#1
Spyware help
Hi,
Some spyware has "invaded" my PC and although I have used Ad-Aware and Spybot, it has not all been cleaned. Actually the problem is that whenever I connect to the Internet, in the first minute of the connection a random site pops up (sometimes a "normal" site, but other times some weird one...). I have deleted much stuff that looked suspicious but the problem continues. To be more specific, an Internet Explorer window pops up with this address: http://540.filehost/randomsites/banner.aspx and after that it is redirected to another random one. Any ideas? Note: this happens once every, let's say, 20 minutes. Thanks

#2
Hi C0nfused,
Please download HijackThis. Make sure you install HijackThis to a permanent folder such as C:\HJT as it creates backups of what we will fix. Run the program, click the button at the top "Do a system scan and save a logfile". Save the log to a convenient place such as C:\HJT. Notepad will open; copy and paste the entire log into your post. Do not fix anything yet, most of what's in the log is needed!
http://www.majorgeeks.com/download3155.html
Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickies at the top of the forum before posting!

#3
Hi,
Thanks for your answer. I had forgotten to check this thread for any answers, so that's why there was such a delay in my answer. I am not sure if it's wise to post the results here. They contain, I think, IP addresses and some information about my connection. Any ideas? Thanks again

#4
It's pretty safe to post the log here. There is no information in the log that will compromise your security in any way. Besides, your IP address is given out every time you click a link on the internet. Besides, HijackThis logs do not give out your IP. Rather, they report on the current processes running on your system, and the entries in your registry it believes to be possible spyware/adware/malware.
There are plenty of other HijackThis logs posted all over the internet. It's safe. Please post your log and we will try and help you out. Besides, if you are infected, there is probably a hell of a lot more information of a much more sensitive nature going out without your knowledge to the creator of the infection.
__________________
Nigel ..Seeking code free nirvana... Nigel Fernandes Blog Never argue with fools. They will bring you down to their level and beat you with experience. Manchester United Forever

#5
OK. Here are the results. I have made some comments because some words are in my mother tongue.

Logfile of HijackThis v1.99.1
Scan saved at 5:20:00 μμ, on 18/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις (=connections)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Ραδιόφωνο (=radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel (=extract to M. Excel) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6
Thank you for the translation!
You might want to print these instructions for reference or copy and paste them into Notepad and save them on your desktop, as you will be off the internet while using HijackThis. If you have any questions before starting the fix, please don't hesitate to ask!

Right-click this link: http://www.mvps.org/winhelp2002/DelDomains.inf > select Save Link As > save it to your Desktop. Go to your Desktop, right-click the file DelDomains.inf and select Install. This will remove all entries in Internet Explorer's "Trusted Zone" and "Ranges".

Next... Log off your internet/network connection. Run HijackThis, click Scan, and place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "Fix checked". It is OK if some of these items are no longer listed.

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

These are resource hogs that can be fixed also:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Next... Boot into Safe Mode. Restart your computer and start tapping F8 when your computer first starts booting; a menu will be displayed > select Safe Mode.

Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck Hide extensions for known file types. Uncheck the Hide Protected Operating System Files option. Click Yes to confirm. Click OK.

Search for and delete the following file:
C:\WINDOWS\System32\vbsys2.dll

Reboot normally.

Next... Please download CCleaner: http://www.ccleaner.com Install the program and run it. On the Windows tab, click Run Cleaner. On the Applications tab, click Run Cleaner.

Please post a fresh HijackThis log.

Tom
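The triage Tom does by eye on the log above (the O15 Trusted Zone site, the O21 SSODL DLL loaded at logon, and the O17 name servers worth a second look) can be applied mechanically to any log in this format. This is an added example in Python, not HijackThis's or the forum's code; the sample log lines are constructed from entries posted in this thread, and the SSODL allowlist is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: a shortened HijackThis-style log built from entries
# posted in this thread (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CDB55C7-6ABC-4325-99E1-CD53028E73D6}: NameServer = 147.102.222.220 147.102.222.210
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed allowlist: ShellServiceObjectDelayLoad DLLs that ship with
# Windows XP.  Any other DLL loading at logon through O21 deserves a look.
KNOWN_SSODL_DLLS = {"shell32.dll", "webcheck.dll", "stobject.dll"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")

@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O15"
    level: str   # "fix" = remove with HijackThis, "review" = verify by hand
    reason: str
    line: str

def triage(log_text, expected_dns=None):
    """Return findings for the entry types acted on in this thread."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        kind, body = m.group("kind"), m.group("body")
        if kind == "O15":
            # Trusted Zone sites run with relaxed IE security; users rarely add them.
            findings.append(Finding(kind, "fix", "site added to IE Trusted Zone", line))
        elif kind == "O21":
            dll = body.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_SSODL_DLLS:
                findings.append(Finding(kind, "fix", f"unknown SSODL DLL {dll}", line))
        elif kind == "O17":
            # Name servers decide where every lookup goes; confirm they are the ISP's.
            servers = sorted(set(re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body)))
            if expected_dns is None or not set(servers) <= set(expected_dns):
                findings.append(Finding(kind, "review", "DNS servers " + " ".join(servers), line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level}] {f.kind}: {f.reason}")
```

Pass the ISP's resolvers as `expected_dns` to silence the O17 review note when the servers are the expected ones.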

#7
Thanks for your great help. I did what you suggested and some "bad" things have certainly been removed as there are no pop-up screens now. Here's the new log:
Logfile of HijackThis v1.99.1
Scan saved at 12:41:21 πμ, on 19/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις (=connections)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Ραδιόφωνο (=radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Excel (=extract to Microsoft Excel) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CDB55C7-6ABC-4325-99E1-CD53028E73D6}: NameServer = 147.102.222.220 147.102.222.210
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#8
Excellent work! Your final log is clean.
Because you were infected, backups of the malware may be in System Restore.

1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. This will delete all existing restore points. Click Yes to do this.
6. Click OK.

Reboot.

1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. Click OK.

Create a new Restore Point: Start > All Programs > Accessories > System Tools > System Restore > tick Create a Restore Point > Next > enter a name for the Restore Point Creation (Today, Removed Spyware, etc.) > Create > Close. The date and time will automatically be added.

Next... I don't see an antivirus program running in your log. AVG has a new, free version available, AVG7 Free Edition: http://free.grisoft.com/doc/1 Be sure to update it right away and perform a full system scan.

Also... I don't see a firewall running in your log. ZoneAlarm has a free firewall that does a good job: http://www.zonelabs.com/store/conte...reeDownload.jsp

Tom

Last edited by Tom Myboy : May 19th, 2005 at 12:35 AM. Reason: Updated AVG link

#9
I really appreciate your help, Tom. I just have one question. What exactly is a firewall? And is this free antivirus actually going to help, or will it just use resources of my system? I am asking these because many people doubt the efficiency of antivirus programs and firewalls.
Thanks again

#10
I'll try and answer these questions
A firewall is a program on your computer that is designed to protect your computer from unauthorised access over either the internet or an intranet. It's like a software sentry that guards the access to your computer both ways, going out to the internet and coming in from the internet. A good firewall keeps an eye on what programs on your computer are attempting to connect to what and where on the internet, and will alert you if it feels they are suspicious or using suspicious port numbers (usually ports numbered 1024 and below are considered safe, but a good firewall still checks for known attacks using these ports). The firewall also monitors all incoming traffic, and where it comes from. It will, as a rule of thumb, usually only allow information through that has been specifically requested by your computer (by your browser etc.). It also closes all unused port numbers. Most firewalls today have advanced features built in, like ad blocking, IP masking (that is, hiding your IP address from the internet), and the ability to confuse port scanners that are commonly used by malware and attackers. You will have to google for more information on firewalls. A really good free firewall I recommend is ZoneAlarm, available from the link in my signature (or provided by Tom above).

A free anti-virus that is really worth its salt is AVG. Avast is also an option, but this computer user prefers AVG. It does make sense to opt for a paid antivirus. The free versions are pretty effective for most home needs and purposes, but you will not get the full set of features that you get with a paid version. If you intend this for a home system and do not have extremely valuable data on your PC, I think a free antivirus will suffice. It is worth it to have an antivirus and firewall combo running. Most of them use insignificant resources on your computer as compared with the benefits they provide. If it is a real issue, only turn them on when your internet connection is active.

Please note I say active! If you have cable internet and you decide to turn off your firewall and antivirus, make sure you disable the internet connection before. Likewise with broadband and dial-up.

Cheers

I've posted a bit more information on firewalls below just for a bit of general knowledge.

Quote:
A firewall is considered a first line of defense in protecting private information

#11
Excellent post oneMSBi!
A very well thought out description! I'd rep you, but I'm all out of reps for you right now! Somebody proxy rep this guy! Tom

#12
Hi C0nfused,
Zone Alarm and AVG both have a very small footprint (they use very little resources). They seem to work well together.

These are tools that will help keep you from getting infected again:

SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous sites in Internet Explorer.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
http://www.wilderssecurity.net/spywareguard.html

Google Toolbar is an excellent, free pop-up blocker.
http://toolbar.google.com

Consider switching to Firefox. It is much safer than IE.
http://www.mozilla.org/products/firefox/

IE-SPYAD puts over 4000 sites in your Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
http://mvps.org/winhelp2002/hosts.htm

All are very small free programs. Occasionally check for updates.

Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".
http://windowsupdate.microsoft.com/

Please take a minute to read: So how did I get infected in the first place?
http://forums.net-integration.net/i...?showtopic=3051

Also, if you take the time to check over this Home Computer Security guide from CERT and follow its guidelines, you will have far fewer computer problems:
http://www.cert.org/homeusers/HomeComputerSecurity/

Tom

#13
Thank you guys for your great answers. You are very helpful. I really appreciate that!