Computer infested with spyware and adware

By gzevspero
Jan 8, 2005
Topic Status:
Not open for further replies.
  1. I get popups, searches I didn't ask for, homepages I didn't ask for, internet explorer window resizing, you name it... ran latest versions of spybot and adaware but they didn't help. Running Win2k on Athlon XP 1.4, 512 MB RAM. Attached is my hijackthis log file, any advice would be greatly appreciated...
    Thanks,
    gzevspero
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Take a look at the following thread by RBS; it should help you.

    How to remove begin2search/coolwebsearch

    Follow the instructions exactly. It might be a good idea to print it out.

    Regards Howard
  3. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    After you have hopefully EXACTLY followed my post (as recommended by Howard)
    boot into Safe Mode.

    Press Ctrl/Alt/Del, go into Task Manager and try to END these processes (if still there):
    C:\WINNT\system32\msupd4.exe
    C:\WINNT\svrrun.exe
    C:\WINNT\mmups.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\SED\SED.exe
    C:\WINNT\system32\installer.exe
    C:\WINNT\system32\iouggw.exe
    C:\WINNT\SStb.exe
    C:\WINNT\ssqb.exe
    Reboot.exe

    Now run HJT on its own and let it "fix" (if still there):
    C:\WINNT\system32\msupd4.exe
    C:\WINNT\svrrun.exe
    C:\WINNT\mmups.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\SED\SED.exe
    C:\WINNT\system32\installer.exe
    C:\WINNT\system32\iouggw.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\dxfse.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\dxfse.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {5DB65E8D-F6DB-0C67-BC40-BBAB9DA261CC} - (no file)
    O4 - HKLM\..\Run: [svrrun] C:\WINNT\svrrun.exe
    O4 - HKLM\..\Run: [SStb.exe] C:\WINNT\SStb.exe
    O4 - HKLM\..\Run: [mediamotor.exe] C:\WINNT\mmups.exe
    O4 - HKLM\..\Run: [ssqb.exe] C:\WINNT\ssqb.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Reboot.exe <<-- wherever it lurks

    -- HJT cannot fix this O10, see my note on LSPFIX?
    -- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    -- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    -- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    -- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akamai.net/7/248/11498/v1/www.moveonpac.org/content/qt/qtplugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20966f3ad30ad3b37903/netzip/RdxIE601.cab
    O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
    O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
    O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINNT\system32\msupd4.exe

    Delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
  4. gzevspero

    gzevspero Newcomer, in training Topic Starter

    Many thanks for your help. I followed these instructions and have successfully eliminated most spyware from my machine (woohoo!!! What a relief!), however I did get one lone popup, in Firefox this time, advertising a rogue spyware removal tool on eblocs.com.
    Also, I can't seem to get rid of the O1 Hosts entries that HijackThis found - they just keep coming back.
    Attached is a current hijackthis log - thanks to anyone who may have any further advice.
    gzevspero, amateur spy:knock:er
  5. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Let HJT "fix" these in safe mode:
    C:\WINNT\system32\iouggw.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {5DB65E8D-F6DB-0C67-BC40-BBAB9DA261CC} - (no file)

    Then delete C:\WINNT\system32\iouggw.exe

    Fix this lot using the FIXLSP from my big post
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
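
The fix lists in this thread can be sorted by HijackThis section code before acting on them. The following is an added example, not part of the original thread or of HijackThis itself: a small parser that collapses duplicate lines and produces review notes for the O1, O2 and O10 entries discussed above. The function names `parse` and `triage` are hypothetical, and the sample lines are copied from the last fix list in the thread.

```python
import re
from collections import defaultdict

# Lines copied from the last HijackThis fix list in this thread.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {5DB65E8D-F6DB-0C67-BC40-BBAB9DA261CC} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
"""

# A section code such as "R0", "O1" or "O10", then " - " and the detail text.
ENTRY = re.compile(r"^\s*([RO]\d{1,2}) - (.*\S)\s*$")

def parse(log_text):
    """Group entries by section code, collapsing exact duplicate lines."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2) not in entries[m.group(1)]:
            entries[m.group(1)].append(m.group(2))
    return dict(entries)

def triage(entries):
    """Return review notes for the entry kinds discussed in the thread."""
    notes = []
    by_ip = defaultdict(set)               # O1: Hosts-file redirections
    for detail in entries.get("O1", []):
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", detail)
        if m:
            by_ip[m.group(1)].add(m.group(2))
    for ip, names in sorted(by_ip.items()):
        if len(names) > 1:
            notes.append(f"O1: {len(names)} names redirected to {ip}: "
                         + ", ".join(sorted(names)))
    for detail in entries.get("O2", []):   # BHO whose file is already gone
        if detail.endswith("(no file)"):
            notes.append(f"O2: orphaned BHO registration: {detail}")
    for detail in entries.get("O10", []):  # thread: HJT cannot fix O10
        notes.append(f"O10: repair the Winsock LSP chain separately: {detail}")
    return notes

if __name__ == "__main__":
    for note in triage(parse(SAMPLE)):
        print(note)
```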