Spyware on my computer – HijackThis log attached

By rdayama
Jan 1, 2007
Topic Status:
Not open for further replies.
  1. Hello guys,
    I got some sort of spyware on my computer a few days ago. Internet stopped working. My computer started running very, very slow. Zillions of pop-ups every time I started Internet Explorer, and the battery drains out in just a couple of minutes. I did a lot of cleaning with Spy Sweeper, Spybot, Ad-Aware, CCleaner, Windows Defender, Symantec Antivirus (with built-in spyware cleaner) and Smitfraud cleaner. My computer had the Smitfraud virus. I also used Killbox to delete rpcc.dll and rpccd.dll, because Spy Sweeper reported it as spyware but was not able to delete it.

    Between all the tools, a ton of spyware (exe's, dll's, reg entries and many more) was cleaned up and I think it is mostly clean now. I don't get pop-ups, it doesn't freeze up and there are no problems with the internet. However, I still have the following problems:
    1. Computer is very slow at times
    2. The battery drains out in just a couple of minutes (this started happening after I got the spyware on my computer)
    3. I still see strange entries (processes) in the Spybot startup processes list

    I've attached a HijackThis log. Please advise.
    Thanks in advance.
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Hello and welcome to Techspot.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

    Click on the fix checked button.

    Close HJT and reboot your system. Other than the above, your HJT log is clean.

    However, you should read the following, as there could still be infections on your system.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.


    If after reading the above you decide you want to clean your system, do the following.


    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of rdayama only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  3. rdayama

    rdayama Newcomer, in training Topic Starter

    Howard,
    Thank you. I will delete those entries. I see unknown entries (processes) in the Spybot startup processes list. I will post them tonight.
    Thanks
  4. rdayama

    rdayama Newcomer, in training Topic Starter

    Among other applications that I recognize, I see the following applications in Spybot System Startup, i.e. TOOLS --> SYSTEM STARTUP.

    Crypt32Chain – crypt32.dll
    CryptNet – CryptNet.dll
    Igfxcui – Igfxsrvc.dll
    CscDll – CscDll.dll
    NavLogon – Navlogon.dll
    ScCertPro – WlNotify.dll
    Schedule – WlNotify.dll
    Sclgntfy – Sclgntfy.dll
    SensLogn – WlNotify.dll
    Termsrv – WlNotify.dll
    Wlballoon – WlNotify.dll
    WRNotifier – WRLogonNTF.dll

    They all have System.ini for Key. They are all checked. Please let me know.
    Thanks
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    All those .dll files are legit as far as I can tell.

    Follow the instructions in the link I gave you and post fresh HJT and AVG Antispyware logs.

    Regards Howard :)

  6. rdayama

    rdayama Newcomer, in training Topic Starter

    Hello,
    I followed the instructions you gave in the link. The following logs are attached:
    AVG Antivirus Scan Log
    AVG AntiSpyware Scan Log
    HijackThis Log

    My computer is still very slow. Also, sometimes it takes forever to start up.

    I see the following warning many times (10s and 20s each day) in the firewall's warning log.

    McAfee Firewall blocked an incoming UDP packet. The remote address associated with the traffic was <IP Address>. The remote port was 1900 [SSDP]. The local port on your PC was 1900 [SSDP]. The network adapter for the traffic was "D-Link AirPlus G DWL-G630 Wireless Cardbus Adapter #2".

    The binary data contained in the packet was "ff ff ff ff ff ff 00 13 46 a2 27 2c 08 00 45 00 01 18 38 c4 00 00 7f 11 51 6d c0 a8 00 01 ef ff ff fa 07 6c 07 6c 01 04 bc 26 4e 4f 54 49 46 59 20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48 4f 53 ".

    Also, the firewall's current activities show that a Generic Host Process is accessing the internet. I am not sure what that is.
    Thanks
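The firewall alert quoted above carries enough of the frame to decode it. The following is an added example, not code from the thread, from McAfee, or from D-Link: it parses the Ethernet II, IPv4 and UDP headers out of the hex dump and shows the packet to be an SSDP `NOTIFY` sent from 192.168.0.1 (a private LAN address, typically the router or another UPnP device) to the UPnP multicast group 239.255.255.250 on port 1900, i.e. routine local-network service advertisement, which matches Howard's assessment that it is nothing to worry about. The `classify_ssdp` helper and its verdict strings are this example's own, not anything the firewall reports.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constructed input: the truncated hex dump exactly as quoted from the McAfee
# Firewall alert in the post above (64 captured bytes of a 294-byte frame).
FIREWALL_DUMP = (
    "ff ff ff ff ff ff 00 13 46 a2 27 2c 08 00 45 00 01 18 38 c4 00 00 7f 11 "
    "51 6d c0 a8 00 01 ef ff ff fa 07 6c 07 6c 01 04 bc 26 4e 4f 54 49 46 59 "
    "20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48 4f 53"
)

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
SSDP_PORT = 1900
SSDP_MULTICAST = "239.255.255.250"  # well-known UPnP/SSDP multicast group


@dataclass
class UdpFrame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    ip_total_len: int
    src_port: int
    dst_port: int
    udp_len: int
    payload: bytes
    truncated: bool  # capture is shorter than the IP total-length field claims


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_udp_frame(hexdump: str) -> UdpFrame:
    """Parse Ethernet II -> IPv4 -> UDP headers from a space-separated hex dump."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet/IPv4/UDP headers")
    dst_mac, src_mac = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip_hdr = raw[14:]
    version, ihl = ip_hdr[0] >> 4, (ip_hdr[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    (total_len,) = struct.unpack("!H", ip_hdr[2:4])
    ttl, proto = ip_hdr[8], ip_hdr[9]
    if proto != IPPROTO_UDP:
        raise ValueError(f"not UDP: protocol {proto}")
    src_ip = str(ipaddress.IPv4Address(ip_hdr[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    udp = ip_hdr[ihl:]
    src_port, dst_port, udp_len, _checksum = struct.unpack("!HHHH", udp[:8])
    return UdpFrame(
        dst_mac=_mac(dst_mac), src_mac=_mac(src_mac),
        src_ip=src_ip, dst_ip=dst_ip, ttl=ttl, ip_total_len=total_len,
        src_port=src_port, dst_port=dst_port, udp_len=udp_len,
        payload=udp[8:], truncated=len(raw) < 14 + total_len,
    )


def classify_ssdp(frame: UdpFrame) -> str:
    """Hypothetical triage verdict; the verdict names are this example's own."""
    if frame.dst_port != SSDP_PORT or frame.dst_ip != SSDP_MULTICAST:
        return "not-ssdp-multicast"
    if not frame.payload.startswith((b"NOTIFY * HTTP/1.1", b"M-SEARCH * HTTP/1.1")):
        return "ssdp-port-unexpected-payload"
    if ipaddress.IPv4Address(frame.src_ip).is_private:
        return "ssdp-from-lan"      # routine UPnP advertisement from a local device
    return "ssdp-from-outside"      # SSDP multicast from a public source would be odd


if __name__ == "__main__":
    f = decode_udp_frame(FIREWALL_DUMP)
    print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} ttl={f.ttl} "
          f"payload={f.payload!r} truncated={f.truncated}")
    print("verdict:", classify_ssdp(f))
```

The IP total length (280) exceeds the 64 bytes the firewall logged, so `truncated` is set and the payload ends mid-header at `HOS` (the start of the `HOST:` line of the SSDP message); the classification only needs the request line, which is complete.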
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your HJT log is clean.

    Delete all files in AVG Antispyware quarantine and any files in your AVG antivirus vault. While you're at it, on the top of the main screen click Shield. Click the word active to change it to inactive. This will disable the active shield and will help to speed up your PC.

    Turn off system restore (XP/ME only). See how HERE.

    Then, turn system restore back on again. This will delete all your old restore points and anything nasty that's in them. It will also create a new, clean restore point.

    The alert you're getting from your firewall is nothing to worry about. It's part of your D-Link AirPlus G DWL-G630 Wireless Cardbus Adapter. Tell your firewall to allow the connection and not to alert you again.

    Generic Host Process accessing the internet is absolutely normal and should be allowed. It is a Windows process and is safe.

    Go to Add/Remove Programs in your control panel and uninstall anything to do with (if there):

    Norton
    Symantec
    Liveupdate.
    Symantec AntiVirus

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    SAVRoam
    LiveUpdate
    AVG Anti-Spyware Guard

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    guard.exe
    LUCOMS~1.EXE
    SavRoam.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there). None of these entries are nasty, but they are not required.

    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU

    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\Symantec AntiVirus (delete the entire folder)
    C:\PROGRA~1\Symantec (delete the entire folder)
    C:\WINDOWS\system32\NavLogon.dll

    Reboot your computer and post a fresh HJT log.

    Let me know how your system is running.

    Regards Howard :)

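The HijackThis lines Howard picked out in posts 2 and 7 can be triaged mechanically along the same lines he did by hand: entries whose target is reported as "(no file)" or "(file missing)" are orphaned leftovers, O16 DPF entries are ActiveX downloads whose source URL you should recognise, and O20 Winlogon Notify entries load a DLL at every logon and should belong to a known vendor. The following is an added example, not code from the thread, from HijackThis or from TechSpot; it parses the lines quoted in this thread (constructed here as a sample log) into section, CLSID, URL and file path, and attaches a triage tag. The tag strings and the regular expressions are this example's own.

```python
import re

# Constructed input: HijackThis lines quoted in posts 2 and 7 of the thread,
# one entry per line, in the format HJT itself prints them.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
# Unquoted paths may contain spaces (e.g. "Program Files"), so stop at the
# first extension we expect a startup entry to point at.
BARE_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cab|sys)\b", re.IGNORECASE)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entry(line: str) -> dict:
    """Split one HJT line into its section code and the artefacts it references."""
    section = line.split(" - ", 1)[0].strip()
    clsid = CLSID_RE.search(line)
    url = URL_RE.search(line)
    quoted = QUOTED_PATH_RE.search(line)
    bare = BARE_PATH_RE.search(line)
    path = quoted.group(1) if quoted else (bare.group(0) if bare else None)
    return {
        "section": section,
        "clsid": clsid.group(0) if clsid else None,
        "url": url.group(0) if url else None,
        "path": path,
        "orphan": any(marker in line for marker in ORPHAN_MARKERS),
        "raw": line,
    }


def triage_tag(entry: dict) -> str:
    """Hypothetical triage labels (this example's own wording)."""
    if entry["orphan"]:
        return "orphaned: target no longer exists, safe to remove"
    if entry["section"] == "O16":
        return "ActiveX download (DPF): confirm the source URL is one you trust"
    if entry["section"] == "O20":
        return "Winlogon Notify DLL: loaded at every logon, confirm the vendor"
    return "present: match against software you installed on purpose"


def triage(log_text: str) -> list:
    """Parse every non-blank line and attach a triage tag, preserving HJT order."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = parse_entry(line)
        entry["tag"] = triage_tag(entry)
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LOG):
        print(f"{e['section']:>4}  {e['tag']}\n      {e['path'] or e['url'] or e['clsid']}")
```

Orphaned entries are exactly what Howard had fixed in post 2 (the R3 and O3 entries with "(no file)") and the O18 entry in post 7; the O16 DPF entries are the ones whose download URLs he asked to be removed, and the O20 NavLogon entry is the Norton leftover whose DLL he then had deleted from disk.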
  8. rdayama

    rdayama Newcomer, in training Topic Starter

    Hello Howard,
    Did what you said. HijackThis log is attached. When I first ran HijackThis after uninstalling Norton and did a scan, I got 2 errors. Error log attached as well.

    System boot-up and performance have improved quite a bit. However, I have other serious issues I need to resolve. Every time the computer boots up, I see the following error in the system event log:

    The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a5 (0x00000011, 0x00000006, 0x00000000, 0x00000000). A full dump was not saved.

    Also, I am not able to enter the setup. After quite a bit of troubleshooting, it turned out that the BIOS is corrupted or bad or something. Dell tech support said I need to replace the BIOS chipset. I need to fix that first.

    I will post the hardware issues in the appropriate forum. I mentioned it here just in case you can give me a quick reply to it while you are replying to the spyware issue.

    Thanks

    Sorry I forgot to attach the logs before.
  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your HJT log is clean as a whistle.

    The HJT error message you got is caused by a small bug in HJT and is nothing to worry about.

    I'm sorry to hear you're having hardware problems and hope you soon get them resolved.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  10. rdayama

    rdayama Newcomer, in training Topic Starter

    Thanks for your help.