Please help, hijacked by spyware!!

[dlpetey]

Ok I need some help, I'm at a loss as what to do. I recently had to reinstall windows and I got a peice of spyware in the process that I can't get rid of. It's on of those "Windows Alerts" that says there are critical problems that need to be adderssed quickly. So I should go to their website and buy their registry cleaner.

I have run Avast several times, Ad-Aware, Spy-Bot search and destroy, CCcleaner, and RegsrcubXP and still am getting the thing popping up. It's set to "alert" me about every 4-5 min and saves up the info so that I have to close out all of them. So if I log off the computer for say 30min I will have like 6 messages to close out.

Please help!!

[vass0922]

run hijackthis and give us the log it creates

did you update the applications with the latest definitions before scanning?

you can also try trendmicro online scan tool... its free

[Atomic Rooster]

Those pop-ups may be using the Windows Messenger service. Try this: go to Control Panel > Administrative Tools > Services. Scroll down to Messenger, right click and select Properties. Under Startup type select Disabled. Then under Service status, click the Stop button. Click Apply and hopefully that should kill the pop-ups.

[dlpetey]

Here's the log file, also I did what Atomic Rooster said, we'll see if that works.


Logfile of HijackThis v1.99.1
Scan saved at 9:17:36 AM, on 10/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
F:\Installed\Upkeep\Avast\aswUpdSv.exe
F:\Installed\Upkeep\Avast\ashServ.exe
F:\Installed\Internet\PC anywhere\awhost32.exe
H:\WINDOWS\System32\CTHELPER.EXE
F:\INSTAL~1\Upkeep\Avast\ashDisp.exe
F:\Installed\Media\Damon Tools\daemon.exe
F:\Installed\Internet\Ad-Aware SE Professional\Ad-Watch.exe
H:\WINDOWS\System32\CTsvcCDA.exe
F:\Installed\Upkeep\Outpost Firewall\outpost.exe
F:\Installed\Upkeep\Avast\ashMaiSv.exe
F:\Installed\Upkeep\Avast\ashWebSv.exe
G:\Temp Apps\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\apps\Documents\Adobe\Reader\ActiveX\AcroIEHelpe r.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] H:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] F:\INSTAL~1\Upkeep\Avast\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Outpost Firewall] F:\Installed\Upkeep\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] F:\Installed\Upkeep\Outpost Firewall\feedback.exe /dumps_startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Installed\Media\Damon Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AWMON] "F:\Installed\Internet\Ad-Aware SE Professional\Ad-Watch.exe"
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - F:\Installed\Upkeep\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1130036549289
O20 - AppInit_DLLs: f:\apps\upkeep\outpos~1\wl_hook.dll F:\INSTAL~1\Upkeep\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: PCANotify - H:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Installed\Upkeep\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Installed\Upkeep\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Installed\Upkeep\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Installed\Upkeep\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - F:\Installed\Internet\PC anywhere\awhost32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - H:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\Installed\Upkeep\Outpost Firewall\outpost.exe

[sr71000]

first of all..you should probably move hjt from your temp apps folder to a more permanant folder!! Then, go to my site http://k-techcomputers.us and look for the link to the two online analyzers. post your log in those and it'll check it for common problems....and we'll go through the one posted here for other problems If you make any fixes in the log...post a new one here so we don't just repeat the work of the online analyzers

[rrcn]

I scanned your log and I don't see anything unusual.

Did you try running tredmicro's online virus scan like Vass suggested?

[dlpetey]

When I try to do trendmicro's virus scan I get "HouseCall ActiveX component is not ready." Not sure what it wants.

Edit: sr7100 BTW the link for your site took me to a page that said the address had changed and if posted on a fourm to alert the poster

[jutah]

I had the same problem, I would leave my machine on over night and wake up to find like 100 alerts or so. I ran Ad-aware, Spybot, CCleaner, The Cleaner, and changed my anti virus from Symantec to AVG. I also ran highjack this and ran the log through the above mentioned site (KC computers). After all that I got rid of all the alerts. The only spyware I can't get rid of yet is this stupid huntbar? Hope this helps.

Jutah

[dlpetey]

As an update Atomic Roosters suggestion seems to have done the trick. I haven't had any of the popups since following that advice. As for the highjack this stuff everything seems to be fine. So thanks guys.

[Atomic Rooster]

Good to hear all is well. I'm glad I could help.