 Question
Subject: an adware that won't go away
Category: Computers > Security
Asked by: desert_rose-ga
List Price: $10.00
Posted: 29 Dec 2005 18:26 PST
Expires: 28 Jan 2006 18:26 PST
Question ID: 611137
I downloaded a crack for PC-cillin (which was a huge mistake and will never happen again!) and double clicked the file crack.exe twice, but nothing happened. Since clicking it I started getting these really annoying ads on IE that pop up every minute or two; also I noticed my computer to be very slow. I ran a full scan with PC-Cillin, Kaspersky, Ad-aware and Spybot S&D and found nothing, except with Kaspersky and Ad-aware so many viruses were detected and were successfully deleted. And also my desktop wallpaper changed to an ad of an anti-spyware program that I couldn't change, but it was gone after I ran a virus scan. After the scan I rebooted and did the scan again and nothing was found, but I was still getting the annoying ads even when I'm not using Internet Explorer. I also ran Windows in safe mode and scanned using Kaspersky and Ad-aware, and both were up to date, but I still get the ads. Can someone please help me remove this, and would it help to identify the spyware if I posted a link to the crack I downloaded?
Subject: Re: an adware that won't go away
Answered By: livioflores-ga on 29 Dec 2005 19:52 PST
Hi!! This is not the final answer; it is just the first step, on which I will give you some instructions and some things to download and do. Then you will post the results of these instructions as a request for clarification and I will tell you what else you must do to fix your computer. If we are lucky, after you follow this second set of instructions your computer could be clean.

First thing to do:
Scan your computer online with the following tools from Trend Micro (do all the tasks: virus scan, spyware scan, and download CWShredder to remove CoolWebSearch, a common pestware that is usually present on infected computers). Let these tools remove all that they find.
http://housecall.trendmicro.com/
and
http://www.trendmicro.com/spyware-scan/

Second thing to do:
Download and run the following HijackThis autoinstall program. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
http://thespykiller.co.uk/files/HJTsetup.exe
HijackThis is an expert's tool used to remove hijackers and spyware, but since it works on demand, not automatically, you only need to post a log here as a clarification and then I will analyze it and tell you what the next steps are. To see how to get and post a log here, see the following tutorial at BleepingComputer.com; you will only need to post the log without fixing anything, and I will tell you which items must be selected to fix:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse
Note that on Windows NT, 2000, & XP, it requires that you have administrator privileges.

Please post the scan log from HijackThis' scan, WITHOUT fixing anything, and after I analyze it I will tell you what things must be fixed with HJT. Also let me know what happened with the online scans. Probably other procedures and products could be necessary to complete the cleaning.

Again, remember that this answer is not considered ended until you get rid of this pestware. Use the clarification feature as many times as needed; I will be glad to give you further assistance whenever you need it.

Regards,
livioflores-ga

Request for Answer Clarification by desert_rose-ga on 30 Dec 2005 04:53 PST
OK, I disabled System Restore and did the online scans and removed all the threats, but the adware wasn't removed, maybe because I didn't reboot? Then I installed and ran HijackThis and here is the scan log:

Logfile of HijackThis v1.99.1
Scan saved at 2:27:07 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunServices: [] C:\PROGRAM FILES\SKU62\SKU62.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126716283546
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4657/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\i8420ihoe84c0.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Clarification of Answer by livioflores-ga on 30 Dec 2005 08:35 PST
Hi!! Your computer has several infections, please do the following:

Download and install the trial version of EWIDO (it works like a full featured version for 14 days!):
http://download.ewido.net/ewido-setup.exe
·Install ewido security suite
·Launch ewido, there should be a big E icon on your desktop, double-click it.
·The program will prompt you to update, click the OK button
·The program will now go to the main screen
You will need to update ewido to the latest definition files.
·On the left hand side of the main screen click update
·Click on Start
The update will start and a progress bar will show the updates being installed.
·After the updates are installed, exit Ewido.
ALTERNATIVE METHOD FOR UPDATE: Download the last signature installer and run it:
http://download.ewido.net/ewido-signatures-full-20051124.exe
Don't do any more yet.

Your computer is infected with Spyware.SaveKeys, see HJT item
O4 - HKLM\..\RunServices: [] C:\PROGRAM FILES\SKU62\SKU62.EXE
http://securityresponse.symantec.com/avcenter/venc/data/spyware.savekeys.html
To fix it do the following:
Uninstall Spyware.SaveKeys using the Windows Add/Remove Programs utility:
-Click Start > Control Panel.
-In the Control Panel window, double-click Add or Remove Programs.
-Click Save Keys.
-Click Add/Remove, Change/Remove, or Remove.
-Follow the prompts.
Then try to delete the values installed by the pest from the registry, following the instructions at the above Symantec page; if you do not feel confident to do that, skip this step, but it is recommended to do it.

Now reboot in Safe mode and run Ewido:
·Run Ewido.
-Click on scanner
-Make sure the following boxes are checked before scanning:
º Binder
º Crypter
º Archives
-Click on Start Scan
Let the program scan the machine. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report:
·Click Save report
·Save the report to your desktop
·Exit Ewido

Now run HijackThis and click on the Scan button; from the list select the following items if still present:
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\RunServices: [] C:\PROGRAM FILES\SKU62\SKU62.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\i8420ihoe84c0.dll
Now click on the Fix selected items button and let it work.

Find and delete the following files if present:
C:\WINDOWS\system32\i8420ihoe84c0.dll
C:\PROGRAM FILES\SKU62\SKU62.EXE (delete the entire folder)

Reboot into normal mode, check your computer's behaviour and post a fresh HJT log as a clarification request.

Hope this cleans your computer.
Regards,
livioflores-ga

Request for Answer Clarification by desert_rose-ga on 04 Jan 2006 02:07 PST
Since I got the spyware I have been too scared to update my payment information on Google Answers and they suspended my posting privileges. Anyway, I did everything you said but I still have the spyware; I keep on deleting it in safe mode but it just won't go away!! Someone suggested I use Spy Sweeper, which detected several spywares and blocked them, and now I don't get the ads anymore, but in order to remove the spywares I have to subscribe. The adware that I have is Look2Me; while my account was suspended I googled for removal tools but nothing worked except Spy Sweeper.

Clarification of Answer by livioflores-ga on 04 Jan 2006 08:17 PST
Hi!! If I understand you well, your computer is clean now, that is great news!! Now you must do some things to keep it clean in the future. I suggest a couple of programs that would help you to protect your computer.
According to your HJT log you do not have a firewall installed and running; you can use (or maybe you are using) the Windows XP firewall, or download and install a free one:
"Understanding Windows Firewall in Windows XP Service Pack 2": This is a 3-page guide, see the links at the bottom for the next pages.
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx
"Zone Labs - Zone Alarm":
http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zaav&AID=9754927&PID=1320436
"Sunbelt Kerio":
http://www.sunbelt-software.com/Kerio.cfm
Also the following programs will be useful:
"Using SpywareGuard to protect your computer from Spyware & Hijackers": This program gives you realtime protection.
http://www.bleepingcomputer.com/forums/tutorial50.html
"Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware": This program vaccinates your computer against well known pestwares.
http://www.bleepingcomputer.com/forums/tutorial49.html
I hope this helps you. Feel free to continue using the clarification feature if you need it.
Regards,
livioflores-ga
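The answer above picks out three kinds of HijackThis entry by eye: a RunServices item with an empty name, an entry whose target file is missing, and a Winlogon Notify DLL with a random-looking name. As an added example (not part of the original answer, and not a HijackThis feature), here is a small Python triage script that encodes those three checks and runs them over a few entries copied from the posted log; the random-name heuristic and the SAMPLE_LOG excerpt are my own constructions.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted above
# (the flagged ones plus benign Kaspersky and ctfmon lines) so this runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunServices: [] C:\PROGRAM FILES\SKU62\SKU62.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\i8420ihoe84c0.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# HJT entry lines start with a section tag such as O4, O20 or R1.
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Bare module name at the end of a path, e.g. i8420ihoe84c0.dll
BASENAME_RE = re.compile(r"([^\\\s\"]+)\.(dll|exe)\b", re.IGNORECASE)


def looks_random(stem):
    """Heuristic (my own): a module name mixing several digits with several
    letters, like i8420ihoe84c0, is typical of auto-generated adware names;
    vendor DLLs such as ctfmon or Ati2evxx rarely look like that."""
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 3


def triage_hjt_log(text):
    """Return (reason, entry) pairs for entries that deserve a second look.
    The three rules mirror the items singled out in the answer above."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section == "O4" and re.search(r"\\RunServices: \[\]", body):
            findings.append(("O4 RunServices entry with an empty name", line))
        if "(file missing)" in body:
            findings.append(("dangling reference to a missing file", line))
        if section == "O20":
            modules = BASENAME_RE.findall(body)
            if any(looks_random(stem) for stem, _ext in modules):
                findings.append(("Winlogon Notify DLL with random-looking name", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage_hjt_log(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Point it at a full saved log by reading the file into a string; the process list and header lines are skipped automatically.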
Another thing I would recommend doing is first install Tweakall; it's a general-purpose hidden setting modifier.
http://www.codeforge.co.uk/tweakalldownload.php
After installing it, run it and have it check for updates (you'll need them done later). Then once you have done that, boot your computer into safe mode. To do this, start up your computer (or reboot) and hit the F5 key right after the computer mentions it found the drive to boot from, or if you got a brand name computer, right after the brand logo screen disappears. Also don't hit the key just once; keep pressing it repeatedly until it gives you a boot menu. If it doesn't give you one and just loads Windows, then you waited too long to start pressing the key; if it gives you a BIOS config screen or some other random error, then you pushed it too soon (in either case just restart and try again, nothing got hurt). The boot menu should have a few options for safe mode, then a safe mode command line only; it will also have a last known good configuration. Take the safe mode without any extra options. Then it might ask which copy of Windows to load; pick the one that's having the problem, and if you're not sure which that is, just pick one (if you pick wrong just reboot and try again). Once Windows finishes loading it might ask you to log in; use the Administrator account. Then you'll see a screen pop up asking if you want to use System Restore or go into the special diagnostic mode. Well, if you got a restore point set a few days before you got the crack, you might be able to use that to get your system back. However, if you tried that and had no luck, or don't want to try it, or don't have a restore point from back then anymore, then pick the option not to use System Restore. When your computer finishes loading, the first thing I'd do is use Spybot and Ad-Aware, and your antivirus, here, as they will be able to weed out more junk with Windows in this state.

Next I'd go to the System Restore wizard (it's in Start > Programs > Accessories > System Tools > System Restore) and tell it you want to make a new restore point; go through the steps, and when it's done close it, then load Tweakall. In that program go to "Run Programs" and click on all the plus signs next to the 5 items in there, and then click on and click remove on any entry that doesn't contain a name of something you put in your computer on purpose, like logitechvideo or HP-Dvd bit set (if you indeed have such hardware on your system) or AVG_CC (that's part of the AVG anti-virus system). You'll probably find at least an entry or two in there somewhere that looks suspicious, so kill it, but it is possible that there is nothing out of the ordinary there. The next thing I'd do is make a text file and change the ext from .txt to .htm, then open the file; when the browser opens, click on Tools and "Manage Add-ons" and disable EVERYTHING! Then restart your computer; that kind of sneak attack sometimes works.
Here is an analysis of your HijackThis log:
http://hijackthis.de/logfiles/e07aacc6991864d8772cafab1a498e9e.html
Hey, were you using an antivirus/firewall before you installed the PC-cillin crack? You can download a copy of MicroAntivirus, which includes the trio of an antivirus/firewall/spyware remover, at: ( http://www.mavsolutions.com ). If you just need a spyware/adware remover, then try AdwareAlert: ( http://www.antispywareremover.com ), which also includes a registry cleaner.
kitramos-ga, mister4u-ga and greatergood-ga, thanks for helping, but I used Spy Sweeper and it fixed it.