Help with spyware removal. Thanks

cardart

Senior member
Nov 17, 2000
Hey guys, thanks for reading. I have this very annoying virus/spyware that always freezes up IE if 2 IE windows are opened at the same time, plus annoying pop-ups.

Here's the log for HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 7:28:30 PM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Airlink101\AWLH5025\WLService.exe
C:\Program Files\Airlink101\AWLH5025\WLanCfgG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\khfdd.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O15 - Trusted Zone: http://cache.ysbweb.com
O15 - Trusted Zone: http://www.ysbweb.com
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://titanium.fullerton.edu/mcweb/awswax.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/w.../popcap/bejeweled2/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66C1121F-52A0-4F82-9CC4-9E762CCD421C}: NameServer = 206.13.29.12 206.13.30.12
O20 - Winlogon Notify: khfdd - C:\WINDOWS\system32\khfdd.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MIMO XR TM PCI Adapter WLService (MIMO XR TM PCI WLService) - Unknown owner - C:\Program Files\Airlink101\AWLH5025\WLService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Thanks guys
 

UlricT

Golden Member
Jul 21, 2002
Noticed you have Spybot. Did you update it and run a thorough scan? Also, get Microsoft AntiSpyware. It's good.
 

hans030390

Diamond Member
Feb 3, 2005
Originally posted by: UlricT
Noticed you have Spybot. Did you update it and run a thorough scan? Also, get Microsoft AntiSpyware. It's good.

Yeah, it's surprisingly good.

To the OP, did you check out the sticky in the Software forum that we're in about removing this stuff? It's like "security consdf.d.df.. something"

Check that out
 

cardart

Senior member
Nov 17, 2000
Hey guys, thanks for reading.

I run Spybot with the latest updates, and I also run Ad-Aware. I also run AVG Anti-Virus. All with the latest updates, but they couldn't find it.

It's really annoying. Now it's starting to hide my address bar; I can't see it even though I enabled it in Toolbars. Annoying pop-ups that bypass my pop-up blockers and freeze up IE. Only Firefox and Opera work correctly. IE just sucks. Firefox is good but kinda slow, so I am running Opera right now.

I've read that thread on how to remove it. It's a really long thread and I am downloading all of that stuff at 56k speed.

I thought posting the HijackThis log to you guys would be the best method, because I believe that manual removal is the best and I can learn something while I'm at it.

I did regedit... and nothing shows up in Software/MS/Windows/CurrentVersion/Run.
Nothing funny shows up in msconfig either.

Is it possible that the virus/spyware is embedded into a legit process and so hides behind that process? I've heard of some viruses that can do that.

Any help with this manual removal is appreciated.

PS: I am using Win XP / Service Pack 2

Thanks
 

Ike0069

Diamond Member
Apr 28, 2003
Originally posted by: cardart
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\khfdd.dll
This is common to the WinFixer spyware monster that is running around.

See THIS THREAD for help with removing it.
 

cardart

Senior member
Nov 17, 2000
Thanks Ike and others for the advice.

Ike, I followed the instructions and removed WinFixer, and after I removed it I did a HijackThis scan and that line shows:

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\khfdd.dll (file missing)

So is it removed?

I still can't get my address bar to work though. It says "address" in a box next to the "Links" box, but there's no place to enter the address, and it doesn't allow a way for me to drag the box in such a way to make it work. The address bar is available in fullscreen mode though.

Is IE permanently damaged?

I ran Spyware Doctor in safe mode and it detected 50+ infected files and can't delete 2 of them. It doesn't say which ones, but goes on to say it will delete them on the next start-up. So I restarted and it does another scan before Windows loads up, and once again detected 50+ infected files but still can't delete 2 of them. Apparently it didn't delete them, or it got reinfected in safe mode and before Windows loads up again. Weird.

Any ideas?
Thanks
 

NotquiteanooB

Senior member
Apr 14, 2005
Did you turn off "System Restore" before the Safe Mode scans? You may be reloading the 50+ viruses/spyware from the restore feature.
 

Ike0069

Diamond Member
Apr 28, 2003
Run HijackThis again (in normal Windows mode) and check the box next to that line. Also check the box next to "O20 - Winlogon Notify: khfdd - C:\WINDOWS\system32\khfdd.dll" if it is there. (It would also have the "(file missing)" at the end.) Then click "Fix checked".

Now as for the address bar problems, I never had that issue, nor have I heard of that problem associated with WinFixer. So my guess is that you have some other problem that is causing this.

I'm not familiar enough with the HijackThis logs to tell what other lines are bad, but hopefully someone can help you out there.

If Spyware Doctor tells you the name of the two it can't delete, simply do a Google search and normally you will find a fix for them somewhere.
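As an added example (not code from this thread, from HijackThis, or from any of the posters), here is the kind of automated triage a defender could run over a HijackThis v1.99 log to surface what Ike0069 pointed at by eye: an O2 BHO and an O20 Winlogon Notify entry loading the same DLL, BHO entries whose file is already gone (the leftovers that "Fix checked" cleans up), and O15 Trusted Zone additions, which lower IE's security settings for that site. The sample lines are constructed from the log in the first post; the finding codes and function names are my own.

```python
"""
Added example: a small HijackThis v1.99 log triage helper (not part of the thread).

Checks applied (defender-side, read-only):
  * "bho-and-winlogon-notify": the same DLL appears in an O2 (BHO) line and an
    O20 (Winlogon Notify) line, i.e. it loads into both IE and winlogon.exe
  * "orphan-bho": an O2 line whose DLL is "(no file)" / "(file missing)",
    a stale registration that HijackThis "Fix checked" removes
  * "trusted-zone": an O15 line, a site added to IE's Trusted sites zone
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines posted in the thread's log.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\khfdd.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: http://www.ysbweb.com
O20 - Winlogon Notify: khfdd - C:\WINDOWS\system32\khfdd.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# "O2 - ..." / "R1 - ..." entry lines; everything else (header, process list) is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path up to the first .dll/.exe/.ocx; non-greedy so paths with spaces survive.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx)", re.IGNORECASE)


def parse_log(text):
    """Return (section, body) tuples for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def module_path(body):
    """Extract the module path named in an entry body, lower-cased, or None."""
    m = PATH_RE.search(body)
    return m.group(0).lower() if m else None


def triage(text):
    """Apply the three checks; return a list of (finding_code, detail) pairs."""
    findings = []
    sections_by_path = defaultdict(set)
    for section, body in parse_log(text):
        path = module_path(body)
        if path:
            sections_by_path[path].add(section)
        if section == "O2" and ("(no file)" in body or "(file missing)" in body):
            findings.append(("orphan-bho", body))
        if section == "O15":
            findings.append(("trusted-zone", body))
    # Correlate by module: a BHO that is also a Winlogon Notify handler.
    for path, sections in sections_by_path.items():
        if {"O2", "O20"} <= sections:
            findings.append(("bho-and-winlogon-notify", path))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code:26} {detail}")
```

Run against a full saved log (`triage(open("hijackthis.log").read())`), the third check is the one that singles out khfdd.dll in the OP's log, since no legitimate entry there appears in both O2 and O20; the other two checks only list entries for a human to judge, they do not change anything on the machine.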


 

Dethfrumbelo

Golden Member
Nov 16, 2004
Save yourself some trouble by dumping IE. Go with Opera or Firefox, get a good firewall like Kerio or Outpost, and run AdAware to clean out the remaining trash.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: mechBgon
Try this too: right-click this text file, save it, and follow the directions precisely, step by step.
cardart, did you try this too? I updated the text file yesterday with an enhanced approach, btw.

 

cardart

Senior member
Nov 17, 2000
Hey, thanks for all the great replies, guys. I appreciate it.

As of now, all of my scans (Spybot, Ad-Aware, AntiVir, CWShredder, CrapCleaner, Spy Sweeper, Spyware Doctor, AVG Anti-Virus) confirm that there's no infection! HijackThis shows "file missing" on the Winlogon Notify in O2 and O20, and I have no more freeze-ups and no more pop-ups.

HOWEVER the address bar is still missing! &*(&$%^&%^ IE!!!!!!

mechBgon: I am going to try that now. Thanks.

Dethfrumbelo: I have Firefox and Opera, and Sygate Personal FW, and I am using it now. But I would still like to fix these annoying problems.

NotquiteanooB: Yes, my System Restore is turned off.

Some other things I noticed: when in safe mode, the IE address bar is there, and also when in fullscreen mode in a regular Windows load-up.

Thanks again
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
AVG is relatively weak compared to McAfee's stuff, so I will feel better once you've run the McAfee scanner too.

As for the missing address bar, I hope this isn't a dumb question but have you tried right-clicking the empty area of the IE header to see if the Address Bar just needs a checkmark?
 

cardart

Senior member
Nov 17, 2000
Of course I check-marked the address bar. It even says "address" in the upper right corner, just no place to enter the address.

Anyways, I finally fixed it. Registry problem. Did some searching on Google and found that Microsoft had an article out about it.

here

Thanks for all your replies, guys.
 