97gstchick
asked on
Help with some spyware removal
Hello....
I'm trying to help my friend who just got some really bad spyware last night. I told him to dl Ad-Aware SE, Spybot Search and Destroy and the Microsoft beta anti-spyware. He did all of that and tried to run the programs, and in the middle of the scans for all of them an error would come up and they wouldn't complete. He says all but the ads on his fav places keep popping up and AIM still won't let him instant message anyone.
Here is his HJT log; someone please look into this for me.
Logfile of HijackThis v1.99.1
Scan saved at 12:26:48 PM, on 5/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\apitm32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\sysuw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim\My Documents\jimmyz\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uuopd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uuopd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uuopd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uuopd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uuopd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uuopd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uuopd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {21E4D24D-BFDF-C114-094D-146BCC336764} - C:\WINDOWS\aping.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysuw.exe] C:\WINDOWS\sysuw.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097234255078
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apitm32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Your log file analysed: http://www.hijackthis.de/logfiles/ceeca1ca274f2bf25f5342ec6d58a61f.html
Here's what all that stuff is: http://hjt2.iamnotageek.com/log-43500.html
Hi
The best way to remove adware and spyware is to go to this site
http://www.freespywareguide.com
Click on free scan on the left and run the ActiveX applet.
Your PC will be clean as a whistle.
Full removal and Prevention instructions are available on my website,
http://www.petenetlive.com/Tech/Browsers/hijack.htm
Please don't "Gum up" the TA's here by posting Hijack This Logs
go here and have it analysed.
http://www.hijackthis.de/index.php?langselect=english
The EE Official Link to info is,
http:Q_20975384.html#10973783