Computer infested with spyware and adware

Status
Not open for further replies.
I get popups, searches I didn't ask for, homepages I didn't ask for, Internet Explorer window resizing, you name it... I ran the latest versions of Spybot and Ad-Aware but they didn't help. Running Win2k on Athlon XP 1.4, 512 MB RAM. Attached is my HijackThis log file; any advice would be greatly appreciated...
Thanks,
gzevspero
 

Attachments

  • hijackthis.txt
    7.8 KB · Views: 5
After you have hopefully EXACTLY followed my post (as recommended by Howard)
boot into Safe Mode.

Press Ctrl/Alt/Del, go into Task Manager and try to END these processes (if still there):
C:\WINNT\system32\msupd4.exe
C:\WINNT\svrrun.exe
C:\WINNT\mmups.exe
C:\WINNT\system32\internat.exe
C:\Program Files\SED\SED.exe
C:\WINNT\system32\installer.exe
C:\WINNT\system32\iouggw.exe
C:\WINNT\SStb.exe
C:\WINNT\ssqb.exe
Reboot.exe

Now run HJT on its own and let it "fix" (if still there):
C:\WINNT\system32\msupd4.exe
C:\WINNT\svrrun.exe
C:\WINNT\mmups.exe
C:\WINNT\system32\internat.exe
C:\Program Files\SED\SED.exe
C:\WINNT\system32\installer.exe
C:\WINNT\system32\iouggw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\dxfse.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\dxfse.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {5DB65E8D-F6DB-0C67-BC40-BBAB9DA261CC} - (no file)
O4 - HKLM\..\Run: [svrrun] C:\WINNT\svrrun.exe
O4 - HKLM\..\Run: [SStb.exe] C:\WINNT\SStb.exe
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINNT\mmups.exe
O4 - HKLM\..\Run: [ssqb.exe] C:\WINNT\ssqb.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Reboot.exe <<-- wherever it lurks

-- HJT cannot fix this O10, see my note on LSPFIX?
-- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
-- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
-- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
-- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akamai.net/7/248/11498/v1/www.moveonpac.org/content/qt/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20966f3ad30ad3b37903/netzip/RdxIE601.cab
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINNT\system32\msupd4.exe

Delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
 
Many thanks for your help. I followed these instructions and have successfully eliminated most spyware from my machine (woohoo!!! What a relief!), however I did get one lone popup, in Firefox this time, advertising a rogue spyware removal tool on eblocs.com.
Also, I can't seem to get rid of the O1 Hosts entries that HijackThis found - they just keep coming back.
Attached is a current HijackThis log - thanks to anyone who may have any further advice.
gzevspero, amateur spy:knock:er
 
Let HJT "fix" these in safe mode:
C:\WINNT\system32\iouggw.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {5DB65E8D-F6DB-0C67-BC40-BBAB9DA261CC} - (no file)

Then delete C:\WINNT\system32\iouggw.exe

Fix this lot using the FIXLSP from my big post
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
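
The thread keeps returning to the same O1 Hosts and O10 Winsock LSP lines across two logs. As an added example (not part of any post in this thread, and not HijackThis's own code), the Python sketch below parses entry lines in the format quoted above and summarises which hostnames are pinned to a non-loopback IP and which unknown LSP DLLs are listed. The function names are illustrative assumptions; the sample lines are copied from the log entries quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Entry lines copied from the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [svrrun] C:\WINNT\svrrun.exe
-- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
-- O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O23 - Service: Miscrosoft Updates Service 4 - Unknown - C:\WINNT\system32\msupd4.exe
"""

ENTRY = re.compile(r"^(?:--\s*)?([A-Z]\d{1,2}) - (.+)$")  # optional "-- " annotation
LOOPBACK = {"127.0.0.1", "::1"}

def parse_entries(text):
    """Return (section_code, body) pairs; lines that are not entries are skipped."""
    matches = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2).strip()) for m in matches if m]

def hosts_redirects(entries):
    """Map each non-loopback IP in O1 entries to the hostnames pinned to it."""
    by_ip = defaultdict(set)
    for code, body in entries:
        if code == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in LOOPBACK:
                by_ip[parts[0]].update(h.lower() for h in parts[1:])
    return {ip: sorted(names) for ip, names in by_ip.items()}

def unknown_lsp_files(entries):
    """Count O10 'Unknown file in Winsock LSP' entries per DLL path."""
    prefix = "Unknown file in Winsock LSP:"
    return Counter(body[len(prefix):].strip().lower()
                   for code, body in entries
                   if code == "O10" and body.startswith(prefix))

def triage(text):
    entries = parse_entries(text)
    return {"sections": Counter(code for code, _ in entries),
            "hosts_redirects": hosts_redirects(entries),
            "unknown_lsp": unknown_lsp_files(entries)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, dict(value))
```

Running it over a log taken before cleanup and another taken after a reboot shows at a glance whether the same hostname group has been written back to the Hosts file.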
 