1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Tons of spyware!

By dmelsh · 8 replies
Jan 26, 2010
  1. Hey, so I was asked by my parents to look at their computer while I'm in town. What did I find? Almost every virus created on earth. Computer run slow and everything was outdated. After working on it a few hours I cleaned most of it up and updated most software.

    They are using AVG Internet Security which doesn't seem to be doing a good enough job with these viruses. Should I uninstall it and use Avast and Zone Alarm instead? Or should I force them to buy Kaspersky Internet security which is what I use?

    I have included hijackthis logs and the many scans with malwarebyte's.

    I figured I'll let you guys take a look at the hijacked logs before I start cleaning then encase I miss something that needs additional cleaning.

    Thanks again for all your guys help and future advance.

    Attached Files:

  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    You should format and reinstall Windows fresh
  3. protecterstouch

    protecterstouch TS Rookie

    Yeah this thing is a big mess.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    OR you can do the following which will most likely remove all of the malware and spare you a reformat/reinstall.

    You can download the Norton Removal Tool and save it to your desktop to run later.

    You can reopen HijackThis to [b['do system scan only'. You can check the following if present:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: PicLens plug-in for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\PicLens.dll
    O9 - Extra button: Launch PicLens - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\PicLens.dll
    O23 - Service: DNADownloader - Unknown owner - C:\Program Files\GameSpot\DownloadManager_Win32.exe (file missing)
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
    See Option 1

    Option 1: P2P or 'file sharing: P2P Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall MioNet which is associated with the Mionet remote access and sharing network.
    for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
    • Malware writers use these program to include malicious content.
    • Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Then you can close all Windows except HJT and click on "Fix Checked."

    You can then Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    And do the following:
    • Double click on the Norton Tool on your desktop and follow the prompts to remove remaining Norton entries.
    • Click on Start> Run type in [b[services.msc[/b]> double click on the following Services and set as instructed:
      DNADownloader> reset Startup type to Manual
      ccSvcHst (SYmantec)> reset to Disabled> Stop the Service
      MioNet> Set to Manual if keeping. Set to Disabled is uninstalling.
    Close Services.

    Then you can reboot back into Normal Mode and do the following:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Then you can update PicLens to Cooliris which it has been named for about 2 years and install the plug-in for Firefox HERE I think you'll be please to learn that Cooliris allows you to make the wall of pictures from the images on your system as well as on the internet.

    Then you can reset the Cookies so you don't pick up every Tracking Cookie on the internet:
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    After that, you could attach the Combofix report and Eset log to the next reply. This should show you a marked improvement.


    You can reformat and reinstall because someone didn't want to take the time to outline these things for you. Reformatting should be the last thing you do and only if nothing else works.

    EDIT: By the way, most of the adware is My Web Search. This is easily gotten for downloading Fun Web Products which offers 'free' Smileys, Screensavers, Cursors, etc. While these are free to download, you do pay a price of having all their adware on the system- some from Mywebsearch, Mysearch, My Search Bar, My Way Speedbar. But all if not most has been removed and I didn't see any remaining in HJT.
  5. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    "You can reformat and reinstall because someone didn't want to take the time to outline these things for you. Reformatting should be the last thing you do and only if nothing else works"....

    Thanks for taking the time to post this Bobbye... I looked at dmelsh's logs and thought Yikes!
  6. dmelsh

    dmelsh TS Rookie Topic Starter

    Bobbye thanks for your reply to my problems. I know it must have take sometime to go through everything and find solutions. So thank you.

    I have a quick question though. When I first looked at all the problems on the computer my first impress was to upgrade my parents computer to windows 7. Since I still have a student email address I can get windows 7 pro for $70. I think this would be the best solution for them.

    However, I was wondering if anyone knows how this works. Would it give me a download that I mount on a dvdr so I can do a clean install. Or will it just upgrade the OS and leave everything still on the computer.
  7. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Windows 7 will need a minimum 2GB of memory, and possibly a newer motherboard and video card to run properly. What are the current system specs? I got Windows 7 pro student priced at $30
  8. Row1

    Row1 TS Guru Posts: 343   +13

    whatever you do, get rid of anything norton.

    whatever you do, get rid of anything norton.

    being fully protected by norton is analogous to having a trojan take over your computer.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    dmelsh, upgrading an operating system isn't like downloading a program. Before you start, check the compatibility for the programs you will want on the system. And check the specs for RAM, drivers, etc.

    I don't see any indication of the computer manufacture and have no system specs. If it were me, I would clean up the system first. Then do the detective work about compatibility. Changing the OS just because you have adware and a bit of spyware is a pretty drastic step- it shouldn't be a step taken in haste.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...