TechSpot

Major Spyware Problem

By souton
Jan 22, 2005
Topic Status:
Not open for further replies.
  1. hey

    i didn't know which category i was supposed to post this, so i apologize.

    i'm having a spyware problem. i'm getting a bunch of poker pop-ups (with partially nude women).

    i'm also getting a pop-up from time-to-time saying:

    Windows Security Center

    WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.

    Do you want to download certificated software and protect your computer?

    Yes No


    i'm also getting an icon in my sys tray every now and then saying:

    Your computer is at risk

    Click on this balloon to fix it.


    i have run avg and ad-aware to the point where its not finding anything.

    here's my hjt log:

    Logfile of HijackThis v1.99.0
    Scan saved at 1:52:14 AM, on 1/22/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Souton\Desktop\miranda-im-v0.3.3.1\miranda32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\tsmsetup.exe
    C:\WINDOWS\System32\nbtrstat.exe
    C:\Valve\Steam\Steam.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Winamp3\winamp3.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Souton\My Documents\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [down] wmplayer.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    if anyone can help me, it would be most appreciated.
     
  2. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,552   +301

    I'm no expert at the HijackThis reports, but that looks pretty clean. The popups should be minimized with the Google Toolbar (not Windows-minimized, I mean minimized compared to without the toolbar). But that Windows Security popup is one I've seen quite often on machines at work that don't have XP SP2 or Google Toolbar; it's not a real security warning, just one to get you to buy some software most likely.

    The thing saying your computer is at risk in the system tray is normal if you are running XP SP2. What it means is you either don't have a firewall up (or Windows doesn't notice one) or you don't have an antivirus program installed (or again Windows might not notice it if it's some obscure one).

    If you are concerned it might be a virus or some such, try and run an online scan like the one from Trendmicro called Housecall. I don't have the link for it, but a quick google search will give you it.
     
  3. souton

    souton TS Enthusiast Topic Starter Posts: 164

    i came home from work today and i had 9 pop-ups, 7 = poker, 2 = personalphoto.com or something. and 3 of the "Windows Security Center" pop-ups. also, i constantly keep getting an avg pop-up saying to move:

    URL: http://63.219.181.7/cax.cab
    C:\Documents and Settings\Souton\Local Settings\Temporary Internet Files\Content.IE5\WXWBMDOF\cax[1].cab
    Trojan horse Downloader.Small.7.AZ


    to the virus vault. when i do, i get a pop-up that says:

    Microsoft Internet Explorer

    Please, click YES to install FREE software!


    i close that out, and the avg pop-up comes again, it's a never ending process.

    then this pops-up:

    Copy Error

    Setup cannot copy the file Ole32ws.dll.

    Ensure that the locations specified below is correct, or change it and insert '(Unknown)' in the drive you specify.

    Copy files from:

    C:\DOCUME~1\Souton\LOCALS~1\Temp\ICD2.tmp


    ps. Housecall didn't find any viruses. :(

    please help me
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Go Here and follow all the instructions.

    Regards Howard :D
     
  5. bgivens

    bgivens TS Rookie

    Microsoft has a beta version of a new spyware program. I use it at work and at home and it works well and is easy to use. I am new to this forum and do not know why I can't put a link in this message, but if you go to Microsoft's Downloads, the program name is Microsoft AntiSpyware Beta1.
     
  6. ellomoto

    ellomoto TS Rookie Posts: 18

    Download Adaware Pro and SpyBot - Search and Destroy... run both and get rid of any spy/malware etc that it finds...
     
  7. bgivens

    bgivens TS Rookie

    Spybot

    I have used Spybot for about a year but this new AntiSpyware Beta1 from Microsoft had found many spyware programs that Spybot missed. I have never used the Adware program though.
     
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    AFTER you have been in How to remove Begin2Search / Coolwebsearch
    as Howard suggested (and hopefully followed the advice)

    Reboot in Safe Mode.

    Hit Ctrl/Alt/Del and in Taskmanager try to STOP these processes (if there):
    miranda32.exe
    tsmsetup.exe
    nbtrstat.exe
    wmplayer.exe


    UNinstall this rubbish (adware/spyware) here:
    C:\Documents and Settings\Souton\Desktop\miranda-im-v0.3.3.1\miranda32.exe

    I would ADVISE to UNinstall the google-bar. It may be infected. Afterwards (if you insist) you can D/L the latest version from Google.
    Personally I fail to see the use of these toolbars, if you use Firefox.

    Run Hijackthis on its own and let it 'fix':
    C:\Documents and Settings\Souton\Desktop\miranda-im-v0.3.3.1\miranda32.exe
    C:\WINDOWS\System32\tsmsetup.exe
    C:\WINDOWS\System32\nbtrstat.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [down] wmplayer.exe

    When done, delete:
    tsmsetup.exe
    nbtrstat.exe
    miranda-im-v0.3.3.1\miranda32.exe, including the directory itself

    Check the location of wmplayer.exe
    If it is NOT here: \Program Files\Windows Media Player\wmplayer.exe DELETE it

    Leave dumprep alone otherwise.
     
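A defender-side triage of the two checks this post makes against the posted HijackThis log (a Run entry naming a bare executable, and a process running from a user profile folder), as an added Python example that is not part of the thread; the log text is a constructed subset of the one posted above, and the function names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
HJT_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Documents and Settings\\Souton\\Desktop\\miranda-im-v0.3.3.1\\miranda32.exe
C:\\WINDOWS\\System32\\tsmsetup.exe
C:\\WINDOWS\\System32\\nbtrstat.exe

O4 - HKLM\\..\\Run: [CTStartup] C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE /run
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKLM\\..\\Run: [down] wmplayer.exe
"""

# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(log):
    """(name, command) for every O4 autostart entry in the log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("cmd").strip()))
    return entries

def running_processes(log):
    """Paths under 'Running processes:' (every line that starts with a drive letter)."""
    return [l.strip() for l in log.splitlines() if re.match(r"[A-Za-z]:\\", l.strip())]

def bare_run_entries(log):
    """Run entries whose command carries no directory, so the search path decides what runs.
    This is the check the post makes for '[down] wmplayer.exe': confirm the file that
    actually starts is the one under Program Files\\Windows Media Player."""
    flagged = []
    for name, cmd in parse_o4(log):
        first = cmd.split()[0].strip('"')
        if "\\" not in first and "/" not in first:
            flagged.append(name)
    return flagged

def user_profile_processes(log):
    """Running executables that live under a user profile (Desktop, Temp) rather than
    Program Files or the Windows directory; worth verifying, as the post does for miranda32.exe."""
    return [p for p in running_processes(log)
            if len(parts := PureWindowsPath(p).parts) > 2
            and parts[1].lower() == "documents and settings"]
```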

