Yesterday I made the unfortunate mistake of opening a bad exe and I got flooded with trojans and things like Virus-Busters and WinAntiVirus Pro etc. I took care of most of that stuff with some info on another site but now I am busy battling these horrendous pop-ups from heavy.com, STOPzilla, and searching for anything on Google is a joke: you find the site you want to go to and clicking on it just prompts ANOTHER lesser search site trying to find what you want but sending you to shopping sites and basically sending me in circles. I also can't check my mail so I had to download Mozilla just for that.
I did a scan with HijackThis and this is what I came up with.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\{3CAE5751-07D4-1033-0330-060221060001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\SSTEM3~1\winspool.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\W?nSxS\c?rss.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\FlashGet\flashget.exe
C:\Downloads\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=gzcDwIZ4YTF_Mt9gXDLfJSh4VbU
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: (no name) - {F41D3F47-8AFF-8E7A-8FAD-A428E0753197} - C:\WINDOWS\system32\rjudpk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\axxrtvdx.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E025A7B7-ED73-4E0F-B8ED-7129381E0E50} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O2 - BHO: (no name) - {F41D3F47-8AFF-8E7A-8FAD-A428E0753197} - C:\WINDOWS\system32\rjudpk.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\SSTEM3~1\winspool.exe" -vt tzt
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\

I used both Ad-Aware and Spybot S&D and they continuously found new spyware; I had also gone into safe mode and run both of the spyware protectors. It seemed like the spyware just reinstalled itself onto the PC right after Ad-Aware and Spybot had gotten RID of them.
And I've been using Norton AntiVirus to get rid of the Trojans etc. Also, to answer your question why these things were even allowed onto the PC in the first place: Norton was mysteriously disabled ("no idea on that one") and the second I turned it on it spotted the Trojans and deleted them.
So you say I should get rid of Winspool, C?rss.exe and these ipv6mons.dll and rjudpk.dll? I won't until you confirm this. Once fixed/deleted I will redo a scan with Norton, Ad-Aware and Spybot.
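The suspicious items in the log above can be picked out by eye once you know the patterns a helper looks for. As an added example (my own code, not anything from this thread, its posters, or the HijackThis tool), here is a small Python script that splits a flattened log paste back into entries and applies those checks: unnamed URLSearchHooks and BHOs, entries whose file is missing, a `?` in a path (HijackThis shows `?` for characters it cannot display, which is how look-alike names usually surface), executables started from a subfolder of system32, a file name one character away from a core Windows process, and one CLSID registered in two sections. The sample entries and process paths are copied from the post's log; the list of core process names and every heuristic are my assumptions, and a hit marks an item to look at, not a verdict.

```python
import re
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample: a handful of entries copied from the log in the post
# above, in the flattened single-line form it arrived in. Backslashes are
# doubled only because this is a Python string literal.
SAMPLE_ENTRIES = (
    'R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - '
    'C:\\Program Files\\AOL\\AOL Toolbar 2.0\\aoltb.dll '
    'R3 - URLSearchHook: (no name) - {F41D3F47-8AFF-8E7A-8FAD-A428E0753197} - '
    'C:\\WINDOWS\\system32\\rjudpk.dll '
    'O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - '
    'C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll '
    'O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - '
    'C:\\WINDOWS\\system32\\ixt0.dll (file missing) '
    'O2 - BHO: (no name) - {F41D3F47-8AFF-8E7A-8FAD-A428E0753197} - '
    'C:\\WINDOWS\\system32\\rjudpk.dll '
    'O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe" '
    'O4 - HKCU\\..\\Run: [Ealb] "C:\\WINDOWS\\system32\\SSTEM3~1\\winspool.exe" -vt tzt'
)
SAMPLE_PROCESSES = (
    'C:\\WINDOWS\\System32\\smss.exe C:\\WINDOWS\\system32\\winlogon.exe '
    'C:\\WINDOWS\\system32\\SSTEM3~1\\winspool.exe C:\\WINDOWS\\system32\\W?nSxS\\c?rss.exe'
)

# Core Windows binaries whose names malware likes to imitate (assumed list).
SYSTEM_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}

ENTRY_SPLIT = re.compile(r"\s+(?=[RO]\d{1,2} - )")      # "R3 - ...", "O2 - ..."
PROCESS_SPLIT = re.compile(r"\s+(?=[A-Za-z]:\\)")        # one path per process
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
NAME_RE = re.compile(r"(?:URLSearchHook|BHO|Toolbar): (.*?) - \{")
SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\")


def split_entries(flat_text):
    """Recover one HijackThis entry per item from a flattened forum paste."""
    return [e for e in ENTRY_SPLIT.split(flat_text.strip()) if e]


def parse_entry(entry):
    """Pull the section code, display name, CLSID and file path out of one entry."""
    code, _, rest = entry.partition(" - ")
    name, clsid, path = NAME_RE.match(rest), CLSID_RE.search(rest), PATH_RE.search(rest)
    return {
        "code": code,
        "name": name.group(1) if name else None,
        "clsid": clsid.group(0).upper() if clsid else None,
        "path": path.group(0) if path else None,
        "file_missing": "(file missing)" in rest,
        "raw": entry,
    }


def path_findings(path):
    """Heuristics on one file path; each is a reason to look closer, not a verdict."""
    reasons = []
    lower = path.lower()
    directory, _, filename = lower.rpartition("\\")
    if "?" in lower:
        # HijackThis prints "?" for characters it cannot display, so a "?" in a
        # system-looking name usually means a look-alike spelled with odd characters.
        reasons.append("undisplayable character in path (look-alike name)")
    for sysname in SYSTEM_PROCESSES:
        # "?" is a single-character wildcard to fnmatch, so c?rss.exe matches csrss.exe;
        # an exact name in a real system directory is left alone.
        if fnmatch(sysname, filename) and (filename != sysname or directory not in SYSTEM_DIRS):
            reasons.append("mimics a core Windows process name")
            break
    if SUBDIR_RE.search(lower):
        reasons.append("executable launched from a subfolder of system32")
    return reasons


def analyze(entries_text, processes_text):
    """Return (item, reason) pairs for everything in the log worth a second look."""
    findings = []
    sections_by_clsid = defaultdict(set)
    for e in (parse_entry(x) for x in split_entries(entries_text)):
        reasons = []
        if e["name"] == "(no name)":
            reasons.append("unnamed hook/BHO")
        if e["file_missing"]:
            reasons.append("registry entry points to a missing file")
        if e["path"]:
            reasons += path_findings(e["path"])
        if e["clsid"]:
            sections_by_clsid[e["clsid"]].add(e["code"])
        findings += [(e["raw"], r) for r in reasons]
    # One CLSID registered as both a URLSearchHook and a BHO is a common hijacker
    # pattern; legitimate toolbars tend to use a distinct CLSID per role.
    for clsid, codes in sections_by_clsid.items():
        if len(codes) > 1:
            findings.append((clsid, "same CLSID registered in sections " + ", ".join(sorted(codes))))
    for proc in PROCESS_SPLIT.split(processes_text.strip()):
        findings += [(proc, r) for r in path_findings(proc)]
    return findings


if __name__ == "__main__":
    for item, reason in analyze(SAMPLE_ENTRIES, SAMPLE_PROCESSES):
        print(f"{reason:<55} {item}")
```

Run against the sample, the script leaves the AOL, Adobe and Symantec entries alone and reports the unnamed rjudpk.dll hook, the missing ixt0.dll, winspool.exe in its short-name subfolder, the c?rss.exe process on all three path checks, and the CLSID that rjudpk.dll registers in both R3 and O2. To use it on a fresh paste, replace the two sample strings with the "Running processes" block and the R/O entries from the log.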
Did you have system restore off when you ran the scans?

I turned off system restore, and it seems that the spyware still gets reinstalled over and over again. I need to find a way to stop this soon because the list of stuff it finds is growing. Also today Norton found 3 different trojans on different occasions within one hour. This is looking pretty grim. And I don't want to install Panda because I will have to uninstall Norton for it to work. And I dunno if I can find the Norton disk to reinstall.

Running another AV program will not break Norton...the scans that were suggested are online scans.

Ok, an update, I just downloaded AVG and went into safe mode, unplugged my internet connection and ran it. This is what it found and quarantined:
Adware.Softomate
Trojan.Small
Downloader.Nurech.m
Downloader.IstBar
Trojan.Mezzia
Downloader.TSUpdate.j
Downloader.TSUUpdate.o
Worm.Banwarum.f
Downloader.PurityScan.co
After this I ran Spybot and Ad-Aware and found minimal problems.
THEN I got out of safe mode and did a HJT scan, hopefully this will SHED some light on things. Lemme know if you want me to POST the log.

Would probably be a good idea, then we can see what's left over.
Chris