
Thread: need some spyware help

  1. #1

    need some spyware help

    OK, I know the drill: I have run my spyware stuff in safe mode and got myself a HijackThis log. What do I need to remove?



    Logfile of HijackThis v1.99.1
    Scan saved at 4:21:20 PM, on 12/24/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Zippy\Local Settings\Temp\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ev1.net/
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129620561045
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2FBF89CC-6983-4C74-9122-B944B998567C}: NameServer = 85.255.115.18,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B681E00-853D-48ED-A382-8B744C147664}: NameServer = 85.255.115.18,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA6D0B97-05EB-4ACF-AE02-CF71B3859342}: NameServer = 85.255.115.18,85.255.112.113
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2FBF89CC-6983-4C74-9122-B944B998567C}: NameServer = 85.255.115.18,85.255.112.113
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2FBF89CC-6983-4C74-9122-B944B998567C}: NameServer = 85.255.115.18,85.255.112.113
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  2. #2
    OK, the one thing that stands out most to me is:

    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    I would uninstall this first, while in safe mode, and check again. If nothing else, let HijackThis remove it from the startup list and then clean it out. I haven't found anything on the net that indicates UnSpyPC is anything more than a spyware scamming tool, and it is classified by some sites as spyware itself.

    Hope this helps. I'll be online for a bit to check your progress. So, post when you get somewhere.

  3. #3
    Here, check out this link [1] ...

    UnSpyPC

    Hope that helps ..
    Operation Cyberslam
    "I've noticed that everybody that is for abortion has already been born." Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

  4. #4
    Shadow dalek
    I would download EWIDO, run the scans and clean out the crap. Another useful tool is CCleaner. After you have cleaned your PC, run another HJT log.

    For WildTangent, I would go to Add/Remove and get rid of it...

    Myself personally, I would get WinXP SP2 and all of the security patches released since SP2 came out; otherwise you are going to be continuously getting rid of crap.

    To manage your startups I would get Steve Miln's Start Up Control Panel; it is a lot easier to edit.


    Also, unless you absolutely need it I would get rid of your Realplayer, this comes with crap as well.

    All of your O17s are garbage:

    What it looks like:

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
    O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gla.ac.uk

    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175

    What to do:
    If the domain is not from your ISP or company network, have HijackThis fix it. The same goes for the 'SearchList' entries.
    For the 'NameServer' (DNS servers) entries, Google for the IP or IPs and it will be easy to see if they are good or bad.
    HJT Tutorial

    Lastly: How did I get Infected in the First Place

    Merry Christmas..
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson
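The O17 advice above (a Domain or SearchList that is not your ISP's, or NameServer addresses you cannot account for, should be fixed) can be turned into a repeatable check. The following script is an added example, not a tool from the thread or from HijackThis: it parses the O17 lines of an HJT log and reports any entry whose DNS suffix or public resolver is not on an allow-list you supply. It generalizes the poster's "google the IPs" step into an explicit comparison against the resolvers your ISP actually assigns. The allow-list values (192.0.2.53, 192.0.2.54, example.net) are constructed placeholders from the RFC 5737 documentation range; the sample log lines are the O17 entries from the log posted in this thread plus two constructed benign lines.

```python
"""Audit HijackThis O17 entries against an expected DNS configuration.

Added example for this thread; not part of HijackThis. The allow-lists are
placeholders and must be replaced with the resolvers and DNS suffix that the
machine's ISP or company network really assigns.
"""
import ipaddress
import re

# Constructed allow-list (RFC 5737 documentation addresses). In practice take
# these from the ISP or from `ipconfig /all` on a known-clean machine on the
# same network.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
EXPECTED_DOMAINS = {"example.net"}

# O17 lines look like:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
#   O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = some.domain
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\[^:]+): "
    r"(?P<name>NameServer|DomainName|Domain|SearchList) = (?P<value>.+)$"
)


def parse_o17(line):
    """Return {'key', 'name', 'values'} for an O17 line, or None for other lines."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # NameServer and SearchList may hold several values separated by commas/spaces.
    values = [v for v in re.split(r"[,\s]+", m.group("value")) if v]
    return {"key": m.group("key"), "name": m.group("name"), "values": values}


def classify_o17(entry):
    """Return the reasons an entry looks wrong; an empty list means it is expected."""
    reasons = []
    if entry["name"] == "NameServer":
        for v in entry["values"]:
            try:
                ip = ipaddress.ip_address(v)
            except ValueError:
                reasons.append(f"NameServer value {v!r} is not an IP address")
                continue
            # A home router or local resolver on a private address is normal.
            if ip.is_private or ip.is_loopback:
                continue
            if str(ip) not in EXPECTED_RESOLVERS:
                reasons.append(f"public resolver {ip} is not in the expected set")
    else:  # Domain, DomainName, SearchList: must be a suffix you recognise
        for v in entry["values"]:
            if v.lower() not in EXPECTED_DOMAINS:
                reasons.append(f"{entry['name']} {v!r} is not an expected DNS suffix")
    return reasons


def audit_log(text):
    """Scan a whole HJT log; return [(o17_line, [reasons...]), ...] for flagged entries."""
    findings = []
    for line in text.splitlines():
        entry = parse_o17(line)
        if entry is None:
            continue
        reasons = classify_o17(entry)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


# Sample input: the five O17 lines from the log posted in this thread, plus two
# constructed benign lines (a LAN router as resolver, and the expected suffix).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FBF89CC-6983-4C74-9122-B944B998567C}: NameServer = 85.255.115.18,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B681E00-853D-48ED-A382-8B744C147664}: NameServer = 85.255.115.18,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA6D0B97-05EB-4ACF-AE02-CF71B3859342}: NameServer = 85.255.115.18,85.255.112.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{2FBF89CC-6983-4C74-9122-B944B998567C}: NameServer = 85.255.115.18,85.255.112.113
O17 - HKLM\System\CS2\Services\Tcpip\..\{2FBF89CC-6983-4C74-9122-B944B998567C}: NameServer = 85.255.115.18,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.net
"""

if __name__ == "__main__":
    for flagged_line, why in audit_log(SAMPLE_LOG):
        print(flagged_line)
        for r in why:
            print("   ->", r)
```

Note that the check covers every ControlSet (CCS, CS1, CS2) exactly as HJT lists them, because a fix applied only to CurrentControlSet can be undone by a boot into "Last Known Good". Private resolver addresses are deliberately accepted; if the router itself has been reconfigured, that has to be checked on the router, not in the HJT log.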

  5. #5
    nihil (United Kingdom: Bridlington)
    Hmmm,

    What antispyware and AV have you run?

    Did you run HJT in normal or safe mode?

    The reason I ask is that all there seems to be there is the remains of a Trend Micro HouseCall and the unreliable UnSpyPC.

    You might like to use a browser other than IE?

    http://www.emsisoft.com/en/software/free/ (A-Squared)

    http://www.safer-networking.org/en/index.html (Spybot Search & Destroy)

    Are two useful free tools... download, update and run in safe mode.


  6. #6
    brokencrow (Shawnee country)
    Run MS's AntiSpyware and Ad-Aware. Remove everything they find. Then go to www.pandasoftware.com and run an online virus/spyware scan. This'll find any viruses and also dropper files that reinstall persistent spyware. Be sure to generate a report (.txt file). If there are any viruses, just use one of Norton's removal tools designed for that specific virus.

    If you've got persistent spyware (seemingly unremovable), try booting up using a live Linux CD (INSERT is the best here) and mount the HDD. If it's an NTFS volume, you'll need to run Captive so you can write to the HDD. Then manually delete those files Panda's scan found.

    Works for me.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
