PlasmaBomb

Lifer
Nov 19, 2004
11,636
2
81
Could someone help me, my computer is currently infected with -
180 Search assistant
Apropos
Internet Optimizer
ISTBar
SideFind

I have run Adaware and Spybot multiple times, and removed this junk, only to have it reinstall itself at start up. Anybody got any ideas?
 

PlasmaBomb

Lifer
Nov 19, 2004
11,636
2
81
Cheers, I did it, removed them... then they reinstalled on start up. Darn things. Deleting any stuff I don't recognise, would a system restore help? Any other ideas?
 

furie27

Senior member
Apr 22, 2004
684
0
0
If you want the foolproof method, back up your data and reformat. I've found that to be the only way on some computers, depending on how bad the infections were.
 

bovinda

Senior member
Nov 26, 2004
692
0
0
Get a Hijack This log (using the newest Hijack This version...which I believe is version 1.99.1 and can be found at http://www.spywareinfo.com/~merijn/downloads.html) and post it here. Someone will be able to help you figure out what you have on there and get rid of it. Whatever you do though, don't just go fixing things in Hijack This until you get someone's knowledgeable input about it, 'cuz you can really f things up if you "fix" the wrong stuff.

I recognize some of those spyware. Those things are damn persistent.
 

Zolty

Diamond Member
Feb 7, 2005
3,603
0
0
I would just reinstall windows, but that is me
1800 search assist is horrid to get rid of
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
I'd try this:

1) install SpywareBlaster, update & immunize (link to downloads)

2) uninstall whatever antivirus you have now, and install Kaspersky trial antivirus software, update it, and configure it as shown here: http://www.omnicast.net/~tmcfadden/guides/build/kaspersky.html Don't launch a scan just yet.

3) install Microsoft AntiSpyware Beta and update it. Don't launch a scan just yet.

4) disable System Restore

5) run the Microsoft AntiSpyware scan now that System Restore is disabled. Do the full scan, not the Quick Scan. Have it Remove all the items it found...

6) ...and now reboot into Safe Mode, not normal mode and run an exhaustive Kaspersky antivirus scan, because Downloaders and Trojans are frequently part of the spyware's master plan.

7) reboot into normal mode after Kaspersky is done, scan again with Microsoft AntiSpyware, and see how it goes.
 

FlyingPenguin

Golden Member
Nov 1, 2000
1,793
0
0
Please follow the detailed instructions for spyware removal on my blog here: http://www.theflyingpenguin.com/penguin_blog.shtml#spyware-removal

You probably have a spyware app that's attached to IE as a BHO Helper object. Nasty shit. After you clean it, if you open ANY Explorer window (My Computer, IE, whatever) it re-infects you (thank you Microsoft for embedding IE into the OS).

You want to run BHODemon first, before doing any spyware removal, to eliminate all evil BHOs. I explain this in the link above and where to download it.

I do this for a living (I must do 12 spyware cleanings a week).

Hope this helps...
 

intogamer

Lifer
Dec 5, 2004
19,219
1
76
1. If you have a second computer, bring your hd over to the second as a slave, virus scan it and do all the spyware program removal stuff.
Then back up.
2. Back up files to external hd, cd, etc., load to secondary comp or format system hd, load back the backed-up files, virus scan and use spyware removal.
 

PlasmaBomb

Lifer
Nov 19, 2004
11,636
2
81
Here is the hijack this log. Thanks for your continued help guys
Unfortunately I will be away on work for the next two weeks, so it may take some time to sort this out...

Logfile of HijackThis v1.99.1
Scan saved at 10:20:13, on 15/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\qhfixjc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cedwards\My Documents\Programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.qub.ac.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [SsHgaPBa] C:\WINDOWS\qhfixjc.exe
O4 - HKLM\..\Run: [Qtyytoc] C:\Program Files\Espse\Iyaw.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [exgr] C:\WINDOWS\exgr.exe
O4 - HKLM\..\Run: [378P38T] hlibject.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kwff] C:\PROGRA~1\COMMON~1\kwff\kwffm.exe
O4 - HKCU\..\Run: [IwrFRUf3j] grpdecod.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\cedwards\My Documents\FireFox Downloads\CWShredder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe


TrojanHunter found \kwff\kwffa.exe, which I thought was suspicious, but didn't delete it...

TrojanHunter results

Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc

Removed registry key HKEY_CURRENT_USER\Software\IST

Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA

Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSL Installer

Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\TSA\update
Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\TSA

Renamed file C:\Program Files\Common Files\kwff\kwffl.exe to C:\Program Files\Common Files\kwff\kwffl.exe.tcf
Renamed file C:\Program Files\Common Files\kwff\kwffp.exe to C:\Program Files\Common Files\kwff\kwffp.exe.tcf
Renamed file C:\Program Files\Espse\Iyaw.exe to C:\Program Files\Espse\Iyaw.exe.tcf
Renamed file C:\WINDOWS\SYSTEM32\lig_hook.exe to C:\WINDOWS\SYSTEM32\lig_hook.exe.tcf
Trojan cleaning finished.

Should I delete these new .tcf files?
 

Calin

Diamond Member
Apr 9, 2001
3,112
0
0
Originally posted by: spherrod
You might also want to try Microsoft's Anti-Spyware tool

It's not perfect, but it is pretty good. I remember having that 180 search assistant, but it wasn't hard to get rid of. You might have some program that installed it (adware) and that installs it again and again.
 

daniel49

Diamond Member
Jan 8, 2005
4,814
0
71
C:\Program Files\ISTsvc\istsvc.exe nasty

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.qub.ac.uk/ nasty

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing) missing file

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll nasty

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe nasty

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe nasty

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe" nasty

O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe nasty


go here to check
http://hijackthis.de/
 

FlyingPenguin

Golden Member
Nov 1, 2000
1,793
0
0
As I said, follow the instructions in my blog, but it wouldn't hurt to boot into safe mode first and disable the following suspicious startups before doing your cleaning:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SsHgaPBa] C:\WINDOWS\qhfixjc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKCU\..\Run: [kwff] C:\PROGRA~1\COMMON~1\kwff\kwffm.exe
 
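As an added example (not code from anyone in this thread), here is a small Python triage script for the O2/O3/O4 lines of a HijackThis 1.99.1 log in the format posted above. It flags the kinds of entries daniel49 and FlyingPenguin singled out: orphaned entries marked "(file missing)" or "(no file)", executables dropped straight into C:\WINDOWS, bare filenames with no path, and the adware program folders named in this thread. The sample lines are constructed from the posted log and the heuristics are mine, not HijackThis's.

```python
import re

# Constructed sample in HijackThis 1.99.1 format, modelled on lines from the log posted above.
SAMPLE_LINES = [
    r"O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe",
    r"O4 - HKLM\..\Run: [SsHgaPBa] C:\WINDOWS\qhfixjc.exe",
    r"O4 - HKLM\..\Run: [378P38T] hlibject.exe",
    r"O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe",
    r"O4 - HKCU\..\Run: [kwff] C:\PROGRA~1\COMMON~1\kwff\kwffm.exe",
]

# Program folders the thread itself calls out as adware (lower-case, with surrounding separators).
UNWANTED_DIRS = ("\\istsvc\\", "\\180solutions\\", "\\cxtpls\\", "\\kwff\\", "\\power scan\\", "\\autoupdate\\")

_O2_O3 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - \{[0-9A-Fa-f-]{36}\} - (.*)$")
_O4 = re.compile(r"^(O4) - HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$")
_EXE = re.compile(r'"?(.*?\.(?:exe|dll|scr|com))\b')   # path part of a target, before any arguments

def parse_line(line):
    """Return {'section','name','target'} for O2/O3 (BHO/toolbar) and O4 (Run key) lines, else None."""
    m = _O2_O3.match(line) or _O4.match(line)
    return {"section": m.group(1), "name": m.group(2), "target": m.group(3)} if m else None

def triage(entry):
    """Heuristic reasons an entry deserves a second look; an empty list means nothing stood out."""
    low = entry["target"].lower()
    if "(file missing)" in low or "(no file)" in low:
        return ["orphaned: the registered file is gone"]
    m = _EXE.match(low)
    exe = m.group(1) if m else low
    reasons = []
    if "\\" not in exe:
        reasons.append("bare filename: resolved through PATH, real location unknown")
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", exe):
        reasons.append("executable sitting directly in the Windows folder")
    if any(d in exe for d in UNWANTED_DIRS):
        reasons.append("program folder named as adware in this thread")
    return reasons

def triage_log(lines):
    """Map entry name -> reasons, for every parsed entry that raised at least one reason."""
    entries = filter(None, map(parse_line, lines))
    return {e["name"]: r for e in entries if (r := triage(e))}
```

Run `triage_log` over the O2/O3/O4 lines of a real log and review the flagged names before fixing anything in HijackThis, as bovinda advises above.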

superkdogg

Senior member
Jul 9, 2004
640
0
0
These solutions are the preferred and more elegant ones. Whenever I have a nasty spyware/virus issue though, it's usually best to assess the situation thusly: What's the fastest way to return the system to normal? In some situations and for some people that is a reformat. You still can get into Windows, so backing up shouldn't be bad. It's situations like this that have led to me installing Windows on its own partition.
 
Sep 9, 2004
161
0
0
Did you try Add/Remove Programs in Control Panel first? You can normally uninstall the crap from there.

Microsoft AntiSpyware will get rid of lots of rubbish, I've found after using it recently for the first time.

I usually use: HijackThis, SpyBot Search & Destroy, Adaware, CWShredder, SpywareBlaster(VERY useful as it stops the install in the first place).

PS. There's a removal tool for 180SearchAssistant if it is still bothering you: http://securityresponse.symantec.com/avcenter/Fix180Sh.exe

Hope this helps if you're not already sorted.
 
Sep 9, 2004
161
0
0
Format and reload is a waste of time.
No offence - the amount of effort backing up data and reloading windows + updates and software isn't worth it when software can remove it properly.
 