn't get rid of it. It is really good. Oh and one more thing if it does not detect anything you will have to update "superantispyware".
 
ok, i think it is slowly getting worse. here is what i have done. i have tried avast, it did a little bit. i tried to find hijackthis, but that link wouldnt work for me. tried to search for it, but it wont let me on google, or other search engines. i then downloaded Norton, it cant find anything. any more ideas? i need help and quick.

i found out what happened, and the name of the adware. someone got onto my computer while i was in class, and downloaded lime wire, 2 hours later he downloaded something and that is when it started. the name of it is coolwebsearch. found a website that rated it a level 10, 10 being the worst. is this true, and has anyone dealt with this before?
 
Coolwebsearch is a *beep*. As Mr. Tlkarkin mentioned, it is best to back up your files while you can. My old eMAchines had to be completely formatted/reinstalled. Limewire.
 
Wow so many Trojans...
Don't worry, I'm a different timezone but we'll get this through.
We'll be able to fix these infections but I found a Trojan.w32. Small which is registered as a Trojan Backdoor.
This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. If you're doing any banking or something important on your computer, I suggest clean reformat/reinstall. To do that you can follow this article:
http://www.cyberwalker.com/article/454/45#reinstallxp

Now if you'd like to remove those files without doing the reformatting, follow the next steps:

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\y.exe
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\ctfmon32.exe Found
C:\WINDOWS\ctrlpan.dll Found
C:\WINDOWS\default.htm Found
C:\WINDOWS\directx32.exe Found
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\cpan.dll
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.
 
will it be safe to back up my music and pictures with out the possibility of it infecting the external hard drive? tell me, and if it is, i will save those, then just the computer be. that is all i want is the pictures, and music. and i need to remove photoshop.
 
i dont think so if there were viruses yes it might infect the external hard drives cause they might have reproduced into that file but scence they are trojens it will be safe because none of them are located in the files you want to back up also wow! you had a lot of trojans! this will also help me for when i have some problums with this and if you want you can even find out when the person was on your computer to help find who it was
 
You're planning to reformat?
It could be safe to back-up your music, especially if it's not downloaded with LimeWire...
Pictures, well probably also safe and Trojans wouldn't stick on a file; true, they are all in Windows/Windows/System32.

Back-up the files you want and you can reformat your computer.
The thing is, you may choose not to do so, and then do as I suggested step further.
It's a security procedure as we don't know how many data did the hacker gain.
Also, I don't believe I mentioned this very clear: If you're doing any banking or have any important passwords on your computer, be sure to change them, if necesery-contact your bank.
 
i do not plan on formatting the computer. i plan on taking what i need off of it, then destroying the computer. the file that was downloaded from limewire was saved to a flash drive. that should mean my music and pics should be fine, right? should i be able to take the existing ram in my computer out, and it still be safe to use? (i would donate it to my school, they use the same computer as i do). and one last thing, if my external hard drive does become infected, would the warranty cover it?
 
elmer91 said:
i do not plan on formatting the computer. i plan on taking what i need off of it, then destroying the computer. the file that was downloaded from limewire was saved to a flash drive. that should mean my music and pics should be fine, right? should i be able to take the existing ram in my computer out, and it still be safe to use? (i would donate it to my school, they use the same computer as i do). and one last thing, if my external hard drive does become infected, would the warranty cover it?
Click to expand...

The parts inside your computer will be fine to use.

Music downloaded from limewire - no good!
Photos and everything else should be fine - i recommend reformatting your flash drive though.....
 
cohen said:
The parts inside your computer will be fine to use.

Music downloaded from limewire - no good!
Photos and everything else should be fine - i recommend reformatting your flash drive though.....
Click to expand...


thanks. i was not the one who downloaded limewire, or anything from it. my friend did without permission, and while i was in class. only one thing was downloaded, and it was save to the flash drive, which was his. i wouldnt download any music anyway, i always buy my cd's.

one question, for when i go to put this on the external drive, if, for some reason, it does get infected, would it be covered by the warranty. it is about 8 months old, and is a Western Digital passport, 160GB. i would look on the box for more info, but it is not with me. Thank you, and everyone for all the help.
 
ok, gonna try the external drive thing. then try on a crappy computer i got at my house, in case something goes wrong.
 
i just put the documents onto my old computer, everything is fine. now to start looking at laptops, and get one over the weekend.
 
You must log in or register to reply here.
Back
Top