Q: an adware that won't go away (Answered, 4 Comments)
Question
Subject: an adware that won't go away
Category: Computers > Security
Asked by: desert_rose-ga
List Price: $10.00
Posted: 29 Dec 2005 18:26 PST
Expires: 28 Jan 2006 18:26 PST
Question ID: 611137
I downloaded a crack for PC-Cillin (which was a huge mistake and will
never happen again!) and double-clicked the file crack.exe twice, but
nothing happened. Since clicking it I started getting these really
annoying ads on IE that pop up every minute or two; I also noticed that
my computer was very slow.

I ran a full scan with PC-Cillin, Kaspersky, Ad-aware and Spybot S&D
and found nothing, except that with Kaspersky and Ad-aware so many
viruses were detected and were successfully deleted.
Also, my desktop wallpaper changed to an ad for an anti-spyware
program that I couldn't change, but it was gone after I ran a virus scan.

After the scan I rebooted and did the scan again and nothing was
found, but I was still getting the annoying ads, even when I'm not
using Internet Explorer.
I also ran Windows in safe mode and scanned using Kaspersky and
Ad-aware, and both were up to date, but I still get the ads.

Can someone please help me remove this, and would it help to identify
the spyware if I posted a link to the crack I downloaded?
Answer  
Subject: Re: an adware that won't go away
Answered By: livioflores-ga on 29 Dec 2005 19:52 PST
 
Hi!!


This is not the final answer; it is just the first step, in which I
will give you some instructions and some things to download and do.
Then you will post the results of these instructions as a request for
clarification, and I will tell you what else you must do to fix
your computer. If we are lucky, after you follow this second set of
instructions your computer could be clean.

First thing to do:
Scan your computer online with the following tools from Trend Micro
(do all the tasks: virus scan, spyware scan, and download CWShredder to
remove CoolWebSearch; this is a common pestware that is usually
present on infected computers). Let these tools remove all that they
find.
http://housecall.trendmicro.com/
and
http://www.trendmicro.com/spyware-scan/


Second thing to do:
Download and run the following HijackThis auto-install program. HJT
needs to be in its own folder so that the program itself isn't deleted
by accident. Having the backups could be VITAL to restoring your
system if something goes wrong in the FIX process!
http://thespykiller.co.uk/files/HJTsetup.exe

HijackThis is an expert's tool used to remove hijackers and spyware,
but since it works on demand, not automatically, you only need to post
a log here as a clarification; then I will analyze it and tell you
what the next steps are.
To see how to get and post a log here, see the following tutorial at
BleepingComputer.com; you will only need to post the log without
fixing anything, and I will tell you which items must be selected to
fix:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse

Note that on Windows NT, 2000 and XP it requires that you have
administrator privileges.


Please post the scan log from HijackThis' scan, WITHOUT fixing
anything, and after I analyze it I will tell you what things must be
fixed with HJT. Also let me know what happened with the online scans.
Other procedures and products will probably be necessary to complete
the cleaning.


Again, remember that this answer is not considered ended until you get
rid of this pestware. Use the clarification feature as many times as
needed; I will be glad to give you further assistance in case you
need it.


Regards,
livioflores-ga

Request for Answer Clarification by desert_rose-ga on 30 Dec 2005 04:53 PST
OK, I disabled System Restore, did the online scans and removed all
the threats, but the adware wasn't removed, maybe because I didn't
reboot? Then I installed and ran HijackThis, and here is the scan log:

Logfile of HijackThis v1.99.1
Scan saved at 2:27:07 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunServices: [] C:\PROGRAM FILES\SKU62\SKU62.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126716283546
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4657/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\i8420ihoe84c0.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Clarification of Answer by livioflores-ga on 30 Dec 2005 08:35 PST
Hi!!

Your computer has several infections; please do the following:
Download and install the trial version of EWIDO (it works like a
full-featured version for 14 days!):
http://download.ewido.net/ewido-setup.exe


·Install ewido security suite.
·Launch ewido; there should be a big E icon on your desktop, double-click it.
·The program will prompt you to update; click the OK button.
·The program will now go to the main screen.
You will need to update ewido to the latest definition files.
·On the left-hand side of the main screen click Update.
·Click on Start.
The update will start and a progress bar will show the updates being installed.
·After the updates are installed, exit Ewido.

ALTERNATIVE METHOD FOR UPDATE:
Download the latest signature installer and run it:
http://download.ewido.net/ewido-signatures-full-20051124.exe


Don't do any more yet.

Your computer is infected with Spyware.SaveKeys; see HJT item O4 -
HKLM\..\RunServices: [] C:\PROGRAM FILES\SKU62\SKU62.EXE:
http://securityresponse.symantec.com/avcenter/venc/data/spyware.savekeys.html

To fix it, do the following:
Uninstall Spyware.SaveKeys using the Windows Add/Remove Programs utility:
-Click Start > Control Panel.
-In the Control Panel window, double-click Add or Remove Programs.
-Click Save Keys <VersionNumber>.
-Click Add/Remove, Change/Remove, or Remove.
-Follow the prompts.

Then try to delete the values installed by the pest from the registry,
following the instructions on the Symantec page above; if you do not
feel confident doing that, skip this step, but it is recommended.


Now reboot into Safe Mode and run Ewido:
·Run Ewido.
   -Click on Scanner.
   -Make sure the following boxes are checked before scanning:
            º Binder
            º Crypter
            º Archives
   -Click on Start Scan.
Let the program scan the machine. While the scan is in progress you
will be prompted to clean the first infected file it finds. Choose
"clean", then put a check next to "Perform action on all infections"
in the left corner of the box so you don't have to sit and watch Ewido
the whole time. Click OK.

Once the scan has completed, there will be a button at the bottom of
the screen named Save report:
·Click Save report.
·Save the report to your desktop.
·Exit Ewido.


Now run HijackThis and click on the Scan button; from the list, select
the following items if still present:
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\RunServices: [] C:\PROGRAM FILES\SKU62\SKU62.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\i8420ihoe84c0.dll

Now click on the Fix selected items button and let it work.

Find and delete the following files if present:
C:\WINDOWS\system32\i8420ihoe84c0.dll
C:\PROGRAM FILES\SKU62\SKU62.EXE (delete the entire folder)


Reboot into normal mode, check your computer's behaviour and post a
fresh HJT log as a clarification request.

Hope this cleans your computer.

Regards,
livioflores-ga
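
The three entries singled out above (the RunServices value with an empty name, the msnim handler marked "(file missing)" and the ThemeManager Winlogon Notify DLL with a machine-looking name) share traits that a reviewer can check mechanically rather than by eye. The following Python script is an added example, not code from the page, the answerer or HijackThis: it parses HJT v1.99 log lines of the O4, O18, O20 and O23 kinds and applies a few review rules. The rules, the Windows XP Winlogon Notify baseline and the sample lines are assumptions constructed for this example; the sample is modelled on the log posted above.

```python
"""Triage helper for HijackThis-style log lines.

Added example; this is not code from the page, the answerer, or HijackThis.
It parses the O4 (autostart), O18 (protocol handler), O20 (Winlogon Notify)
and O23 (service) line formats of HJT v1.99 and applies a few defender-side
review rules. The rules and the baseline below are assumptions for this
example; tune them to your own environment.
"""
import re
from dataclasses import dataclass, field

# Winlogon\Notify handlers found on a stock Windows XP SP2 install. Assumption:
# treat this as a starting baseline, not an authoritative allowlist.
XP_WINLOGON_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
SUB_RE = {
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O18": re.compile(r"^Protocol: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
    "O23": re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<target>.*)$"),
}

# Constructed sample in HJT v1.99 format, modelled on entries from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunServices: [] C:\PROGRAM FILES\SKU62\SKU62.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\i8420ihoe84c0.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""


@dataclass
class Entry:
    kind: str                  # HJT section code, e.g. "O4"
    raw: str                   # the original log line
    parsed: bool = False       # True when the section-specific format matched
    name: str = ""             # value name, handler name or service name
    target: str = ""           # command line or file path the entry points at
    reasons: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Turn HJT log lines into Entry objects; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank and "Running processes" lines
        e = Entry(kind=m.group("kind"), raw=raw.strip())
        sub = SUB_RE.get(e.kind)
        sm = sub.match(m.group("body")) if sub else None
        if sm:
            e.parsed = True
            e.name = sm.group("name")
            e.target = sm.group("target")
        entries.append(e)
    return entries


def file_stem(target: str) -> str:
    """Base file name without extension from a quoted or unquoted command line."""
    path = target.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]   # quoted path: keep what is inside the quotes
    else:
        path = path.split(" /", 1)[0]      # unquoted path: drop "/switch" arguments
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return stem.rsplit(".", 1)[0].lower()


def review(entries: list) -> list:
    """Attach review reasons to each entry; return only the entries that earned one."""
    flagged = []
    for e in entries:
        reasons = []
        if e.kind == "O4" and e.parsed and e.name == "":
            reasons.append("autostart value with an empty name")
        if "(file missing)" in e.raw:
            reasons.append("entry points at a file that no longer exists")
        if e.kind == "O20" and e.name.lower() not in XP_WINLOGON_NOTIFY_BASELINE:
            reasons.append("Winlogon Notify handler not in the XP baseline")
        if e.kind in ("O4", "O20", "O23") and sum(c.isdigit() for c in file_stem(e.target)) >= 4:
            reasons.append("digit-heavy file name (often machine-generated)")
        e.reasons = reasons
        if reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in review(parse_hjt(SAMPLE_LOG)):
        print(e.raw)
        for r in e.reasons:
            print("   ->", r)
```

Run it against a full log by replacing SAMPLE_LOG with the file contents. The rules only raise items for a human to look at; the Global Startup line and the Kaspersky entries in the sample pass through untouched, which is the point of keeping the rules narrow and the baseline explicit.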

Request for Answer Clarification by desert_rose-ga on 04 Jan 2006 02:07 PST
Since I got the spyware I have been too scared to update my payment
information on Google Answers, and they suspended my posting
privileges. Anyway, I did everything you said but I still have the
spyware; I keep on deleting it in safe mode but it just won't go
away!!

Someone suggested I use Spy Sweeper, which detected several spywares
and blocked them, and now I don't get the ads anymore, but in order to
remove the spywares I have to subscribe.
The adware that I have is Look2Me; while my account was suspended I
googled for removal tools but nothing worked except Spy Sweeper.

Clarification of Answer by livioflores-ga on 04 Jan 2006 08:17 PST
Hi!!

If I understand you well, your computer is clean now; that is great news!!
Now you must do some things to keep it clean in the future. I suggest
a couple of programs that will help you protect your computer.
According to your HJT log you do not have a firewall installed and
running; you can use (or maybe you are using) the Windows XP firewall,
or download and install a free one:
"Understanding Windows Firewall in Windows XP Service Pack 2":
This is a 3-page guide; see the links at the bottom for the next pages.
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

"Zone Labs - Zone Alarm":
http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zaav&AID=9754927&PID=1320436

"Sunbelt Kerio":
http://www.sunbelt-software.com/Kerio.cfm


Also, the following programs will be useful:
"Using SpywareGuard to protect your computer from Spyware & Hijackers":
This program gives you real-time protection.
http://www.bleepingcomputer.com/forums/tutorial50.html

"Using SpywareBlaster to protect your computer from Spyware,
Hijackers, and Malware":
This program vaccinates your computer against well-known pestwares.
http://www.bleepingcomputer.com/forums/tutorial49.html


I hope this helps you. Feel free to continue using the clarification
feature if you need it.

Regards, 
livioflores-ga
Comments  
Subject: Re: an adware that won't go away
From: kitramos-ga on 29 Dec 2005 21:37 PST
 
Another thing I would recommend doing is to first install Tweakall; it's a
general-purpose hidden-setting modifier.
http://www.codeforge.co.uk/tweakalldownload.php
After installing it, run it and have it check for updates (you'll need
them done later).

Then, once you have done that, boot your computer into safe mode. To do
this, start up your computer (or reboot) and hit the F5 key right after
the computer mentions it found the drive to boot from, or, if you've got a
brand-name computer, right after the brand logo screen disappears.
Also, don't hit the key just once; keep pressing it repeatedly until it
gives you a boot menu. If it doesn't give you one and just loads
Windows, then you waited too long to start pressing the key; if it gives
you a BIOS config screen or some other random error, then you pushed it
too soon (in either case just restart and try again; nothing got hurt).

The boot menu should have a few options for safe mode, then a safe
mode command line only, and it will also have a last known good
configuration.

Take the safe mode without any extra options. Then it might ask which
copy of Windows to load; pick the one that's having the problem, and if
you're not sure which that is, just pick one (if you pick wrong, just
reboot and try again).

Once Windows finishes loading it might ask you to log in; use the
administrator account. Then you'll see a screen pop up asking if
you want to use System Restore or go into the special diagnostic mode.
Well, if you've got a restore point set a few days before you got the
crack, you might be able to use that to get your system back. However,
if you tried that and had no luck, or don't want to try it, or don't have
a restore point from back then anymore, then pick the option not to
use System Restore. When your computer finishes loading, the first thing
I'd do is use Spybot and Ad-aware, and your antivirus, here, as they will
be able to weed out more junk with Windows in this state. Next I'd go
to the System Restore wizard; it's in
Start > Programs > Accessories > System Tools > System Restore.
Tell it you want to make a new restore point and go through the steps;
when it's done, close it, then load Tweakall.
In that program go to "Run Programs" and click on all the plus signs
next to the 5 items in there, then click on and click Remove on any
entry that doesn't contain a name of something you put in your
computer on purpose, like logitechvideo or HP-Dvd bit set (if you
indeed have such hardware on your system) or AVG_CC (that's part of
the AVG anti-virus system). You'll probably find at least an entry or two
in there somewhere that looks suspicious, so kill it, but it is possible
that there is nothing out of the ordinary there. The next thing I'd do
is make a text file and change the extension from .txt to .htm, then open
the file; when the browser opens, click on Tools and "Manage Add-ons" and
disable EVERYTHING! Then restart your computer; that kind of sneak
attack sometimes works.
Subject: Re: an adware that won't go away
From: mister4u-ga on 30 Dec 2005 07:10 PST
 
Here is an analysis of your HijackThis log:
http://hijackthis.de/logfiles/e07aacc6991864d8772cafab1a498e9e.html
Subject: Re: an adware that won't go away
From: greatergood-ga on 31 Dec 2005 07:59 PST
 
Hey,

Were you using an antivirus/firewall before you installed the PC-Cillin crack?
You can download a copy of MicroAntivirus, which includes the trio of an
antivirus/firewall/spyware remover, at: ( http://www.mavsolutions.com
). If you just need a spyware/adware remover, then try AdwareAlert: (
http://www.antispywareremover.com ), which also includes a registry
cleaner.
Subject: Re: an adware that won't go away
From: desert_rose-ga on 04 Jan 2006 02:12 PST
 
kitramos-ga, mister4u-ga and greatergood-ga, thanks for helping, but I
used Spy Sweeper and it fixed it.
