Help with Spyware.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fireball420, Sep 27, 2004.

  1. Fireball420

    Fireball420 Private E-2

    Hi,
    I was told that if I downloaded HijackThis and posted the log someone could help me get rid of some unusually annoying spyware. Can someone take a look and help?
    Thanks,
    Aaron.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow guidelines! HijackThis is the last step and we have rules about how and when to post a log. Please do the below first.

    Please follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    And please indicate your exact problems.
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Aaron,
    Well, you are somewhat correct. ;) We are happy to help, but you need to start here:

    http://forums.majorgeeks.com/showthread.php?t=35407

    You also need to move HijackThis to its own folder - C:\Program Files\HijackThis. This will allow for the preservation of backups.

    Before you get started on the tutorial, see if you are able to remove the following via Add or Remove Programs:

    Web Rebates
    SyncroAd
    Bullseye Network


    Your HijackThis log is a mess. Once you have moved HJT to a safe place, have it fix the following:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rev0lt.net/index.html

    O2 - BHO: (no name) - {68DB3170-B06C-0ECC-D256-6C557C84244A} - C:\WINDOWS\System32\espkffc.dll

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

    O4 - HKLM\..\Run: [cbzzcl] C:\WINDOWS\System32\atyrvy.exe

    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe

    O4 - HKLM\..\Run: [Sysino] lsess.exe

    O4 - HKLM\..\RunServices: [Sysino] lsess.exe

    O4 - HKLM\..\RunServices: [Sysino] lsess.exe

    O4 - HKLM\..\RunOnce: [Sysino] lsess.exe

    O4 - HKCU\..\Run: [Sysino] lsess.exe

    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...166f16089431:81b1e337486498d88431998986b85d10

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

    You will need to track down and try to DELETE:

    C:\WINDOWS\System32\lsess.exe
    C:\Program Files\Windows SyncroAd
    C:\Program Files\Web_Rebates\


    NOTE:
    I’m sure I missed a few entries and there will probably be a couple that reappear. Also, if you recognize any that you know you want or need, leave them alone. There are a few in your log with which I am not familiar.

    Now, begin the tutorial. Note the steps that you are able to complete and the ones that give you trouble. This will help us fix you up more quickly. Post back with any questions. I’ll be away for a bit, but there are many here who are much more qualified to help you than I. So, no worries! :)

    Best luck,

    PP

    *** Looks like Chaslang got here at the same time. You are better off in his able hands.
     
    Last edited by a moderator: Sep 27, 2004
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi PP! Yeah I guess you were typing while I was giving the canned speech to get things started.

    Fireball,
    You need to follow the tutorial steps first, then go to Add/Remove programs as PP suggested and uninstall those items. Then you should proceed on to anything remaining from the list PP has given to you. You will need to delete all the bad .exe files. You may need to boot in safe mode to do that.
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Chas,

    There are A LOT of nasty looking things on Aaron's log. I listed only the ones that jumped out at me. I'm heading out the door and don't have time to look up the ones I don't know.

    Best :)

    PP
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    No biggie, I do the same thing sometimes :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay! Let's wait for the tutorial and the steps given thus far to be executed. Then we will see where we are at.
     
  8. Fireball420

    Fireball420 Private E-2

    Hey Guys,

    Thanks so much for your help! I'm sorry I didn't follow the normal protocols in the beginning, but I have now. :) I did everything in that post (the 'Do this before asking for help' post), and everything seemed to work fine (i.e. I had no problems installing, configuring, and cleaning). I then followed every instruction that PhilliePhan wrote with the following results:

    -Via the Add/Remove programs I was able to remove Web Rebates and SyncroAd, but not Bullseye Network (as I didn't see it there).

    -I had HijackThis fix most of the items that were mentioned to tick off, although some of them weren't there (I'm assuming they were fixed by the other spy/adware programs).

    -I tried to track down and delete the following:

    C:\WINDOWS\System32\lsess.exe
    C:\Program Files\Windows SyncroAd
    C:\Program Files\Web_Rebates\

    -lsess.exe didn't exist, although lsass.exe did. Was that a typo or is it just a very similar name?
    -Windows SyncroAd got deleted.
    -Web_Rebates didn't exist (Again assuming it was already dealt with)

    So everything seems to be working fine now, except for one last thing that perhaps someone can shed some light on. Every time I login with any user on the computer, an IE window pops up with the following URL:

    http://gen0cide.net/page1/index.html

    I doubt it's doing anything really bad, it's just totally annoying.

    I have attached my latest HijackThis log file as well.

    Thanks so much!

    Aaron.
     


  9. PhilliePhan

    PhilliePhan Guest

    Hi Aaron,

    Welcome to the world of Malware! lsess is made to look like the legitimate and needed lsass in order to try to fool you. Really, it sticks out like a sore thumb! ;)

    Your log is better.
    You should have HijackThis fix the following:

    O4 - HKLM\..\Run: [REEGRUN] C:\index.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


    Find and delete: C:\index.exe - Note that you may have to shut down the running process via Task Manager.


    I AM UNSURE ABOUT THE FOLLOWING, SO DO NOT FIX THEM FOR NOW:

    O4 - HKLM\..\Run: [WIN3S2SNDS] C:\windows\system32\winiprtx.exe

    C:\windows\system32\winiprtx.exe

    O4 - HKCU\..\Run: [Mahr] C:\Documents and Settings\Lanny\Application Data\eog?.exe


    Do you recognize any of those? Let us know.

    Best,

    PP
     
    Last edited by a moderator: Oct 2, 2004
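The lookalike-name trick PhilliePhan points out above (lsess.exe posing as lsass.exe) and the O4/O2/O16 entries listed earlier in the thread are the kind of thing a reviewer can check mechanically before reading a log by eye. The script below is an added example written for this page; it is not a tool from the thread, from MajorGeeks or from the HijackThis project. It parses HijackThis-style lines (the sample lines are constructed here, modelled on the ones quoted in the posts, not taken from the attached log), pulls the executable name out of each O4 autostart entry, and flags: a file name within a small edit distance of a legitimate Windows process name, an autostart value registered under several Run keys at once (as Sysino was), a bare file name with no stated location, an executable sitting directly in a drive root (as C:\index.exe was), an unnamed browser helper object, and any O16 downloaded ActiveX installer. The list of legitimate names, the distance threshold and the flag wording are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: HijackThis-style lines modelled on the ones quoted
# in this thread (not the attached log itself).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {68DB3170-B06C-0ECC-D256-6C557C84244A} - C:\WINDOWS\System32\espkffc.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sysino] lsess.exe
O4 - HKLM\..\RunServices: [Sysino] lsess.exe
O4 - HKCU\..\Run: [Sysino] lsess.exe
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
"""

# Assumed, illustrative list of legitimate Windows process names that malware imitates.
LEGIT_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe",
               "services.exe", "explorer.exe"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) - (.*)$")


@dataclass
class Entry:
    kind: str                 # "O2", "O4" or "O16"
    hive: str = ""            # HKLM / HKCU (O4 only)
    key: str = ""             # Run, RunServices, RunOnce (O4) or CLSID (O2/O16)
    name: str = ""            # registry value name or BHO display name
    target: str = ""          # command line, DLL path or download URL
    flags: List[str] = field(default_factory=list)


def image_path(command: str) -> str:
    """Return the executable path from a Run command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def image_name(command: str) -> str:
    """Return just the lower-cased file name of the executable in a command line."""
    return image_path(command).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, max_distance: int = 2) -> Optional[str]:
    """Return the legitimate process name that `name` imitates, or None when the
    name is itself legitimate or not close to any known one (threshold assumed)."""
    name = name.lower()
    if name in LEGIT_NAMES:
        return None
    best = min(LEGIT_NAMES, key=lambda legit: edit_distance(name, legit))
    return best if edit_distance(name, best) <= max_distance else None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2, O4 or O16 line; other section types are ignored here."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return Entry("O4", hive=m[1], key=m[2], name=m[3], target=m[4])
    m = O2_RE.match(line)
    if m:
        return Entry("O2", key=m[2], name=m[1], target=m[3])
    m = O16_RE.match(line)
    if m:
        return Entry("O16", key=m[1], target=m[2])
    return None


def analyze(log_text: str) -> List[Entry]:
    """Parse a log and attach review flags to each entry."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Which autostart keys each value name is registered under.
    keys_by_name = {}
    for e in entries:
        if e.kind == "O4":
            keys_by_name.setdefault(e.name, set()).add(e.hive + "\\" + e.key)
    for e in entries:
        if e.kind == "O4":
            path = image_path(e.target)
            legit = lookalike_of(image_name(e.target))
            if legit:
                e.flags.append("file name imitates " + legit)
            if "\\" not in path:
                e.flags.append("bare file name, location not stated")
            if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
                e.flags.append("executable placed directly in a drive root")
            if len(keys_by_name[e.name]) > 1:
                e.flags.append("same value registered under %d autostart keys"
                               % len(keys_by_name[e.name]))
        elif e.kind == "O2" and e.name == "(no name)":
            e.flags.append("browser helper object with no display name")
        elif e.kind == "O16":
            e.flags.append("downloaded ActiveX installer; confirm the publisher is wanted")
    return entries


if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG):
        if e.flags:
            print(e.kind, e.name or e.key, "->", "; ".join(e.flags))
```

Run as-is, the script reports the three Sysino entries (lookalike of lsass.exe, bare name, three autostart keys), the REEGRUN entry (drive-root executable), the unnamed BHO and the O16 download, and stays silent on the QuickTime entry. The flags are review prompts in the spirit of PP's "do not fix them for now" list, not verdicts: a close name match or an odd location is a reason to look the file up, and a clean result is not proof that an entry is benign.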
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your suspicions are correct PP.

    Fireball,
    Fix the item PP gave but also end these processes with Task Manager:
    C:\windows\system32\winiprtx.exe
    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\update\update.exe

    And have HJT fix the below lines (make sure no browsers are open when fixing):
    O4 - HKLM\..\Run: [WIN3S2SNDS] C:\windows\system32\winiprtx.exe
    O4 - HKCU\..\Run: [Mahr] C:\Documents and Settings\Lanny\Application Data\eog?.exe

    Then reboot in safe mode and delete the below (along with the index.exe file PP gave you):
    C:\windows\system32\winiprtx.exe
    C:\Documents and Settings\Lanny\Application Data\eog?.exe
     
  11. Fireball420

    Fireball420 Private E-2

    Hey guys!

    Thanks so much!! This has fixed all my problems!

    Fireball.
     
  12. PhilliePhan

    PhilliePhan Guest

    Glad to hear it, Aaron! :) I imagine Chas will agree that you are quite welcome!

    Best,

    PP
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cool! Another one bites the dust!

    You're right PP! Fireball is most welcome.
     
