Persistent spyware attack

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps below:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

HJT logs must be posted from normal boot mode. I will look at this current log but we may not get everything fixed this way.

Download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {6017D482-C3A3-0C05-8359-2EF6BAA8EFEB} - AppMasterCenter.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

After clicking Fix, exit HJT.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

I'm back! The Startuplist log did not show anything.

Did you uninstall Ewido & MS AntiSpyware as BJ requested?

Use Windows Explorer to look for the below files and tell me if found. Make sure viewing of hidden files is enabled.

c:\windows\system32\hclean32.exe
c:\windows\system32\ntfsnlpa.exe
c:\windows\system32\rdsndin.exe

 

If Ewido was finding those files after reboot, why would they not be present now since Ewido is uninstalled. Did you check after uninstalling Ewido and then rebooting?

Post a new HJT log too.

 

It could be possible. Try downloading and using the following tool. It is very useful for things like this and even shows files in C:\windows\Downloaded Program Files which Windows Explorer will not show. ExplorerXP

Let me know if it finds anything. Is McAfee still finding rdsndin.exe?

What do "security centre popups" look like and what do they say?

 

If you boot in safe mode, does this popup still occur?

If you boot in either safe mode or normal boot mode, but have no physical connection (unplug cable) to the internet does it appear? When does it appear? Does it come up immediately after reboot or after you run some particular program (like IE)?

Windows Security Center is part of Windows XP SP2. See the below for more info on it:

http://www.theeldergeek.com/security_center.htm

 

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixit.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixit.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes

Also look again for any of the below files and delete them. Let me know if you find any of them:
C:\WINDOWS\SYSTEM32\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM32\RDSNDIN.EXE
C:\WINDOWS\RDT.INI
C:\WINDOWS\SYSTEM32\HCLEAN32.EXE
C:\WINDOWS\BALLOON.WAV or C:\WINDOWS\BALOON.WAV

Now reboot your PC.

Hijackthis will run just before windows. Have it do a scan and have it fix the below items if present. If not, present just exit HijackThis.
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\HCLEAN32.EXE


Download FindT.zip to the root folder of drive C

- Extract the files inside also to your root folder.
- open the "FindT" folder and run the runthis.bat file
- a text will open post the results


Now let me know where things stand.

 

Okay! But FindT show another file (in addition to the two you deleted). Find C:\WINDOWS\SYSTEM32\CSLKO.EXE

and rename the CSLKO.EXE file to CSLKO.XXX

Your HJT log shows a new problem:

O4 - HKLM\..\Run: [dmkai.exe] C:\WINDOWS\system32\dmkai.exe

Have HJT fix that line and boot in safe mode and find and delete that file.

Reboot in normal mode and post a new log and also indicate how things are working.

 

Sounds good but let's see another HJT log to make sure nothing else showed up.

 

Looks good now. Now to help keep you clean, see the below:

How to Protect yourself from malware!

 

Yes! Uncheck the box to enable system restore and have restore points start creating again.

You're welcome!

 

You're welcome!

It's up to you what you want to do but for reference, my favorite charity is the American Cancer Society! I have lost a lot of friends and family to cancer.