Major Spyware Problem on slow laptop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ilya, Sep 5, 2004.

  1. ilya

    ilya Private E-2

    It seems that a DSO Exploit is somehow crushing me here when it comes to the war on spyware.

    Advertisement.com, CoolWWWSearch and various other toolbars and such are appearing on my IE explorer and draining my virtual memory. I'm using Spybot with the updated definitions as of September 5th, and it seems to clear out whatever exploits it finds other than DSO. However, after opening IE Explorer and running it again - the problems reappear. My homepage is hijacked and a search page comes up (as well as popups) if I attempt to use a search engine or submit something in Google.

    Could anyone help?
     
  2. ilya

    ilya Private E-2

    Quick update, getting the following when I startup:

    Advertising.com
    CoolWWWSearch
    DoubleClick
    DSO Exploit
    Avenue A, inc.
    VX2/f

    After running Spyware S&D, I'm left with:

    Advertising.com
    DSO Exploit
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ignore DSO Exploit reports from SpyBot. It is a known bug. Or you can configure it to ignore the DSO Exploits too.

    To address your other issues, please follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  4. ilya

    ilya Private E-2

    Problem is still occurring after taking all of the mentioned steps.

    About:blank is coming up along with some pop-ups.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  6. ilya

    ilya Private E-2

    Here is the log... (attached)
     


  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You sure you did all the steps because you are still running Service Pack 1, not 2. Naturally, we need to wonder what else you may have skipped :) That was like Step #1. There's a TON of problems in there, so you really need to make sure you did all the steps. Here's some to remove:

    FYI, Viewpoint is called spyware, it's installed by AOL. Should be able to remove it from add\remove programs but you will need to search for viewmgr.exe, delete it and remove all references to it in your Hijack This logfile. While in add\remove programs uninstall anything else you don't recognize.

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uevdk.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uevdk.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uevdk.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uevdk.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uevdk.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uevdk.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {302FD6F2-399E-02BF-F24F-70F4CAF474E0} - C:\WINDOWS\system32\atlfh32.dll
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchmiracle.com

    Chaslang may have more to add, but please be sure that from SAFE MODE per the tutorial, you have completely virus scanned and run ALL of the optional tools especially about:buster and HSRemove and check back. Keep your browser closed until all steps are completed and you remove those lines. I would like to see you do all the steps this time, reading that log file wore me out :) The removal of these lines, installation of service pack 2 and complete virus and spyware scanning from safe mode will take you a couple hours.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe that Winad Client is removable from Add./Remove programs too.

    Also note, there are a couple of files that are of concern:
    1) O4 - HKLM\..\Run: [atlfh32.exe] C:\WINDOWS\system32\atlfh32.exe
    This is a typical sign of about:blank or HSA hijacks running. This process should be ended using Task Manager before fixing any lines with HijackThis. Then after fixing lines with HijackThis, I would also suggest running about:Buster a couple of times.

    2) This next line looks like a typical trojan:
    O4 - HKLM\..\Run: [gyzbburlpny] C:\WINDOWS\System32\niwzkv.exe

    Unless you know different, I would fix that line too with HJT and then boot in safe mode and delete the file: C:\WINDOWS\System32\niwzkv.exe

    3) This next one (DO NOT DELETE/FIX) I would like to confirm what it is:
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START

    Info out there indicates:
    Possibly a left over from Windows Update for wireless NIC (maybe Linksys) drivers? Not required though.

    Do you have a Wireless NIC card? Can you use Windows Explorer to locate this file and right click on it and get us some Properties info (like Company and Product Name)?
     
  9. ilya

    ilya Private E-2

    Updated HJT log attached - still having popup and about: problem after going through the recommended steps twice and updating Windows XP security.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to use my When all else fails - Generic Solution to HSA (Only the Best) & about:Blank hijack thread. I list below the lines of concern from the log you last posted. See if you can use this as a start to following the Generic Solution steps. Follow them exactly, do not skip anything, and do not stop in the middle anywhere to reboot or power down (unless told to).

    Processes of concern:
    C:\Documents and Settings\Ilya Galperin\Desktop\Source\aiepk2.exe
    C:\WINDOWS\apprb32.exe

    HijackThis lines of concern:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vhuyx.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vhuyx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vhuyx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vhuyx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vhuyx.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vhuyx.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {30A95DF7-FBEA-D763-E682-9D786EF30062} - C:\WINDOWS\system32\javavw32.dll
    O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\Ilya Galperin\Desktop\Source\aiepk2.exe
    O4 - HKLM\..\Run: [apprb32.exe] C:\WINDOWS\apprb32.exe
     
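Added example, not part of this thread and not a MajorGeeks or HijackThis tool: a small Python triage script that applies the same reading rules the two replies above (Major Attitude's and chaslang's) use on a HijackThis log. It flags R0/R1 search settings that point at a page packed inside a DLL (the res://...dll/sp.html pattern), Default_Page_URL forced to about:blank, a missing default URLSearchHook, an unnamed BHO, Run entries started from the Windows or System32 directory or given as a bare filename, and any site added to the Trusted Zone. The sample log is constructed from lines quoted in the thread plus two ordinary entries that should pass; the KNOWN_GOOD_SYSTEM_EXES allow-list and the "Windows directory" heuristic are my assumptions standing in for whatever list a real tool would carry.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis log format: entries the thread identifies as
# "of concern", plus a normal Start Page and a Program Files Run entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uevdk.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {302FD6F2-399E-02BF-F24F-70F4CAF474E0} - C:\WINDOWS\system32\atlfh32.dll
O4 - HKLM\..\Run: [atlfh32.exe] C:\WINDOWS\system32\atlfh32.exe
O4 - HKLM\..\Run: [gyzbburlpny] C:\WINDOWS\System32\niwzkv.exe
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O15 - Trusted Zone: *.searchmiracle.com
"""


@dataclass
class Finding:
    line: str
    reason: str


RES_DLL = re.compile(r"=\s*res://.*\.dll/", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)(?:\s|$)", re.IGNORECASE)

# Assumption: a tiny allow-list standing in for a real known-good list.
# Anything else started from the Windows or System32 directory via a Run key
# is flagged for a human to look at.
KNOWN_GOOD_SYSTEM_EXES = {"ctfmon.exe", "rundll32.exe"}


def _exe_from_command(cmd: str) -> Optional[str]:
    """Return the executable part of a Run-key command (paths may contain spaces)."""
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's reading rules to one HijackThis line."""
    line = line.strip()
    if not line:
        return None
    kind = line.split(" - ", 1)[0]

    if kind in ("R0", "R1"):
        if RES_DLL.search(line):
            return Finding(line, "IE search/start setting points at a page packed inside a DLL "
                                 "(res://...dll), the about:blank / HSA hijack signature")
        if line.lower().endswith("= about:blank"):
            return Finding(line, "default page forced to about:blank")
        return None

    if kind == "R3" and "is missing" in line:
        return Finding(line, "default URLSearchHook removed, so the hijacker's page "
                             "handles address-bar searches")

    if kind == "O2":
        m = O2_RE.match(line)
        if m and m.group("name") == "(no name)":
            return Finding(line, f"unnamed Browser Helper Object loaded from {m.group('path')}")
        return None

    if kind == "O4":
        m = O4_RE.match(line)
        exe = _exe_from_command(m.group("cmd")) if m else None
        if exe is None:
            return None
        directory, base = ntpath.split(exe)
        if not directory:
            # Matches chaslang's handling of ISLP2STA.EXE: confirm before fixing.
            return Finding(line, f"Run entry names a bare file ({base}); its location is "
                                 "unknown, so confirm what it is before fixing")
        if directory.lower() in (r"c:\windows", r"c:\windows\system32") \
                and base.lower() not in KNOWN_GOOD_SYSTEM_EXES:
            return Finding(line, f"third-party-looking executable started from {directory}; "
                                 "about:blank droppers are typically placed there")
        return None

    if kind == "O15":
        m = O15_RE.match(line)
        if m:
            return Finding(line, f"site {m.group('site')} added to the Trusted Zone, which "
                                 "relaxes IE security for it")
        return None

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Note what the heuristics miss: the Winad Client entry under Program Files passes, even though the thread says to remove it via Add/Remove Programs. A script like this narrows a long log to the lines worth a second look; it does not replace someone who recognises the names, which is why the replies above still ask for the whole log.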
