
Thread: spyware removal – need more help

  1. #1
    Senior Member
    Join Date
    Nov 2003
    Posts
    398

    spyware removal – need more help

    To: redcircle (or anyone else)

    Thank you so much for the first posting on this part of the forum.

    I had a completely clean computer until I made the terrible mistake of clicking on a link that was in a "send me an e mail" form from my web site. It looked like it was a request for a reciprocal link, but was a link to a pornographic site that installed about 130 files of malware, adware, hijacking, etc. on my computer. I tried to stop the installations while they were occurring, to no avail. So I came to the forums and found your posting.

    I ran AdAware, and downloaded and ran SpyBot and installed Spyware Blaster. There are still 5 HKEY_USER reg files that show up when I run SpyBot.

    I followed the instructions on the link you provided to
    http://www.greymagic.com/security/advisories/gm001-ie/
    and made the following change:
    [HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Internet Settings \ Zones \ 0]
    Change the value of "1004" (DWORD) to 3.

    I am still getting pop up windows whenever I go from one web page to another. Thanks to "Blaster" they are blank pages, but I really want to stop this from happening at all.

    Parts of your message confused me. What are LSP’s and VX2’s? I am not an advanced user – really more intermediate I think.

    Can you (or anyone else out there) help me to change these reg files so that I do not get the pop up screens at all? “Do this, then do that” instructions would be most helpful, as I don’t understand the more technical stuff.

  2. #2
    WebProWorld MVP
    Join Date
    May 2004
    Posts
    1,656
    Another one to try is Hijack This. That sometimes finds things the others don't find.

    And don't forget that you can install the latest Yahoo! Toolbar that includes Anti-Spy. The Yahoo! Toolbar found things on my PC that the others didn't find.
    Follow me on Twitter, I'm bhartzer or like my page on Facebook.

  3. #3
    Senior Member
    Join Date
    Nov 2003
    Posts
    398

    Re: try this

    Thanks for your reply.

    It's not that the files weren't found. It's that the programs can't fix them. It's a matter of changing a registry file. I need someone to tell me what needs to be changed in it.

    And thanks for the suggestion about the Yahoo tool bar, but I just got rid of the Google tool bar and don't want any more of those either.

  4. #4
    Senior Member
    Join Date
    Nov 2003
    Posts
    398

    Here's my log file

    If it helps anyone to help me, here is one of the four entries from the log file from Spybot:

    DSO Exploit: Data source exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows|CurrentVerson\Intern et Settings\Zones\0\1004!=W=3

    There are 4: 0\1004! files and all are set to W=3 per the instructions on the website referred to in my earlier posting.

    I am still getting the pop up ad windows, and more malware is being installed on my computer. I use a combination of the programs I mentioned above to find and remove it about twice a day, but I am getting really discouraged.

    Help, please, someone.

  5. #5
    WebProWorld MVP mikmik
    Join Date
    Aug 2003
    Posts
    1,557
    It's that the programs can't fix them
    Have you tried to do the scans in safe mode?
    Symantec Instructions (all Windows)
    To use the F8 method
    Use this method only if Windows XP is the only operating system installed on your computer.

    1. Start Windows, or if it is running, shut Windows down, and then turn off the computer.
    2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
    3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
    Here is a program that makes it easy to find everything in the registry, and to back it up and edit it:
    http://www.resplendence.com/reglite

    You can cut and paste addresses -
    "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows|CurrentVerson\Intern et Settings\Zones\0\1004!=W=3"
    into the address bar and click 'go' like in IE, and you will go to the file in the registry.
    Then, you can back up the portion you want to change and then delete it.

    First, try the 'safe mode' scans, and unhook from the internet, or use "Safe mode without network support".
    Do your scans and repairs, then run hijack this and copy and paste the log here without fixing anything.

    I will give you further help. Using the registry is just like using windows explorer, but we'll get to that.

    Here is some HijackThis help (for after you run the Spyware removers in safe mode :o])
    HijackThis Quick Start

    And this explains all the meanings of the results:
    Analyzing the log

    As you have experienced before, persistence shall prevail!
    Babies don't need a vacation, but I still see them at the beach... it pisses me off! I'll go over to a little baby and say 'What are you doing here? You haven't worked a day in your life!'
    Steven Wright

  6. #6
    WebProWorld MVP mikmik
    Join Date
    Aug 2003
    Posts
    1,557
    Boy! Can't believe I forgot this stuff!

    Get this immediately, put it in your folder it tells you to - Hosts file
    * Download: hosts.zip [right-click - Select: Save Target As] [Updated 12-01-04]
    Unzip and place in the appropriate installed location:
    Note: the below locations are for the default paths, edit as needed.

    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS
    Now, get this and 'double click' to install it. Windows will get very uptight, but it is safe:
    Spyware Blocklists File Page

    Last, but certainly not least:
    Tool to reset shell\open\command registry keys (Symantec)
    As part of their routine, many worms and Trojans make changes to the registry. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.

    For example, if the \exefile\shell\open\command key is changed, the threat will run each time that you run any .exe file. This may also stop you from running the Registry Editor to try to fix this.

    They may also change a registry value so that you cannot run the Registry Editor at all.

    Symantec Security Response has created a tool to reset these registry values to their default settings
    I use all of these whether I need them or not, and I never hesitate for a second. They go in as soon as I install any Windows OS, anywhere. The 'UnHookExec.inf' has been installed and reinstalled needlessly often (just to be sure) and never done the slightest bit of harm. I run Microsoft Excel, Word, etc., no problems with anything, ever.

    Not saying you should ignore warnings, ESPECIALLY when someone like me just up and says to, so every system is set up differently, and only use the UnHookExec if the others - everything - still haven't solved it all.

    I don't have a whole lot of software running to cause conflicts, on the other hand, I rely on exe calls to start everything.


    You too can have an HJT file like this! (and I can still get rid of some LOL):
    Logfile of HijackThis v1.97.7
    Scan saved at 9:34:38 PM, on 12/11/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\standalone\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
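    A read-only audit of the two registry settings this thread keeps returning to: the Zones\0\1004 value that the first post changed under HKEY_CURRENT_USER while Spybot kept flagging it under HKEY_USERS\S-1-5-18 (the LocalSystem hive, which an HKCU edit never touches), and the shell\open\command launcher keys that the Symantec reset tool restores. This is an added Python example, not code from the thread or from Spybot, HijackThis or Symantec; the value meanings in the comments are the standard IE zone semantics, and the Windows-only winreg access is kept in one function so the checks themselves run anywhere.

```python
import re
from typing import Dict, List, Optional, Tuple

# Zone 0 is IE's "My Computer" zone; action 1004 is "Download unsigned ActiveX
# controls" and 3 means "Disable". Spybot's DSO Exploit check wants it to be 3 in
# every hive under HKEY_USERS (S-1-5-18 is LocalSystem), not only in HKCU.
ZONE0_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
DSO_VALUE, DSO_EXPECTED = "1004", 3
# Stock launcher strings; a worm that rewrites these runs before every .exe/.com/.bat.
EXPECTED_OPEN_COMMANDS = {"exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*'}
SPYBOT_DSO_RE = re.compile(r"HKEY_USERS\\([^\\]+)\\.*Zones\\0\\(\d+)!=W=(\d+)")


def check_zone_values(values: Dict[str, Optional[int]]) -> List[str]:
    """values: hive name (SID or 'HKCU') -> Zones\\0\\1004 contents, None if absent."""
    out = []
    for hive, v in values.items():
        if v is None:
            out.append(f"{hive}: Zones\\0\\{DSO_VALUE} missing, zone default applies")
        elif v != DSO_EXPECTED:
            out.append(f"{hive}: Zones\\0\\{DSO_VALUE} = {v}, expected {DSO_EXPECTED}")
    return out


def check_open_commands(commands: Dict[str, str]) -> List[str]:
    """commands: file class -> default value of <class>\\shell\\open\\command."""
    out = []
    for cls, expected in EXPECTED_OPEN_COMMANDS.items():
        actual = commands.get(cls)
        if actual is None:
            out.append(f"{cls}\\shell\\open\\command missing")
        elif actual.strip() != expected:
            out.append(f"{cls}\\shell\\open\\command is {actual!r}, expected {expected!r}")
    return out


def parse_spybot_dso_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Turn Spybot's 'HKEY_USERS\\<SID>\\...\\Zones\\0\\1004!=W=3' finding into
    (sid, value name, value Spybot wants); None for any other line."""
    m = SPYBOT_DSO_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def collect_from_registry() -> Tuple[Dict[str, Optional[int]], Dict[str, str]]:
    """Read the live values (Windows only, read-only); winreg is imported here so
    the pure checks above work and can be tested on any platform."""
    import winreg
    zones: Dict[str, Optional[int]] = {}
    i = 0
    while True:                              # walk every loaded hive under HKEY_USERS
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        except OSError:                      # no more subkeys
            break
        i += 1
        if sid.endswith("_Classes"):         # per-user HKCR overlays, no zone settings
            continue
        try:
            with winreg.OpenKey(winreg.HKEY_USERS, sid + "\\" + ZONE0_PATH) as k:
                zones[sid] = winreg.QueryValueEx(k, DSO_VALUE)[0]
        except OSError:
            zones[sid] = None
    cmds = {}
    for cls in EXPECTED_OPEN_COMMANDS:
        try:
            cmds[cls] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, cls + r"\shell\open\command")
        except OSError:
            pass
    return zones, cmds
```

On a Windows machine, `zones, cmds = collect_from_registry()` followed by `check_zone_values(zones) + check_open_commands(cmds)` lists every hive and launcher key that still needs attention; an empty list means the settings match what the thread's instructions ask for.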

  7. #7
    Senior Member
    Join Date
    Nov 2003
    Posts
    398

    To MikMik

    I am in process of doing all the things you suggested. Will do another posting when all items are completed, with the requested log file. Just wanted to say THANK YOU, and I'm working on it.

    Actually, yesterday in desperation I used system restore (which doesn't usually fix anything at all), then reinstalled the programs I had done above and ran them... with DSL unplugged. As of last night I was not getting the pop up ad windows.

    BUT I am going to do all the stuff you suggested. I don't want this mess happening again. More to come.

  8. #8
    Senior Member
    Join Date
    Nov 2003
    Posts
    398

    To MikMik

    OK. I did everything you told me to except I did not get the reglite program.

    When I ran Ad Aware in safe mode it found Alexis again... just when I thought I had that completely out of my computer. It also found one more malware program, but of course I didn't write it down. They are supposedly in quarantine, along with 150 other things that have been found in the past 3 days. Is there a way to completely delete that stuff that is in quarantine?

    I need to keep cookies from commission junction and from linksynergy because I use these programs for the ads on my shopping mall page... and I can't log into their sites without the cookies. I check my cookies almost every day and manually delete the ones I don't really need or want -- or can't identify for sure.

    And now: here is the log file from hijackthis:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:37:31 AM, on 12/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Ginny\My Documents\PROGRAM FILES\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100149426468
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

    NOTE that one of the entries above lists Symantec ad blocking. I do not have ads blocked, but do have pop ups blocked in my Norton Internet security program. I tried to uninstall MS messenger one time, but then I couldn't use IE at all, so had to let it be there. I took it out of my start up list but it comes back again. I hate it.

    Waiting for your next good advice.

    THANKS!!!!!

  9. #9
    WebProWorld MVP mikmik
    Join Date
    Aug 2003
    Posts
    1,557
    Hi, Weedy Lady. Your Hijack this log looks very clean, the only suspicion I find is the about:blank home page. A definite sign of Browser Hijackers.

    Okay. First the Quarantine Files. I think (I don't have Norton running right now) you can go to the Norton Control Center and click Options at the top, and Find a place to delete The quarantined files.

    You can also set it to just delete files instead of quarantining them.

    Then, You can also set it, on the main section, not to scan, or monitor, Messenger. Uncheck the option.
    I'll tell you why: I hate that Messenger myself, and no matter how many times I try to stop it, I can't. One reason is that Norton starts it! I get tons of errors that Norton 'Couldn't start the msnsgs/background service' when I disable mine LOL


    Here is a beautiful app: Startup Control Panel - you can even see the msnsgs to be disabled.
    ------------------------
    Do you know about the Advanced mode of Spybot S & D?
    Here is a tutorial on Spybot, and it shows the Advanced mode (although not how to select it!):
    http://www.safer-networking.org/en/tutorial/index.html
    It is selected in the File dropdown menu at the top. It also has a start-up disabling feature, and a 'lock internet settings from within Internet explorer' feature.

    You can go into your control panel and select 'Internet Options' and put the page you want to be your home page in the top box. Then click 'apply' and close it. That way, you can use the 'lock Internet Tools from being opened' feature in IE and the 'Lock Home page' as well.

    Then, go into your windows folder, and delete any html pages in there that are named 'blank.html' and 'about blank.html'.

    Now, here is more registry fun. This page, from PCHell, talks about removing the .dll file and the relevant keys from the registry: The About:Blank homepage hijacker

    They have a plethora of tutorials at the bottom of that page, including: DSO Exploit Removal Instructions and Help.
    One more thing for now, the
    "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows|CurrentVerson\Intern et Settings\Zones\0\1004!=W=3" can just get deleted, as far as I can tell. I deleted mine last night and haven't noticed any difference with anything whatsoever.
    ------------------------
    Boy, it is complicated - don't hesitate to ask for clarification! I am not always clear, nor are some of these things easy to do, although you are pretty adept, as I recall :O)

    I am still concerned that there are no suspicious looking entries in the HJT log, yet there is still the 'about blank' showing up. If this persists, we will have to try other avenues.

    Okay, good luck for now, Weedy Lady!
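    A small triage pass over HijackThis entries of the kind posted above: it parses the R0/R1/O2/O3/O4/O9/O16 lines, flags about:blank start or search pages for confirmation (mikmik's point, which the poster then explains was deliberate), reports entries ending in '(no file)' as orphans, asks for a CLSID lookup on unnamed BHOs and toolbars, and reports where each O16 ActiveX control was downloaded from. This is an added Python example, not the thread's code and not part of HijackThis; the sample log is constructed from the shapes of the lines in the logs above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample: line shapes taken from the two logs posted in this thread
# (header, R0/R1 pages, BHOs, a Run entry, an orphaned O9, two O16 downloads).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100149426468
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")   # "R0 - ...", "O16 - ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str
    level: str      # "info" | "review" | "orphan"
    detail: str


def parse_entries(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for each HijackThis entry line; the header lines and
    the 'Running processes' path list do not match and are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for sec, body in parse_entries(log):
        if body.endswith("(no file)"):
            # HijackThis prints "(no file)" when the referenced file is gone: a leftover.
            findings.append(Finding(sec, "orphan", "points at a file that no longer exists: " + body))
        elif sec in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
            findings.append(Finding(sec, "review", "about:blank page; confirm it was set deliberately: " + body))
        elif sec in ("O2", "O3") and "(no name)" in body:
            clsid = CLSID_RE.search(body)
            ident = clsid.group(0) if clsid else "?"
            findings.append(Finding(sec, "review", f"unnamed BHO/toolbar, look up CLSID {ident}: " + body))
        elif sec == "O16":
            src = body.rsplit(" - ", 1)[-1]          # download source of the ActiveX control
            level = "info" if src.lower().startswith(("http://", "https://")) else "review"
            findings.append(Finding(sec, level, "ActiveX control downloaded from " + src))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.level:6}] {f.section}: {f.detail}")
    print(summarize(results))
```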

  10. #10
    Senior Member
    Join Date
    Nov 2003
    Posts
    398

    Sorry for your confusion

    MikMik --

    Apologies for not telling you that I set about:blank as my home page. I want it that way. I keep it that way. Occasionally Microsoft Updates hijacks it and it makes me really mad.

    I absolutely hate the idea of having to wait for a home page to load (seconds in dsl, but it makes me mad anyway) when all I want to do is call up my browser and go someplace. I set firefox the same way. I only use firefox occasionally, to check my html code (I do my own), but I can't get music on it and my site is musical. I've tried downloading netscape's quick time and all it does is lock my computer. I've tried it 3 times. So I stick with IE most of the time. Besides that, the Firefox browser was affected by the pop up ad windows also at the same time that IE was.

    Were you telling me that I am creating an opportunity for hijackers by having a blank home page? If so, let me know and I'll bite the bullet and pick something (probably google since it's as close to blank as you can get and I use it a lot anyway).

    I will delete the one entry you suggest on the hijackthis log list, and list messenger in my Norton scan as an exception.

    The quarantined files I want to delete are not in Norton. They are in Ad Aware. I know how to delete things from Norton's quarantine, but can't find anyplace in Ad Aware to delete files. SpyBot has a shredder, but I didn't find one in Ad Aware, and that's the program that has found all this evil stuff (probably because it's the one I've been running first).

    I've been using the advanced mode in SpyBot, but very carefully, since there are things I'm not sure of because I don't think I'm that advanced.

    I sure appreciate your help. It continues to amaze me that so many people like yourself are willing to give of their time to help others when you also have to make a living. You are great!
