Help with spyware removal.

Terp5324

Junior Member
Jun 16, 2004
4
0
0
I ran into a nasty spyware earlier today, had my popup blocker off because of a game I was playing online, left the site and the next page I went to hit me with a popup. It slowed IE down and removed the popup blocker from the toolbar and toolbar list in the menu. My home page has changed to a random .dll and every time I delete the .dll it shows up as it creates another one and looks like this in the address bar... res://bsdcq.dll/index.html#96676

My hijackthis log goes as follows.

Logfile of HijackThis v1.97.7
Scan saved at 6:48:16 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RedLine\Taskbar.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\addjz.exe
C:\Program Files\Diablo II\Diablo II.exe
C:\Program Files\Diablo II\Diablo II.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\ipte32.exe
C:\Documents and Settings\Matt\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bsdcq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bsdcq.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bsdcq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bsdcq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bsdcq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bsdcq.dll/sp.html#96676
O2 - BHO: (no name) - {43F1D301-C547-8676-5D33-796564802D3D} - C:\WINDOWS\appel.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [msjg.exe] C:\WINDOWS\system32\msjg.exe
O4 - HKLM\..\Run: [ipte32.exe] C:\WINDOWS\ipte32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: restart_vs.lnk = E:\viewsonic.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab


Any help would be greatly appreciated, Ad-Aware and SBS&D cannot find the problem and AVG found two trojans that were successfully removed but that wasn't the problem apparently. Thanks in advance.
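A triage pass over the log above, as an added example that is not part of the original post: it parses HijackThis R0/R1, O2 and O4 lines and lists Internet Explorer page settings that load from a `res://` DLL resource, which is the symptom the poster describes. The unnamed-BHO and Run-name-equals-filename checks are review heuristics assumed for this example, not findings from the thread, and the function and category names are hypothetical.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bsdcq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bsdcq.dll/index.html#96676
O2 - BHO: (no name) - {43F1D301-C547-8676-5D33-796564802D3D} - C:\WINDOWS\appel.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [ipte32.exe] C:\WINDOWS\ipte32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
"""

# R0-R3: "<code> - <hive>\<key>,<value name> = <data>"
IE_SETTING = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
# O2: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# O4 registry autoruns: "O4 - <hive>\..\Run: [<value name>] <command>"
RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# res:// URL whose resource container is a DLL, with or without a full path
RES_DLL = re.compile(r"^res://(?:.*\\)?([^\\/]+\.dll)/", re.IGNORECASE)


def review_items(log_text):
    """Return (category, detail) pairs for entries that deserve a manual look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        if m := IE_SETTING.match(line):
            dll = RES_DLL.match(m.group(5))
            if dll:  # start/search page served out of a local DLL resource
                findings.append(("ie-page-from-dll",
                                 f"{m.group(2)} {m.group(4)} -> {dll.group(1)}"))
        elif m := BHO.match(line):
            if m.group(1) == "(no name)":  # assumed heuristic: BHO without a name
                findings.append(("unnamed-bho", m.group(3)))
        elif m := RUN.match(line):
            name, command = m.group(3), m.group(4)
            exe = command.split("\\")[-1].split(" ")[0]
            if name.lower() == exe.lower():  # assumed heuristic: value named after its file
                findings.append(("run-name-is-filename", command))
    return findings


if __name__ == "__main__":
    for category, detail in review_items(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

A hit only marks an entry for review; it does not prove the file is part of the hijacker.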
 

nanaki333

Diamond Member
Sep 14, 2002
3,772
13
81
also go to download.com and do a search for adaware

run both spybot and adaware and you should be pretty set.
 

OZEE

Senior member
Feb 23, 2001
985
0
0
Please download and run CWShredder. Let it fix anything it finds. Then run PestScan. Let it fix everything it finds. Then reboot and rescan with HJT and post back here and we'll see what else it needs.
 

Terp5324

Junior Member
Jun 16, 2004
4
0
0
Ran Spybot S&D, Ad-Aware, CWShredder, Pest Patrol and nothing helped. Ran a virus scan and there was nothing. I keep getting some random .dll as the homepage for IE. Ad-Aware found CoolWebSearch and removed it, after coming out of safe mode it hasn't found anything new. If I don't enter a full URL when trying to open a web page it brings me to another page that has a bunch of search categories but says Windows Help Center at the top. There is also an error on the page that says: you have entered the wrong URL into the address bar. Probably you were trying to enter the following address: http://www.google.com (or whatever I was trying to go to).

This one is really starting to tick me off so any help on what it might be is greatly appreciated!
 

OZEE

Senior member
Feb 23, 2001
985
0
0
Just to let you know I'm not forgetting this ---

This particular hijack is fairly new (just discovered in the last couple of days) and the "experts" are still working on a solution. All of the methods we typically use aren't working. No matter what we try, it just comes back and we haven't entirely determined why.

A few more days of research will probably detect the cause, but until then ...
 

Terp5324

Junior Member
Jun 16, 2004
4
0
0
I figured it was something new because nothing was picking up on it. Could you possibly keep me informed and let me know if you find a solution. Hopefully it is figured out soon because trying to surf the net with popups running rampant again is hard :frown:
 

OZEE

Senior member
Feb 23, 2001
985
0
0
Terp -- still having problems? If so, it looks like the good folks over at adaware may have found a solution. Update your adaware (to version later than 20.06.2004) and rescan with it. Then reboot and rescan with HiJackThis and repost the log here.
 

Terp5324

Junior Member
Jun 16, 2004
4
0
0
Actually I fixed it manually a few days ago, just haven't had time to post because of work. I went to the Spywareinfo forums and they had a few possible solutions and one of them worked for me. Basically had to delete all of the random .exe files and .dll files that this hijacker was creating. Took a few tries to get them all but I eventually got it. I'm going to update adaware now and see if it catches anything that's left over. Thanks for your help and keeping me updated though!
 

MBurke

Senior member
Sep 17, 2002
202
0
76
I have gotten this on my work computer. Is there any new news on the removal of this stuff?

Thanks
Mike
 

UnoSigmaPi

Senior member
May 22, 2003
919
0
0
Originally posted by: neonerd
Text

let me know if that doesn't help

thanks! I was also looking for a program to remove spyware.

edit: this program didn't end up working for me. I keep getting an error saying files were missing
 