I can't get rid of Ad-ware and spyware

  Andy 999 21:16 09 Jun 2004

Hi, new setup now....

The thing is, whenever I launch IE, the home page changes from google.co.uk to some adware page downloaded onto my PC. I keep running Ad-aware and S&D along with Zone Alarm Pro, and I just can't get rid of it... I run Ad-aware, it cleans about 10 objects, then I run it straight after it's finished and it finds more and more and more... I get to the point where it doesn't pick any up, and within 10 minutes I've got more... I really need a solution as my homepage keeps changing...

  VoG II 21:21 09 Jun 2004

What does your homepage change to?

Try running CWShredder click here

If that doesn't work post a Hijackthis log, following the instructions to the letter click here

  rawprawn 21:25 09 Jun 2004

Try turning off system restore, booting in safe mode and running virus killers from there

  Andy 999 21:36 09 Jun 2004

The home page tries to change to 'about:blank' so I take it it's an inside job. I've run Hijack Blaster and Bazooka at the mo but I'm still getting adware...

  VoG II 21:40 09 Jun 2004

You have got just about the nastiest piece of work that it is possible to get.

Here is some information but you really have to know what you are doing (I assume you have XP) click here

I suggest that you run Hijackthis (as above) then post your log on one of the specialist hijacking forums click here

  Andy 999 22:02 09 Jun 2004

Thanks for the good news mate... here's the log:
Logfile of HijackThis v1.97.7
Scan saved at 22:02:31, on 09/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\Program Files\RAM Idle\RAM_XP.exe
D:\Program Files\tgtsoft\StyleXP\StyleXP.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\WinZip\WINZIP32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\adcodga.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\adcodga.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [RAM Idle Professional] D:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\tgtsoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - click here
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - click here
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - click here
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - click here
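
An added example, not part of the original thread: a small Python triage pass over HijackThis entry lines that pulls out the `R0`/`R1` Internet Explorer page settings whose value is a `res://` page inside a local DLL or carries the `(obfuscated)` tag, as the two `adcodga.dll` lines in the log above do. The sample lines are copied from that log; the function names are assumptions of this example, and a hit means "review by hand", not a verdict.

```python
import re

# Sample input: a few lines taken from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\adcodga.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\adcodga.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
"""

# Every entry line starts with a section code such as R1, O2 or O16.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# R-section body: "<registry key>,<value name> = <data>"
R_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# res:// URL that loads a page out of a local DLL's resources
RES_DLL = re.compile(r"res://(?P<dll>.+?\.dll)/", re.IGNORECASE)

def parse(log):
    """Yield (section, body) for every HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def review_ie_pages(log):
    """Return R0/R1 entries worth a manual look, with the reasons why."""
    findings = []
    for section, body in parse(log):
        if section not in ("R0", "R1"):
            continue  # O8 menu items also use res://, but are not page settings
        m = R_VALUE.match(body)
        if not m:
            continue
        data, reasons = m.group("data"), []
        dll = RES_DLL.search(data)
        if dll:
            reasons.append("page served from local DLL " + dll.group("dll"))
        if data.rstrip().endswith("(obfuscated)"):
            reasons.append("HijackThis marked the value as obfuscated")
        if reasons:
            findings.append((section, m.group("name").strip(), reasons))
    return findings

if __name__ == "__main__":
    for section, name, reasons in review_ie_pages(SAMPLE_LOG):
        print(section, name, "->", "; ".join(reasons))
```
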

  VoG II 22:05 09 Jun 2004

I'll ask a specialist to look at this but as I said above you should have posted it on a spyware site.

  Nellie2 22:13 09 Jun 2004

Andy 999 I'm just having a quick look at this, why are all your program and system files on your D drive rather than your C drive?

  Nellie2 22:20 09 Jun 2004

OK... go to Windows updates and download any critical updates you are missing, without them you will just get re-infected!!

Download: dllfix.exe from click here

Save it preferably to your Desktop.
Double-click dllfix.exe it will create its own folder.
From the "dllfix" folder, double-click start.bat
Run Option 1. which is "Run Find-All... ". (type) 1 (press Enter)
Let it complete and there will be a pop-up window with a log.
Generates: output.txt Paste the contents of "output.txt" in your next post.

  Andy 999 23:22 09 Jun 2004

1. The reason it's on D:\ is simply cos I'm on a dual boot with Win98 etc etc...

2. I'm still getting a load of requests to change home page etc after clearing what I thought was all of the spyware (LOL)... Nellie, the output is this mate:

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--


System Info:

Microsoft Windows XP [Version 5.1.2600]
D: "WINXP" (7C7A:6F0A) - FS:FAT clusters:32k
Total: 34 595 241 984 [32G] - Free: 3 184 918 528 [3.0G]

*IE version and Service packs:
6.0.2800.1106 D:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 D:\WINDOWS\system32\notepad.exe
5.1.2600.0 D:\WINDOWS\notepad.exe


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;

Locked or 'Suspect' file(s) found...
\\?\D:\WINDOWS\System32\D3DC.DLL +++ File read error
\\?\D:\WINDOWS\System32\D3DC.DLL +++ File read error


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]



[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"

@="AP Deflate Encoding/Decoding Filter "

@="AP GZIP Encoding/Decoding Filter "

@="AP lzdhtml encoding/decoding Filter"



@="WebView MIME Filter"


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (click here)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access BUILTIN\Administrators

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators

  Andy 999 23:31 09 Jun 2004

I can't find a permanent solution to end all of this spyware, it's really slowing my system down, almost everything crashes, and it's only a new Athlon 64 3200+ CPU that's less than a week old :(
