
Thread: Spyware infected computer need help removing

  1. #1
    Junior Member
    Join Date
    Aug 2005
    Posts
    18

    Spyware infected computer need help removing

    Hello all,

    I have a computer which is giving me a message in the system tray telling me "This computer is infected with spyware... blah blah blah." I have attached the hard drive to another computer and scanned it using NAV corp edition, AVG, and ad-aware. None of the programs have found any problems with the hard drive... weird. The computer will pop up porn ads about once every 10 min just for fun..

    Does anyone have any ideas about what I'm dealing with here? I need to try and fix this one instead of reinstalling the O/S...

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Put the drive back.. Boot windows into safe mode then run a HijackThis scan.. Post the log here..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK......

    You have picked up some "scumware"

    AdAware SE
    Spybot S & D
    EWIDO
    A-Squared

    Get them all, update and run them

    Then follow what SirDice suggested........that is the "mopping up" operation

  4. #4
    Junior Member
    Join Date
    Aug 2005
    Posts
    18

    Nasty...

    I found a couple processes running - pmmon.exe and pmmsgr.exe, both were flagged as spyware by a google search.

    Found a link to http://www.lavasoftsupport.com/index.php?showtopic=1844
    which advised how to remove the offending "scumware." I did all the steps and it reinstalled itself 30 seconds after windows loaded. Persistent little bugger... Right now I have AVG antispy working on it (again) and it has found

    adware.intcodec

    Anyone know how to kill this one?

  5. #5
    Junior Member
    Join Date
    Aug 2005
    Posts
    18

    Hijack this!

    Here is the log


    12:49 PM 11/9/2006Logfile of HijackThis v1.99.1
    Scan saved at 3:48:37 PM, on 11/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QualityCodec\pmsngr.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\QualityCodec\pmmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4734044c-7427-43d8-adbe-df942e52bef2} - C:\Program Files\QualityCodec\isaddon.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
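
Added example, not part of any poster's message and not HijackThis's own logic: a short Python triage over an excerpt of the log above. It groups entries by install folder and lists folders that have running processes but no O4 (Run key) or O23 (service) line in the log. The function names and the "no autostart entry in the log" heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QualityCodec\pmsngr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\QualityCodec\pmmon.exe

O2 - BHO: (no name) - {4734044c-7427-43d8-adbe-df942e52bef2} - C:\Program Files\QualityCodec\isaddon.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll)', re.IGNORECASE)
AUTOSTART = {"O4", "O23"}  # Run-key and service entries

def folder_key(path):
    """C:\\Program Files\\<folder>\\... -> <folder>; otherwise the top-level directory."""
    parts = path.split("\\")
    if len(parts) > 3 and parts[1].lower() == "program files":
        return parts[2]
    return parts[1]

def triage(log_text):
    """Map install folder -> running executables and the O-codes that reference it."""
    info = defaultdict(lambda: {"running": [], "entries": set()})
    in_procs = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:" or not line:
            in_procs = bool(line)  # the process list ends at the first blank line
            continue
        match = PATH_RE.search(line)
        if not match:
            continue
        key = folder_key(match.group(0))
        if in_procs:
            info[key]["running"].append(match.group(0).split("\\")[-1])
        else:
            info[key]["entries"].add(line.split(" - ", 1)[0])
    return dict(info)

def unexplained(info):
    """Folders with running processes but no O4/O23 line; core Windows processes are skipped."""
    return sorted(k for k, v in info.items() if v["running"]
                  and k.upper() != "WINDOWS" and not (v["entries"] & AUTOSTART))
```

On this excerpt only QualityCodec is returned: two processes are running from it and it owns a BHO, yet the log shows no Run key or service that starts them.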

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Troj/Zlob-QK

    http://www.sophos.com/security/analyses/trojzlobqk.html

    pmmon.exe is crapware too

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    Junior Member
    Join Date
    Aug 2005
    Posts
    18

    What does

    MLF mean?

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    It's a short form of Morganlefay

    It's how I sign my posts

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Your HijackThis log seems awfully short...

    To remove the little bugger.. Boot to safe mode.. Make sure none of its processes are running (check with Task Manager). Kill them if necessary. Then follow the removal instructions.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Quote Originally Posted by FNFiveseveN
    I found a couple processes running - pmmon.exe and pmmsgr.exe, both were flagged as spyware by a google search.

    Found a link to http://www.lavasoftsupport.com/index.php?showtopic=1844
    which advised how to remove the offending "scumware." I did all the steps and it reinstalled itself 30 seconds after windows loaded. Persistent little bugger... Right now I have AVG antispy working on it (again) and it has found

    adware.intcodec

    Anyone know how to kill this one?
    Hi

    You can try



    Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

    Usage Information:

    Download this file, extract it, and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.
    http://www.bleepingcomputer.com/files/killbox.php

    and Stinger http://vil.nai.com/vil/stinger/

    You may want to disable your System Restore and flush the saved points, as you are infected anyways you are not going to do a system restore, so any of these nasties could still be in a restore point.

    http://www.kellys-korner-xp.com/xp_restore.htm
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson
