Help with removal of spyware problem...


Windle Poons
26th Mar 2005, 10:10
I am currently trying to clean a friend's laptop which has suffered from more infestations of spyware than a thing with lots of infestations of spyware.

I believe they are now all gone, with the exception of an extremely annoying DLL file that refuses to budge. The symptoms of the spyware are a DLL file that resets the home page to a screen telling you that your computer is corrupted and that it has spyware sending information to various sites. It is supposed to look like a Windows help page and suggests you click on various links to remove the problem (I think not).

It also has a search toolbar that appears on Windows and Internet Explorer with some unsavoury search options.

HijackThis has found the DLL under the R0 section (full log below), but fixing it does not solve the problem, nor does running About:Buster. Could anyone with more knowledge of HijackThis or the specific spyware problem please give some help or pointers?

For info I have run CWShredder, in case it was a variation of CoolWebSearch, to no avail.

Thanks in advance. WP

Logfile of HijackThis v1.99.0
Scan saved at 10:48:19, on 26/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpl.dll/security.htm#subID=MPV;401
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

18greens
26th Mar 2005, 12:48
I don't know if this is the same one, but it sounds like one I just disposed of.

The pop-up box came with a message something like 'You have been infected with winsterHJKv2011. Press OK to download the fix' - yeah right.

I searched Google for winsterHJKv2011 and the solution was to delete the file c:\windows\system32\systr.dll. You need to download KillBox to delete it.

Hope this helps

Windle Poons
26th Mar 2005, 13:08
Cheers chap. Will try it later today and then let you know.

WP. :ok:

Devlin Carnet
31st Mar 2005, 11:03
I think your problem lies here:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpl.dll/security.htm#subID=MPV;401

I think it is a homepage redirect. But I am quite new to this (due to necessity, not choice).

I would do a Google search on shdocpl.dll to check, and see if there are hints for its removal if it is a baddie.
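
As an added defender-side example (not code posted in this thread), the Python below scans HijackThis-style log lines for R0/R1 entries whose start page is a res:// URL, i.e. a page served from inside a local DLL, and extracts the DLL path that should be investigated rather than just the registry value. It is the check behind both the original log and the R0 line Devlin Carnet points at; the sample log is constructed from the two R0 lines above plus one benign R1 line made up for contrast.

```python
"""Flag R0/R1 HijackThis entries whose start/search page is a res:// URL.

A normal home page is http(s):// or about:blank. A res:// URL loads an HTML
resource embedded in a DLL, so when the start page points at a DLL under
system32, that DLL is the persistence component: resetting the registry
value alone (what "Fix checked" does) will not remove it.
"""
import re
from dataclasses import dataclass

# "R0 - <registry key>,<value name> = <data>"
ENTRY_RE = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# res://<path to dll>/<resource>#<fragment>  (fragment ignored)
RES_RE = re.compile(r"^res://(?P<dll>.+?\.dll)(?:/(?P<resource>[^#]*))?", re.IGNORECASE)

# Constructed sample: the two R0 lines from the posted log plus a benign R1 line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpl.dll/security.htm#subID=MPV;401
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/
"""

@dataclass
class Finding:
    section: str   # "R0" or "R1"
    key: str       # registry key the value lives under
    value: str     # value name, e.g. "Start Page"
    dll: str       # DLL the res:// URL loads from
    resource: str  # HTML resource name inside the DLL

def find_res_start_pages(log_text: str) -> list[Finding]:
    """Return one Finding per R0/R1 line whose data is a res:// URL."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # not an R0/R1 entry
        r = RES_RE.match(m.group("data").strip())
        if not r:
            continue                      # http://, about:blank, or empty
        findings.append(Finding(m.group(1), m.group("key"), m.group("value").strip(),
                                r.group("dll"), r.group("resource") or ""))
    return findings

if __name__ == "__main__":
    for f in find_res_start_pages(SAMPLE_LOG):
        print(f"{f.section} {f.value}: investigate {f.dll} (resource {f.resource})")
```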