Solved

Can't get rid of this spyware!!

Posted on 2004-12-01
Last Modified: 2013-12-04
I have some spyware on my laptop that I have not been able to get rid of using Ad-Aware or Spybot.  The processes that I see running that I know are bad are CxtPls.exe, AutoUpdate.exe, and SED.exe.  Here is my HijackThis log.  Can someone please help me?!?!

Logfile of HijackThis v1.97.7
Scan saved at 12:01:22 PM, on 12/1/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\pctspk.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Softex\Winroute\winroute.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINNT\System32\WLANSTA.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\System32\kmw_run.exe
C:\Program Files\SED\SED.exe
C:\WINNT\System32\KMW_SHOW.EXE
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\System32\lab2cenu.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\cfmmem07.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINNT\System32\omwipe32.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.appsitehosting.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall.corp.sprint.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://secure.us.dell;http://inside.us.dell;http://securedev.us.dell;http://insidedev.us.dell;<local>
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.dellhost.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.dellhost.com"); (C:\Documents and Settings\Carrie_Cardon\Application Data\Mozilla\Profiles\default\9l2ie1ie.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Carrie_Cardon\Application Data\Mozilla\Profiles\default\9l2ie1ie.slt\prefs.js)
O1 - Hosts: 209.235.107.68 app1.dellhost.com
O1 - Hosts: 209.235.107.69 app2.dellhost.com
O1 - Hosts: 209.196.6.141 tapp.dellhost.com
O1 - Hosts: 216.205.79.114 ATLDHPDC01
O1 - Hosts: 216.205.79.115 ATLDHSQL01
O1 - Hosts: 216.205.79.116 ATLDHAPP01
O1 - Hosts: 216.205.79.117 ATLDHAPP02
O1 - Hosts: 216.205.79.118 ATLDHSVC01
O1 - Hosts: 216.205.79.119 ATLDHWEB01
O1 - Hosts: 216.205.79.120 ATLDHWEB02
O1 - Hosts: 216.205.79.121 ATLDHTAP01
O1 - Hosts: 209.235.17.230 www.billy-bob.net
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [winroute] C:\Program Files\Softex\Winroute\winroute.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [SetupType] Portable
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [clcxnw] C:\WINNT\System32\quszbwq.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [ekggdy] C:\WINNT\System32\ytmcln\ekggdy.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [v77W37P] lab2cenu.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ewo6RXjFV] cfmmem07.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Configuration Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O16 - DPF: {024A73C6-2766-11D3-821F-00105A272719} (ESMART_DTPicker.ESMARTDTPicker) - http://app2.appsitehosting.com/dhsmart/client_code/ESMART_DTPicker.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {5A4BFFB1-2D6E-11D3-A7CD-00C04F8F83CD} (GetHTTP APPLET) - http://inside.us.dell.com/finance/home/getHTTPApplet.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.5781134259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Question by:ag99carrie
6 Comments
 
LVL 65

Accepted Solution

by: SheharyaarSaahil (earned 2000 total points)
ID: 12718762
Hello ag99carrie =)

You are using an old version of HijackThis, so Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u. Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysis, then copy the link of that page and paste it here, and we will check it for u :)
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12718787
Then use msconfig to untick unwanted programs as described here >> http://netsquirrel.com/msconfig/
After that Download these tools and install and update Adaware and Spybot:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
LSPFix ==> http://www.spychecker.com/program/lspfix.html
Stinger ==> http://vil.nai.com/vil/stinger
========================================================

Turn off your System Restore before cleaning the system if it's WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml
Boot your system in safemode, use LSPFix to remove those aklsp.dll & calsp.dll files
Then Run all the rest four tools one by one and delete everything they detect.
Delete the offending exe files manually from the hard drive if they are present on the hard drive
Then delete the temporary internet files and history of IE
and run Disk Cleanup on your hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now? :)
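To make the two points in the answer above concrete (the repeated O10 lines are one entry per Winsock chain slot for the same DLL, and the lines to check for the three processes named in the question are their O4 Run keys and O2 BHO entries), here is an added Python parser for the HijackThis log format shown in the question. It is not code from this thread or from HijackThis; the sample log is a constructed excerpt of the log posted above.

```python
import ntpath
import re

# Constructed sample: lines excerpted from the HijackThis v1.97.7 log posted above (raw string, so no escaping).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\SED\SED.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\CxtPls\CxtPls.exe

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                # "O4 - <detail>"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")  # "HKLM\..\Run: [name] command"

def parse_hjt(text):
    """Split a HijackThis log into the running-process list and its lettered O-entries."""
    _, _, rest = text.partition("Running processes:")          # process block ends at the first blank line
    processes = [l.strip() for l in rest.split("\n\n", 1)[0].splitlines() if l.strip()]
    entries = [m.groups() for m in (ENTRY_RE.match(l.strip()) for l in text.splitlines()) if m]
    return {"processes": processes, "entries": entries}

def unique_lsp_files(parsed):
    """O10 lines repeat once per Winsock chain slot; report each unknown LSP DLL once."""
    return sorted({d.split(": ", 1)[1].lower() for s, d in parsed["entries"] if s == "O10"})

def persistence_for(parsed, exe_names):
    """Map each named process to the Run keys (O4) and BHOs (O2) that load it."""
    hits = {n.lower(): [] for n in exe_names}
    dirs = {ntpath.basename(p).lower(): ntpath.dirname(p).lower() for p in parsed["processes"]}
    for section, detail in parsed["entries"]:
        if section == "O4" and (m := RUN_RE.match(detail)):
            cmd = m.group(3)                                     # quoted path, or bare "exe args"
            path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
            exe = ntpath.basename(path).lower()
            if exe in hits:
                hits[exe].append(("Run", m.group(1), m.group(2)))
        elif section == "O2":
            parts = detail.split(" - ")                          # "BHO: name - {CLSID} - dll path"
            for exe in hits:                                     # a BHO DLL in the process's own folder
                if dirs.get(exe) == ntpath.dirname(parts[-1]).lower():
                    hits[exe].append(("BHO", parts[1], parts[-1]))
    return hits

if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    print("Unknown LSP files:", unique_lsp_files(log))
    print(persistence_for(log, ["CxtPls.exe", "AutoUpdate.exe", "SED.exe"]))
```

Run against the full log from the question, the same functions show that CxtPls.exe has no Run key at all and is loaded through its BHO, which is why fixing only O4 lines would leave it behind.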
LVL 6

Expert Comment

by:caza13
ID: 12720318
Advice: Remove. This is a very high-risk threat and should be removed immediately to prevent harm to your computer or your privacy.

Author: PeopleOnPage, Inc.
Author URL: http://www.peopleonpage.com
Author description: "PeopleOnPage (POP) is software that allows you to see everybody who's either been to or is currently on the same Web page as you, wherever you go on the Web. You can then chat with them using POP's instant messaging client, send an e-mail, or leave graffiti messages on the Web page for others to see. Use POP in World mode with your friends, or strike up a conversation with someone on your favorite Web site whose picture or tagline intrigues you. Dating mode helps you find someone who not only fits your dating criteria but also visits the sites that matter to you. Then just click their Chat or E-mail button to make contact. POP safeguards your privacy, so it couldn't be simpler or safer to meet people online."

"POP! is a US-incorporated business with its headquarters in Seattle, Washington. The company is the first to develop the technology necessary to make one-on-one chatting possible on any website on the world wide web - not just on specialist chat sites or on sites with added chat features. So for the first time ever, instead of having to visit a particular community or dating website to chat, you can TAKE chat to any website."

Distribution details: PeopleOnPage was bundled with Grokster around June 2003, and it is installed by pop-up ActiveX drive-by download.

Security details: PeopleOnPage includes an updater component which can silently download and execute arbitrary code from its controlling server.

PeopleOnPage Signature Details: The following information includes some of the standard signatures* associated with this spyware threat. Please do not attempt to manually remove these items from your computer; removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity.

http://www.spynet.com/spyware/spyware-PeopleOnPage.aspx

Author Comment

by:ag99carrie
ID: 12721839
Thanks SheharyaarSaahil!!  That did the trick!!
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12721888
^_^

Expert Comment

by:ncmcn
ID: 12834063
I deal with spyware removal daily, below is a brief overview of the process I usually follow when removing some of these nasty programs.  I tried to simplify it a bit..

1. Boot in safe mode, and disable all the items in startup using msconfig.  If you are using Windows XP, it may be a good idea to turn off system restore temporarily as well.

2. Search the registry for keys containing 'run', this will show you the various folders used to start applications with the system.  You may also want to search for 'startup' keys.  I usually search the registry for the known spyware apps listed in msconfig as well.

3. Run some spyware scanning utilities.  I have a lot of success using hijackthis, spybot, ad-aware, and spysweeper, sometimes Bazooka...

4. Empty all temp folders, and check the Program Files folder for signs of spyware remains... Folders like 'Toolbar' and 'Myway' are bad.

5. I usually also go through the Windows and /system or /system32 folders, and arrange the files by date.  This is useful in spotting files all installed at the same time/date.  You can right-click the files, and select properties.  If the file displays information about its creator under the version tab, such as Company: Microsoft Corporation, then it is more than likely legitimate.  If there is a file that you are wary about, and it displays no information in these fields, try looking it up on google to see what the exe or dll may be before deleting it.

6. You can start to enable the startup items in msconfig.  If you recognize all the items in startup, then it is safe to enable all the items.

7. It's not a bad idea to run scans again to ensure the applications haven't been reinstalled, may also want to try www.trendmicro.com's free online scan.  It does a good job finding some of the trojans associated with certain spyware applications.

8. Don't forget to re-enable system restore when you're finished, and if at this point you are still having issues.. well..
