My computer acts really strange...possible spyware

Sep 3, 2005
47
0
0
Well...

I'm using Vista Business.

A couple of days ago my computer started randomly getting the cpu usage for EXPLORER.EXE to 100% and I need to close it and reload it to get it to stop.

the default programs got all screwed up, Internet Explorer turned to my default instead of firefox and Windows Mail turned into my default mail program instead of Outlook 2007.

I used Spyware Doctor and found a spyware program and I removed it, I used Spy Sweeper, Ad-Aware & Spybot as well, but nothing but cookies was found in the latter.

My computer still refuses to change the default programs (especially the email program), and I don't know what else to try.

Here's my HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:37:51, on 14/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\spool\drivers\w32x86\3\fppdis3a.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\Windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF2D5F69-2808-4CFD-8868-1CA8A13E6DE4}: NameServer = 212.143.212.143 194.90.1.5
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4194 bytes

Thanks for your help!
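As an added, defender-side example (not part of the original post): a small Python helper that parses HijackThis entries in the format of the log above and lists the items an analyst would verify by hand, namely O4 Run entries that name a bare executable (the log alone cannot say which file on disk actually runs), O4 entries under built-in service accounts, and O17 DNS servers to compare against what the ISP or DHCP should hand out. The sample lines are copied from the log above.

```python
import re

# Constructed sample: five lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF2D5F69-2808-4CFD-8868-1CA8A13E6DE4}: NameServer = 212.143.212.143 194.90.1.5
"""

def parse_hjt(text):
    """Split each 'R0/R1/O2/O4/...' line into (section, body) tuples."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def run_executable(body):
    r"""For an O4 body like 'HKLM\..\Run: [Name] "C:\x.exe" /arg', return the program token."""
    m = re.match(r"\S+: \[[^\]]*\] (.*)$", body)
    cmd = m.group(1) if m else ""
    if cmd.startswith('"'):                 # quoted path: take up to the closing quote
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""    # else the first whitespace-delimited token

def triage(entries):
    """Return findings an analyst should verify by hand; the log alone cannot settle them."""
    findings = []
    for section, body in entries:
        if section == "O4":
            exe = run_executable(body)
            if "\\" not in exe:
                # Bare file name: resolved through the search path at logon, so the
                # log does not tell you which file on disk actually runs.
                findings.append(f"O4 bare executable, locate on disk: {exe}")
            if body.startswith("HKUS\\S-1-5-"):
                findings.append(f"O4 under a built-in service/system account: {exe}")
        elif section == "O17":
            # DNS servers set in the registry; compare with what the ISP/DHCP should hand out.
            servers = body.split("NameServer = ", 1)[1].split()
            findings.append("O17 DNS servers to verify: " + ", ".join(servers))
    return findings

if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f)
```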
 

coxmaster

Diamond Member
Dec 14, 2007
3,017
3
81
Assuming you have Realtek audio, I don't see anything that is definitely spyware. Have you run any scans just to see what they find?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
The log appears to be clean. What spyware program was detected? You might want to try creating a new user account and see if the default-program problem is limited to just your present account, and/or try a System Restore to before the problem happened (although this may require removing the spyware program again if it gets restored too).
 
Sep 3, 2005
47
0
0
I disabled system restore, because mainly it's another home for spyware.

I use realtek audio.

Spyware Doctor found Trojan.FakeAlert, and after I posted the original message I scanned it again.
And surprisingly, it found a new one (that didn't appear before) named Application.Keystroke Spy.

robisbell, I'd really like to do what you're asking me, but I'm afraid to use any online scanners,
don't you have a downloadable program you'd like me to use and post its log here?


I've restarted my computer now, and now (after the cleaning of the second spyware) it's even worse, explorer.exe goes to 100% CPU usage every time I restart it, I can work normally only without it....


thanks guys
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
There's no need to fear online scanners that I'm aware of, but if you'd rather try a resident scanner, one option is to uninstall AVG and give AntiVir's free version a whirl next. http://www.free-av.com AntiVir typically outperforms AVG by a significant margin in detection tests, including my own. Kaspersky is another top-notch performer, and they have trialware too.

I also suggest SuperAntispyware. The free version is fully functional except for the lack of realtime protection, and has high detection rates. You might also want to run some dedicated rootkit detectors such as GMER and Panda AntiRootkit.
 
Sep 3, 2005
47
0
0
Thanks a lot for the advice, mechBgon!!!!

I uninstalled AVG and that solved the problem of the default program on the start menu (the EMAIL is finally pointing to Outlook and Internet points to Firefox).
Perhaps the spyware took over AVG (hence the many "/runonce" commands that were brand new there on the HijackThis log).

I'll keep posting to update you about the other problems....


Thanks again
 

olmer

Senior member
Dec 28, 2006
324
0
0
This has the best db/dt ratio: http://www.kaspersky.com/virusscanner run it with iexplore.exe -extoff and add only a new KAV ActiveX module.

Clean all yours/other accounts temp internet files, clear everything in both windows/temp and appdata/local/temp and disable all residents before scan.
 

robisbell

Banned
Oct 27, 2007
3,621
0
0
Housecall is a very well known and trusted online scanner, and with it being online, avoids whatever may be on a system from interfering with a scan. I'd still run it to see what mucked with AVG to cause that. I'd stay away from any program that is a trial or does not offer real-time protection.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: robisbell
Housecall is a very well known and trusted online scanner, and with it being online, avoids whatever may be on a system from interfering with a scan. I'd still run it to see what mucked with AVG to cause that. I'd stay away from any program that is a trial or does not offer real-time protection.
Except for the fact that it uses either Java or ActiveX, which are both executed on your computer, so if someone could compromise a non-web-accessed program, they can compromise a Java or ActiveX program running. There's a reason that IE and Firefox ask if you really want to install the control: it's because it's insecure.

If you think about it, how can a remote webserver know what's on your computer if you aren't executing code that is reporting that back to the server? Essentially you are just downloading, installing, and running a lightweight AV/spyware engine. Just because it's running inside your web browser does not mean it's not running on your computer.

 
Sep 3, 2005
47
0
0
OK,
I've run the AntiVir, it found 8 viruses,
some were INSIDE jpg files.

the most serious one, seems to be:
C:\Documents and Settings\*****\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\70a93cfe-3bb0800b
[DETECTION] Contains detection pattern of the exploits EXP/Java.Gimsh.A

anyway, I removed all of them.
I hope things would be OK now.

thanks for everything!