Spyware on my computer – HijackThis log attached

rdayama

Hello guys,
I got some sort of spyware on my computer a few days ago. Internet stopped working. My computer started running very, very slow. Zillions of pop-ups every time I started Internet Explorer, and the battery drains out in just a couple of minutes. I did a lot of cleaning with Spy Sweeper, Spybot, Ad-Aware, CCleaner, Windows Defender, Symantec Antivirus (with built-in spyware cleaner) and Smitfraud cleaner. My computer had the Smitfraud virus. I also used Killbox to delete rpcc.dll and rpccd.dll, because Spy Sweeper reported them as spyware but was not able to delete them.

Between all the tools, a ton of spyware (exe's, dll's, reg entries and many more) was cleaned up and I think it is mostly clean now. I don't get pop-ups, it doesn't freeze up and there are no problems with the internet. However, I still have the following problems:
  1. Computer is very slow at times
  2. The battery drains out in just a couple of minutes (this started happening after I got the spyware on my computer)
  3. I still see strange entries (processes) in Spybot's start-up processes list

I've attached a HijackThis log. Please advise.
Thanks in advance.
 
Hello and welcome to Techspot.

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

Click on the fix checked button.

Close HJT and reboot your system. Other than the above, your HJT log is clean.

However, you should read the following, as there could still be infections on your system.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.


If after reading the above you decide you want to clean your system, do the following.


Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of rdayama only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard,
Thank you. I will delete those entries. I see unknown entries (processes) in Spybot start up processes list. I will post them tonight.
Thanks
 
Among other applications that I recognize I see the following applications in Spybot System Startup i.e. TOOLS --> SYSTEM STARTUP.

Crypt32Chain – crypt32.dll
CryptNet – CryptNet.dll
Igfxcui – Igfxsrvc.dll
CscDll – CscDll.dll
NavLogon – Navlogon.dll
ScCertPro – WlNotify.dll
Schedule – WlNotify.dll
Sclgntfy – Sclgntfy.dll
SensLogn – WlNotify.dll
Termsrv – WlNotify.dll
Wlballoon – WlNotify.dll
WRNotifier – WRLogonNTF.dll

They all have System.ini for Key. They are all checked. Please let me know.
Thanks
 
All those .dll files are legit as far as I can tell.

Follow the instructions in the link I gave you and post fresh HJT and AVG Antispyware logs.

Regards Howard :)

 
Hello,
I followed the instructions you gave in the link. The following logs are attached
AVG Antivirus Scan Log
AVG AntiSpyware Scan Log
HijackThis Log

My computer is still very slow. Also, sometimes it takes forever to start up.

I see the following warning many times (tens of times each day) in the firewall's warning log.

McAfee Firewall blocked an incoming UDP packet. The remote address associated with the traffic was <IP Address>. The remote port was 1900 [SSDP]. The local port on your PC was 1900 [SSDP]. The network adapter for the traffic was "D-Link AirPlus G DWL-G630 Wireless Cardbus Adapter #2".

The binary data contained in the packet was "ff ff ff ff ff ff 00 13 46 a2 27 2c 08 00 45 00 01 18 38 c4 00 00 7f 11 51 6d c0 a8 00 01 ef ff ff fa 07 6c 07 6c 01 04 bc 26 4e 4f 54 49 46 59 20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48 4f 53 ".

Also, the firewall's current activities show that a Generic Host Process is accessing the internet. I am not sure what that is.
Thanks
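Decoding the firewall dump quoted above, as an added example that is not part of the thread and not McAfee's code: the bytes are an Ethernet II frame carrying an IPv4/UDP datagram from 192.168.0.1 port 1900 to the SSDP multicast group 239.255.255.250 port 1900, and the payload starts with `NOTIFY * HTTP/1.1`, which is a UPnP device announcing itself to the LAN. The source OUI 00:13:46 is registered to D-Link, and 192.168.0.1 is assumed here to be the router's LAN address (the post does not say). The log prints only the first 64 bytes of a 294-byte frame, so the IP header checksum can be verified but the UDP checksum cannot. The `FIREWALL_DUMP` constant is copied from the post; everything else is this example's own code.

```python
"""Decode the McAfee Firewall hex dump quoted in the post above.

Added example for this thread; not from the original posts or from McAfee.
FIREWALL_DUMP is the byte string copied from the firewall's warning log.
"""
import struct

FIREWALL_DUMP = (
    "ff ff ff ff ff ff 00 13 46 a2 27 2c 08 00 45 00 01 18 38 c4 00 00 7f 11 "
    "51 6d c0 a8 00 01 ef ff ff fa 07 6c 07 6c 01 04 bc 26 4e 4f 54 49 46 59 "
    "20 2a 20 48 54 54 50 2f 31 2e 31 0d 0a 48 4f 53"
)

SSDP_GROUP = "239.255.255.250"   # UPnP/SSDP IPv4 multicast group
SSDP_PORT = 1900


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented.
    Over a header that includes its own checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def multicast_mac(group: str) -> str:
    """RFC 1112 mapping of an IPv4 multicast group to its Ethernet address."""
    o = [int(x) for x in group.split(".")]
    return f"01:00:5e:{o[1] & 0x7F:02x}:{o[2]:02x}:{o[3]:02x}"


def decode_frame(hexdump: str) -> dict:
    """Parse Ethernet II + IPv4 + UDP headers and return the interesting fields."""
    raw = bytes.fromhex(hexdump)
    dst_mac, src_mac = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("expected an IPv4/UDP packet")
    udp = ip[ihl:]
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", udp[:8])
    return {
        "dst_mac": _mac(dst_mac),
        "src_mac": _mac(src_mac),
        "ip_header_ok": rfc1071_checksum(ip[:ihl]) == 0,
        "ttl": ttl,
        "ip_total_len": total_len,
        "src": _ipv4(src),
        "dst": _ipv4(dst),
        "sport": sport,
        "dport": dport,
        "udp_len": udp_len,
        "payload": udp[8:],
        # The firewall log prints only the first 64 bytes of the 294-byte frame.
        "truncated": len(raw) < 14 + total_len,
    }


def classify(info: dict) -> str:
    """Name the SSDP traffic; anything else is 'other' and deserves a closer look."""
    first_line = info["payload"].split(b"\r\n", 1)[0]
    if info["dst"] == SSDP_GROUP and info["dport"] == SSDP_PORT:
        if first_line == b"NOTIFY * HTTP/1.1":
            return "ssdp-notify"   # a UPnP device announcing itself to the LAN
        if first_line.startswith(b"M-SEARCH * HTTP/1.1"):
            return "ssdp-search"   # a client looking for UPnP devices
    return "other"


if __name__ == "__main__":
    info = decode_frame(FIREWALL_DUMP)
    for key, value in info.items():
        print(f"{key:14} {value!r}")
    print("verdict:", classify(info))
    print("expected dst MAC for the group:", multicast_mac(info["dst"]))
```

One detail worth noticing in the output: the frame is addressed to ff:ff:ff:ff:ff:ff rather than to 01:00:5e:7f:ff:fa, the Ethernet address the multicast group maps to, so the router is broadcasting its SSDP announcement instead of multicasting it. That is sloppy but not a sign of compromise; it simply means every host on the LAN, including a host firewall, sees the packet, which is why the alert fires so often. Blocking it is harmless unless you want UPnP-aware programs to discover the router.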
 
Your HJT log is clean.

Delete all files in AVG Antispyware quarantine and any files in your AVG antivirus vault. While you're at it, on the top of the main screen click Shield. Click the word active to change it to inactive. This will disable the active shield and will help to speed up your pc.

Turn off system restore.(XP/ME only) See how HERE.

Then, turn system restore back on again. This will delete all your old restore points and anything nasty that`s in them. It will also create a new, clean restore point.

The alert you're getting from your firewall is nothing to worry about. It's part of your D-Link AirPlus G DWL-G630 Wireless Cardbus Adapter. Tell your firewall to allow the connection and not to alert you again.

Generic Host Process accessing the internet is absolutely normal and should be allowed. It is a Windows process and is safe.

Go to Add/Remove Programs in your control panel and uninstall anything to do with (if there)

Norton
Symantec
Liveupdate.
Symantec AntiVirus

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

SAVRoam
LiveUpdate
AVG Anti-Spyware Guard

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

guard.exe
LUCOMS~1.EXE
SavRoam.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there). None of these entries are nasty, but they are not required.

O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\Symantec AntiVirus (delete the entire folder)
C:\PROGRA~1\Symantec (delete the entire folder)
C:\WINDOWS\system32\NavLogon.dll

Reboot your computer and post a fresh HJT log.

Let me know how your system is running.

Regards Howard :)

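A small triage script for HJT log lines, as an added example for the two replies above (it is not part of the thread and not HijackThis's own code). It applies the rules those replies use: tick entries whose target file is gone ("(no file)" or "(file missing)"), tick O16 DPF ActiveX downloads and show which site they come from, and tick O4/O20/O23 entries that still name a product you have since uninstalled. `SAMPLE_LOG` is copied from the entries quoted in the replies; `UNINSTALLED_MARKERS` is an assumed list matching the uninstall advice in the later reply and should be tuned to whatever you actually removed.

```python
"""Triage HijackThis (HJT) log lines the way the replies in this thread do.

Added example; not part of the thread and not HijackThis's own code.
SAMPLE_LOG is copied from the entries quoted in the replies above.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
"""

# Products the later reply has the user uninstall; entries still naming them are
# leftovers. Assumed list for this example: tune it to what you actually removed.
UNINSTALLED_MARKERS = ("Symantec", "Norton", "NavLogon", "LiveUpdate", "Grisoft")

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_line(line: str):
    """Split 'O16 - DPF: {clsid} (name) - url' into parts; None if not an HJT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    section, _, rest = body.partition(": ")
    clsid = CLSID_RE.search(rest)
    url = URL_RE.search(rest)
    return {
        "kind": kind,
        "section": section,          # e.g. "DPF", "Toolbar", "Service"
        "rest": rest,
        "clsid": clsid.group(0) if clsid else None,
        "url": url.group(0) if url else None,
        "missing": any(mk in rest for mk in MISSING_MARKERS),
        "raw": line.strip(),
    }


def triage(entry: dict, uninstalled=UNINSTALLED_MARKERS):
    """Return why the entry should be ticked in HJT, or None to leave it alone."""
    if entry["missing"]:
        return "orphaned: the registry still points at a file that no longer exists"
    if entry["kind"] == "O16":
        host = urlparse(entry["url"]).hostname if entry["url"] else "unknown host"
        return f"ActiveX download (DPF) from {host}: remove unless you knowingly use that site"
    if entry["kind"] in ("O4", "O20", "O23"):
        for marker in uninstalled:
            if marker.lower() in entry["rest"].lower():
                return f"leftover of uninstalled product ({marker})"
    return None


def triage_log(text: str, uninstalled=UNINSTALLED_MARKERS):
    """Return [(raw_line, reason)] for every line worth ticking."""
    hits = []
    for line in text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = triage(entry, uninstalled)
        if reason:
            hits.append((entry["raw"], reason))
    return hits


if __name__ == "__main__":
    for raw, reason in triage_log(SAMPLE_LOG):
        print(f"TICK  {raw}\n      -> {reason}")
```

On the sample, everything is ticked except the McAfee O4 entry, which belongs to the firewall still in use; that matches the advice above, where the McAfee Guardian line is removed only as "not required" rather than as a leftover. The orphan rule is the safe one to automate; the DPF and leftover rules only say where to look, and the decision to remove still needs the human reading the log.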
 
Hello Howard,
Did what you said. HijackThis log is attached. When I first ran HijackThis after uninstalling Norton and did a scan, I got 2 errors. Error log attached as well.

System boot up and performance has improved quite a bit. However I have other serious issues I need to resolve. Every time the computer boots up, I see the following error in the system event log

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a5 (0x00000011, 0x00000006, 0x00000000, 0x00000000). A full dump was not saved.

Also, I am not able to enter the setup. After quite a bit of troubleshooting, it turned out that the BIOS is corrupted or bad or something. Dell tech support said I need to replace the BIOS chipset. I need to fix that first.

I will post the hardware issues in the appropriate forum. I mentioned it here just in case you can give me a quick reply to it while you are replying to the spyware issue.

Thanks

Sorry I forgot to attach the logs before.
 
Your HJT log is clean as a whistle.

The HJT error message you got is caused by a small bug in HJT and is nothing to worry about.

I'm sorry to hear you're having hardware problems and hope you soon get them resolved.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 