
Thread: Spyware!

  1. #1
    Junior Member
    Join Date: Dec 2005
    Posts: 0

    Spyware!

    My computer is infected with some sort of spyware that keeps making me download some new spyware removal tool. The hijack file looks like this:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:21:44 PM, on 12/17/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\crrt.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mssearchnet.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\apisk32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\NavNT\VPC32.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hp1553.tmp
    O2 - BHO: Class - {6F4AA1CD-0529-44EE-B9DA-6790B9FEE37D} - C:\WINDOWS\system32\atlfq32.dll
    O2 - BHO: Class - {A1721474-060F-02FE-322F-375BB4E0598B} - C:\WINDOWS\system32\ipvv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [115.tmp] C:\DOCUME~1\SAADM~1.WAS\LOCALS~1\Temp\115.tmp.exe
    O4 - HKLM\..\Run: [114.tmp] C:\DOCUME~1\SAADM~1.WAS\LOCALS~1\Temp\114.tmp.exe
    O4 - HKLM\..\Run: [115.tmp.exe] C:\DOCUME~1\SAADM~1.WAS\LOCALS~1\Temp\115.tmp.exe
    O4 - HKLM\..\Run: [114.tmp.exe] C:\DOCUME~1\SAADM~1.WAS\LOCALS~1\Temp\114.tmp.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [apisk32.exe] C:\WINDOWS\system32\apisk32.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [crfd32.exe] C:\WINDOWS\system32\crfd32.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crrt.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Please help. Thanks!

  2. #2
    Security Expert-Emeritus
    Join Date: Oct 2005
    Posts: 5,025

    Hi

    I suggest you print out these instructions for later reference.

    Download CWShredder, but don't use it yet:
    http://www.trendmicro.com/cwshredder/

    Download smitRem.exe and save the file to your desktop. (By noahdfear.)
    Double click on the file to extract it to its own folder on the desktop.

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, then from within the program check for updates, BUT don't scan yet.
    When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.
    We will fix this in a moment.
    From the main Ewido screen, click on Update in the left menu, then click the Start update button.
    After the update finishes (the status bar at the bottom will display "Update successful"), close the program.
    Do NOT run a scan yet.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Next, please reboot your computer in Safe Mode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    Now scan with HJT and place a checkmark next to each of the following items if there, then click FIX CHECKED:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hp1553.tmp
    O2 - BHO: Class - {6F4AA1CD-0529-44EE-B9DA-6790B9FEE37D} - C:\WINDOWS\system32\atlfq32.dll
    O2 - BHO: Class - {A1721474-060F-02FE-322F-375BB4E0598B} - C:\WINDOWS\system32\ipvv.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [115.tmp] C:\DOCUME~1\SAADM~1.WAS\LOCALS~1\Temp\115.tmp.exe
    O4 - HKLM\..\Run: [114.tmp] C:\DOCUME~1\SAADM~1.WAS\LOCALS~1\Temp\114.tmp.exe
    O4 - HKLM\..\Run: [115.tmp.exe] C:\DOCUME~1\SAADM~1.WAS\LOCALS~1\Temp\115.tmp.exe
    O4 - HKLM\..\Run: [114.tmp.exe] C:\DOCUME~1\SAADM~1.WAS\LOCALS~1\Temp\114.tmp.exe
    O4 - HKLM\..\Run: [apisk32.exe] C:\WINDOWS\system32\apisk32.exe
    O4 - HKLM\..\Run: [crfd32.exe] C:\WINDOWS\system32\crfd32.exe
    ============

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.
    The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    Open Spybot, check for and fix any problems found.

    Run Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop

    Run CWShredder: click Fix, not Scan only.
    Close Ewido.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Restart back to a normal Windows session.
    Next go to Control Panel, click Display > Desktop > Customize Desktop > Web > uncheck "Security Info" if present.
    Get this free online scan and post the results:
    Kaspersky Lab - Free Online scan:
    http://www.kaspersky.com/virusscanner
    Click Scan Settings and place a check next to "[x] Use extended database" etc. Click OK.
    Then choose My Computer: scan all your hard drives and mapped disks.
    When finished, click Save as Text and post that in your reply.
    Post a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log by using Add Reply.
    Let us know if any problems persist.
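
Added example (not part of any post in this thread, and not a tool written by the helpers or by the vendors named above): a small Python triage script that applies the same kind of heuristics the helper used when picking entries out of the log above, so a reader can see why those particular lines stood out. It flags R0/R1 search pages that point at a local res:// resource, a missing URLSearchHook, BHOs loaded from .tmp files or carrying only the generic name "Class", Run entries that launch from a Temp folder or are named after their own executable in the Windows folder, and services with an unknown owner or non-printable characters in their name. The sample log is a constructed subset modeled on the posted log, mixing known vendor entries with the hijack-style ones; the heuristics and their wording are assumptions made here, and a flagged line is a candidate for a human to review, not something to delete automatically.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset modeled on the HijackThis log posted in this
# thread, mixing legitimate vendor entries with the hijack-style entries.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\makiq.dll/sp.html#93256%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hp1553.tmp
O2 - BHO: Class - {6F4AA1CD-0529-44EE-B9DA-6790B9FEE37D} - C:\WINDOWS\system32\atlfq32.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [115.tmp] C:\DOCUME~1\SAADM~1.WAS\LOCALS~1\Temp\115.tmp.exe
O4 - HKLM\..\Run: [apisk32.exe] C:\WINDOWS\system32\apisk32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä) - Unknown owner - C:\WINDOWS\crrt.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# "R1 - <body>" / "O4 - <body>"; header and process-list lines do not match.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<name>] <command>"
RUN_RE = re.compile(r"^(?P<key>.*?):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # which heuristic fired (assumed wording, not HJT's)
    line: str    # the original log line


def exe_name(cmd: str) -> str:
    """Lower-cased file name of the executable in a Run command; handles
    quoted paths followed by arguments as well as bare paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split(" ", 1)[0]
    return path.replace("/", "\\").split("\\")[-1].lower()


def assess(kind: str, body: str) -> Optional[str]:
    """Return a reason if the entry matches a hijack heuristic, else None."""
    low = body.lower()
    if kind in ("R0", "R1"):
        # Search/start pages should be http(s) URLs or about:blank, never a
        # local resource inside a DLL.
        if "res://" in low:
            return "IE search/start page points at a local resource file"
    elif kind == "R3":
        if "is missing" in low:
            return "default URLSearchHook has been removed"
    elif kind == "O2":
        # "BHO: <name> - {CLSID} - <path>"
        parts = [p.strip() for p in body.split(" - ")]
        name = parts[0].split(":", 1)[-1].strip()
        path = parts[-1]
        if path.lower().endswith(".tmp"):
            return "BHO loaded from a .tmp file"
        if name.lower() == "class":
            return "BHO with the generic name 'Class' and no vendor name"
    elif kind == "O4":
        m = RUN_RE.match(body)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if "\\temp\\" in cmd.lower():
                return "autorun entry launches an executable from a Temp folder"
            if name.lower() == exe_name(cmd) and "\\windows\\" in cmd.lower():
                return "autorun entry named after its own executable in the Windows folder"
    elif kind == "O23":
        if "unknown owner" in low:
            return "service with no registered owner"
        if any(ord(c) < 32 or ord(c) > 126 for c in body):
            return "service name contains non-printable characters"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = assess(m.group("kind"), m.group("body"))
        if reason is not None:
            findings.append(Finding(m.group("kind"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

On the constructed sample the script flags seven lines and leaves the Symantec, QuickTime and vptray entries alone; on a full log it is only a first pass, since the heuristics say nothing about entries like the garbled O23 service name beyond its "Unknown owner" field, and a clean-looking line can still be malicious.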

  3. #3
    tashi, Member of Team Spybot
    Join Date: Oct 2005
    Location: USA
    Posts: 30,961

    suffering boy, do you still need assistance?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    tashi, Member of Team Spybot
    Join Date: Oct 2005
    Location: USA
    Posts: 30,961

    This topic will be archived.
    If you need it re-opened please send a message to myself or a malware removal helper with a link to this thread.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
