S.O.S. - having several problems. "READ ME FIRST" steps completed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by stejampzy, Jun 11, 2005.

  1. stejampzy

    stejampzy Private E-2

    Hi! I've completed all the steps in the "READ ME FIRST" section, but haven't downloaded Hijack This! yet... I want to be sure it's the right thing to do first.

    I've been using Mozilla Firefox as my browser for around a year and have never had spyware/adware troubles until recently. For some reason, I've started to get IE pop-ups while I'm surfing in Firefox. Other issues I've been having include: Aurora pop-ups; clicksearchclick links everywhere; a blackened desktop that reads WARNING YOU'RE IN DANGER etc...; there is a blue desktop underneath the black one which says "Security Warning" and a bunch of other letters and words including VXDVMM. Also, not sure if it's related, but since it just started I assume it is: when I plug something into my USB port I get a blue desktop that tells me I need to do a memory dump. My HD is 40GB and is maybe 1/2 full... plus, I just defragged a few days ago and the issue is still there. I've been using my USB port for years and have never had a problem until recently. Finally, to my knowledge I have no firewall on my system. Is there a good free/cheap one out there to help me out?

    Thanks for any tips. You people are great and run a super-helpful site. It's nice to see people providing free help for other people. You are all to be commended. :) :) :)

    Thank you!!
    Steve
     
  2. stejampzy

    stejampzy Private E-2

    Oh, one more thing: for some reason I wasn't able to run the Symantec Security Check. It wouldn't open with my Firefox browser due to an issue with my cookie settings... I allowed it to open via my Tools>Options>Cookies but it still wouldn't. Thanks!
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  4. stejampzy

    stejampzy Private E-2

    Thanks bjgarrick! Here is my logfile. Fwiw, I'm also having issues with my Control Panel>Display. A few of the tabs are missing... not sure if it's related to my desktop hijack or not?
     

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file desktopfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the desktopfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Download the following file. After the download is complete, run the uninstaller. When the uninstall is complete, reboot and proceed with the next steps.

    Download Uninstaller


    After you complete the above, proceed with these online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After you have completed ALL of the above, proceed with this last remaining step:

    Download Ad-Aware SE 1.06

    Install and get the updated reference file. After you have got the updates, run a full system scan and remove all found infections.

    After you have completed all of the above, reboot and post a fresh HJT log.
     
  6. stejampzy

    stejampzy Private E-2

    Hi... thanks again for the help. A few things:

    -Bitdefender online scan (only for IE; I use Firefox and don't have an updated version of IE. Should I download it when prompted?)

    -RavAntivirus online scan <-- select Auto Clean then click Scan My PC (there was no button for Auto Clean, nor Scan My PC; it offered me a "browse" box to choose files from my computer but I don't know which ones to choose)

    -TrojanScan online scan (again, only for IE)

    Finally, I ran the RegEdit4 key, then rebooted. The folder/file is on my desktop... is there a better place for it? Thanks... Steve
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can remove the reg file if you have already merged it. Run the online scans in IE anyways.
     
  8. stejampzy

    stejampzy Private E-2

    OK, here is my latest log file. I ran the online scans, but 1 or 2 of them didn't have a way to remove the malware/adware/spyware although it found some.... specifically TrojanScan which found 16 items but didn't actually remove them. Things appear to be getting smoother here though. I really appreciate the help. Thanks again!
     

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    -Please download Ewido Security Suite

    - Install and get any updates!
    - Run a full scan on Local Disk C:\
    - Remove ALL found infections

    After you complete the above, reboot and post a fresh HJT log.
     
  10. stejampzy

    stejampzy Private E-2

    Here's my latest HJT logfile. Also, fwiw the desktop/control panel hijack that I initially had (which then went away) is now back. Thanks... Steve
     

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, uninstall Ewido, and disable any antivirus or antispyware programs you have installed so it will not block any of this fix.


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

    R3 - URLSearchHook: (no name) - _{AA460422-2CEF-400f-AA05-F63368E04706} - (no file)

    O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\System32\wer8274.dll (file missing)
    O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)

    O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
    O4 - HKLM\..\Run: [kntwfg] c:\windows\system32\phynnsu.exe
    O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{99663467-DD0B-4FA2-871B-FEA46068834E}\SECURITY.EXE
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Microsoft AntiSpyware helper - {C6B6BA95-27E9-4585-B41F-E72F1FE72A0E} - (no file)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C6B6BA95-27E9-4585-B41F-E72F1FE72A0E} - (no file)
    O9 - Extra button: Microsoft AntiSpyware helper - {CA80FC9A-945B-44D3-9B60-465C20A684FA} - (no file)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA80FC9A-945B-44D3-9B60-465C20A684FA} - (no file)
    O9 - Extra button: Microsoft AntiSpyware helper - {28DC386F-EA77-4BBB-8894-E31D22D8147D} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {28DC386F-EA77-4BBB-8894-E31D22D8147D} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {5379E9BA-5883-4E02-8D09-4D74B84728CD} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5379E9BA-5883-4E02-8D09-4D74B84728CD} - (no file) (HKCU)
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {71F9D5D6-E833-4317-B4BB-D8F09135806A} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {71F9D5D6-E833-4317-B4BB-D8F09135806A} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {B085DD8D-251B-4AD0-BF28-2DEC99C22A3A} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B085DD8D-251B-4AD0-BF28-2DEC99C22A3A} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {C6B6BA95-27E9-4585-B41F-E72F1FE72A0E} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C6B6BA95-27E9-4585-B41F-E72F1FE72A0E} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {C6D94285-C529-459C-973A-EED782800809} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C6D94285-C529-459C-973A-EED782800809} - (no file) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {CA80FC9A-945B-44D3-9B60-465C20A684FA} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA80FC9A-945B-44D3-9B60-465C20A684FA} - (no file) (HKCU)

    O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
    O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livephish.com/nugster/dlControl.CAB

    O23 - Service: Encompass Server (EncompassServer) - Unknown owner - C:\Program Files\Encompass\EncompassServer.exe (file missing)
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NEXT:
    Run CCleaner

    NOW:
    Navigate to and DELETE the following if they should remain:

    (Only delete the EXACT filenames below, nothing else)

    C:\WINDOWS\System32\Services <-- Delete this whole folder if it exists!

    C:\WINDOWS\System32\spoolsrv32.exe

    C:\WINDOWS\System32\phynnsu.exe

    C:\WINDOWS\System\blank.htm

    C:\WINDOWS\drexinit.dll

    C:\WINDOWS\Web\desktop.html

    C:\wp.exe

    C:\wp.bmp

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
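The fix list above is a hand triage of a HijackThis log: orphaned entries marked "(file missing)" / "(no file)", a hijacked IE start page, a proxy setting, and autoruns launched from the drive root or System32 under made-up names. The following script, added here as an illustration and not code from the thread or from MajorGeeks, applies those same checks mechanically to HJT-style lines. The sample log, the trusted start-page hosts and the short list of known system binaries are all constructed assumptions for the example; a real triage would use a fuller allowlist.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Constructed sample: a handful of HijackThis-style lines modelled on the ones
# quoted in this thread (not a complete log). The header line is included to
# show that non-entry lines are skipped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\drexinit.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\System32\wer8274.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [kntwfg] c:\windows\system32\phynnsu.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# Assumed allowlist of start pages a home user would plausibly have set on purpose.
TRUSTED_START_HOSTS = {"www.msn.com", "www.google.com", "about:blank"}

# Autoruns whose binary sits directly in one of these directories get flagged,
# unless the file name is on the (assumed, deliberately short) system allowlist.
WATCHED_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32"}
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "explorer.exe", "rundll32.exe"}

# "R0 - ..." / "O4 - ..." entry lines; everything else in the log is ignored.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in an executable/library extension.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|com))', re.IGNORECASE)


@dataclass
class Entry:
    code: str                 # HJT section, e.g. "R0", "O4", "O23"
    body: str                 # text after "R0 - "
    path: str = ""            # extracted binary path, "" if none
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Turn HJT log text into Entry objects, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body, pm.group("path") if pm else ""))
    return entries


def triage(entry: Entry) -> List[str]:
    """Apply the same checks a helper does by eye; returns a list of flag names."""
    flags = []
    body = entry.body
    if "(file missing)" in body or "(no file)" in body:
        flags.append("orphan")  # registry reference whose target is already gone
    if entry.code == "R0" and "Start Page" in body:
        url = body.split("=", 1)[1].strip()
        host = urlparse(url).netloc or url
        if host not in TRUSTED_START_HOSTS:
            flags.append("start-page-redirect")
    if entry.code == "R1" and "ProxyServer" in body:
        flags.append("proxy-set")  # a proxy the user did not configure routes all browsing
    if entry.code == "O4" and entry.path:
        directory, _, name = entry.path.lower().rpartition("\\")
        if directory in WATCHED_DIRS and name not in KNOWN_SYSTEM_BINARIES:
            flags.append("autorun-in-system-dir")
        if "runonce" in body.lower():
            # RunOnce values delete themselves after one boot; one that keeps
            # coming back (as in this thread) means something is re-creating it.
            flags.append("runonce")
    if entry.code == "O2" and "(no name)" in body:
        flags.append("unnamed-bho")  # legitimate BHOs normally carry a name
    return flags


def triage_log(text: str) -> List[Entry]:
    entries = parse_log(text)
    for e in entries:
        e.flags = triage(e)
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(triage_log(SAMPLE_LOG)):
        print(f"{e.code:4} {', '.join(e.flags):32} {e.body}")
```

Run against the sample, the script flags eight of the nine entries and leaves the RealPlayer scheduler alone; the two "orphan" hits are cleanup rather than active infection, which matches how the thread treats the leftover O23 services.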
     
  12. stejampzy

    stejampzy Private E-2

    OK, I ran the fix in HJT but I think I missed some files. When I rebooted into Safe Mode I didn't see any place to enable the "Viewing of Hidden Files & Folders". When I did the Safe Mode scan there were a few items from my latest logfile which were not found. Also, two of the items that I "fixed" are still appearing -- the two O23 items for Encompass and iPod.

    Also, I found C:\WINDOWS\System32\Services but it wasn't technically a "folder".... it was one of the pictures which looks like 2 gears. I didn't delete because I wanted to be sure it was the right thing to delete.

    Here is my latest logfile. Lmk if I need to do something different. THANKS!!
     

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, delete that!

    It doesn't appear you did anything in my last fix.

    Run the fix again, but this time do it normal mode.
     
  14. stejampzy

    stejampzy Private E-2

    Ok, I did the HJT fix in normal mode and it seemed to work much better than it did in safe mode. There are still 4 line items that keep reappearing even after I fixed them:

    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

    O23 - Service: Encompass Server (EncompassServer) - Unknown owner - C:\Program Files\Encompass\EncompassServer.exe (file missing)
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

    Otherwise, everything else seems to be running smoothly. Here is my latest logfile.

    Do you have recommendations for a firewall or anything else that my computer might be lacking? Are there certain types of websites which seem to provide more adware/spyware than others? Or is it random?

    Thanks again bjgarrick for all your help! Have a great day! :)

    Steve
     

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download
    Pocket KillBox
    (Don't run it yet)

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\System32\spoolsrv32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. After you have rebooted and windows has loaded attach a fresh HJT log from normal mode.
     
  16. stejampzy

    stejampzy Private E-2

    Thanks again. The two items disappeared, but the two O23's still remain and I still have a blue hijacked desktop w/ "VXD VMM(01), SmitFraud, TrojanSpy, etc." and can't do much with Control Panel>Display.

    Here is my latest logfile:
     

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\wp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\wp.bmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\Web\desktop.html into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. After you have rebooted and windows has loaded attach a fresh HJT log and let me know how things are running now.
     
  18. stejampzy

    stejampzy Private E-2

    OK, so far so good. The desktop hijack is gone and Control Panel>Display is back to normal. The two O23 items still remain but they don't seem to be doing any harm as far as I can tell. Is there anything else I can/should do from here to prevent further attacks? i.e.: run Ad-Aware once per week? run CCleaner every so often? install a better firewall? Thanks again bjgarrick! You rock! :D

    HJT logfile attached.
    Steve
     

  19. stejampzy

    stejampzy Private E-2

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further Malware problems?

    For this you will need to post in the Software Forum.
     