Major Spyware Problem

Status
Not open for further replies.

souton

Posts: 106   +0
hey

I didn't know which category I was supposed to post this in, so I apologize.

I'm having a spyware problem. I'm getting a bunch of poker pop-ups (with partially nude women).

I'm also getting a pop-up from time to time saying:

Windows Security Center

WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.

Do you want to download certificated software and protect your computer?

Yes No


I'm also getting an icon in my sys tray every now and then saying:

Your computer is at risk

Click on this balloon to fix it.


I have run AVG and Ad-Aware to the point where it's not finding anything.

Here's my HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 1:52:14 AM, on 1/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Souton\Desktop\miranda-im-v0.3.3.1\miranda32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\tsmsetup.exe
C:\WINDOWS\System32\nbtrstat.exe
C:\Valve\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp3\winamp3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Souton\My Documents\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [down] wmplayer.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


If anyone can help me, it would be most appreciated.
 
I'm no expert at the HijackThis reports, but that looks pretty clean. The popups should be minimized with the Google toolbar (not Windows minimized, I mean minimized compared to without the toolbar). But that Windows security popup is one I've seen quite often on machines at work that don't have XP SP2 or the Google toolbar; it's not a real security warning, just one to get you to buy some software, most likely.

The thing saying your computer is at risk in the system tray is normal if you are running XP SP2. What it means is you either don't have a firewall up (or Windows doesn't notice one) or you don't have an antivirus program installed (or again, Windows might not notice it if it's some obscure one).

If you are concerned it might be a virus or some such, try and run an online scan like the one from Trend Micro called HouseCall. I don't have the link for it, but a quick Google search will give you it.
 
I came home from work today and I had 9 pop-ups, 7 = poker, 2 = personalphoto.com or something, and 3 of the "Windows Security Center" pop-ups. Also, I constantly keep getting an AVG pop-up saying to move:

URL: http://63.219.181.7/cax.cab
C:\Documents and Settings\Souton\Local Settings\Temporary Internet Files\Content.IE5\WXWBMDOF\cax[1].cab
Trojan horse Downloader.Small.7.AZ


to the virus vault. When I do, I get a pop-up that says:

Microsoft Internet Explorer

Please, click YES to install FREE software!


I close that out, and the AVG pop-up comes again; it's a never-ending process.

Then this pops up:

Copy Error

Setup cannot copy the file Ole32ws.dll.

Ensure that the locations specified below is correct, or change it and insert '(Unknown)' in the drive you specify.

Copy files from:

C:\DOCUME~1\Souton\LOCALS~1\Temp\ICD2.tmp


PS. HouseCall didn't find any viruses. :(

Please help me.
 
Microsoft has a beta version of a new spyware program. I use it at work and at home, and it works well and is easy to use. I am new to this forum and do not know why I can't put a link in this message, but if you go to Microsoft's Downloads, the program name is Microsoft AntiSpyware Beta1.
 
Download Ad-Aware Pro and Spybot - Search & Destroy... run both and get rid of any spy/malware etc. that it finds...
 
Spybot

I have used Spybot for about a year, but this new AntiSpyware Beta1 from Microsoft has found many spyware programs that Spybot missed. I have never used the Ad-Aware program though.
 
AFTER you have been in How to remove Begin2Search / Coolwebsearch
as Howard suggested (and hopefully followed the advice)

Reboot in Safe Mode.

Hit Ctrl/Alt/Del and in Task Manager try to STOP these processes (if there):
miranda32.exe
tsmsetup.exe
nbtrstat.exe
wmplayer.exe


UNinstall this rubbish (adware/spyware) here:
C:\Documents and Settings\Souton\Desktop\miranda-im-v0.3.3.1\miranda32.exe

I would ADVISE you to UNinstall the Google bar. It may be infected. Afterwards (if you insist) you can D/L the latest version from Google.
Personally I fail to see the use of these toolbars if you use Firefox.

Run HijackThis on its own and let it 'fix':
C:\Documents and Settings\Souton\Desktop\miranda-im-v0.3.3.1\miranda32.exe
C:\WINDOWS\System32\tsmsetup.exe
C:\WINDOWS\System32\nbtrstat.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [down] wmplayer.exe

When done, delete:
tsmsetup.exe
nbtrstat.exe
miranda-im-v0.3.3.1\miranda32.exe, including the directory itself

Check the location of wmplayer.exe.
If it is NOT here: \Program Files\Windows Media Player\wmplayer.exe, DELETE it.

Leave dumprep alone otherwise.
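The advice above boils down to three checks a reader can apply to any HijackThis log: running processes started from user-writable folders (Desktop, Temp), System32 processes that are not core Windows binaries, and O4 Run entries that name a bare executable with no path (so the name is resolved through the search path and should be confirmed on disk, as the wmplayer.exe step says). The script below is an added example, not code from the thread or from HijackThis; it parses log lines in the format shown in the thread and reports items for review. The sample log, the baseline process list, the user-writable markers and the expected-location table are all constructed for the example and deliberately short, so a hit means "review this", not "this is malicious".

```python
"""Flag HijackThis-style log entries for manual review (example code)."""
import re
from typing import Dict, List

# Constructed sample modelled on the thread's log (a subset of its lines).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\tsmsetup.exe
C:\WINDOWS\System32\nbtrstat.exe
C:\Documents and Settings\Souton\Desktop\miranda-im-v0.3.3.1\miranda32.exe
C:\Program Files\Winamp3\winamp3.exe

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [down] wmplayer.exe
"""

# Constructed baseline of core Windows XP processes normally seen in System32.
# Anything else running from System32 is reported for review.
KNOWN_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe",
}

# Folder fragments that ordinary users can write to (constructed list).
USER_WRITABLE_MARKERS = ("\\desktop\\", "\\temp\\", "\\temporary internet files\\")

# Where a well-known binary is expected to live (constructed; mirrors the
# thread's wmplayer.exe location check).
EXPECTED_LOCATIONS = {
    "wmplayer.exe": "\\program files\\windows media player\\",
}

# Run entries that look odd but are benign, as the thread says of dumprep.
BENIGN_RUN_ENTRIES = {"kernelfaultcheck"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _first_token(cmd: str) -> str:
    """Return the executable part of a Run command (quoted path or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _check_process(path: str) -> List[Dict[str, str]]:
    lower = path.lower()
    name = _basename(path)
    out = []
    if any(marker in lower for marker in USER_WRITABLE_MARKERS):
        out.append({"kind": "process", "item": name,
                    "reason": "runs from a user-writable folder: " + path})
    elif "\\windows\\system32\\" in lower and name not in KNOWN_SYSTEM_PROCESSES:
        out.append({"kind": "process", "item": name,
                    "reason": "System32 process not in the baseline; review: " + path})
    expected = EXPECTED_LOCATIONS.get(name)
    if expected and expected not in lower:
        out.append({"kind": "process", "item": name,
                    "reason": "not running from expected folder " + expected})
    return out


def _check_run_entry(name: str, cmd: str) -> List[Dict[str, str]]:
    if name.lower() in BENIGN_RUN_ENTRIES:
        return []
    exe = _first_token(cmd)
    if "\\" in exe:          # a full path was given; nothing to resolve
        return []
    base = _basename(exe)
    reason = "Run entry [%s] uses a bare name resolved via the search path" % name
    if base in EXPECTED_LOCATIONS:
        reason += "; confirm it is " + EXPECTED_LOCATIONS[base] + base
    return [{"kind": "run", "item": base, "reason": reason}]


def analyze_log(text: str) -> List[Dict[str, str]]:
    """Parse the 'Running processes' section and O4 lines; return review items."""
    findings: List[Dict[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if not line:                 # blank line ends the process list
            in_processes = False
            continue
        if in_processes:
            findings.extend(_check_process(line))
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(_check_run_entry(m.group("name"), m.group("cmd")))
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["kind"], f["item"], "-", f["reason"])
```

Run against the sample it reports tsmsetup.exe and nbtrstat.exe (System32, not in the baseline), miranda32.exe (started from the Desktop) and the `[down] wmplayer.exe` Run entry (bare name, expected under \Program Files\Windows Media Player), while CTStartup (full path given) and KernelFaultCheck (known benign) produce nothing. The output is a review list for the log's owner to confirm on disk, which is exactly the manual step the thread describes.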
 