Spyware problem !!

[hittheswitch]

Hie people,
I have one more problem and this time it is related to spywares.I got a new connection at my place and in excitement i visited a lot of crack sites for the cracks that i needed.I don't remember the exact site but it installed around 70 spywares ( believe me ) in 10 min. ( All those xxx icons showing up on screens and stuff like that ). I cleaned most of them successfully ( manually ). I have a problem now.There was a spyware that automatically started dos and i don't know how it changed my wallpaper to BSOD wallpaper. Now when i right-click on my desktop to view the properties i dont' see any desktop or background tab,only screensaver and settings tab was visible.
Anyone out there knows how to repair this ?
Which is the best Anti-Spyware software for such case?( Which itself is not a spyware)
And also there is this sidebar that has been installed into my internet explorer.How to remove that.


Thanx in Advance.

[swatkat]

Download HijackThis and unzip it to dedicated folder (like C:\HijackThisFolder\hijackthis.exe).
Then run it and click the button Do a System scan and save log file. HijackThis will perform a scan and saves the log file as hijackthis.log in the same folder where it is installed and it also opens the file automatically.
Copy the entire contents of the file and post it here.

[rajas]

http://home.earthlink.net/~jw045/sit...tures/help.jpg
is it wat the problem is??

This happens due to the policy change in registry(I believe that its done by spyware). Then try doing this:

Navigate to
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\System

If there is a DWoRD Value such "NoDispBackgroundPage", "NoDispScrSavPage", "NoDispAppearancePage" with a data value of 1 this will disable the respective tab. Change the value to 0 or delete it to see the tab again. I see that you do not have the background, Appearence, Themes tabs. make the changes accordingly and you should see all back.

Also to resolve the issue with wallpaper of BSOD, download the file and run the registry tweak.
http://ralphcaddell.com/Uploads/Background.zip


Also chk the Kellys-Korner a gr8 site for XP tweaks.
http://www.kellys-korner-xp.com/xp_tweaks.htm
download and run the respective reg tweak to resolve teh issue


please post the results when tried.

[hittheswitch]

Hey swatkat
Right now i'm surfing the net from the college and i've downloaded HijackThis.As soon as i reach back home i'll post the log file created.
And Rajas the firewall at mah college is not allowing me to visit the page u've mentioned.I'll go back home and see.For the time being i've downloaded the background.zip.

Thanx

[kiran_k]

A lesson learnt (for going to crack a software)
Pretty hard way..

[h4xbox]

Edit: [enoonmai] As much as you don't want this post to be edited, posting/helping someone find cracks more easily is not condoned at the forums. I hope you understand. Please refrain from "showing the path" to the people.

I think I have to point out to enoonmai that anandk has also suggested a program why dont u edit his post tooooo.....

Though he has partially helped .. u have to edit it too(coz he said if u visit site in future use this proggie == nearly my post)

[anandk]

use microsoft antispyware, adaware, spybot, spyware doctor. one wont suffice. use 2-4 atleast. it'll hopefully solve all of your problems.

firstly i suggest u dont visit crack sites ! but just in case ....
...next time u visit such sites use and install javacools spywareguard & spywareblaster. they work in the background and use near nil resources, and just dont let spyware enter in the first !

http://www.javacoolsoftware.com/index.html1
http://www.javacoolsoftware.com/spywareguard.html

[shaunak]

get spybot too its a good tool
and b a good boy and stay away from crack sites...............for the next 60 seconds

[futuristically_ancient]

Quote:

Originally Posted by hittheswitch

Hie people,
I have one more problem and this time it is related to spywares.I got a new connection at my place and in excitement i visited a lot of crack sites for the cracks that i needed.I don't remember the exact site but it installed around 70 spywares ( believe me ) in 10 min. ( All those xxx icons showing up on screens and stuff like that ). I cleaned most of them successfully ( manually ). I have a problem now.There was a spyware that automatically started dos and i don't know how it changed my wallpaper to BSOD wallpaper. Now when i right-click on my desktop to view the properties i dont' see any desktop or background tab,only screensaver and settings tab was visible.
Anyone out there knows how to repair this ?
Which is the best Anti-Spyware software for such case?( Which itself is not a spyware)
And also there is this sidebar that has been installed into my internet explorer.How to remove that.


Thanx in Advance.

Use anti-spyware programs like Spyware Doctor v3.2 and SpyBot S&D with the latest updates, n run a full system scan. Delete all entries that come up.
Also, use Registry Mechanic to wipe ur registry clean....
Also, tryout Microsoft AntiSpyware.

Chiao!
______

[chinmay]

maan....this guy rajas is a super genius...i have been posting the same problem for so long and nobody could solve it...i was so pissed off by this...even guyz like swatkat failed to solve this...and this analogue novice raja gave a perfect solution to this major problem of mine....i would recommend him for a braniac rank...btw rajas can u plz temme how this problem occurred?...what malicious code was responsible for this? i never visit crack site btw

[hittheswitch]

Hie Rajas,
Yes dude i had the same problem as shown in the image link that you gave.But for now the BSOD wallpaper problem has been solved because as i got back home i don't know how my profile got corrupted and it was restored to the fresh settings that you get when you install Windows XP.

BSOD wallpaper problem is over.Can you tell me a way to save my profile so that every time my profile gets corrupted i don't need to change all the settings manually.

[hittheswitch]

There is another problem.I have a spyware named bargains.exe that keeps on running in the background.I shut it down manually every time windows boots up because there is no entry of bargains.exe in the startup or msconfig. Secondly i've deleted all the files named bargains.exe and other files related to it but somehow every time i boot up it again gets installed.Any idea about this?

[hittheswitch]

hie swatkat this is the logfile generated by HijackThis

Logfile of HijackThis v1.97.7
Scan saved at 7:01:56 AM, on 5/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
E:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D9D044B1-C8D5-4AA6-8D80-1A03B70E48C3} - C:\WINDOWS\System32\coaifba.dll (file missing)
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...006_cracks.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{496FD08A-B624-41E3-86A1-07C75602EFB3}: NameServer = 202.138.97.193 202.138.96.2

[hittheswitch]

i thought of deleting some of the entries in hijack this.This is the log generated afterwards:


Logfile of HijackThis v1.97.7
Scan saved at 7:03:47 AM, on 5/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir...0&plcid=0x0409
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

[hittheswitch]

Hie i've got another problem.Every time i boot up, it shows that the profile i was using is corrupted and give me a temporary profile.Wat is all this? I get the same freshly loaded Windows XP desktop,every time i logon.
Secondly how can i enable auto-login ( i don't want to click on my username every time i log in ) ?

[chinmay]

hittheswitch d u know that u have posted 5 posts together...even double posting is a total no-no in digit forums...u shud edit the first post only if u want to add something...u may be banned or warned for doing this..

[swatkat]

You are using an old version of HijackThis. Any, fix these in the current HijackThis, and post a fresh log using latest HijackThis.
Download CWShredder, AdAware and SpywareBlaster and install them.

Boot in safe mode. Go to Add/Remove Programs in Control Panel, and unintall these things:-
1] BullsEye Network
2] CashBack By Bargain Buddy
3] NaviSearch

Run HijackThis, and put a checkmark against these entries:-
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: (no name) - {D9D044B1-C8D5-4AA6-8D80-1A03B70E48C3} - C:\WINDOWS\System32\coaifba.dll (file missing)
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...006_cracks.cab

Then close all other open programs, and click "Fix checked" in HijackThis.
Exit from HijackThis, and delelte these files:-
C:\WINDOWS\nem220.dll
C:\Program Files\SideFind\sfbho.dll
C:\WINDOWS\System32\coaifba.dll
C:\WINDOWS\System32\msbe.dll
C:\Program Files\ISTbar\istbarcm.dll

And delelte these folders:-
C:\Program Files\SideFind
C:\Program Files\ISTbar

Run these tools:-
CWShredder --> Run CWShredder and click "Fix".

SpywareBlaster --> Run it, and click "Enable All Protection".

AdAware --> Click "Scan Now" button in the left pane and select the radio button "Perform full system scan" and click "Start".


Reboot to Normal Mode. Get latest version of HijackThis and post a new log.

[hittheswitch]

Hi swatkat this is the log file that has been generated after i followed the process you earlier mentioned.I think now my computer is free from all the spywares.Wat do u think? Well i would really like to thank you for taking so much of pain and getting my problem solved.

Logfile of HijackThis v1.97.7
Scan saved at 7:09:19 PM, on 5/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
E:\Softwares\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

[swatkat]

Hi,
Log looks clean, but get the latest version of HijackThis and post a new log. It gives more details than the older one.
Download it here.

[rajas]

Hi all,

Good to see that the issue has been resolved for hittheswitch.

@chinmay_d Thank you very much for your words. Dont really know what could have cause this. U know very well that u need not do anything gr8 to get a spyware. Spyware do get downloaded without ur notice.

I'm analogue novice in digit as the number of posts are very less and I'm choosy in posting to the issues. I go by importance.
I may be Analogue Novoice in DIGIT Forum, but not a novoice for IT stuff.