#1
Hi,
Here's my problem, and I am at my wits end, so I hope to find some suggestions on my favorite forum. In a nutshell, my husband turned off our popup stopper. My teenager then got on the computer and hit some cheat code sites for his xbox, which of course are loaded with popups. So then Zone Alarm pops up with a zillion "Do you want blah, blah, blah to access the internet?". Which of course, he responds "yes" to every one, thereby loading up our once happy Windows XP with hundreds of lovely little spywares. {sigh} We have tried everything to try and get this stuff off our PC. Obviously we've used Spybot and AdAware, but the stuff just keeps coming back. We've looked at the registry, reconfigured Zone Alarm and Norton, etc. etc. We can't use the browser anymore (IE or Mozilla) because it just redirects us to some ad / porn site. Am I at a point where I need to do a Windows re-install, reformat of the motherboard, or what?? Any suggestions would be GREATLY appreciated. Thanks so much, ~Snow

#2
(^^; (Clean installation highly recommended, as pure as SnowWhite.)
Any anti-virus/anti-spyware can be disabled by an anti-anti-spyware/virus (i.e. a real Trojan) executed with administrator rights. Clean-install Windows and disable Automatic Update. Disable all scripts and ActiveX controls. Use a browser that can disable scripts with an easy interface. If you want to try to remove the spyware by all means, post a HijackThis log to the Antivirus Forum.

#3
Have you tried posting a HijackThis log in the Anti-Virus forum?
I'd give that a wee try first before you go re-formatting and re-installing Windows again!
__________________
The No Ma'am commandments: 1.) It is O.K. to call hooters 'knockers' and sometimes snack trays 2.) It is wrong to be French 3.) It is O.K. to put all bad people in a giant meat grinder 4.) Lawyers, see rule 3 5.) It is O.K. to drive a gas guzzler if it helps you get babes 6.) Everyone should car pool but me 7.) Bring back the word 'stewardesses' 8.) Synchronized swimming is not a sport 9.) Mud wrestling is a sport

#4
If you do end up with a fresh Windows install, look into different user groups to prevent others from doing things you don't want them to do w/o you knowing.
__________________
# Jeremy Explain your problem instead of asking how to do what you decided was the solution.

#5
Run a few spyware removers. I recommend Spybot Search & Destroy and Lavasoft Ad-Aware.
Full scan and remove all the viruses, cookies and whatever it may find. If still hijacked, clean out all your browser caches, plugins and objects, then re-install your browsers.
__________________
"Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristin Wilson, Nintendo, Inc., 1989.

#6
Run a virus scan as well.
Get the Microsoft AntiSpyware program, which seems to find stuff that Spybot and Ad-Aware miss.
__________________
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain

#7
Thread moved from Windows Help to Antivirus Protection.

#8
What's your status now?
__________________
Nigel ..Seeking code free nirvana... Nigel Fernandes Blog Never argue with fools. They will bring you down to their level and beat you with experience. Manchester United Forever

#9
Hi, and thanks for your suggestions.
Status as of today: Have run Ad-Aware, Spybot, virus check, Trojan Remover, disabled scripts in browser. Haven't uninstalled/reinstalled anything yet. Things seem to be better after running all of these things, but if we have to restart or shut down - we're right back where we started. So, does this mean it's living in the registry somewhere? I've only done one reinstall of Windows in my geek career - and that was Windows 98. So, after uninstalling Windows, I need to reformat the hard disk and then reinstall, correct? Is this a surefire way of killing any sneaky little bugs that may be deeply embedded? Want to make sure that I'm truly starting fresh. Thanks so much - and thanks to edwinbrains for moving my post over to this Forum. ~Snow

#10
Hi SnowWhite,
Please download HijackThis. Make sure you install HijackThis to a permanent folder such as C:\HJT as it creates backups of what we will fix. Run the program, click the button at the top "Do a system scan and save a logfile". Save the log to a convenient place such as C:\HJT. Notepad will open; copy and paste the entire log into your post. Do not fix anything yet, most of what's in the log is needed!

http://www.majorgeeks.com/download3155.html

Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!

#11
Hi again ~
Here are the results of my HijackThis scan - I really appreciate the help!!

Logfile of HijackThis v1.99.1
Scan saved at 7:05:56 PM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\unuzpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yc...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [C-Media Mixer] NOT_Mixer.exe /startup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "NOT_C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\unuzpr.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [audiodev] NOT_C:\WINDOWS\System32\audiodev.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yah.../ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\h84m0ih1e84.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12
You appear to be infected with Virtumundo/VirtuMonde.

If you have any questions, please don't hesitate to ask. I'd like you to download and run Symantec's VirtuMonde Removal Tool: http://securityresponse.symantec.co...er/FixVundo.exe

Follow these steps to download and run the tool:
1. Download the FixVundo.exe file.
2. Save the file to a convenient location, such as your Desktop.
3. Close all the running programs.
4. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
5. Double-click the FixVundo.exe file to start the removal tool.
6. Click Start to begin the process, and then allow the tool to run. Do not launch any new applications while the tool is running!
7. Restart the computer.
8. Run the removal tool again to ensure that the system is clean.
9. Purge System Restore with the directions below:
   1. Right-click My Computer, and then click Properties.
   2. Click the System Restore tab.
   3. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
   4. Click Apply.
   5. This will delete all existing restore points. Click Yes to do this.
   6. Click OK.

Reboot.
   1. Right-click My Computer, and then click Properties.
   2. Click the System Restore tab.
   3. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
   4. Click Apply.
   5. Click OK.

Create a new Restore Point: Start > All Programs > Accessories > System Tools > System Restore > tick Create a Restore Point > Next > enter a name for the Restore Point Creation (Today, Removed Spyware, etc.) > Create > Close. The date and time will automatically be added.

Next... Let's do some more cleaning up:

Download Ad-Aware SE Personal Edition version 1.05 from: http://www.lavasoft.de/support/download/
Run Ad-Aware, click the "Check for Updates now" link. Install the latest reference file. Perform a full system scan with Ad-Aware, allow it to remove anything it finds. It may ask if it can run the next time your computer boots, allow it to do so.

Then...

Download Spybot - Search & Destroy 1.3 from: http://www.safer-networking.org/en/download/index.html
Make sure you are online, run Spybot - Search & Destroy, click the "Check for Updates now" link. Install the latest reference file. Scan and fix all items checked in RED.

Reboot and post a fresh HijackThis log.

Tom
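The log in post #11 can be pre-screened for the kinds of entries that a helper looks at first. The script below is an added example written for this thread, not code from the thread or from HijackThis: it parses entries in the format shown above, collapses the repeated O10 lines, and flags Winlogon Notify DLLs (O20), Winsock LSPs the tool could not identify (O10), and HKLM/HKCU Run entries (O4) whose label does not match the system32 binary they launch. The sample lines are copied from the log above; the rules are heuristics that mark entries for review, not a verdict.

```python
"""Triage helper for HijackThis-style log entries like those posted above (added example,
not part of this thread or of HijackThis). Rules are heuristics marking entries for review."""
import re

# Constructed sample: lines copied from the log in post #11 so the script runs offline.
# A real run would read the logfile that HijackThis saved instead.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\unuzpr.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\h84m0ih1e84.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")              # "O4 - ..." style entries
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(.+?)\] (.*)$")  # HKLM/HKCU Run entries only

def _target(command):
    """Launched path: the quoted string if the command is quoted, else its first token."""
    command = command.strip()
    return command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]

def _stem(path):
    """File name without directory or extension, lower-cased for comparison."""
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0].lower()

def triage(log_text):
    """Return {entry line: reason} for entries worth a second look; repeated lines collapse."""
    flagged = {}
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        if code == "O20":
            flagged[line] = "Winlogon Notify DLL is loaded by winlogon.exe; verify its publisher"
        elif code == "O10":
            flagged[line] = "Winsock LSP HijackThis cannot identify; a bad LSP can redirect traffic"
        elif code == "O4":
            run = RUN_RE.match(body)
            if run:
                label, target = run.group(1), _target(run.group(2))
                if "system32" in target.lower() and _stem(target) != _stem(label):
                    flagged[line] = "Run label %r does not match the system32 binary %r" % (label, _stem(target))
    return flagged
```

Running `triage(SAMPLE_LOG)` flags the KavSvc/unuzpr.exe entry, one copy each of the two unknown LSPs, and the O20 DLL, while NeroCheck, ctfmon, ZoneAlarm and the Symantec service pass.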