Please God, somebody help me.

Discussion in 'adware, spyware & hijack cleaning' started by mattsterrr, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. mattsterrr

    mattsterrr Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    5
    Logfile of HijackThis v1.97.7
    Scan saved at 16:38:13, on 16/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\pro91d\bin\AdmSrvc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\E_S00RP2.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    c:\pro91d\bin\ProSrvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\RealPopup\RealPopup.exe
    C:\WINDOWS\System32\NDrv.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Grisoft\AVG6\avgw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Matt Jackson\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.bbc.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C42 Series (Copy 1)" /O5 "LPT3:" /M "Stylus C42"
    O4 - HKLM\..\Run: [EPSON C42] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P9 "EPSON C42" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [Stylus] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P6 "Stylus" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [System Backup] ms32.exe
    O4 - HKLM\..\Run: [Supastatus] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
    O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.3512615741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. mattsterrr

    mattsterrr Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    5
    I'm pretty new to the whole security thing, although having said that this is my work PC and whilst I haven't been surfing stuff I shouldn't have, I'd like to get it fixed myself.

    I have the free AVG, Trojan Remover, Spybot, CWShredder and StartPage guard on here. I keep getting told I have Startpage.6.AQ and to run AVG which I do, and it cleans it but usually within another ten minutes, the bugger is there again.

    I've tried cleaning when system restore is off, cause I read that somewhere once, but this unfortunately means I have no System Restore point prior to this rubbish happening.

    It all started because I had some spyware jobby that brought up about:blank with SearchFor... as homepage which was incredibly annoying. Got rid of that in the end, but don't actually know how.

    Please help me, I feel like I've been anally intruded. :'(
     
  3. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI mattsterrr

    Well, let's see if we can get it "clean".

    First of all - you should go to Windows Update and get ALL critical Updates!

    Pls. save your Hijackthis into its own folder - like C:\Hijackthis

    Press Ctrl+Alt+Del and 'end task' on any of the following that are present:
    ms32.exe
    NDrv.exe

    Check the following items in HijackThis.
    Close all windows except HijackThis and click "Fix checked":

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)

    O4 - HKLM\..\Run: [System Backup] ms32.exe

    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE <--------optional

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\WINDOWS\System32\NDrv.exe

    Then reboot and use AdAware as described :
    HERE

    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system .

    Then browse to the C:\Documents and Settings\User Name (repeat for all users)\Local Settings\Temp folder and delete all files and folders in it.
    Then browse to the C:\Windows\Temp folder and delete all files in it.
    Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

    Run Hijackthis again and pls. post a FRESH log.
     
  4. mattsterrr

    mattsterrr Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    5
    Many, many thanks for trying to help cleanse me.

    I'll give it a bash on Monday morning, and post a fresh log.

    Only problem I can see, at this stage, is that our IT department (in their infinite wisdom) have asked us NOT to download windows updates anymore as apparently, it was causing havoc.

    I suppose I'll have to try without, and post on Monday.

    Here's hoping.

    Cheers again,

    Mattsterrr
     
  5. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    You're Welcome :)

    Thanks for your feedback and till Monday :)
     
  6. mattsterrr

    mattsterrr Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    5
    Right, I followed your instructions implicitly (apart from the critical updates bit, as mentioned in my last post) and this is the latest log. If you can fix this you are truly a master of cleansing wizardry.

    Logfile of HijackThis v1.97.7
    Scan saved at 09:44:26, on 19/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\pro91d\bin\AdmSrvc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\E_S00RP2.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    c:\pro91d\bin\ProSrvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
    C:\Program Files\RealPopup\RealPopup.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Matt Jackson\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.bbc.co.uk
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.bbc.co.uk
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C42 Series (Copy 1)" /O5 "LPT3:" /M "Stylus C42"
    O4 - HKLM\..\Run: [EPSON C42] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P9 "EPSON C42" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [Stylus] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P6 "Stylus" /O6 "USB001" /M "Stylus C42"
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Supastatus] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
    O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.3512615741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi mattsterrr

    Any idea what this is?
    c:\pro91d\bin\AdmSrvc.exe

    Hmmm........ look at this:

    O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com

    Your Startpage shows: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/

    What is correct?
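
    The two things Marianna singles out by eye, in post 3 (the pathless [System Backup] ms32.exe autostart and the per-user NDrv.exe entry in System32) and here in post 7 (an IERESET.INF start page that disagrees with the browser's actual start page), can be turned into a repeatable triage pass over a HijackThis 1.x log. The script below is an added example and is not code from this thread or from HijackThis; the sample log is a constructed excerpt of the first log posted above, and the allow lists (accepted bare-filename autostarts, accepted ActiveX download hosts) and the flagging heuristics are assumptions for illustration, not vendor data.

```python
"""Triage a HijackThis 1.x log for the entry types flagged by hand in
the thread: autostarts with no path, per-user autostarts launched from
System32, ActiveX (O16) downloads from unexpected hosts, and an
IERESET.INF start page that disagrees with the current R0 start page.
Added example, not code from the thread or from HijackThis."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines from the thread's first log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [System Backup] ms32.exe
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.3512615741
"""

# Assumptions, not vendor data: bare-filename autostarts accepted as known,
# and hosts accepted as ActiveX download sources.
KNOWN_BARE_AUTOSTARTS = {"soundman.exe"}
TRUSTED_DPF_HOSTS = ("microsoft.com", "macromedia.com")
EXE_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
START_PAGE_RE = re.compile(r"Main,Start Page = (?P<url>\S+)$")
O14_RE = re.compile(r"^IERESET\.INF: START_PAGE_URL=(?P<url>\S+)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \([^)]*\) - (?P<url>\S+)$")


def executable_of(cmd: str) -> str:
    """Program part of a Run-key command line: the quoted token, or the
    shortest leading run of tokens ending in an executable extension
    (unquoted paths containing spaces are common in these keys)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXE_EXTENSIONS):
            return candidate
    return tokens[0] if tokens else ""


def host_trusted(host: str, trusted) -> bool:
    # Exact or dot-separated suffix match; plain endswith would pass evilmicrosoft.com.
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_run_entry(line: str, body: str) -> list:
    m = RUN_RE.match(body)
    if not m:
        return []  # Global Startup and other O4 forms are not handled here
    exe = executable_of(m["cmd"])
    name = exe.rsplit("\\", 1)[-1].lower()
    findings = []
    if "\\" not in exe and name not in KNOWN_BARE_AUTOSTARTS:
        findings.append(("high", line, f"bare filename '{exe}' is resolved through the "
                         "search path at logon, so the real file can sit anywhere; locate it first"))
    if m["hive"] == "HKCU" and "\\system32\\" in exe.lower():
        findings.append(("medium", line, f"per-user Run entry launches '{name}' from "
                         "System32; Windows components are, as a rule, registered under HKLM"))
    return findings


def triage(log_text: str) -> list:
    """(severity, log line, reason) tuples in log order; the IERESET.INF
    cross-check comes last because it needs the R0 start page."""
    findings, start_host, reset = [], None, None
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind in ("R0", "R1"):
            sp = START_PAGE_RE.search(body)
            if sp:
                start_host = urlparse(sp["url"]).hostname
        elif kind == "O4":
            findings.extend(check_run_entry(line, body))
        elif kind == "O14":
            o = O14_RE.match(body)
            if o:
                reset = (line, urlparse(o["url"]).hostname)
        elif kind == "O16":
            o = O16_RE.match(body)
            if o:
                host = urlparse(o["url"]).hostname or ""
                if not host_trusted(host, TRUSTED_DPF_HOSTS):
                    findings.append(("medium", line, f"ActiveX download from unrecognised host {host}"))
    if reset and start_host and reset[1] != start_host:
        findings.append(("high", reset[0], f"IERESET.INF points at {reset[1]} while the current "
                         f"start page is {start_host}; IE's 'Reset Web Settings' would restore the hijacker's page"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {line}\n    {reason}")
```

    On the sample above this flags exactly the three entries the helper picked out (ms32.exe, NDrv.exe and the IERESET.INF line) and leaves SoundMan, AVG, RealPopup and the Windows Update control alone. The flags are leads, not verdicts: the next step is the one Marianna suggests for AdmSrvc.exe, locating the file on disk and checking its properties, since a Run entry only tells you what is launched, not what it is.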
     
  8. mattsterrr

    mattsterrr Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    5
    Hi, Marianna

    I don't have a clue what AdmSrvc is.

    And bbc is the correct homepage.

    Just to let you know, the bugger was there again this morning despite being conspicuous in its absence yesterday.
     
  9. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    So we're both clueless about this one: AdmSrvc? Maybe right-click on it and look under Properties?

    Check O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
    in HJT and click "Fix checked"

    Reboot

    Better now?
     