This is topic OK guys, tech help for me in forum Books, Films, Food and Culture at Hatrack River Forum.


Posted by Jeni (Member # 1454) on :
The past couple of weeks I've been battling spyware. I have constant pop ups, new stupid little programs that suddenly appear out of nowhere, mysterious icons on my desktops, and who knows what else. Sometimes windows just briefly bluescreens and restarts itself. It's insane.

I have both adaware and spybot (both updated) and have been running them all the time. I'll run adaware, find hundreds of files, delete everything, and run it fifteen minutes later and have hundreds of items again. Sometimes some of the things it finds just add themselves to its ignore list!

I just ran adaware once again, and it found over 700 objects. I got rid of them, but I'm sure they'll find their way back soon.

I am *this close* to going completely insane every time I use this computer. Please help!

[ January 29, 2005, 01:14 AM: Message edited by: Jeni ]
Posted by Papa Moose (Member # 1992) on :
Quit visiting the pr0n sites, Jeni.
Posted by Jeni (Member # 1454) on :
Very funny, pops. [Smile]

This all started shortly after I decided to let my sister use my computer. I should have known better!
Posted by raventh1 (Member # 3750) on :
Don't use IE.
Posted by Papa Moose (Member # 1992) on :
Sorry, Jeni -- it was the only advice I had. I mean, hey... worked for me. Er, I mean, it worked for this friend of mine. Yeah.
Posted by Jeni (Member # 1454) on :
I am not using IE. I use Firefox.
Posted by raventh1 (Member # 3750) on :
Use your Task Manager to kill things that are running that you don't want.

You should also use msconfig to see what runs at startup, in case there is anything running on startup.
Posted by Jeni (Member # 1454) on :
I have been trying to kill the processes. Sometimes it works, but usually it either tells me that access is denied or it ends but then starts back up again.

I will check out the startup items.
Posted by Nato (Member # 1448) on :
Me, in the other tech help thread:

Check what processes are running on the computer.

Instead of using the Windows Task Manager, I recommend Process Explorer (Win 98/2000/XP). That might give you a decent picture of what's running on the computer.

The safest thing to do would be to backup and nuke, but you could probably figure out if anything fishy is going on without doing that.

Make your friend run a software firewall, such as ZoneAlarm, scan the computer with Spybot Search & Destroy and Ad-Aware, and run an anti-virus scan. Also, check to see what is starting up with the computer (You can use Merijn's StartupList)

From this post, Process Explorer and StartupList would be most useful. Use these along with (or just a google search for whatever process name you have running that you don't know about.)

StartupList can find things that are starting up that don't show up on msconfig.
Posted by Farmgirl (Member # 5567) on :
Running Windows XP, Jen?

Are you turning off System Restore before you run your spyware programs? Just so Windows doesn't keep restoring the files you delete?

Posted by Jay (Member # 5786) on :
What kind of anti virus prog you have?
What other system info can you give too?
What kind of security settings you have on your internet options?
Posted by Boris (Member # 6935) on :
Okay, what you have is a downloader trojan. Ad Aware doesn't catch it because it isn't meant to. What it does is this, every time you get onto the Internet, the virus does two things, makes a new version of itself and downloads a bunch of spyware. The easiest way to get rid of these things is to use something like AVG's Free virus scanner. That's the one I use at work, and it tends to find more stuff than Norton or McAfee or just about any virus scanner I've seen (However, I've noticed that it is a little buggy sometimes when you try to update the virus definitions. Luckily, you can download the file directly from Grisoft and update from that file). Since you use Firefox, it's probably going to be pretty simple to get rid of this thing. However, if you were to go into IE and check the homepage, you'll probably find that it has been changed to something that you've never seen before in your life. If that happens, I'd suggest never ever using IE after that, because the virus is stored in a very well hidden file that is taking over your IE browser. It probably won't perpetuate itself fully until you open IE again after everything is removed with the virus scanner. Removing that file, if it exists, is sometimes a pain in the neck. Sometimes you get lucky and the virus scan grabs it.
Posted by Boris (Member # 6935) on :
Are you turning off System Restore before you run your spyware programs? Just so Windows doesn't keep restoring the files you delete?
This is also very important [Smile]
Posted by Jeni (Member # 1454) on :
Thanks for the response, folks.

I ran the AVG scan and it found 17 downloader trojan objects. After it took care of them, it prompted me to restart the computer, which I did. Now Windows won't load! I get a screen telling me that Windows did not start successfully, but it's ok because they apologize for any inconvenience. As if an operating system not starting would ever NOT be an inconvenience. [Wink]

Anyway, it gives me a choice to start windows normally, but that just takes me back to the same screen. I can also start it with the last good configuration, but will that just reverse everything that AVG just fixed?

[ January 29, 2005, 06:25 PM: Message edited by: Jeni ]
Posted by Nato (Member # 1448) on :
Wow, that sucks.

Some of those things are really insidious.

What OS are you running? (i.e. Windows XP Home, Service Pack 1)

What I would say to do is get the computer working again. Try booting into Safe Mode. If that works, shut down, then try to boot normally again. If that doesn't work, use the last known configuration.

Then, download a program called HijackThis. (link)
It scans your computer for things that are "hijacking" your browser, etc. Run it and post the log that it generates here. Somebody here can tell you what on that list you need to get rid of.

If you have a CoolWebSearch trojan, you're going to need CWS Shredder.

But your first priority is to get it working again. Try the last known working configuration.
Posted by Jeni (Member # 1454) on :
I have Windows XP Home.

Okay, we're up and running again. I tried HijackThis, it shows a whole bunch of stuff but then encounters an error and is forced to close. I don't have the CoolWebSearch thing.

[ January 29, 2005, 07:33 PM: Message edited by: Jeni ]
Posted by Boris (Member # 6935) on :
You have some REALLY deep stuff running, Jeni. Did you have to restore everything the way it was, or did everything just start working?
Posted by Jeni (Member # 1454) on :
I had to start it with the last working configuration.
Posted by Oosoom (Member # 7220) on :
I was so inundated with crud that my computer was next to unusable. I ran virus checks, adware, all that stuff and nothing helped.

I went to Computer City and bought Spy Sweeper, by Webroot. I ran a deep virus check, ran Spy Sweeper twice and have had no problems for the last two months. I swear by it.

Hope this helps. I read the suggestions from others on this thread--I'm sorry, but most of the time it was like trying to read a foreign language. If you just want your computer to run, not necessarily know how it works, try this. It kept me from committing real violence.
Posted by Boris (Member # 6935) on :
I ran a deep virus check, ran Spy Sweeper twice and have had no problems for the last two months. I swear by it.
This would work great, except that there are viruses on her system, as well as registry values, that are capable of making XP inoperable only when removed. These are a little nastier than what you had, I'm willing to bet, and Spy Sweeper will likely cause the same thing to happen.

Jeni, I would suggest starting your computer in safe mode (hit f8 right before the Windows XP splash screen pops up and select safe mode from the menu). While in safe mode, try running Hijack This from there. Hijack this is a little tough to work with sometimes, because you might accidentally shut down something you want, so be careful when using that.

Once that is done, run both AVG and Ad Aware while in safe mode. Use Ad Aware's full system scan rather than the smart scan. Run AVG first, but DO NOT reboot until both programs have finished their work. Once that is done, reboot. If the same thing happens again, you're probably looking more at a wipe and reinstall situation (If you can get what files you need backed up) than anything else. However, someone else may have more knowledge than me in virus removal, so I'd wait until I get some more input before going that far.
Posted by Jeni (Member # 1454) on :
Boris, I'll try that when I get back from work today. Thanks much!
Posted by Jeni (Member # 1454) on :
Boris, I followed your instructions. Hijack This did the same thing in safe mode. I still ran AVG and AdAware, both completed successfully and healed or deleted whatever they found. I rebooted with no problems. All seemed well until I connected to the internet and opened firefox. Constant pop ups!

For whatever reason, though, Hijack This can now complete successfully. log

I don't recall seeing sp.dll, but I will take a look.

[ January 31, 2005, 10:14 PM: Message edited by: Jeni ]
Posted by Boris (Member # 6935) on :
Whew, you got lotso baddies on your computer...Here's a list of items you should have Hijack This fix...

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [casc] C:\WINDOWS\system32\casc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [s77O38j] d3drpres.exe
O4 - HKCU\..\Run: [dwoERUHng] cryxcl35.exe
O4 - HKCU\..\Run: [prutict] C:\WINDOWS\System32\prutict.exe
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V1.0\EzButton.exe
O15 - Trusted Zone:
O16 - DPF: NDWCab -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - (These last few look tricky to me, if you have something that you use from, don't disable these)

Also, I typically tell Hijack this to fix all the R1 and R0 instances, as doing so more or less resets IE to its default navigation settings, and there can be some bad things in there as well.

This one:
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

Looks suspicious to me, as I don't recognize the file name as being necessary.

O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
Also looks suspicious to me, since I've seen processes with a similar name running on all computers, but never inside a Hijack This log file. (In fact, now that I think about it, this file should be fixed, since it has its own directory, and any system file that resembles this one's file name is hard coded into the OS and wouldn't show up in the registry like this one does. I would do the same with the other file I listed as Suspicious, but if you have Divx and it stops running after that one gets turned off, restore it)

Finally, it also looks like you have an LSP problem. I'm not real familiar with this, but I have seen issues where Hijack this returns LSP errors. I just looked it up for info and I think this might be the cause of some of your problems. LSP tells your computer how to send information. This can be hijacked and used to send information to an outside source for marketing, spying, what have you.
Go here to get a program that can fix this problem.

I have three entries listed for my computer in this program. They are:

You have two files that Hijack This is screaming at that are going to show up with this program...

Remove those two for sure, if there are more than the three I listed as running on my computer, I would personally remove those as well.

Also make sure and delete these directories in safe mode after you get Hijack this and LSP fix to repair everything (Boot into safe mode immediately after these programs do their job, as the whole process isn't done yet)...
C:\Program Files\AutoUpdate\
C:\Program Files\ltmoh\
C:\Program Files\EzButton System V1.0\ (I don't know if you use anything called EzButton, but it's a suspect in my mind)
C:\Program Files\CxtPls\

That should cover everything, but once these files are deleted, run both Ad Aware and AVG again in safe mode before you do a final reboot. Also, make sure you are disconnected from the internet while you do all this, as being connected can cause everything to perpetuate itself. If it still does the same thing after you get through it with all this work, it may be better to reformat. If you have to reformat, the February 2005 edition of Maximum PC has a good article on bottling up your computer, if you can find a copy.
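As an added example (not code from the thread, from HijackThis, or from any of the posters), a small Python triage helper that parses the O4 Run-key lines quoted above and flags the traits Boris uses: a random-looking name, a bare filename with no path, rundll32 loading something that is not a DLL, and an executable sitting in its own folder under System32. The sample log is reconstructed from the entries in the thread; the heuristics are a first pass only, so look up any name you do not recognize before telling HijackThis to fix it.

```python
import re
from typing import Optional

# Constructed sample: the O4 (Run-key autostart) lines quoted in the thread,
# plus one O2 line to show that non-O4 entries are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [s77O38j] d3drpres.exe
O4 - HKCU\..\Run: [dwoERUHng] cryxcl35.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable (quoted or not) followed by its arguments.
CMD_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|com|bat))"?\s*(?P<args>.*)$', re.IGNORECASE)
SYSTEM32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)

def parse_o4(line: str) -> Optional[dict]:
    """Split one HijackThis O4 Run-key line into hive, value name, executable and args."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    c = CMD_RE.match(m.group("cmd").strip())
    exe, args = (c.group("exe"), c.group("args")) if c else (m.group("cmd").strip(), "")
    return {"hive": m.group("hive"), "name": m.group("name"), "exe": exe, "args": args}

def looks_random(s: str) -> bool:
    """Letters and digits mixed in one token, as in s77O38j or cryxcl35."""
    return len(s) >= 6 and any(ch.isdigit() for ch in s) and any(ch.isalpha() for ch in s)

def assess(entry: dict) -> list:
    """Return the traits from the post above that make an autostart entry worth a look."""
    reasons = []
    exe = entry["exe"]
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    is_host = exe.lower().endswith("rundll32.exe")  # rundll32 itself is a normal Windows binary
    if looks_random(entry["name"]) or (not is_host and looks_random(stem)):
        reasons.append("random-looking name")
    if "\\" not in exe and not is_host:
        reasons.append("bare filename, no path")
    if is_host and not entry["args"].split(",")[0].lower().endswith(".dll"):
        reasons.append("rundll32 loading something that is not a .dll")
    if SYSTEM32_SUBDIR_RE.search(exe):
        reasons.append("executable in its own folder under System32")
    return reasons

def triage(log: str) -> dict:
    """Map each O4 value name to its list of reasons (empty list means nothing flagged)."""
    return {e["name"]: assess(e) for e in map(parse_o4, log.splitlines()) if e}
```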
Posted by Jeni (Member # 1454) on :
Boris is my new hero.

Time to get to work on this.
Posted by Nato (Member # 1448) on :
Boris said:
This one:
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

Looks suspicious to me, as I don't recognize the file name as being necessary.

Yeah, that's one to get rid of. Just Google search for a process name if you don't recognize it; that usually comes up with something.
