Adware Hell

Discussion in 'Software' started by loridw, Apr 16, 2005.

  1. loridw

    loridw Private E-2

    Hi,

    I've been battling with problems on this PC for months. iSearch has installed itself. Elite Toolbar is showing up in the registry files. Altnet has made itself at home and won't go away. about:blank is here, too. They're all partying on my hard drive and making me wish I owned a Macintosh.

    Some of the many symptoms--I get occasional blue screens that appear when I'm on the Internet. The entire screen goes blue and tells me "Fatal System Failure", the computer clicks off and reboots. Also, it's crippled Norton Internet Security and any uninstall/reinstall of Norton results in more "installation errors" on the Norton side. If that's not enough, I can't even do a simple virus scan from the Norton site. As soon as it starts scanning, I get a message saying that the scan was stopped. I have ActiveX enabled and I use IE 6.0, so it's not a compatibility issue.

    I've run SpySweeper, MS Anti-Spyware Beta, and even HijackThis. I'm going to post all logs in the hope that someone might be able to help me rid this machine of all problems.

    How they got here--AIM. The youngest whelp used the earliest known version of AIM without my knowledge. Hello! Open the door and invite them in, why don't you?

    Anyway, I appreciate any help. FYI, I have a second drive I'll be installing this weekend so I can separate my work documents from my child's insatiable need to chat. If we need to reformat, the news won't come as a total shock, so if you see that as the only option, feel free to break it to me. And forgive me for not using smiley emoticons--I heard today that the little brats who are building these trojans are now building them into emoticons. It's getting so a girl can't go out on the 'Net without a chaperone.

    Sorry for rambling. I've spent two weeks battling with these things. I'm a bit punchy.

    Lori

    Log #1
    Logfile of HijackThis v1.98.2
    Scan saved at 12:06:27 PM, on 4/16/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    c:\windows\system32\fvdecxi.exe
    C:\Program Files\iTunesShuffle\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\vzzazn.exe
    C:\PROGRA~1\eZula\mmod.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\System32\picsvr\picsvr.exe
    C:\Documents and Settings\rOo\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteino32.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

    The other two to follow shortly. Thanks, guys and gals. I appreciate any help.
     
  2. loridw

    loridw Private E-2

    Here is the log from SpySweeper:

    02:50 PM: |··· Start of Session, Wednesday, April 13, 2005 ···|
    02:50 PM: Spy Sweeper 3.5.0 (Build 198) started
    02:50 PM: Processing Startup Alerts
    02:50 PM: Removed Startup entry: fecddi
    02:56 PM: |··· End of Session, Wednesday, April 13, 2005 ···|
    07:36 AM: |··· Start of Session, Thursday, April 14, 2005 ···|
    07:36 AM: Spy Sweeper 3.5.0 (Build 198) started
    07:37 AM: Processing Startup Alerts
    07:37 AM: Removed Startup entry: etbrun
    07:37 AM: Removed Startup entry: vbvqqe
    07:37 AM: Internet Explorer Search Page has been updated to: http://www.google.com
    07:38 AM: Processing Startup Alerts
    07:38 AM: Removed Startup entry: etbrun
    07:46 AM: |··· End of Session, Thursday, April 14, 2005 ···|
    03:25 PM: |··· Start of Session, Thursday, April 14, 2005 ···|
    03:25 PM: Spy Sweeper 3.5.0 (Build 198) started
    03:25 PM: |··· End of Session, Thursday, April 14, 2005 ···|
    06:09 PM: |··· Start of Session, Thursday, April 14, 2005 ···|
    06:09 PM: Spy Sweeper 3.5.0 (Build 198) started
    06:09 PM: |··· End of Session, Thursday, April 14, 2005 ···|
    07:04 AM: |··· Start of Session, Friday, April 15, 2005 ···|
    07:04 AM: Spy Sweeper 3.5.0 (Build 198) started
    07:05 AM: Processing Startup Alerts
    07:05 AM: Removed Startup entry: etbrun
    07:05 AM: Removed Startup entry: vbvqqe
    07:05 AM: Removed Startup entry: wjjrrj
    07:05 AM: Removed Startup entry: Nsv
    07:05 AM: Removed Startup entry: picsvr
    07:05 AM: Removed Startup entry: Desktop Search
    07:05 AM: Removed Startup entry: ffis
    07:05 AM: Removed Startup entry: qmpmvp
    07:05 AM: Removed Startup entry: KavSvc
    07:05 AM: Removed Startup entry: naau.exe
    07:05 AM: Processing Startup Alerts
    07:05 AM: Removed Startup entry: Desktop Search
    07:05 AM: Removed Startup entry: ffis
    07:05 AM: Removed Startup entry: naau.exe
    07:05 AM: Processing Startup Alerts
    07:05 AM: Removed Startup entry: Desktop Search
    07:05 AM: Removed Startup entry: ffis
    07:05 AM: Removed Startup entry: etbrun
    07:05 AM: Removed Startup entry: naau.exe
    07:05 AM: |··· End of Session, Friday, April 15, 2005 ···|
    07:36 AM: |··· Start of Session, Friday, April 15, 2005 ···|
    07:36 AM: Spy Sweeper 3.5.0 (Build 198) started
    07:37 AM: Processing Startup Alerts
    07:37 AM: Removed Startup entry: Desktop Search
    07:37 AM: Removed Startup entry: ffis
    07:37 AM: Removed Startup entry: naau.exe
    07:37 AM: Removed Startup entry: etbrun
    07:37 AM: Removed Startup entry: ryfiinr
    07:37 AM: Processing Startup Alerts
    07:37 AM: Removed Startup entry: Desktop Search
    07:37 AM: Removed Startup entry: ffis
    07:37 AM: |··· End of Session, Friday, April 15, 2005 ···|
    07:46 AM: |··· Start of Session, Friday, April 15, 2005 ···|
    07:46 AM: Spy Sweeper 3.5.0 (Build 198) started
    07:46 AM: |··· End of Session, Friday, April 15, 2005 ···|
    01:11 AM: |··· Start of Session, Saturday, April 16, 2005 ···|
    01:11 AM: Spy Sweeper 3.5.0 (Build 198) started
    01:12 AM: |··· End of Session, Saturday, April 16, 2005 ···|
    09:53 AM: |··· Start of Session, Saturday, April 16, 2005 ···|
    09:53 AM: Spy Sweeper 3.5.0 (Build 198) started
    09:53 AM: Processing Startup Alerts
    09:53 AM: Removed Startup entry: Desktop Search
    09:53 AM: Removed Startup entry: ffis
    09:53 AM: Removed Startup entry: etbrun
    09:53 AM: Removed Startup entry: wjmiqn
    09:53 AM: Removed Startup entry: lpsbepv
    09:53 AM: Removed Startup entry: ukczsq
    09:54 AM: Processing Startup Alerts
    09:54 AM: Removed Startup entry: Desktop Search
    09:54 AM: Removed Startup entry: ffis
    09:54 AM: Removed Startup entry: etbrun
    09:54 AM: Internet Explorer Search Page has been restored to: http://www.google.com
    09:54 AM: Processing Startup Alerts
    09:54 AM: Removed Startup entry: Desktop Search
    09:54 AM: Removed Startup entry: ffis
    09:54 AM: Internet Explorer internal web pages restored to protected values
    09:54 AM: Processing Startup Alerts
    09:54 AM: Removed Startup entry: Desktop Search
    09:54 AM: Removed Startup entry: ffis
    09:54 AM: Processing Startup Alerts
    09:54 AM: Removed Startup entry: Desktop Search
    09:54 AM: Removed Startup entry: ffis
    09:54 AM: Removed Startup entry: etbrun
    09:54 AM: Processing Startup Alerts
    09:54 AM: Removed Startup entry: Desktop Search
    09:54 AM: Removed Startup entry: ffis
    09:54 AM: Removed Startup entry: etbrun
    09:54 AM: |··· End of Session, Saturday, April 16, 2005 ···|
    11:14 AM: |··· Start of Session, Saturday, April 16, 2005 ···|
    11:14 AM: Spy Sweeper 3.5.0 (Build 198) started
    11:14 AM: Processing Startup Alerts
    11:14 AM: Removed Startup entry: Desktop Search
    11:14 AM: Removed Startup entry: ffis
    11:14 AM: Removed Startup entry: etbrun
    11:14 AM: Removed Startup entry: yxspsg
    11:14 AM: |··· End of Session, Saturday, April 16, 2005 ···|
    12:09 PM: |··· Start of Session, Saturday, April 16, 2005 ···|
    12:09 PM: Spy Sweeper 3.5.0 (Build 198) started
    12:09 PM: Processing Startup Alerts
    12:09 PM: Removed Startup entry: Desktop Search
    12:09 PM: Removed Startup entry: ffis
    12:09 PM: Removed Startup entry: tsvcin
    12:09 PM: Removed Startup entry: etbrun
    12:09 PM: Removed Startup entry: Nsv
    12:09 PM: Removed Startup entry: picsvr
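The Spy Sweeper log above shows the same startup entries (Desktop Search, ffis, etbrun) being removed in session after session, sometimes several times within a single session. That pattern is the diagnostic point: a Run value that is deleted and is back minutes later is being rewritten by something still running, so deleting the value is not a fix. The script below is an added example by the editor, not code from the thread or from Spy Sweeper; it parses a constructed subset of the posted log lines (copied verbatim, three sessions) and separates entries that reappear across sessions from entries recreated within one session.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the Spy Sweeper 3.5 log lines posted above,
# copied verbatim (three sessions over two days).
SAMPLE_LOG = """\
07:04 AM: |··· Start of Session, Friday, April 15, 2005 ···|
07:04 AM: Spy Sweeper 3.5.0 (Build 198) started
07:05 AM: Processing Startup Alerts
07:05 AM: Removed Startup entry: etbrun
07:05 AM: Removed Startup entry: Desktop Search
07:05 AM: Removed Startup entry: ffis
07:05 AM: Processing Startup Alerts
07:05 AM: Removed Startup entry: Desktop Search
07:05 AM: Removed Startup entry: ffis
07:05 AM: |··· End of Session, Friday, April 15, 2005 ···|
07:36 AM: |··· Start of Session, Friday, April 15, 2005 ···|
07:36 AM: Spy Sweeper 3.5.0 (Build 198) started
07:37 AM: Processing Startup Alerts
07:37 AM: Removed Startup entry: Desktop Search
07:37 AM: Removed Startup entry: ffis
07:37 AM: Removed Startup entry: etbrun
07:37 AM: Removed Startup entry: ryfiinr
07:37 AM: |··· End of Session, Friday, April 15, 2005 ···|
09:53 AM: |··· Start of Session, Saturday, April 16, 2005 ···|
09:53 AM: Spy Sweeper 3.5.0 (Build 198) started
09:53 AM: Processing Startup Alerts
09:53 AM: Removed Startup entry: Desktop Search
09:53 AM: Removed Startup entry: ffis
09:53 AM: Removed Startup entry: etbrun
09:53 AM: Removed Startup entry: wjmiqn
09:53 AM: |··· End of Session, Saturday, April 16, 2005 ···|
"""

REMOVED_RE = re.compile(r"^\d{2}:\d{2} [AP]M: Removed Startup entry: (.+?)\s*$")


def parse_removals(log_text):
    """Return a list of (session_index, entry_name) for every
    'Removed Startup entry' line. Sessions are numbered from 1 in the
    order their 'Start of Session' banner appears in the log."""
    session = 0
    events = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Start of Session," in line:
            session += 1
            continue
        m = REMOVED_RE.match(line)
        if m and session:
            events.append((session, m.group(1)))
    return events


def summarize(log_text):
    """Per entry: the number of distinct sessions in which it was removed,
    and the largest number of removals inside any single session."""
    per_session = Counter(parse_removals(log_text))
    stats = defaultdict(lambda: {"sessions": 0, "max_per_session": 0})
    for (_, name), count in per_session.items():
        stats[name]["sessions"] += 1
        stats[name]["max_per_session"] = max(stats[name]["max_per_session"], count)
    return dict(stats)


def respawning_entries(log_text, min_sessions=2):
    """Entries deleted in at least `min_sessions` separate sessions: the
    value is written back between runs, so deleting it alone is not a fix."""
    return sorted(n for n, s in summarize(log_text).items() if s["sessions"] >= min_sessions)


def within_session_repeats(log_text):
    """Entries removed more than once inside one session: recreated within
    minutes, which points at a process that is still running at scan time."""
    return sorted(n for n, s in summarize(log_text).items() if s["max_per_session"] > 1)


if __name__ == "__main__":
    for name, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{name:15s} sessions={s['sessions']} max_per_session={s['max_per_session']}")
    print("respawning across sessions:", respawning_entries(SAMPLE_LOG))
    print("recreated within a session: ", within_session_repeats(SAMPLE_LOG))
```

On the sample, Desktop Search, ffis and etbrun come back in all three sessions, and the first two are recreated twice within the 07:04 session alone; the one-off names (ryfiinr, wjmiqn) are not flagged. Entries in the first group need the process that rewrites them identified and stopped before the registry values are removed.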
     
  3. loridw

    loridw Private E-2

    And here's the one from MS AntiSpyware--

    Spyware Scan Details
    Start Date: 4/16/2005 9:57:31 AM
    End Date: 4/16/2005 10:06:34 AM
    Total Time: 9 mins 3 secs

    Detected Threats

    Possible Browser Hijack Browser Modifier more information...
    Details: Possible Browser Hijack redirects Internet Explorer.
    Status: Removed
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.


    Transponder.ABetterInternet.Ceres Spyware more information...
    Details: VX2.ABetterInternet.Transponder.2 is a new transponder variant of aBetterInternet.
    Status: Ignored
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    C:\WINDOWS\ceres.dll


    iSearch.DesktopSearch Spyware more information...
    Details: Removes the users access to use Windows Search and replaces it with C:\WINDOWS\isrvs\desktop.exe.
    Status: Ignored
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    c:\windows\isrvs\desktop.exe
    c:\windows\isrvs\ffisearch.exe
    c:\windows\isrvs\mfiltis.dll
    c:\windows\isrvs\isearch.xpi
    c:\windows\isrvs\sysupd.dll
    C:\WINDOWS\system32\drivers\delprot.sys
    C:\WINDOWS\isrvs\edmond.exe
    C:\WINDOWS\isrvs\msdbhk.dll

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Desktop Search
    HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html sctpf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Desktop Search
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ffis
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Desktop Search
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ffis
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-4791-8674-4D429F85897E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
    HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Desktop Search
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ffis
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot\Security Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot\Enum 0 Root\LEGACY_DELPROT\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot\Enum Count 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot\Enum NextInstance 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot Type 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot Start 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot ErrorControl 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot ImagePath \SystemRoot\system32\drivers\delprot.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot DisplayName delprot
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-4791-8674-4D429F85897E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
    HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html sctpf
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-4791-8674-4D429F85897E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
    HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html


    Unclassified.Spyware.57 Spyware more information...
    Status: Ignored
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

    Infected files detected
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\naau.exe
    c:\windows\system32\vzzazn.exe

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KavSvc
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KavSvc
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KavSvc


    Altnet Browser Plug-in more information...
    Details: Altnet Topsearch acts as a search engine and runs as an Internet Explorer browser helper object. It can supply advertising to KaZaA users.
    Status: Removed
    Elevated threat - Elevated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.

    Infected registry keys/values detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Altnet


    Detected Spyware Cookies
    No spyware cookies were found during this scan.
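The HijackThis O4/O18 lines and the Microsoft AntiSpyware registry keys in the posts above point at four different persistence mechanisms: HKLM Run values (start at logon), an executable in the All Users Startup folder, a text/html MIME filter DLL registered under PROTOCOLS\Filter (a DLL that handles every HTML response IE loads), and a service named delprot whose Type and Start values identify it as a kernel-mode driver loaded at system start, before any user-mode cleanup tool runs. The script below is an added example by the editor, not code from the thread, HijackThis or Microsoft AntiSpyware; it parses lines copied verbatim from the posted reports, labels each by mechanism, decodes the service Type/Start values with the standard winnt.h service constants, and applies a crude random-name heuristic whose thresholds are the editor's assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the O4/O18 lines from the HijackThis log and a handful of
# registry key/value and file lines from the Microsoft AntiSpyware report
# posted above, copied verbatim.
HJT_LINES = [
    r"O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe",
    r"O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe",
    r"O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE",
    r"O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteino32.exe",
    r"O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe",
    r"O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe",
    r"O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll",
]
MSAS_LINES = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KavSvc",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html sctpf",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot Type 1",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot Start 1",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot ImagePath \SystemRoot\system32\drivers\delprot.sys",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\naau.exe",
]

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O18_RE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
SERVICE_RE = re.compile(r"\\Services\\([^\\ ]+)(?: (\w+) (.+))?$")
RUN_RE = re.compile(r"\\CurrentVersion\\Run (.+)$")
FILTER_RE = re.compile(r"\\PROTOCOLS\\Filter\\(\S+)")

# Service registry values as defined in winnt.h: Type 0x1 = SERVICE_KERNEL_DRIVER,
# 0x2 = SERVICE_FILE_SYSTEM_DRIVER, 0x10 = OWN_PROCESS, 0x20 = SHARE_PROCESS;
# Start 0 = BOOT_START, 1 = SYSTEM_START, 2 = AUTO_START, 3 = DEMAND_START, 4 = DISABLED.
SERVICE_TYPES = {1: "kernel driver", 2: "file system driver", 16: "own-process service", 32: "shared-process service"}
START_TYPES = {0: "boot start", 1: "system start", 2: "auto start", 3: "manual", 4: "disabled"}


def looks_random(name):
    """Crude heuristic (assumed thresholds, not a standard) for machine-generated
    names such as vzzazn or nsvsvc: under 20% vowels, or a run of four or more
    consonants, in the alphabetic part of the file stem."""
    stem = re.sub(r"[^A-Za-z]", "", name.split(".")[0]).lower()
    if len(stem) < 4:
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max(map(len, re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels / len(stem) < 0.2 or longest_run >= 4


def classify_hjt(line):
    """Map a HijackThis O4 (Run key) or O18 (MIME filter) line to a finding dict."""
    m = O4_RE.match(line)
    if m:
        hive, name, path = m.groups()
        return {"mechanism": f"{hive} Run key (autostart at logon)", "name": name, "path": path}
    m = O18_RE.match(line)
    if m:
        mime, clsid, path = m.groups()
        return {"mechanism": f"MIME filter for {mime} (DLL sees every {mime} response)", "name": clsid, "path": path}
    return None


def classify_msas(lines):
    """Group Microsoft AntiSpyware registry/file lines by persistence mechanism.
    Service value lines (Type, Start, ImagePath) are merged per service name
    and decoded with the constants above."""
    findings, services = [], defaultdict(dict)
    for line in lines:
        m = SERVICE_RE.search(line)
        if m:
            svc, value, data = m.groups()
            if value:
                services[svc][value] = data
        elif RUN_RE.search(line):
            findings.append({"mechanism": "Run key (autostart at logon)",
                             "name": RUN_RE.search(line).group(1), "path": None})
        elif FILTER_RE.search(line):
            mime = FILTER_RE.search(line).group(1)
            findings.append({"mechanism": f"MIME filter for {mime}", "name": mime, "path": None})
        elif "\\Start Menu\\Programs\\Startup\\" in line:
            findings.append({"mechanism": "Startup folder (all users, runs at logon)",
                             "name": line.rsplit("\\", 1)[1], "path": line})
    for svc, vals in services.items():
        kind = SERVICE_TYPES.get(int(vals.get("Type", -1)), "unknown type")
        start = START_TYPES.get(int(vals.get("Start", -1)), "unknown start")
        findings.append({"mechanism": f"service: {kind}, {start}", "name": svc, "path": vals.get("ImagePath")})
    return findings


def report(hjt_lines, msas_lines):
    """All findings, each with a random-name flag on the executable basename
    (or, for a Run value without a path, on the value name)."""
    findings = [f for f in map(classify_hjt, hjt_lines) if f] + classify_msas(msas_lines)
    for f in findings:
        if f["path"]:
            target = f["path"].rsplit("\\", 1)[-1]
        else:
            target = f["name"] if "Run key" in f["mechanism"] else ""
        f["random_name"] = looks_random(target)
    return findings


if __name__ == "__main__":
    for f in report(HJT_LINES, MSAS_LINES):
        flag = "  <-- random-looking name" if f["random_name"] else ""
        print(f"{f['mechanism']:55s} {f['name']:40s} {f['path'] or ''}{flag}")
```

Two things the report makes visible that the raw key dump does not: the delprot entry decodes to a kernel driver with system start, which is loaded before logon and therefore before any scanner the user launches, so it has to be disabled as a service and its driver file removed rather than just having Run values deleted; and the text/html filter means mfiltis.dll is invoked for every HTML page IE renders, which is how a "search" component rewrites pages and fetches content such as about:blank pages. The random-name flag is only a triage hint for which files to look up first.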
     
