Does my laptop have spyware?

Status
Not open for further replies.

livinlovinit

Posts: 13   +0
Hello, I am just wondering if I have a virus or spyware because every time I log in to my laptop the wallpaper is gone and so are the icons. Everything is gone except my MSN Messenger and the sidebar that came with Vista. It's not until I log in the second time that everything is there, but it feels like it's performing slowly. I also get the "KeyAccess for windows has stopped working" message sometimes. Also, when I put my USB key in, the autorun feature doesn't pop up. I have to go to "My Computer" to view it.

My HijackThis Log is attached

Please, any help will be appreciated, I can't bear the thought that someone is watching me through my computer.

Thank you in advance
 

Attachments

  • Scan1.txt (11.6 KB)
Uninstall your AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Restart

Install Avira free AntiVirus

Open HJT Scan only, and place a tick in every box where the entry finishes with "File Missing". Then select FIX

Then follow this guide: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

By the way your Autorun can be fixed by going here: http://support.microsoft.com/kb/953252
 
Thank you so much for replying. So I am guessing that I do have spyware on my laptop. I will still do what you said I should, but post back here if I have any more questions.
Thank you

Hi, here are the logs of the required 8 step rule. I will await your reply

Here's the HijackThis Log


Sorry, here's the MBAM log
 
Open HJT Scan only, and place a tick in every box where the entry finishes with "File Missing". Then select FIX
This quoted part was not done, and still needs to be done

Your SuperAntiSpyware log caught quite a few pieces of spyware, it may be best to run it again

Here is your next step though:

Please download and run SDFix (I'm sorry, but I must refer you to this tutorial on its use, scroll down to "SDFix Instructions")

Download, and run the "RunThis.bat" in Safe Mode, as advised
Then attach the log and a new HJT log
Oh by the way, it says that it may take 20 mins to scan! (Mine took over an hour to complete!)
 
Oh, I'm sorry, I thought I did. Well I scanned with HijackThis again, and removed the "File Missing" ones, and it's okay you referred me to the tutorial, I appreciate it....I will scan with SuperAntiSpyware again and the SDFix in safe mode

Thank you
 
Hi, I scanned with Malwarebytes Anti-Malware and with SuperAntiVirus in safe mode, however I couldn't get SDFix to run the RunThis.bat.....I checked all the possible things that could cause it not to work via the tutorial. It seems that it isn't working because it is compatible with 32-bit computers. My computer is 64-bit. I still did a scan with HijackThis in safe mode and have both SuperAntiVirus and HijackThis logs. I notice that HijackThis for some reason can't remove the "File Missing" entries =s. Also Malwarebytes says I'm not infected, but I don't believe it because when I log in to my computer, the desktop still acts funny =s
 
Please startup HijackThis and do a scan only
On all listed entries below, place a tick in the associated entry box
Close all Internet browsers (like Internet Explorer or Firefox) Actually close any other program that's running too.
Then select FIX to all:
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KeyAccess] keyacc32.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O13 - Gopher Prefix:
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_48fbb870\AESTSr64.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_8adfd0a8\STacSV64.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
Close the HijackThis blank Window
And then restart

Run CCleaner again
And then run one more HijackThis scan and log, and attach it to a new reply :)
 
Okay, so I did the scan with HijackThis and deleted all the items you posted. However the very first one, the O1 - Host: ::1localhost didn't delete from what I understand. HijackThis said:

"Error Details: An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=01 - Hosts: ::1localhost)"

Windows version: Windows NT 6.00.1905
MSIE version: 7.0.6001.18000

HijackThis version: 2.0.2


I restarted my laptop as you said and ran CCleaner and HijackThis again, here's the log

Am I free from this Spyware? (I hope so)
 
That's strange, all the file missing and everything I quoted is still there :confused:

Please go to Users in Control Panel, and confirm that you are an Administrator
If you are, then there must be policies set. In which case do my above post in Safe Mode, but log on to Administrator account
 
Here's the HijackThis log. The "file missing" codes won't delete for some reason. I restarted several times, repeated the process several times and it still won't go away =s this is a stubborn spyware =D.

Oh I just wanted to mention that I backed up the files I still want to keep on this laptop
to a CD. I TRULY APPRECIATE YOUR HELP, but this spyware is really getting to me, and I can't really work in school knowing that this laptop is "infected". I need this laptop to make it through college because my program requires us to be able to use a laptop. It seems that this spyware is really tough to get rid of. So I just might reformat this laptop, but if I still have a few steps to go, I will, but if reformatting it will do the trick, why not, I just hope it didn't jump to the CD I used to keep the files I still want =D

I will await your reply about my decision and your advice on whether I should reformat or not

Once again THANK YOU FOR ALL YOUR HELP I APPRECIATE IT =D
 
Download Combofix
Lots of info on its use here
Direct download here

Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
ComboFix will also restart your computer (eventually) and then (eventually) create a log

Save this log file to be attached to a new reply

Then run HJT scan
Remove (tick and Fix all) all the "file missing" entries one last time (just get most for a test)
Restart (this is a must)
Do another scan with HJT (scan and log file) and attach this to a new reply (without the "file missing" entries, I hope ;) )
 
Umm, ComboFix won't work on my 64-bit Vista laptop. It says: Incompatible OS. ComboFix only works for Windows 2000 and XP, and then has it in several different languages after.
That message pops up after a small blue screen flashes for about 1 second, I can't read what it says but I believe it's from ComboFix running =s
 
Hmm I seem to be at a full stop (This is not normal)
Depending upon how long you wish to wait, I might ask for one of our other Malware specialists to have a look (which I thought I might be, up until now)
 
I would like your malware specialist to have a look, but since it's the weekend I can use this time to start the reformatting. College is going to be hard if I don't have a working computer lol. I do have the DVD to reinstall Vista, I made sure I backed up my laptop the first day I got it, just in case I had a problem like this.

Once again thank you for your assistance =)
 
First SDFix will not run under Vista.

I have had it run on a few of my clients' workstations that I have tweaked (turned off many unneeded services, UAC, etc.).

On some others with the very same tweaks it will not run. But SDFix under Vista is not supported by its author.

All the HJT entries with the @ exist on all 64-bit Vista installs; HJT will not remove them, they are harmless, and they will be right back after a format and install.

So livinlovinit give us a status report on how computer works (is original issue fixed?) and any issues we may not be aware of.

But ComboFix should run (unless I have missed the fact that it is a 64 bit issue) and we do need its log.

So do the following
In Control panel in User Accounts turn off UAC and reboot (back on after we finish).

Then Start-Run
type
Combofix /u
Click OK or hit Enter key
This uninstalls ComboFix

Now download a fresh ComboFix, then rename it to 12CBF34.exe.

Now try to run
If no joy then right click the icon and choose "Run as Administrator"
If no joy then right click the icon and choose Properties - Compatibility, choose Windows XP SP2, click Apply and OK
Then Run as Administrator again.

If this doesn't work we will drop back and punt!

Mike
 
Hello Mike, thank you for replying. I ended up reformatting my laptop, twice. Everything seems to be okay, I even notice that some of the devices on the laptop have not stopped working. But something seems funny, so I did a scan with HijackThis and noticed the @ entries are still there =( here's the log. Oh and yes my laptop is a 64-bit laptop

I am currently downloading ComboFix but I am having a hard time understanding the UAC you're talking about and this part

"Now try to run
If no joy then right click the icon and choose "Run as Administrator"
If no joy then right click the icon and choose Properties - Compatibility, choose Windows XP SP2, click Apply and OK
Then Run as Administrator again."

I will post back about the ComboFix when done downloading
 
You jumped the gun I don't think a format reinstall was necessary!

And apparently you did not read my last post!
All the HJT entries with the @ exist on all 64-bit Vista installs; HJT will not remove them, they are harmless, and they will be right back after a format and install.

No 64 bit drivers for these items so no issue, no problem your computer is running the 32 bit versions for these entries.

Mike
 
Oh, I'm sorry, I understand about the @ entries comment you made.......so does that mean I'm spyware free....am I still infected???
 
No, if you just formatted and reinstalled you should be clean.

Those entries mean nothing.

If there were 64-bit versions of these entries they would not have the (file missing), but they may still not be removable until HJT becomes 64-bit.

Forget them!

Mike
 
Normally all "file missing" entries can be safely removed
I'm going to have to find more information about this, as I've not seen this issue before
If you happen to know the MS support link concerning this issue, I'd be interested in reading it.
 
oh, okay, for a sec I thought my recovery disk was infected too lol

So let me try and understand the last post: the "file missing" entries are suspicious but not a high risk of a spyware attack, but nonetheless forget about them

Once again, thank you so much =D
 
OK I will try to explain more.

When you have a 64-bit computer/OS there are possibly 2 sets of drivers/programs.

64-bit and 32-bit. This just means at 64 bits the computer only has to take one bite (in the terms of eating) to process something. If it took 1000 bites at 32 bits it would need only 500 bites at 64 bits.

There is a shortage of 64bit drivers for a lot of applications. There is also a shortage of 64bit programs.

All the 64bit entries in the HJT log have an @ sign like
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

To prove the above line is harmless if the Spoolsv was not working then you would not be printing! It has dropped back to 32bits to do this.

And the 32-bit ones have either no mention at all or the (x86), which is 32-bit, like
C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-Aware.exe, where (x86) designates 32-bit.

The reason you do not need to worry is that the 32-bit versions of all those entries with the @ sign in their name are running and therefore do not show up. They would show up without the @ sign (32-bit) if they really were missing, and HJT could then remove the entries.

So in this case it is a compatibility thing: there are no 64-bit versions of these, so it is impossible for them to run.

The reason HJT cannot remove them is that HJT is not 64-bit and may also be affected by the @ sign.

Is that as clear as mud?

Mike
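The O23 lines in the fix list earlier in the thread and in Mike's explanation have a regular shape that can be triaged mechanically before anything is ticked for removal. The Python below is an added example, not code from this thread or from the HijackThis project: it parses O23 lines, flags the "@file,-id" resource-string display names, and marks "(file missing)" entries under System32 or Program Files (x86) for verification from the native 64-bit view (a 32-bit scanner under WOW64 has System32 redirected to SysWOW64 and %ProgramFiles% expanded to the (x86) folder); the last two sample lines are constructed to exercise the "present" and "review" cases.

```python
import re

# HijackThis O23 line: "O23 - Service: <display> (<service>) - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*) \((?P<service>[^()]+)\) - (?P<owner>.*?) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Windows indirect string "@<file>,-<id>": the OS resolves it to a localized display name.
INDIRECT_RE = re.compile(r"^@.+,-\d+$")

def parse_o23(line):
    """Return a dict for an O23 service line, or None for any other HJT line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["missing"] is not None
    entry["indirect_name"] = bool(INDIRECT_RE.match(entry["display"]))
    return entry

def classify(entry):
    """Triage label for one parsed O23 entry from a scan run on 64-bit Windows."""
    if not entry["missing"]:
        return "present"
    path = entry["path"].lower()
    # A 32-bit scanner under WOW64 sees %SystemRoot%\System32 redirected to SysWOW64 and
    # %ProgramFiles% expanded to "Program Files (x86)", so 64-bit-only binaries look absent.
    # Confirm from the native view (e.g. dir C:\Windows\Sysnative\<file>) before removing anything.
    if "\\windows\\system32\\" in path or "\\program files (x86)\\" in path:
        return "verify-native-path"
    return "review"

def triage(log_lines):
    """Map each service name to its label; non-O23 lines are ignored."""
    return {e["service"]: classify(e) for e in map(parse_o23, log_lines) if e}

# First O23 lines are taken from the log quoted in this thread; the last two are constructed.
SAMPLE_LOG = [
    r"O1 - Hosts: ::1 localhost",
    r"O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)",
    r"O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)",
    r"O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Program Files (x86)\Example\example.exe",
    r"O23 - Service: Example Updater (ExampleUpd) - Unknown owner - C:\Users\Public\example_upd.exe (file missing)",
]

if __name__ == "__main__":
    for service, label in sorted(triage(SAMPLE_LOG).items()):
        print(f"{service:15} {label}")
```

Entries labelled "verify-native-path" are exactly the ones this thread argues over; only entries that are still absent in the native view, plus anything labelled "review", deserve further attention.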
 