Help with Adware/Spyware please.

Discussion in 'General Software and Applications' started by dcx_badass, Aug 2, 2006.

  1. WR3CK

    WR3CK Master Guru

    Messages:
    654
    Likes Received:
    0
    GPU:
    HIS 4890
    You might want to start by getting a firewall, since you don't have one that works. Here's a link to Comodo, which I use on my other computer and have had no problems with: http://www.personalfirewall.comodo.com/ . And then I would do what makler said about going into safe mode and then trying to delete it.
     
  2. dcx_badass

    dcx_badass Guest

    Messages:
    9,965
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    I got Ewido and it's not finished yet, but it found some new toys... I mean problems: 'Downloader.small.on' and 'Trojan.agent.qt', both classed as high, and a few medium things. I think I'll boot into safe mode and run Spybot, Ewido, both Xoft's and NOD32 overnight, and see how things go and how the PC handles them all at once :p.
     
  3. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,836
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    No, I suggest you do NOT run them at the same time, if that is what you meant. One by one.


    Again, please please please!!! Upload it to one of the scanners I linked to. This is important to figure out if the NOD32 miss is "for real" or just on your system. Pretty Please With Sugar On Top :D
     
  4. stormy

    stormy Ancient Guru

    Messages:
    2,672
    Likes Received:
    57
    GPU:
    Pulse RX 7600
    If you do have something like that on your computer and you have done any online banking, then it would be strongly recommended that you change all passwords for any accounts, get in touch with the financial institution(s), and get all cards cancelled (Visa, debit, etc.) and new ones issued.
     

  5. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,836
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
  6. Omeguz

    Omeguz Maha Guru

    Messages:
    1,166
    Likes Received:
    0
    GPU:
    GeForce 6600 256 MB AGP
    Could someone be playing a really awful prank on you with that program, DCX? Did anyone have access to your PC who might want to know what you're doing? Siblings, parents, maybe?
     
  7. dcx_badass

    dcx_badass Guest

    Messages:
    9,965
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    No, no-one has access to my PC, it's passworded, and my mum and sister are technologically retarded. Well, Ewido took 9 and a half hours and found a few things, which it quarantined, and NOD32 can only do an in-depth scan in safe mode, and I gave up after 10 hours as it was only on the 4th out of my 10 partitions (500GB [2*250GB] {about 400GB full}). So now I'm running a normal NOD32 scan in Windows and Ewido again, as for some reason it decided to ignore one, and that cool.exe hasn't come back since Xoft got it for like the 9th time yesterday, so I can't submit it.
     
  8. Omeguz

    Omeguz Maha Guru

    Messages:
    1,166
    Likes Received:
    0
    GPU:
    GeForce 6600 256 MB AGP
    Hmmm, it might be a good idea to start backing up your files if you have not already done so.

    Oh, and I don't think there's any point in changing passwords or anything until you get rid of the keylogger.
     
  9. dcx_badass

    dcx_badass Guest

    Messages:
    9,965
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    Well, nothing's been found yet and the PC's been on an hour. Xoft found nothing, Ewido is still going but fine so far, and NOD32 is on 66% of my C:\ and has found nothing.

    If I'm gonna back up, I will only format C:\; I don't have the space to back up and format the rest, so they'll stay.
     
  10. Robbie Man

    Robbie Man Ancient Guru

    Messages:
    1,516
    Likes Received:
    0
    GPU:
    XFX 7950GT 512mb
    Off topic, but where can I get NOD32, the free version?
     

  11. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,836
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
  12. ultimate360

    ultimate360 Master Guru

    Messages:
    865
    Likes Received:
    0
    GPU:
    eVGA 7900GT KO 256MB
    Back up your files and then reinstall Windows. I did it and it took out all the spyware that I couldn't remove.

    Also try System Restore and choose a date when your PC was fine, because that also worked for me.

    Hope this helps/works. :)
     
  13. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,836
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    Something is not right here. Are you sure it did not just pick up the installer?

    First off, hackers do not use programs like that; it's meant for employee spying and parental control. It's way too easy to detect and remove.

    Secondly, it can only be installed by running an exe and installing the program as a user who is logged on to the system. This can only happen if you are vulnerable to remote exploitation. Although it does not say so on the web page, I would suspect that you also need admin rights to install/use the program, which means total control of a system. If you have that kind of a hole, god knows what might be compromised.

    But why in god's name would you (the hacker) install something this lame after gaining total control of a system? That's like shooting yourself in the foot... and then in the head... twice... and as your dead body falls to the ground you shoot yourself in the foot again.

    Also, although it has remote logging and it seems to be using svchost, and as you have no PF it might get a bit further, the real point is that what it takes to install is far more dangerous and much harder to accomplish remotely, so I'm not even sure a PF at this point would do much good. That is IF this really is the case. On a truly compromised system you can't really trust anything running on the system.


    If you want to try some system lockdown and prevention, have a look at some HIPS apps like System Safety Monitor http://syssafety.com/ or Online Armor http://www.tallemu.com/ or AppDefend http://www.ghostsecurity.com/index.php?page=appdefend (all trials).


    However, I think it might be time to back up and do a format. Then I would suggest you consider your habits and be more careful, or protect yourself REALLY well. I'm talking sandboxes and a VM for the really hot spots, HIPS and IPS/IDS, firewall, AV, anti-spyware, maybe even some rootkit detection. Basically, if you want your system to be "nice and light" and not running "all this security crap", you need to draw a line about what you're willing to do and where you go, otherwise this WILL happen again, trust me. "Bunker up" or "stay clear".



    NOD32 will likely not pick up Wiretap Pro until you use the (NOT default) option of scanning for "Potentially dangerous applications". When you're there (Setup tab), I would strongly suggest you have a look at the profiles and know what scan options are used for the different ones.

    Extra settings for NOD32 v2.5 (long but very nice)
    http://www.wilderssecurity.com/showthread.php?t=37509
     
  14. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,836
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    That is why I asked you to please (do you not like the word please? :D) upload it to the scanner before starting to clean. It's common practice and it really helps others in the future. ;)
     
  15. dcx_badass

    dcx_badass Guest

    Messages:
    9,965
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    Well, I could always download the original thing that started all of this, infect myself again and then upload it?
    The keylogger program's exe was in my internet temp files. Also, I've done those NOD32 extra settings. I didn't download it, and no-one else did, as my PC is in my room and I've pretty much not left my PC alone since this started, plus it's passworded, and the only time it was alone was when I was away for 3 days, so unless someone has a key to my house, then it was this adware thing.

    After all the recent scans nothing has been picked up at all, but I am getting a lot of similar pop-ups, such as "your PC is infected" or "your registry needs cleaning", etc.
     
    Last edited: Aug 3, 2006

  16. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,836
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    Lol, I hope you're joking, don't do that :D

    Installer or program exe?

    That sounds like Smitfraud or a variant.

    German (edit: duh, it's Dutch, sorry), but it shows some pics
    http://www.hijackthis.nl/smitfraud.html

    How To Remove The Smitfraud / Psguard / Virtualmaid, Self-Help Guide
    http://www.bleepingcomputer.com/forums/topic17258.html

    Run CWShredder as well
    http://www.intermute.com/spysubtract/cwshredder_download.html

    More tools
    http://www.pchell.com/support/spywaretools.shtml
     
  17. dcx_badass

    dcx_badass Guest

    Messages:
    9,965
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    Thanks.
     
  18. dcx_badass

    dcx_badass Guest

    Messages:
    9,965
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    Oh, after I've rebooted I'll get a new HijackThis log.
     
  19. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,836
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
  20. dcx_badass

    dcx_badass Guest

    Messages:
    9,965
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    Here's the one thing that keeps coming back:
    Hijacker.Agent.A. Also my Content.IE5 is now, umm, invisible? I enabled hidden files and folders but it's still not there.

    These are the URLs of some of the pop-ups:
    http://www.winantiviruspro.com/page...+038ee2ab4a0c4cf3873ab0c66a3718bc&lid=com nav

    http://winantivirus.com/pages/scann...4cf3873ab0c66a3718bc&ed=2&ex=1&ax=1&lid=keyin

    http://amaena.com/securityworm5827/...a+038ee2ab4a0c4cf3873ab0c66a3718bc&lid=secure

    And in the screeny I dunno why it says "unable to load bitmaps"... I logged off, logged back on, and it was like that. brb, restarting.
     
