Hello all, as said in my title, i’m goin on 12 hours straight of tryin to figure out how to get this friggen spyware off of my computer! >:( I’ve searched the “Advice&Tools for virus…” thread at the top of this topic list and used the info there. I’ve also searched a few other topics and can’t seem to get these viruses that keep popping up on my system gone for good:
1. Win32: Trojan-gen
2. Win32: Ad-Agent
3. Win32: Oneclick-B
4. Win32: Trojano-857
5. Win32: Indown
6. Win32: Trojano-950! :-\
I’m the type to figure things out myself and have a little experience w/ both software problems and very little in anti-virus/spyware removal but have successfully accomplished removal of both w/ some 2nd hand advice. Well after spending a couple of hours alone in safe mode running what seemed to be the best spyware removal tools, Avast home ed. 4.5, and removing registry startups, I’m just lost as to what to do next.
By the way, the problems I’m having are that 2 msgs come up in IE (i use firefox normally). One says somethin about havin to d/l some software and only option is to click yes (can’t close box or end task), and the other is: “Is your computer infect with spyware?”. You can only click ‘yes’ or ‘no’ and i did neither so it just sits there until it decides to popup some random sites on IE, and that’s w/ my pop-up blockers on!!! ???
Anyways, sorry for long post i’m very distressed, so here’s my hijackthis.log: Can someone plz help me? :-\
Logfile of HijackThis v1.99.1
Scan saved at 6:10:21 AM, on 2/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Thanks for the quick reply! Sorry I didn’t mention it, but I’ve done all those things. Got SP2, the whole nine…except that I didn’t check a burned music cd i made around 10 or so hours ago, but it’s left my PC about 2 min after it went in. What did I do wrong? Lack of sleep…did i leave out any more important info.? Sorry, and again thanks! :-[
This is (part of) the result of my HJT log analyzer:
CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:
You are using the latest version of HijackThis.
You are using the latest version of Internet Explorer.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.
THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
r1 - hkcu\software\microsoft\internet explorer\main,search page = c:\windows\blank.htm
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = about:blank
r3 - default urlsearchhook is missing
o2 - bho: (no name) - {b75f75b8-93f3-429d-ff34-660b206d897a} - c:\windows\system32\boln.dll
o2 - bho: (no name) - {c7cb7747-b60a-21fe-33c9-e3e479112a67} - (no file)
o4 - hklm..\run: [systems restart] rundll32.exe boln.dll, dllregisterserver
o15 - trusted zone: *.admin2cash.biz
o15 - trusted zone: *.finefind.nettraffic2cash.biz
o15 - trusted zone: *.private-dialer.biz
o15 - trusted zone: *.private-iframe.biz
o15 - trusted zone: *.awmdabest.com (hklm)
o15 - trusted ip range: 206.161.125.149
o15 - protocoldefaults: ‘http’ protocol is in trusted zone, should be internet zone
o15 - protocoldefaults: ‘http’ protocol is in trusted zone, should be internet zone (hklm)
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1094079324453
o16 - dpf: {a3009861-330c-4e10-822b-39d16ec8829d} (cravonline object) - http://www.ravantivirus.com/scan/ravonline.cab
o23 - service: avast! mail scanner - unknown owner - c:\program files\alwil software\avast4\ashmaisv.exe" /service (file missing)
o23 - service: creative service for cdrom access - creative technology ltd - c:\windows\system32\ctsvccda.exe
o23 - service: epsonbidirectionalservice - unknown owner - c:\program files\epson\esm2\eebsvc.exe
o23 - service: xcikbwpspvot (faddwtbp6) - unknown owner - c:\windows\system32\skmozzlj6.exe (file missing)
o23 - service: trend micro personal firewall (pccpfw) - trend micro incorporated. - c:\program files\trend micro\internet security\pccpfw.exe
o23 - service: trend nt realtime service (tmntsrv) - trend micro incorporated. - c:\program files\trend micro\internet security\tmntsrv.exe
o23 - service: trend micro proxy service (tmproxy) - trend micro incorporated. - c:\program files\trend micro\internet security\tmproxy.exe
o23 - service: x10 device network service (x10nets) - unknown owner - c:\progra~1\atimul~1\remctrl\x10nets.exe (file missing)
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
Nothing found.
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
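A small triage pass over HijackThis entries like those in the analyzer output above, as an added example that is not part of the thread or the poster's analyzer. The rules are assumptions chosen for illustration (unnamed or orphaned BHOs, rundll32 autostarts, Trusted Zone additions, services with an unknown owner or a missing file); the sample lines are copied from the output above.

```python
import re

# Entries copied from the analyzer output posted above.
SAMPLE = r"""
o2 - bho: (no name) - {b75f75b8-93f3-429d-ff34-660b206d897a} - c:\windows\system32\boln.dll
o2 - bho: (no name) - {c7cb7747-b60a-21fe-33c9-e3e479112a67} - (no file)
o4 - hklm..\run: [systems restart] rundll32.exe boln.dll, dllregisterserver
o15 - trusted zone: *.private-dialer.biz
o15 - trusted ip range: 206.161.125.149
o23 - service: creative service for cdrom access - creative technology ltd - c:\windows\system32\ctsvccda.exe
o23 - service: xcikbwpspvot (faddwtbp6) - unknown owner - c:\windows\system32\skmozzlj6.exe (file missing)
"""

# A HijackThis entry starts with a section code (R1, O2, O23, ...) then " - ".
ENTRY = re.compile(r"^([a-z]\d+)\s+-\s+(.*)$", re.IGNORECASE)

def triage(line):
    """Return (section, reasons) for one entry, or None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.group(1).upper(), m.group(2).lower()
    reasons = []  # illustrative heuristics (assumptions), not HijackThis's own logic
    if section == "O2" and "(no name)" in body:
        reasons.append("unnamed BHO")
    if section == "O2" and body.endswith("(no file)"):
        reasons.append("orphaned BHO registration")
    if section == "O4" and "rundll32" in body:
        reasons.append("autostart launches a DLL via rundll32")
    if section == "O15":
        reasons.append("site or address added to Trusted Zone")
    if section == "O23" and "unknown owner" in body:
        reasons.append("service owner reported as unknown")
    if section == "O23" and body.endswith("(file missing)"):
        reasons.append("service points at a missing file")
    return section, reasons

def report(text):
    """Triage every line of a log; keep only entries with at least one reason."""
    flagged = []
    for line in text.splitlines():
        result = triage(line)
        if result and result[1]:
            flagged.append((line.strip(), result[1]))
    return flagged

if __name__ == "__main__":
    for entry, reasons in report(SAMPLE):
        print("; ".join(reasons), "<-", entry)
```

Entries that match no rule, such as the Creative service line, are left for manual review rather than marked clean.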
Well I did everything, even got into a System Information folder while in safe mode that was being hidden. I had to change access to it even tho i was logged in as administrator. I was so desperate to get rid of everything that I think i deleted some settings b/c once I logged back on under my regular user (not admin, i haven’t been logged in as admin for months) it looked like my old admin settings. I tried to log in as admin and it said i didn’t have permission, or whatever…I’m sure i can fix that by getting into safe mode. What’s drivin me crazy tho is that I’ve got all those viruses back and seems like a few more now. WHAT’S GOIN ON??? avast keeps poppin up w/ new or the same replicated viruses every 5-10min, it’s so annoying. I keep moving them and I’m lost as to what to do, or if i’ll ever get rid of em. :-\ Here’s the latest Hijackthis list in hopes that someone can plz tell me why nothin seems to work: ??? ???
Logfile of HijackThis v1.99.1
Scan saved at 1:28:28 PM, on 2/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
btw, it’s still taunting me w/ that “Is your computer infect with spyware?” message that only gives me a ‘yes’ or ‘no’ answer. no way to delete or close it unless i can figure out which task to end. ARGH plz help!!! :o
I’m literally exhausted and flat out shocked at how stubborn these viruses are, I’m gonna go get some sleep and check back later. It’s now spreading to other areas of the hdd that it didn’t goto b4 so it’s best that I go now to stop the bleeding. Btw, if it helps, I cleared out all the registry stuff in the startup, followed all the instructions on your link, and even manually deleted left other junk files (exes) from the folders that were giving me problems all in safe mode. I also ran avast’s scheduled boot scan (b4 windows load up), so I’m at a complete loss as this is the 2nd time i’ve done this except I got into the “System Volume Information” folder this time and deleted most files cept the dlls from the past few days. I also changed my hosts like you suggested the 2nd time round. Again thanks in advance for anything you can do to help. I hope this isn’t something that’ll spread too quickly b4 i can fully remove it or crash my pc.
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
Nothing found.
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
o4 - global startup: corecenter.lnk = c:\program files\msi\core center\corecenter.exe
btw, it's still taunting me w/ that "Is your computer infect with spyware?" message that only gives me a 'yes' or 'no' answer. no way to delete or close it unless i can figure out which task to end. ARGH plz help!!
This sounds like adware to me, click on the link in Eddy’s signature (See a post by eddy above) and follow the malware removal instructions.
After that redo the hijackthis log and post back here please.
Hi all, thanks again for the help. Yeah I downloaded all the patches and yes I did disable system restore (it was disabled already), but i didn’t enable it defaulted that way. Does enabling make a difference? Other than that I’ve done everything suggested on this topic and to the letter. I’m no slouch @ computers, even tho i’ve only been usin XP, which is my first NT base PC for almost a year. I don’t know what else to do…I can keep scannin and removin junk, but if it keeps comin back I’ve got to try somethin else. :-\ Please help, typin between pop-up windows and movin viruses that come back is so annoying.
That means you have downloaded a toolbar that is infected with malware.
It may be this happened without you noticing it.
Make sure to set your browser to NOT install anything without specifically giving permission.
Have a look HERE for security settings.
After you have done so, follow the procedure in the malware removal section again.
Those instructions have never failed to solve a problem like this unless the user didn’t follow them correctly or if the user allowed the system to become infected again.
Okay will do. I’ve gotten a lot more sleep this time and I’m so motivated I’m about to fdisk the whole thing if this doesn’t work, lol. I’m confident in you all so thanks again. I’m gonna get started, and I’ll probably be back in a few hours to update you on the results. Btw, neither CWShredder or Bazooka found anythin in safe mode after running them both at least 3 times each. Also, Spywareblaster seems to not be working or is getting manipulated b/c when i “set recommended values” (in safe mode), then come back to it, it says it keeps resetting, this may be b/c i haven’t adjusted the settings tho. I’ll make sure to do that now. One more thing before I go, do i need to click ALL those links that you have, I mean those like 20, 30 somethin at the bottom of your page? if that’s the case, then yeah I really just scratched the surface. :-\ Like I said, i’ve gotten a lot more sleep and am ready to tackle this thing. Thanks again!
No need to click on the links at the bottom, except perhaps to visit the HijackThis section for help on that.
Just follow the 9 steps. And running those applications in safe mode isn’t the way. Many things are not loaded when booting into safe mode and can remain unseen by the ‘scanner’ applications.
Oh I see! :o Whoa, the state of software and security is pretty poor. I used to own McAfee office around 1999 which took care of most of this stuff. I guess Norton might be the way to go nowadays. Anyways I’m d/l-ing Microsoft Office updates now. I guess I haven’t had to upgrade my pc that much lately that I’ve been missing the obvious. I’m also taking in the info from your site, thanks. Btw, that Trend Micro Internet software/firewall came with my motherboard/computer, so probably not much use for it as it’s one of those try for so and so days then buy. Ummmm sorry I’d rather get zonealarm, heh. Btw, is there a way to make sure I’ve gotten rid of everything in my task manager that shouldn’t be there? Like a link that tells you what Processes should or can be run w/o anything else interfering before I do these additions? Back in the day (man i miss win98 now) all I needed was Explorer and maybe Systray, for example. Thanks again for putting me into this century of security, lol. I’ll make sure to keep you updated on the situation as I continue to secure and change these default paper-security settings. >:(
Well looks like I’ve made a lot of progress today, possibly even am close to completely eliminating this problem. One thing that’s troubling me now tho is even tho I’m loggin on as usual (same user name) to Windows, I can’t log on as Administrator, and when I try to do it gives me this message: “Unable to log you on because of an account restriction.” I’m pretty lucky because I am able to activate my hardware base nvidia firewall that came with my motherboard. Didn’t even realize i had it b/c i had to d/l NVIDIA’s drivers instead of my mobo’s manufacturer’s. ??? Who knows, after all these settings changes and loopholes, i don’t know if i can trust another default setting, lol. Anyways here’s my latest hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:15:22 AM, on 2/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Thanks again for all the help!!! So far so good, ;D Now if i can only get my original settings/links back in windows, i’m just guessing it’s got somethin to do w/ me not being able to log on as administrator.
nm trojan’s just came back, >:( avast picked em up, then i moved em to chest, blah blah blah. I’m gonna scour those 2 websites to work on securing my software then try these scans all over again, sigh. :-\