Mega Huge Spyware Problem

[Dan Clark]

A few weeks ago, my brother went on my computer, went on some gaming sites so it seems, and has lumbered with with 5497895762396 spyware programs.

Noticable ones are "gimmygames", "freeprod" and "findthewebsiteyouneed.com". I keep deleting these, but they come back in a few minutes.

Whenever I'm on firefox, whatever page I'm on changes to some random advert site, it does this every few minutes.

So far I'm running Ad-Aware and Spybot search and destroy, they find things and delete them, but it doesn't fix my problem.

Please help TF, I don't want all the hassle of backing up hundreds of tv shows on my ipod again.

[Danny]

Run spybot and adaware in safemode then without rebooting fire up 'hijack this' and use it to remove anything suspicious from internet explorer.

Edit my hijack this list looks something like......

[attachmentid=2769]

if you post up a screenshot of your hijack this ill try give you a list of what you can delete

[Dan Clark]

Logfile of HijackThis v1.99.1

Scan saved at 18:23:16, on 26/02/2006

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\WINSYSBAN11.EXE

C:\WINDOWS\ZGVMYXVSDAAA\COMMAND.EXE

C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP\SVCHOST.EXE

C:\PROGRAM FILES\TMENTOR\MENTOR FOR WINME\MINITRAY.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\PROGRAM FILES\RALINK\RT2500 WIRELESS LAN CARD\INSTALLER\WINME\RACONFIG2500.EXE

C:\PROGRAM FILES\OPENOFFICE.ORG 2.0\PROGRAM\SOFFICE.EXE

C:\PROGRAM FILES\OPENOFFICE.ORG 2.0\PROGRAM\SOFFICE.BIN

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - Default URLSearchHook is missing

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [p2pnetworking] P2PNETWORKING.EXE

O4 - HKLM\..\Run: [winsysupd] C:\WINDOWS\WINSYSUPD11.exe

O4 - HKLM\..\Run: [winsysban] C:\WINDOWS\WINSYSBAN11.exe

O4 - HKLM\..\Run: [gimmygames] C:\WINDOWS\GIMMYGAMES11.exe

O4 - HKLM\..\Run: [Command] C:\WINDOWS\ZGVmYXVsdAAA\command.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EX_"

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [p2pnetworking] P2PNETWORKING.EXE

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Mentor Tray Icon.lnk = C:\Program Files\tMentor\Mentor for WinMe\minitray.exe

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINME\RaConfig2500.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: svchost.exe

O9 - Extra button: Mentor - {3892CA40-9B9A-11d4-8D73-00105A296A2A} - "C:\Program Files\tMentor\Mentor for IE5\IE5Help.chm" (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O15 - Trusted Zone: *.line6.net

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://gameadvisor.futuremark.com/global/msc37.cab

[AndyT]

I don't know what happened, but yesterday my comptuer wouldn't turn on...i had to do soooooooooo much shit to get it to work- and now I have to reinstall ALL of my old programs, and set all of my old settings.......

I had to freaking spend like 3 hours in a command prompt typing in old school shit though, gave me good memories of the old days......f**k it was horrible.

[trials_pimp]

I had this last week.

You have coolwebsearch.

It downloads all those links you have, and its a registry file that spybot, Adaware ect cant get rid of.

all the time you have it it will constantly download other programes, and what mine did, start controling your computer.

I had to format to get rid of it. You mind find its still in the registry if you only rolled drivers back

[Danny]

For starters you can try CWShredder which is supposed to remove coolwebsearch. Found here http://www.intermute.com/spysubtract/cwshr...r_download.html

Then if that doesnt work run spyboy and adaware in SAFE MODE the run hijack this and remove all the stuff with x's next to em

xx R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

xx R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

xx R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

xx R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

xx R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

xx R3 - Default URLSearchHook is missing

xx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

xx O4 - HKLM\..\Run: [p2pnetworking] P2PNETWORKING.EXE

xx O4 - HKLM\..\Run: [winsysupd] C:\WINDOWS\WINSYSUPD11.exe

xx O4 - HKLM\..\Run: [winsysban] C:\WINDOWS\WINSYSBAN11.exe

xx O4 - HKLM\..\Run: [gimmygames] C:\WINDOWS\GIMMYGAMES11.exe

xx O4 - HKLM\..\Run: [Command] C:\WINDOWS\ZGVmYXVsdAAA\command.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EX_"

xx O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

xx O4 - HKLM\..\RunServices: [p2pnetworking] P2PNETWORKING.EXE

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

xx O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun

xx O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

xx O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

xx O4 - Startup: Mentor Tray Icon.lnk = C:\Program Files\tMentor\Mentor for WinMe\minitray.exe

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINME\RaConfig2500.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: svchost.exe

xx O9 - Extra button: Mentor - {3892CA40-9B9A-11d4-8D73-00105A296A2A} - "C:\Program Files\tMentor\Mentor for IE5\IE5Help.chm" (file missing)

xx O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

xx O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

xx O15 - Trusted Zone: *.line6.net

xx O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - http://gameadvisor.futuremark.com/global/msc37.cab

[Dan Clark]

That thing found no signs of coolwebsearch on my computer.

Just done your thing Danny, lets hope it works out

http://www.uniqueoffer-s.com/normal/yyy102.html

I just got redirected to that

Seems a bit better though, theres less interruptions.

[omgnoseat]

you could try these programs:

http://www.ewido.net/en/download/

http://www.javacoolsoftware.com/spywareblaster.html

http://www.pctools.com/spyware-doctor/?ref=d6

did wonders for me when i had the terrible ´´spyaxe´´ virus, i still got nightmares about it

[Si-man]

Did a scan on my comp for spyware etc, found f**kin loads!!!!

Thats off a week of not using it, shitties

Found 1000 registry faults lol

[anzo]

Lavasoft.

Go there, under the 'Products' section click AdAware Personal, download it and scan your computer.

After the scan, click all the tick boxes to delete the items, click next/finish and it'll delete them all. Piss easy.

[Janson]

So far I'm running Ad-Aware and Spybot search and destroy, they find things and delete them, but it doesn't fix my problem.

[Dan Clark]

Thank you Janson.

Well, it has improved, still not totally gone though.