
How to get rid of Spyware??? -- Help!!!


Rosee

IS-IT--Management
Dec 12, 2001
My computer is acting differently than before. It is very slow lately and has pop-up ads all the time. I ran Ad-Aware, Spyware Doctor, Spybot and HijackThis. Some of the spyware has been cleaned after running those programs, but it is not totally clean yet because there are still some pop-up screens. Below is the latest HijackThis log file. Any help will be appreciated.

------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 2:56:27 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Emergin WirelessOffice\wosrv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\kuhhmk.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\chen\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
O1 - Hosts: 100.100.100.240 AS400
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kuhhmk.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemks32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: symsupportutil -
O16 - DPF: Yahoo! Chat -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {6D72E2C2-F8E6-11D1-8AFB-000000000000} (ArcotClientControl Class) -
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) -
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cmhhs.org
O17 - HKLM\Software\..\Telephony: DomainName = cmhhs.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{645F26CF-A3B3-42E3-B7C8-7FBE16CE36CB}: NameServer = 100.100.100.200
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cmhhs.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{645F26CF-A3B3-42E3-B7C8-7FBE16CE36CB}: NameServer = 100.100.100.200
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cmhhs.org
O17 - HKLM\System\CS2\Services\Tcpip\..\{645F26CF-A3B3-42E3-B7C8-7FBE16CE36CB}: NameServer = 100.100.100.200
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
 
Rosee

I've had a quick run through your log using the automated scanner here. Nothing immediately leaps out; however, it would be worth downloading and rescanning with the latest version of HijackThis (v1.99.1) using the direct download link from the above site.

HTH

TazUk

[pc] Blue-screening PCs since 1998
 
The following items look dodgy, which is why I gave the FAQ address, as I don't have time to do a full analysis at the moment. Regardless, do as TazUk says: get the latest HijackThis, rerun the log, then run it through the analyser again.

Running processes:
C:\WINDOWS\system32\kuhhmk.exe

Dodgy items:
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemks32.exe

John
 
These entries need to go, but only after you've disabled system restore:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kuhhmk.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemks32.exe

Further, reboot into safe mode and remove this:
C:\WINDOWS\system32\kuhhmk.exe


Tired of waiting for an answer? Try asking better questions. See: faq222-2244
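A small triage helper for logs like the one above, added here as an example; it is not code from the thread or from HijackThis. It pulls the O4 Run entries and O1 hosts mappings out of the log and flags Run targets that live in system32 but are not in the reviewer's baseline of known binaries (the baseline here is a constructed assumption, as is the log excerpt).

```python
import re
from typing import NamedTuple

# Constructed excerpt of the HijackThis v1.98.2 log posted above (O1 and O4 lines only).
SAMPLE_LOG = """\
O1 - Hosts: 100.100.100.240 AS400
O4 - HKLM\\..\\Run: [PaperPort PTD] C:\\Program Files\\Scansoft\\PaperPort\\pptd40nt.exe
O4 - HKLM\\..\\Run: [KavSvc] C:\\WINDOWS\\system32\\kuhhmk.exe reg_run
O4 - HKLM\\..\\Run: [checkrun] C:\\windows\\system32\\elitemks32.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
"""

# Binaries the reviewer already knows belong in system32 on this machine.
# Constructed for the example; in practice this is the analyst's own baseline.
KNOWN_SYSTEM32 = {"nvcpl.dll"}

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
IMAGE_RE = re.compile(r"(?i)^\s*(.+?\.(?:exe|dll))(?=[\s,]|$)")

class Autorun(NamedTuple):
    name: str    # registry value name, e.g. "KavSvc"
    image: str   # file that actually runs
    args: str    # everything after the image

def image_of(cmd: str) -> str:
    """Return the file an O4 command executes; for rundll32 loaders, the DLL it loads."""
    m = IMAGE_RE.match(cmd)
    if not m:
        return cmd.strip()
    image, rest = m.group(1), cmd[m.end():]
    if image.lower().endswith("rundll32.exe"):
        m2 = IMAGE_RE.match(rest)
        if m2:
            return m2.group(1)
    return image

def parse_autoruns(log: str) -> list[Autorun]:
    out = []
    for m in filter(None, map(O4_RE.match, log.splitlines())):
        image = image_of(m["cmd"])
        out.append(Autorun(m["name"], image, m["cmd"].split(image, 1)[-1].strip()))
    return out

def suspicious_autoruns(log: str) -> list[Autorun]:
    """Run entries whose image sits in system32 but is not in the reviewer's baseline."""
    flagged = []
    for a in parse_autoruns(log):
        path = a.image.lower()
        if "\\system32\\" in path and path.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32:
            flagged.append(a)
    return flagged

def hosts_overrides(log: str) -> list[tuple[str, str]]:
    """Every O1 hosts-file mapping, so each one can be confirmed as intentional."""
    return [(m["ip"], m["host"]) for m in map(O1_RE.match, log.splitlines()) if m]
```

Anything it flags is a lead to verify (who put the file there, what signs it), not an automatic delete list; the baseline is the part that does the real work and has to come from the machine's known-good state.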
 
Go to Add/Remove Programs and uninstall Viewpoint Manager, then delete its folder from C:\Program Files.


Download the Hoster from:
Unzip the file, press "Restore Original Hosts", then press "OK". Exit the program.


You need to run the FindQoologic tool to find the hidden files for the first one. Deleting that file won't shift it; it will just come back!


O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kuhhmk.exe reg_run


The second is the elite bar.

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemks32.exe


Also download the EliteBar (SearchMiracle) Removal Tool (must be run in safe mode).



You'll need to go here to download FindQoologic.

Go to post 4 in the thread, and at the bottom right you can download the FindQoologic zip.


Download FindQoologic-Narrator.zip and save it to your Desktop.



Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, then post it in a reply to your thread.

You might get an error message when first running this file; if so, close it, run it again and wait until file.txt opens on the desktop.

Ignore the first list that opens with a long list of files and wait for FILE.TXT to pop up.

It normally takes somewhere between 10 and 15 minutes depending on your computer, so don't panic if it takes some time.

Post the Qoologic log and another HijackThis log.
 
Hmmm - goes to show I shouldn't rely on the automated log scans... Nicely spotted folks.

TazUk

[pc] Blue-screening PCs since 1998
 
Thanks for all the help.

After I ran hijackThis v1.99.1, I don't get as many pop-up ads on the screen. But it places some icons (shortcuts) on the desktop, such as: Home Depot, Ebay, etc. Is there a way to stop the computer from creating these icons by itself?
 
You need to post the Qoologic log; then I can advise what files to delete with KillBox!
 