Can't get rid of spyware

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
This was when it first started, but I'd guess things have changed quite a bit since then, considering all the scans I've done, deleted a few things, and since spyware seems to install more spyware.


I have followed flying penguin's guide several times including running M$AS (in addition to NAV, Spybot and Ad Aware), but then after I boot to normal windows, in task manager I still have spyware and/or trojans running. And I get online for a bit, then do the scans again later, and every time, most of them keep finding spyware. Even Spybot will find a few that the others missed. How do they keep 'coming back'? Considering how many scanners I'm using, why can't I get rid of it completely?
Also is it possible that spyware can take over the normal windows files that run in the background, like csrss.exe, smss.exe, etc, so you're not even sure if spyware is running or not? If so, what would the scanners be able to do with them?


These are running when I boot that I'm wondering about:
mszx23.exe, wdfmgr.exe, winlogon.exe, wuauclt.exe, system, services.exe
BTW, oddly, if I search my drive for winlogon.exe and services.exe, they're not found, even though they are in my \system32 folder. Why?


Also after running all the scans, I still have quite a few suspicious files in my root, windows and windows\system32 folders. They have dates that are the same as or newer than when I got attacked. There were more, but some have been deleted by me and the scanners. Anyone care to tell me which of these I should rename/delete? I've tried googling them, but get way too much conflicting info.

In c:
trig.dtl
1.dml

In c:\windows
streamhlp.dll
msxct1.ini
GDDIHJG.ini
ms3.exe
ms2.exe
hosts
tool2.exe
tool1.exe
dimak
bootstat.dat

Why is hosts located here? And there are a lot of sex site and other URLs in it, all with 127.0.0.3

In c:\windows\system32
p2.ini
ps.a3d
wpa.dbl
mszx23.exe
tmpf00.exe
vdmt16.sys
win32.exe
~update.exe
gcmd5query.dll
$$$_.log
gh4lm4tq.ini
frru241d.html
repecsvc.exe
ntpvc32.exe
u2rjmpr7.dat
kpsemimi.dat
ora5h6b0.ini
gt82lb9r.ini
07u5m4d7.dat
paytime.exe
trf32.dll
mscnf.dll
wcnl32.dll
hst32.dll
zlbw.dll
vx.tll

One of the scanners I had just run found paytime.exe. Why didn't it delete it?


My system.ini has a new file date as well. Anything I should delete in it?

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[vicax]
msacm711=27464
msacm811=50565
msacm911=42405



Also when using M$ Antispyware in safe mode (640x480, I can't go higher), I can't see the bottom part of the window. Any idea how to?
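The post above describes a hosts file full of unrelated URLs all pointing at 127.0.0.3. The following is an added example (not from the thread or any of its posters) that triages a hosts file for that pattern: names mapped to a loopback address other than 127.0.0.1/::1, mappings of watch-listed update or vendor hostnames, and a per-address count of captured names. WATCH_HOSTS and HOSTS_SAMPLE are constructed for the example.

```python
"""Triage a Windows hosts file for hijack indicators.

Added example, not from the thread. Flags names mapped to a loopback
address other than 127.0.0.1/::1 (the thread's 127.0.0.3 pattern) and any
mapping of a watch-listed update or security-vendor hostname, then counts
how many names each address captures. HOSTS_SAMPLE is constructed.
"""
import ipaddress
from collections import Counter

# Hostnames that malware redirects to starve scanners of updates.
# Constructed watch-list for this example; extend for your environment.
WATCH_HOSTS = {"windowsupdate.microsoft.com", "www.kaspersky.com"}
NORMAL_LOOPBACK = {"127.0.0.1", "::1"}

def parse_hosts(text):
    """Yield (lineno, ip_address, [lowercased names]) for each data line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue    # malformed line; skip it
        yield lineno, ip, [n.lower() for n in parts[1:]]

def triage_hosts(text):
    """Return (lineno, reason, name) findings, in file order."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback and str(ip) not in NORMAL_LOOPBACK:
                findings.append((lineno, "nonstandard-loopback", name))
            if name in WATCH_HOSTS:
                findings.append((lineno, "watch-host-redirected", name))
    return findings

def redirect_counts(text):
    """Map each address to the number of names it captures; one loopback
    address owning dozens of unrelated names is the hijack tell."""
    counts = Counter()
    for _, ip, names in parse_hosts(text):
        counts[str(ip)] += len(names)
    return dict(counts)

# Constructed sample shaped like the file described in the thread.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.3       www.example-hijacked-1.test
127.0.0.3       www.example-hijacked-2.test   # trailing comment
127.0.0.3       www.kaspersky.com
"""
```

A deliberately installed ad-blocking hosts list produces the same address-count signature, so confirm what the user installed before treating it as a hijack. On Windows XP the file Windows actually consults is %SystemRoot%\system32\drivers\etc\hosts, so a hosts file sitting directly in \windows is worth examining but is not necessarily the one in use.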
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Short answer: there's a utility that I guarantee will fix the problem, it's called Windows Setup :evil:

Long answer: well, I guess I already contributed some ideas in the last thread but you didn't say if you followed through or not? :confused: If you want to keep fighting with it, ditch your Norton Antivirus Antique Edition and get that 30-day trial of Kaspersky. Here's a routine I cooked up for one guy, maybe it will work for you too: thread with long step-by-step routine.

You'll want a router so you can safely operate in Safe Mode W/ Networking while still having firewall protection.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Well, I did try M$AS, but not Mcafee because of bad experiences with it in the past, nor did I have much faith in its ability to find anything other AV & malware scanners couldn't. And I missed your suggestion to try Kaspersky there. Also I had then learned of the guide that I mentioned in the OP of this thread and thought that might get rid of everything.

I'll try the mini guide you posted here. But I am worried about uninstalling NAV 2K. I've heard doing that can completely corrupt the HDD (or just make Windows unbootable?).

Is there anything 'different' in my OP here that you could answer, that your mini guide might not answer/get rid of?
And since you recommend M$AS, I can't view enough of it (bottom 1/4 or so) in safe mode (640x480) to use it. And I can't get down to the bottom of the window to grab the window sizer. Is there a way to move a window around without having to grab the title bar?

Thanks
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Run HiJackThis, which can be downloaded from: -

Post the logs here or at -

We'll do a manual clean. Then you can followup by using all the free onlines scanners listed at -
 

Fokks

Senior member
Oct 31, 1999
371
0
0
format c:

If you really want to torture yourself and keep at it, make yourself a bootable BartPE disc with up to date spyware scanners, and antivirus. You could also hook up your drive as a secondary drive in another PC and then scan it.


Again... I'd reformat.
 

Valkerie

Banned
May 28, 2005
1,148
0
0
Go with the free stuff:

Adaware SE
Microsoft Antispyware Beta

then set up a firewall with SP2 and free Firewall programs

you'll be set, you should never have to pay for anything when it comes to removing: spyware, adware, or trash-ware for all that matters.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
mechBgon, I was going to follow your step by step guide. You mentioned to close every task you can except for Explorer, if possible. There are several I can't close though, and I'm concerned since after closing what I can, IE still tries to pop up every now and then, but somehow is quickly closed. And I'm wondering if something is hiding in one of these processes w/ a normal name.


Anyway, here's a summary of what I can't close if it means anything:

csrss.exe - says 'This is a critical system process. Task Manager can not end this process'
smss.exe - " "
lsass.exe - " "
services.exe - " "

System - "Warning. Terminating a process can cause undesired results including data loss and system instability. The process will not be given a chance to save its state or data". I clicked yes to close it anyway but it wouldn't.

System Idle Process - same as above. But tried to close and got "The operation could not be completed. Not valid for this process."

I have 6 instances of svchost.exe. I'm able to close several of them (one pops back up after closing), but there is one that when I try to close, gives me a long message, something about NTAuthority/System, and then starts a 60 second countdown until it will reboot the system (which it does).


So I uninstalled Norton AV, rebooted, uninstalled Norton LiveUpdate.
Installed Kaspersky, tried to reboot but machine froze at the Windows XP Pro boot screen.
Powered off and booted into safe mode OK. Then booted to normal windows OK, but Kaspersky gives an error msg and won't run "Failed to start because MFC42.DLL was not found". This is the same error I get when I try to run ACDSee and Textpad, and started when I got attacked (or after the scanning).

Edit: I copied over MFC42.DLL from my XP CD, and those apps, incl. Kaspersky, are working now. KAV's auto scan when I booted to Windows found a trojan in windows\svchost.exe, and the trojan is Trojan-PSW.Win32.PdPinch.gen. When I clicked skip to delete it, it actually listed it 3 different times, all the same trojan, in svchost.exe (I think maybe in different svchost files). So it wants to delete svchost.exe. What happens if I do that? Will Windows still boot/work correctly?

I'd been worried and wondering if a trojan can hide in these normal windows files or not, and mentioned it a few times, but never really got an answer.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
If you have any files or data you can't afford to lose, then naturally the first thing you want to do is to back them all up someplace safe. No one's going to guarantee that you will win the fight without having to reinstall Windows.

Once you've backed up, sure, go ahead and let Kaspersky nuke that stuff. You should scan with Kaspersky while Windows is in Safe Mode, if you weren't already doing that.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Thanks, and I realize there's no guarantee. I tried to carefully document what's happened so I was hoping for any answers to any individual questions possible to try my best to fix this, but I know that is asking a lot. That before I went out and bought another drive to install and copy everything over to. I absolutely cannot simply reformat.

So back up the file (svchost) that KAV says has trojans? Then what would I do if I couldn't boot after that? I wouldn't ever want to copy them back over. Could I copy them from the WinXP CD?
Also KAV later (after a reboot) found a Backdoor.win32.Haxdoor.cn trojan in \windows\system32\drct16.dll

What about all the running tasks I can't close down?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
The running tasks that you can't close down, you just gotta leave them as-is. Technically you could probably even get away with killing off Explorer.exe in Safe Mode if you had your scanning program poised to scan. By leaving Task Manager open, you could then start Explorer.exe again afterwards by going to the Applications tab and doing New task... > Explorer.exe.

So you got backdoors and stuff. You really ought to flatten that thing ASAP. Remind me again, do you have a router? If so, what brand & model.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
No I don't have a router. I know I need one. I've been looking and might get one today.


Again, what happens if I delete svchost.exe and drct16.dll?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
If you delete the "real" svchost.exe then Windows would probably freak and pull out a replacement copy of it. It's a common tactic for malware to use the name of a legit Windows item like svchost.exe, except from a different directory, so you might search your rig for all files by that name (hidden & system included) and see where they all live.

The "real" svchost.exe lives in \WINDOWS\SYSTEM32. The other file, I doubt it has a legitimate purpose. Worst-case scenario, you could either do an "in-place upgrade" install of Windows or preferably a parallel install to a non-default folder such as C:\WIN2, if your original installation refused to start anymore.

I've probably harped on this before :D but if you need an easy-to-configure router, here's one I've used: Netgear RP614 and if you click there you'll see I have lockdown instructions to go with it. Considering you have at least one each of password-stealers and backdoors, you probably want to slam the door on that stuff at the router.

edit: for the short term, you could lock down both TCP and UDP traffic on all ports except 80 for web browsing and 53 for DNS.
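mechBgon's advice above is to search the disk for every file named svchost.exe and see where each one lives, since the real one is in \WINDOWS\SYSTEM32. As an added example (not the poster's code or procedure), the script below automates that check over a list of paths: it flags a protected system-process name found outside its expected directory, and also names that are one edit away from a protected name (a substituted, inserted, dropped or swapped character). SYSTEM_ROOT assumes a default Windows XP install, and SAMPLE_INVENTORY is a constructed list, not the poster's actual search results.

```python
"""Flag binaries that borrow a Windows system-process name but live in
the wrong directory, or whose name is a one-character lookalike.

Added example, not from the thread. SYSTEM_ROOT and EXPECTED_DIR assume
a default Windows XP install; SAMPLE_INVENTORY is constructed.
"""
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default XP system root
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "system32")

# Where each protected name legitimately lives on a default XP install.
EXPECTED_DIR = {name: SYSTEM32 for name in (
    "svchost.exe", "csrss.exe", "smss.exe", "lsass.exe",
    "services.exe", "winlogon.exe", "wuauclt.exe")}
EXPECTED_DIR["explorer.exe"] = SYSTEM_ROOT

def within_one_edit(a, b):
    """True if a and b differ by one substitution, insertion, deletion
    or adjacent transposition (catches e.g. scvhost.exe, svch0st.exe)."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) <= 1:
            return True
        i, j = diff[0], diff[-1]
        return len(diff) == 2 and j == i + 1 and a[i] == b[j] and a[j] == b[i]
    long_, short = (a, b) if len(a) > len(b) else (b, a)
    return any(long_[:k] + long_[k + 1:] == short for k in range(len(long_)))

def classify(path):
    """Return 'ok', 'wrong-directory', 'lookalike-name' or 'unknown'."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower(), name.lower()
    if name in EXPECTED_DIR:
        return "ok" if directory == EXPECTED_DIR[name].lower() else "wrong-directory"
    if any(within_one_edit(name, legit) for legit in EXPECTED_DIR):
        return "lookalike-name"
    return "unknown"   # not a protected name; needs other checks

def triage(paths):
    """Return (path, finding) for every path that impersonates a system binary."""
    return [(p, classify(p)) for p in paths
            if classify(p) in ("wrong-directory", "lookalike-name")]

# Constructed inventory, modelled on the names discussed in the thread.
SAMPLE_INVENTORY = [
    r"C:\WINDOWS\system32\svchost.exe",   # the real one
    r"C:\WINDOWS\svchost.exe",            # same name, wrong directory
    r"C:\WINDOWS\Temp\scvhost.exe",       # transposed-letter lookalike
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\mszx23.exe",    # unknown name, not judged here
]
```

A name that is neither protected nor a lookalike comes back as "unknown" rather than clean; the odd names in the original post (mszx23.exe and friends) need hash or vendor lookups, which this check does not attempt.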
 

biostud

Lifer
Feb 27, 2003
19,121
6,048
136
Do you have a firewall installed like zone alarm? Otherwise I suggest doing so, so you can control which programs should be allowed to access the internet.
Do an online scan from trend.
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
I was looking at the Linksys WRT54G and Netgear WGR614, but thinking about buying the Linksys. Good choice?

By "in-place upgrade", you mean just install on top of previous installation?

I'm just using the default WinXP firewall. I guess I'm not quite sure how to lock down everything but certain ports then, since I thought the firewall was already doing that. I do know how to add services.
My firewall settings.

My search for svchost. Why are the paths listed like that (like reg. entries)? I did see a svchost.exe in both \Windows and \Windows\System32.
The path that's cut off for the first entry in that search ...\Application Data\SecTaskMan
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Slickone
I was looking at the Linksys WRT54G and Netgear WGR614, but thinking about buying the Linksys. Good choice?
I'm not very well-informed in the wireless area :( I heard some good comments about that model of Linksys though. If you can get a good price on it, then hey :) If you'll be using the wireless side, take the time to get the WPA encryption set up so your neighbors can't mooch off your connection, etc. If you're not using wireless, then turn off the wireless capability until you need it.
By "in-place upgrade", you mean just install on top of previous installation?
Yeah, exactly right. "In-place upgrade" is Microsoft-ese for installing over the top, they have coverage on their site under "in-place upgrade" if you need it.
I'm just using the default WinXP firewall. I guess I'm not quite sure how to lock down everything but certain ports then, since I thought the firewall was already doing that. I do know how to add services.
My firewall settings.
Windows Firewall is primarily for keeping stuff out, not for keeping stuff in. ZoneAlarm would work in both directions, at least until the malware disables ZoneAlarm :p If I had broadband, I'd have a router with all unnecessary ports closed, and then I'd run Windows Firewall or ZoneAlarm on the system if I had other computers sharing my router, that might get infected and then attack my computer next. I would also run a Limited account for daily-driver stuff so that if something subverts my user account, it still doesn't have the power needed to do serious harm.
My search for svchost. Why are the paths listed like that (like reg. entries)? I did see a svchost.exe in both \Windows and \Windows\System32.
The path that's cut off for the first entry in that search ...\Application Data\SecTaskMan
Did you disable System Restore yet? Emptied your Recycle Bin?

 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Yes I disabled System Restore months ago, and The Recycle Bin is empty.

Don't most people now use Tiny Personal Firewall (Kerio?) instead of ZA?

BTW, got that Linksys router tonight.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Now block all unneeded ports on your router for both TCP and UDP to help turn off the supply of evil :)
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
I chose an open-box router, and everything looks like it was never used, but there is no printed manual. Not sure if there's supposed to be. Just says to put the CD in and use the wizard. So, I'm wondering if I can do that in safe mode?

Hopefully the setup is similar to the Netgear in your guide. Also, what do you think about this guide?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Slickone
I chose an open-box router, and everything looks like it was never used, but there is no printed manual. Not sure if there's supposed to be. Just says to put the CD in and use the wizard. So, I'm wondering if I can do that in safe mode?

Hopefully the setup is similar to the Netgear in your guide. Also, what do you think about this guide?
Kim's tips look helpful, but then I'm a wireless 'tard :confused: You can download the manual from Linksys' website if needed, although the pictures are usually very fuzzy.