| Thread ID: 95560 | 2008-12-10 07:13:00 | So much spyware/other stuff I don't know where to start... | BasketballOSU (14267) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 727384 | 2008-12-10 07:13:00 | I'm not sure how it happened, but SOMETHING got onto my hard drive and now it seems to be exponentiating. I can't use the internet anymore without continuous popups and spyware flooding the screen. These include such titles as: Original-search.com, Antispywareguard, Registry Defender, advancedscanner, Antivirus2009, numerous pages that pop up with simply gibberish, etc. These can be popups or can open new internet tabs on their own. Once again, these all came on very suddenly and just seem to get worse and worse. I ran a few scanners, including Malwarebytes, which said it detected a number of Trojans. I deleted what it popped up with and then restarted to delete the ones that needed to be deleted on reboot, but obviously it did not help anything. Here is a HijackThis log file to begin with. I am re-running Malwarebytes in order to grab another log file from it and post it here, which I will do when it is done. Once again, I am completely in the dark on this one, as I can't even seem to identify which particular titles are the source of the problems. Any help or ideas are VERY VERY much appreciated. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:47 AM, on 12/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\eHome\ehRec.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: (no name) - {e5f6b72a-445e-4d96-98c9-8f8aa41f06d3} - C:\WINDOWS\system32\yuhoraki.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTPerformanceUtility] C:\Program Files\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CPM6f6d0784] Rundll32.exe "c:\windows\system32\gopigede.dll",a
O4 - HKLM\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - www.update.microsoft.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\jetebemi.dll c:\windows\system32\mifolole.dll c:\windows\system32\gopigede.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gopigede.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gopigede.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9256 bytes |
BasketballOSU (14267) | ||
| 727385 | 2008-12-10 07:22:00 | Here is the Malwarebytes log file. This is the same stuff that keeps popping up but does not get deleted whenever I try to delete it, even upon rebooting.

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

12/10/2008 1:21:25 AM
mbam-log-2008-12-10 (01-21-25).txt

Scan type: Quick Scan
Objects scanned: 56405
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\gopigede.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rajasipebu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\gopigede.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\gopigede.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\gopigede.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully. |
BasketballOSU (14267) | ||
| 727386 | 2008-12-10 07:27:00 | Disable System Restore FIRST. Did Malwarebytes pick anything up at all (is it up to date)? Tick the following, then tick Fix checked. Close browsers.

O2 - BHO: (no name) - {e5f6b72a-445e-4d96-98c9-8f8aa41f06d3} - C:\WINDOWS\system32\yuhoraki.dll (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

It's probably these 2 files screwing things up. After you tick the entries in this log, reboot, then find these 2 files and delete them. It looks like one of these belongs to Trojan.Vundo.

O4 - HKLM\..\Run: [CPM6f6d0784] Rundll32.exe "c:\windows\system32\gopigede.dll",a
O4 - HKLM\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s
O4 - HKUS\S-1-5-19\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\jetebemi.dll c:\windows\system32\mifolole.dll c:\windows\system32\gopigede.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gopigede.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gopigede.dll

I would uninstall McAfee and install something better, like Avast / NOD32 (not free). And uninstall Ad-Aware and use Malwarebytes instead. So, have you rebooted since Malwarebytes removed those entries? |
Speedy Gonzales (78) | ||
| 727387 | 2008-12-10 07:54:00 | Thanks, that appears to have calmed it down. The only issue I notice now is that upon startup it gives me error messages that "c:\windows\system32\gopigede.dll" and "C:\WINDOWS\system32\zisopola.dll" could not be found... The two that I deleted are the ones it pops up with error messages for... |
BasketballOSU (14267) | ||
| 727388 | 2008-12-10 08:02:00 | Good, at least they're not on the system, so they can't screw things up. Did you tick the entries in my post, then tick Fix checked? Get Trojan Remover below, update it, then scan. Then select all options under Utilities. I would also get CCleaner (www.ccleaner.com), install it, then run it (leave out / untick the Yahoo toolbar option, you don't need it). Then go to Tools / Startup. See if any of these are there (the first 2 maybe; highlight them, then click on Delete):

O4 - HKLM\..\Run: [CPM6f6d0784] Rundll32.exe "c:\windows\system32\gopigede.dll",a
O4 - HKLM\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s
O4 - HKUS\S-1-5-19\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s (User 'NETWORK SERVICE')

Then close browsers, click on Cleaner and click on Run Cleaner. It'll remove all the crap files / temp files on the HDD. Then reboot again. |
Speedy Gonzales (78) | ||
| 727389 | 2008-12-10 08:04:00 | Untick them on the startup tab in msconfig | Blam (54) | ||
| 727390 | 2008-12-10 08:07:00 | Nah better to remove them completely | Speedy Gonzales (78) | ||
| 727391 | 2008-12-10 08:16:00 | I thought it already was removed and that Windows just thought it was still there? | Blam (54) | ||
| 727392 | 2008-12-10 08:19:00 | Well yeah, the files have been removed. That's why that error message is appearing. But you're right, unticking them in msconfig will work. But you may as well delete their entries (instead of just unticking them). |
Speedy Gonzales (78) | ||
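The triage that the posts above do by eye (the second executable chained onto Userinit, the nameless BHO, Rundll32 entries loading DLLs out of system32, and the AppInit_DLLs / SSODL / SharedTaskScheduler entries all pointing at the same DLL) plus the point made just above about Run entries left behind after the files are deleted, written out as a small script. This is an added example, not code from this thread, from HijackThis or from Malwarebytes. The sample entries are copied from the log posted above; `EXISTING_FILES` is a constructed stand-in for what would still be on disk after the two DLLs were deleted by hand; the heuristics, the `Finding` record and the function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, including a few benign ones so the heuristics have something to skip.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: (no name) - {e5f6b72a-445e-4d96-98c9-8f8aa41f06d3} - C:\WINDOWS\system32\yuhoraki.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPM6f6d0784] Rundll32.exe "c:\windows\system32\gopigede.dll",a
O4 - HKLM\..\Run: [rajasipebu] Rundll32.exe "C:\WINDOWS\system32\zisopola.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\jetebemi.dll c:\windows\system32\mifolole.dll c:\windows\system32\gopigede.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gopigede.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gopigede.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Constructed: what is left on disk once the two DLLs have been deleted by hand,
# i.e. only the legitimate files referenced in the sample above.
EXISTING_FILES = {
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\Program Files\iTunes\iTunesHelper.exe",
    r"C:\WINDOWS\system32\NvCpl.dll",
    r"C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe",
}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Drive-letter path ending in a module extension; spaces are allowed inside the
# path, but ':' is excluded so one match cannot swallow the next path on a line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^":]*?\.(?:exe|dll|scr|sys|cpl|ocx)\b', re.IGNORECASE)
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class Entry:
    section: str
    body: str
    paths: list  # lower-cased: Windows path lookups are case-insensitive


@dataclass
class Finding:
    section: str
    reason: str
    paths: list


def parse_log(text):
    """Split a HijackThis log into (section, body, referenced paths) records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            paths = [p.lower() for p in PATH_RE.findall(m["body"])]
            entries.append(Entry(m["section"], m["body"], paths))
    return entries


def triage(text):
    """Flag the persistence points that the helper in this thread singled out."""
    findings = []
    seen_in = defaultdict(set)  # file -> sections that load it
    for e in parse_log(text):
        for p in e.paths:
            seen_in[p].add(e.section)
        body = e.body.lower()
        if e.section == "F2" and "userinit=" in body:
            # Only userinit.exe belongs here; anything chained after it runs at every logon.
            extra = [p for p in e.paths if not p.endswith("\\userinit.exe")]
            if extra:
                findings.append(Finding("F2", "extra executable chained to Userinit", extra))
        elif e.section == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append(Finding("O2", "BHO with no name or missing file", e.paths))
        elif e.section == "O4" and "rundll32" in body:
            dlls = [p for p in e.paths if p.startswith(SYSTEM_DIR) and p.endswith(".dll")]
            if dlls:  # vendor entries such as NvCpl.dll hit this too, hence "review"
                findings.append(Finding("O4", "rundll32 loading a DLL from system32 (review)", dlls))
        elif e.section == "O20" and body.startswith("appinit_dlls:") and e.paths:
            findings.append(Finding("O20", "AppInit_DLLs injected into every process", e.paths))
        elif e.section in ("O21", "O22"):
            findings.append(Finding(e.section, "shell-loaded object (SSODL/SharedTaskScheduler)", e.paths))
    # One file hooked through several mechanisms at once is the strongest signal
    # in this log; it is what separates gopigede.dll from NvCpl.dll.
    for path, sections in sorted(seen_in.items()):
        if len(sections) >= 2:
            findings.append(Finding("*", f"same file in {len(sections)} persistence points", [path]))
    return findings


def find_orphans(text, existing_files):
    """Entries whose target no longer exists: the source of the 'could not be
    found' messages at logon once the files themselves have been deleted."""
    existing = {p.lower() for p in existing_files}
    orphans = []
    for e in parse_log(text):
        missing = [p for p in e.paths if p not in existing]
        if missing:
            orphans.append(Finding(e.section, "referenced file not found", missing))
    return orphans


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG) + find_orphans(SAMPLE_LOG, EXISTING_FILES):
        print(f"[{f.section}] {f.reason}: {', '.join(f.paths)}")
```

On the sample, `triage` reports the Userinit chain, the BHO, three Rundll32 entries (one of them the legitimate NVIDIA one, which is why that rule is marked "review"), AppInit_DLLs, SSODL and SharedTaskScheduler, and then a single cross-reference finding that gopigede.dll is loaded from four separate places. `find_orphans` lists the seven entries that still point at files no longer on disk, which is the list of autorun entries worth deleting outright rather than unticking in msconfig.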
| 727393 | 2008-12-10 08:37:00 | Ah ok, misunderstood ya :D | Blam (54) | ||