Spyware Help needed!

Hi,
I am not very techy and need some help. I think I have some spyware problem on my computer. I was getting re-directed to spyheal when I opened explorer. I read a few things and ran spybot search and destroy....it seemed to fix 3 of the 4 problems identified. But the problem relating to Windows could not be solved as the program was in use or something.

Unfortunately I cannot log in as administrator as it is a work computer, which prevents me from downloading certain programs etc. Is there any way I can check to see that the problem is gone for good?
By the way....are my personal details at risk at the moment?
Cheers for any advice.
Juan

Comments

  • Browntoa
    Browntoa Posts: 49,592 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    if the admin people at work have NOT done their job properly then there is an Administrator account if you boot up in safe mode, hit F8 on boot up

    http://www.pchell.com/support/safemode.shtml

    if the administrator account comes up then you can change your user profile to admin

    alternatively try running spybot in safe mode as it will be able to remove it then
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,592 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    you really need admin rights as you need to run

    http://www.bleepingcomputer.com/forums/topic58129.html
    Ex forum ambassador

    Long term forum member
  • Juan_Pablo
    Juan_Pablo Posts: 36 Forumite
    Thanks mate for the advice. I was able to reboot my computer in "safe mode with networking" and ran the program that you suggested. How do I know if it worked ok?

    The program issued the following text:

    Sorry, I don't know what this means

    SmitFraudFix v2.181

    Scan done at 10:58:27.52, 12/05/2007
    Run from C:\Documents and Settings\jmg\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
    DNS Server Search Order: 62.31.176.39
    DNS Server Search Order: 194.117.134.19
    DNS Server Search Order: 195.188.53.175

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{451AAA5A-AE24-4A05-9656-7047810C669E}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{451AAA5A-AE24-4A05-9656-7047810C669E}: DhcpNameServer=192.1.1.5 192.6.1.5
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{451AAA5A-AE24-4A05-9656-7047810C669E}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{451AAA5A-AE24-4A05-9656-7047810C669E}: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.1.1.5 192.6.1.5
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=62.31.176.39 194.117.134.19 195.188.53.175


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • Browntoa
    Browntoa Posts: 49,592 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    that should have dealt with the main problem, just rerun spybot to be sure
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,592 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    also run off a hijackthis log for me to check

    http://www.tomcoyote.org/hijackthis/

    download is by the flashing green icon
    Ex forum ambassador

    Long term forum member
  • Juan_Pablo
    Juan_Pablo Posts: 36 Forumite
    Browntoa wrote: »
    that should have dealt with the main problem, just rerun spybot to be sure

    I ran it again and it seemed to find a few problems with;
    Mediaplex
    Doubleclick
    Avenue A inc
    Microsoft Window System

    It could fix all of them except the last one.

    I have not downloaded the other program.....can't see the flashing green icon.

    Thanks again for your help
  • Juan_Pablo
    Juan_Pablo Posts: 36 Forumite
    This is what I got back from the scan.....any ideas???


    Logfile of HijackThis v1.99.1
    Scan saved at 12:25:27, on 12/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Temp\Temporary Internet Files\Content.IE5\4NKNAT8Z\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Enviros
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [itunesff] C:\WINDOWS\system32\itunesff.exe -go -c29 -w69
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://atoz.enviros.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {33331111-1111-1111-1111-611111193429} -
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://camb3/tempo%20reports/msrdp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = enviros.com
    O17 - HKLM\Software\..\Telephony: DomainName = enviros.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = enviros.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = enviros.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = enviros.com
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: CLIENT32 - Productive Computer Insight Ltd - C:\Program Files\NetSupport Manager\Client32.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
  • Browntoa
    Browntoa Posts: 49,592 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    you have Hijackthis running from a temp directory, you need to install it in its own directory otherwise you lose the backups (vital in case you delete something by mistake)
    1. Download the HijackThis Setup Program
    2. Save HJTsetup.exe to a folder of your choice, then navigate to that folder and double-click HJTsetup.exe to start the installation.
    3. By default, HijackThis (HJT) will be installed in a folder called C:\Program Files\Hijackthis. A "desktop icon" or shortcut will also be created by default.
    4. Accept all default options by continuing to click Next or Install during the setup process.
    5. When you click 'Finish', HJT will automatically open, so you can perform your reference HJT scan.
    then fix these

    O4 - HKLM\..\Run: [itunesff] C:\WINDOWS\system32\itunesff.exe -go -c29 -w69

    O16 - DPF: {33331111-1111-1111-1111-611111193429} -

    O16 - DPF: {33331111-1111-1111-1111-615111193427} -

    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    Ex forum ambassador

    Long term forum member
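
As an added example (not part of the thread, and not HijackThis's own logic), this sketch triages a HijackThis log for two things the reply above points out: O16 DPF entries with neither a name nor a download URL, and processes running from a temp directory. The heuristics, function names and sample (a few lines copied from the posted log) are assumptions; a hit is a candidate for review, not proof of infection.

```python
import re

# Sample: a few lines taken from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Temp\Temporary Internet Files\Content.IE5\4NKNAT8Z\HijackThis[1].exe

O4 - HKLM\..\Run: [itunesff] C:\WINDOWS\system32\itunesff.exe -go -c29 -w69
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
"""

# "<section> - <body>", e.g. "O16 - DPF: {...} (name) - url"
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# DPF body: CLSID, optional "(name)", then "- <codebase URL or nothing>"
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})\s*(?:\((.*)\))?\s*-\s*(\S*)$")
TEMP_DIR = re.compile(r"\\(temp|temporary internet files)\\", re.I)

def triage(log_text):
    """Return (reason, detail) tuples for lines worth a manual look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m:
            in_processes = False  # numbered entries end the process list
            section, body = m.groups()
            d = DPF.match(body) if section == "O16" else None
            # Assumed heuristic: a downloaded control with no name and no
            # codebase cannot be traced to a vendor, so flag it.
            if d and not d.group(2) and not d.group(3):
                findings.append(("O16-no-name-no-codebase", d.group(1)))
        elif in_processes and line and TEMP_DIR.search(line):
            findings.append(("process-in-temp-dir", line))
    return findings

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```

The O4 `itunesff` line is not flagged by these rules; entries like that still need a person or a known-bad list to judge them.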
  • Browntoa
    Browntoa Posts: 49,592 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    I'm assuming you know enviros.com
    Ex forum ambassador

    Long term forum member
  • Juan_Pablo
    Juan_Pablo Posts: 36 Forumite
    Thanks mate...I have now done as you suggested. How can I confirm it's ok now?
    How can I thank you for your time?
This discussion has been closed.