Need Help with adware/spyware, I read the stickies

Discussion in 'Malware Help (A Specialist Will Reply)' started by gimpster123, Mar 3, 2005.

  1. gimpster123

    gimpster123 Bring out the Gimp.

    I read the stickies, downloaded all the tools and used them. They took care of part of the problem. My homepage is still hijacked and I get popups when I'm not online. I also got an extra toolbar on IE and I don't know where it came from. Whenever one of these popups occurs, my favorites list is also altered. I read all the stuff about HijackThis, used it, and saved the log file. I just need permission to post it. I read through it; I recognize several "bad" things but don't recognize any "good" things. Someone plz tell me what the next step is.

    Thanx,
    Gimpster
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. gimpster123

    gimpster123 Bring out the Gimp.

    My hijack this log is attached.

    I am currently running Windows 2000 office edition. A few more details about my problem: I believe the spyware is running a mock version of Windows Firewall and Windows Security Center. I also get a random redirect to an adult site while going to a new webpage on IE. A popup blocker stopped the adware popups, but I realize this is only a temporary solution.

    Thank you for your time,
    Gimpster
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please allow me a moment to post you a fix.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    The first thing I notice is that your Operating System is WAY outdated. After we get your system clean from spyware/virus infections you need to install Service Pack 4. This is part of the problem!


    Second:

    Make sure ALL browsers are closed when running HJT.

    C:\Program Files\Internet Explorer\iexplore.exe


    Third:


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    SmartPopupBlocker

    180solutions


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    twink64.exe

    cotu.exe

    ??rvices.exe

    sprmover.exe

    truettf.exe

    dxconf.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\sfcman32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\sfcman32.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\sfcman32.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\sfcman32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\sfcman32.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\sfcman32.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    Are you familiar with this entry above in the box?? If not, fix this too.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {44044A10-DA9D-4AE9-952A-48A4C115076A} - C:\WINNT\System32\sfcman32.dll
    O2 - BHO: (no name) - {9C82C52F-7AC9-721D-B328-2917236D7C99} - C:\WINNT\System32\wyvzufq.dll
    O2 - BHO: (no name) - {A9AFF52F-57FA-4729-9E18-193A135D51A9} - C:\WINNT\System32\wyvzufq.dll

    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iecustom32.dll

    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINNT\Temp\TBuninst.exe /remove
    O4 - HKCU\..\Run: [Tdtu] C:\Documents and Settings\Administrator\Application Data\cotu.exe
    O4 - HKCU\..\Run: [Axghhkd] C:\WINNT\System32\??rvices.exe

    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246

    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

    O18 - Filter: text/html - {E63AE417-8D2B-4D32-87DB-5BA07C4E5A15} - C:\WINNT\System32\sfcman32.dll
    O18 - Filter: text/plain - {E63AE417-8D2B-4D32-87DB-5BA07C4E5A15} - C:\WINNT\System32\sfcman32.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.



    Fourth:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file badentry.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)




    Double-click on the badentry.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Fifth:



    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file updateentry.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the updateentry.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Sixth:



    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file lastfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the lastfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!



    Seventh:


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    c:\program files\180solutions ←–– Delete this whole folder if it exists!

    C:\spe ←–– Delete this whole folder if it exists!

    C:\Documents and Settings\Administrator\Application Data\cotu.exe

    C:\WINNT\System32\wyvzufq.dll

    C:\WINNT\System32\iecustom32.dll

    C:\WINNT\System32\??rvices.exe

    C:\WINNT\System32\sprmover.exe

    C:\WINNT\System32\truettf.exe

    C:\WINNT\System32\dxconf.exe

    C:\WINNT\System32\sfcman32.dll

    C:\WINNT\System32\twink64.exe



    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"



    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
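
    The fix list and the Safe Mode delete list in the post above can be cross-checked mechanically. The following is an added example, not part of the original thread and not HijackThis's own code: it parses entry lines copied from that post, extracts the file each one references, and reports files that the manual delete list does not cover. The regular expressions and function names are assumptions made for this illustration.

```python
import re
from typing import NamedTuple, Optional

# Entry layout as quoted in the thread: "<code> - <detail>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# First drive-letter path ending in .exe/.dll/.chm; this also finds paths that
# are wrapped in res:// or file:// prefixes (assumed pattern, not HJT's own).
PATH_RE = re.compile(r"(?<![A-Za-z])([A-Za-z]:\\[^/\r\n]*?\.(?:exe|dll|chm))", re.I)


class Entry(NamedTuple):
    code: str             # entry type, e.g. "R1", "O4", "O15"
    detail: str           # everything after the code
    path: Optional[str]   # normalised file path, or None if no file is named


def norm(path: str) -> str:
    """Lower-case and strip so that C:\\WINNT and c:\\winnt compare equal."""
    return path.strip().rstrip("\\").lower()


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line)
    if not m:
        return None  # blank line or prose, not a log entry
    code, detail = m.groups()
    p = PATH_RE.search(detail)
    return Entry(code, detail, norm(p.group(1)) if p else None)


def parse_log(text: str) -> list:
    return [e for e in map(parse_entry, text.splitlines()) if e]


def is_covered(path: str, delete_list) -> bool:
    """True if path is listed itself or lies under a listed folder."""
    for item in map(norm, delete_list):
        if path == item or path.startswith(item + "\\"):
            return True
    return False


def uncovered_files(fix_text: str, delete_list) -> list:
    """Files named by fixed entries that the manual delete list omits."""
    paths = {e.path for e in parse_log(fix_text) if e.path}
    return sorted(p for p in paths if not is_covered(p, delete_list))


# Entries copied from the fix list in the post above (a subset).
FIX_TEXT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\sfcman32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {9C82C52F-7AC9-721D-B328-2917236D7C99} - C:\WINNT\System32\wyvzufq.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iecustom32.dll
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINNT\Temp\TBuninst.exe /remove
O4 - HKCU\..\Run: [Tdtu] C:\Documents and Settings\Administrator\Application Data\cotu.exe
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
"""

# Items copied from the Safe Mode delete list in the same post (a subset).
DELETE_LIST = [
    r"c:\program files\180solutions",
    r"C:\spe",
    r"C:\Documents and Settings\Administrator\Application Data\cotu.exe",
    r"C:\WINNT\System32\wyvzufq.dll",
    r"C:\WINNT\System32\iecustom32.dll",
    r"C:\WINNT\System32\sfcman32.dll",
    r"C:\WINNT\System32\twink64.exe",
]

if __name__ == "__main__":
    for path in uncovered_files(FIX_TEXT, DELETE_LIST):
        print("not in manual delete list:", path)
```

    The two files it reports sit under Temp and Recycled, the locations that the post's CCleaner and cleanmgr steps are aimed at rather than the manual delete list.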
     
  6. gimpster123

    gimpster123 Bring out the Gimp.

    Haven't started the process yet, but thank you for helping me out. Before I start, I have one question: SmartPopupBlocker was a blocker I downloaded from this site, is it necessary to remove it?

    Edit: I'm going to uninstall it so I can continue, plz let me know if it is safe to reinstall it.

    Tyvm
    gimpster
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you do not need to uninstall Smart Popup Blocker. That application is not a problem. But if you later install and use FireFox instead of IE, you will not need it. FireFox has built-in popup protection.
     
  8. gimpster123

    gimpster123 Bring out the Gimp.

    To anyone - I finally have time to work on my problem. I started following bjgarrick's steps and got stuck at System Restore. I'm running Windows 2000 business edition; the MajorGeeks FAQ said that disabling System Restore was necessary for Windows XP and ME only. I'm aware that Windows 2000 is very similar to, but not the same as, ME. I couldn't find an option to disable System Restore in My Computer properties or in System Restore itself. When I open System Restore, a menu appears that looks just like an installation menu. Does this mean that it is off? If it is still on, how do I disable it? Do I even have to disable it since it is only Win 2000, not ME?


    thanks
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Windows 2000 does NOT have System Restore, proceed.
     
  10. gimpster123

    gimpster123 Bring out the Gimp.

    Ty so much bjgarrick for helping me out. Ty also to chaslang for the Firefox tip.

    Bjgarrick, everything's running great now. When I ran Spybot, it fixed two items, valueclick and findspy. Attached is my new HijackThis file; I checked it for anything that was on the checklist and didn't see anything. Again, ty so much for taking the time to help me, and others on these forums.

    Much happier
    -gimpster123

    Also, can I delete the HijackThis logs and the file you had me edit the registry with?
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do another scan with HijackThis and Check the Box for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-716D61788264} - C:\WINNT\System32\max8264.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:

    Navigate to and delete the following file:

    C:\WINNT\System32\max8264.dll
    Note: If you have any problem removing this file, boot into Safe Mode and delete it.


    NEXT:
    Run CCleaner


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.




    Are you currently experiencing any problems?
     
  12. gimpster123

    gimpster123 Bring out the Gimp.

    Ok, I'll go back in and delete that BHO. Everything is still running great except for one thing. I use ZoneAlarm firewall. When I was away from my PC for about 3 hrs, Windows Explorer requested permission to access the internet; its destination was IP 67.19.185.246. This was the IP that u had me remove with the quote I pasted into the registry. I'll fix the BHO, follow the final steps and see if it still asks for permission.


    Ty again
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!
     
  14. gimpster123

    gimpster123 Bring out the Gimp.

    :mad: arg.... this is so frustrating. I thought that everything was fine and running great, then WAM! Another popup. The fake Windows Firewall is still there too, with the fake Windows Security Center. At least I'm pretty sure these are fake, because I've only seen those programs on XP. I've never seen them on this PC, and I haven't updated in a long time. Any advice on what to do next? In the meantime I'm gonna scan with all the tools I got, plus those alternative online scans.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is System Restore disabled?
     
  16. gimpster123

    gimpster123 Bring out the Gimp.

    You had told me that Windows 2000 did not have System Restore; if it does, please tell me how to disable it. The FAQ for System Restore only covers ME and XP. I'm still in the process of trying a few new scans; HijackThis wasn't picking up any of the stuff I deleted. So I'm assuming it's not a reinstalling spyware, just one not deleted yet.

    Tools I have used without success:

    Spybot
    About Buster
    Ad-Aware
    HijackThis
    Trend Micro scan
    Symantec scan

    Current protections
    SpywareBlaster
    ZoneAlarm firewall
    I will install Panda Titanium antivirus; this is for viruses, I know, but it can't hurt

    If u know of any other good tools that I haven't used yet, let me know about them

    thanx
    gimpster123
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Windows 2000 does NOT have System Restore! I forgot you were on Win2000.

    Attach me a current HJT log, please.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, you need to make sure you run HJT from C:\Program Files\Hijack This so your backups will be safely stored.
     
  19. gimpster123

    gimpster123 Bring out the Gimp.

    Ok, here's a current log.
     


  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    sprmover.exe

    truettf.exe

    dxconf.exe

    connmie.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\System32\sprmover.exe

    C:\WINNT\System32\truettf.exe

    C:\WINNT\System32\dxconf.exe

    C:\WINNT\System32\connmie.exe

    NEXT:
    Run CCleaner


    Second:

    Please download rem3velvin.exe

    Save it on your desktop. Double-click it; it will self-extract the Zip file to C:\ms4hd

    Boot your computer into Safe Mode.

    Navigate to c:\ms4hd and double-click on the remv3.bat file. When it is done it will open a log file of what it found. This log file is saved in c:\log.txt.

    Reboot your computer back to normal mode and post the contents of c:\log.txt. To open it, click on start, then run, and type notepad c:\log.txt and press the OK button.

    A notepad will open up. Please create a reply to this message and post the contents of that notepad along with a new hijackthis log.

    Good Luck:)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    The below line should not be running indefinitely either:

    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINNT\Temp\WTuninst.exe /remove

    Once WinTools is uninstalled this should be disabled.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert


    CCleaner will get that as it's in the TEMP folder, correct?

    I just figured it was a one-time uninstall so that's why I left it.

    You're right though :p
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CCleaner does not remove registry entries!

    (Well not just the standard cleaning anyway! Using the Issues button would not be a good idea for most people to use.)
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I meant the file, HJT would get the reg entry. Not that dumb
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But that is why I mentioned it needs to be fixed to begin with... because you did not put it in the list of things to fix with HJT!
     
  26. gimpster123

    gimpster123 Bring out the Gimp.

    So what should I fix with HijackThis?
     
  27. gimpster123

    gimpster123 Bring out the Gimp.

    Followed ur steps bjgarrick, here's the logs
     

    Attached Files:

    • log.txt
  28. gimpster123

    gimpster123 Bring out the Gimp.

    Here's HJT
     


  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    sprmover.exe

    connmie.exe

    truettf.exe

    dxconf.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINNT\Temp\WTuninst.exe /remove

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINNT\System32\sprmover.exe

    C:\WINNT\System32\connmie.exe

    C:\WINNT\System32\truettf.exe

    C:\WINNT\System32\dxconf.exe

    C:\WINNT\Temp\WTuninst.exe


    NEXT:
    Run CCleaner


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
  30. gimpster123

    gimpster123 Bring out the Gimp.

  31. gimpster123

    gimpster123 Bring out the Gimp.

    Here's the new log
     


  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iecustom32.dll (file missing)


    NEXT:
    Run CCleaner


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Reboot and post new HJT log. How are things running?
     
  33. gimpster123

    gimpster123 Bring out the Gimp.

    It just keeps coming back, arg...
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What does? I need another HJT log!
     
  35. gimpster123

    gimpster123 Bring out the Gimp.

    Ok, here's a current log.

    It just seems like the following programs

    sprmover.exe

    connmie.exe

    truettf.exe

    dxconf.exe

    keep coming back. Whenever I think my PC is clean, wam!! They're back.

    It's just really frustrating
     


  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you deleting them as per my request? One reason is because your Operating System is WAY outdated.
     
  37. gimpster123

    gimpster123 Bring out the Gimp.

    Yes, I'm deleting them exactly as you told me to. There is a program(s) that we haven't found yet that randomly redirects my IE to an adult gaming site every once in a while, gives porn popups, and a fake Windows Security Center/firewall that says "your computer may be infected with spyware".... etc etc. It then tells me to "click here for spyware remover".

    :(
    thanx for your patience
    gimpster
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    NOW:
    Run Hijack This, click on Open the Misc Tools section. Now select Generate StartupList log and attach the startuplist.txt file as an attachment to your post.

    NEXT:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\System32\sprmover.exe

    C:\WINNT\System32\connmie.exe

    C:\WINNT\System32\dxconf.exe


    Reboot to Normal Windows and attach a new HJT log along with the startuplist log.
     
  39. gimpster123

    gimpster123 Bring out the Gimp.

    Steps completed, logs attached
     


  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
    O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    sprmover.exe ←–– Search for this file and delete when found!

    sysobj.exe ←–– Search for this file and delete when found!

    NEXT:
    Run CCleaner


    Reboot to Normal Windows


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.



    NOW:

    Download & Install Windows 2000 Service Pack 4

    After you do this, go to Windows Updates and get updated!

    After all updates are complete, reboot and post a new HJT log.
     
