TechSpot

Spyware help please, hijackthis log included

By mandimay
Jun 6, 2005
  1. Hello everyone... I'm new here so I hope I am in the right place! I have a 1.2 GHz Gateway with 256 MB RAM. I have always considered myself a spyware expert, cleaning this computer of 412 viruses and (get this) 1084 spyware components with Adaware when I first started using it (it was my boyfriend's, now husband's). I was recently surfing the net and came across an Alicia Silverstone fan page that installed a ton of spyware and trojans on my computer, and I have had trouble ever since. The trojans were in my Java cache and could not be cleaned, so I resorted to uninstalling Java, deleting the viruses and reinstalling Java. I have also run Spybot S&D, Adaware and Spyware Doctor, all of which find the spyware (one being Hotsearchbar), and they claim to delete it, but an immediate follow-up scan shows they are still there. System Restore is turned off. After all of this the pop-ups continue. Recently I tried to download a trial of Norton. While it was installing, the computer shut down on its own. I also tried to run a PC-cillin HouseCall scan... Just as it was about to find something, the computer shut down. When Adaware says there are components that cannot be removed and wants to run on system restart, I click yes. I restart and then Adaware pops up to run... But just as it starts up, the computer shuts down. I can't restart the computer without cancelling the Adaware scan. Whatever this is, it is much smarter than me. I am now running the Mozilla Firefox browser with no pop-ups and protection from SpywareBlaster, but when using Internet Explorer the pop-ups are still present! Can anyone help? My HijackThis log is attached. I would much appreciate it!
     


  2. RealBlackStuff TS Rookie Posts: 8,165

    First off, move HJT to its OWN directory (read my signature), NOT in Temp!
    C:\Documents and Settings\xxxxxxx\Local Settings\Temp\hijackthis 2\HijackThis.exe

    Second, your PC is top-heavy with too much AntiVirus etc. junk (Symantec/Norton, SpywareDoctor=rubbish, Avast (incomplete) and AVG).
    You should dump everything, except AVG. Believe me, your PC will be much better off.

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

    bgbaaalkr.exe
    regsync.exe
    VCMnet11.exe
    wupdater.exe

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    ccEvtMgr.exe
    ccPwdSvc.exe
    ccSetMgr.exe
    hnaoyac.exe
    SAVScan.exe
    SBServ.exe
    symlcsvc.exe
    Double-click it, click Stop if it's running, and change the Startup type to Disabled.

    Next, UNinstall anything to do with (if you can):
    C:\PROGRA~1\SPYWAR~1\tools\ ==>> Spyware Doctor
    C:\Program Files\Common Files\updater\wupdater.exe
    C:\Program Files\Alwil Software\Avast4
    Any Symantec/Norton rubbish

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\WINNT\system\bgbaaalkr.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
    O2 - BHO: SDWin32 Class - {11801B7C-D3F0-4F53-BDCE-CF121B4F8C7A} - C:\WINNT\system32\jtmny.dll
    O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\system32\vbrundll.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsy2094.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
    O3 - Toolbar: (no name) - {460A8A2A-97F2-4D98-BEAE-35B647C00966} - (no file)
    O4 - HKLM\..\Run: [regsync] C:\WINNT\system32\regsync.exe
    O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
    O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0011.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: hnaoyac - Unknown owner - C:\WINNT\system32\hnaoyac.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normally. When all OK, switch System Restore back on.

    When you are done (after cleaning up), get the free firewall from http://soho.sygate.com and switch XP's firewall off.

    And never EVER use Internet Explorer again, other than for Windoze updates!
    Stick with Firefox.
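
A small triage sketch for the HijackThis entries quoted in the reply above, added here as an example; it is not part of the original thread and not HijackThis's own logic. It parses the section code of each line and flags three patterns visible in that list; the flagging rules and function names are assumptions chosen for illustration, and the sample lines are copied from the reply.

```python
import re

# Sample input: seven entries copied from the fix list in the reply above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsy2094.dll
O4 - HKLM\..\Run: [regsync] C:\WINNT\system32\regsync.exe
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0011.exe
O23 - Service: hnaoyac - Unknown owner - C:\WINNT\system32\hnaoyac.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# Every entry starts with a section code such as R1, O2, O16 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log):
    """Return (section, body) pairs for every line that looks like a log entry."""
    entries = []
    for raw in log.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match["section"], match["body"]))
    return entries


def review_reasons(section, body):
    """Hypothetical triage rules: reasons an entry deserves a closer look."""
    reasons = []
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        reasons.append("target file absent: orphaned entry")
    elif section == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary reports no vendor")
    if section == "O16" and body.lower().endswith(".exe"):
        reasons.append("ActiveX entry sourced from a bare .exe")
    return reasons


def triage(log):
    """Return (section, body, reasons) for entries that matched a rule."""
    return [(s, b, r) for s, b in parse_entries(log) if (r := review_reasons(s, b))]
```

Entries that match no rule, such as the `nsy2094.dll` BHO and the `regsync` Run key, are still on the reply's fix list, so these rules narrow a review and do not replace reading the whole log.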
     
Topic Status:
Not open for further replies.

