Greetings. I'm in urgent need of help with spyware attacks

I have ad-aware 6 spybot s and d
hijack this
Thats it

Well i get a pop up every minute or so... just 1 every minute for some random thing ... i know i dont have the big stuff like 180searchware or coolwwwsearch

Its not big thats why its wierd
but ok i scan on all 3 and get rid of all 3

i think its called elitejky32.exe and vimml.exe or something
and i get rid of them... but they come back...
Spyware gets rid of it then it just comes back.

What do i do, I really cant just reformat.


EDIT : Ok I figured out some things

Its called Ebates Moneymaker , i got rid of the registry thing
so ebates is gone

my new one is in the processes its called

Vimmll.exe
I cant find it in spybot or ad-aware and it only shows up on hijack but it comes back too... is there somthing i do for that?

If you have the elite toolbar download the elite toolbar remover:
http://www.majorgeeks.com/download.php?det=4465

If you are getting popups every minute or so, this may (or may not) be qoologic. If so, what is your OS?

Can we see your hijack this log?

What OS you got? XP?

If you got XP then:
Disable Simple File Sharing
1. Open My Computer from the Start Menu or Windows XP Desktop. A new My Computer window will appear.
2. Open the Tools menu and choose the "Folder Options..." option from this menu. A new Folder Options window will appear.
3. Click on the View tab and locate the "Use Simple File Sharing (Recommended)" checkbox in the list of Advanced Settings.
4. To enable Simple File Sharing, ensure this checkbox is checked. To disable Simple File Sharing, ensure this checkbox is not checked. Click inside the checkbox to alternately enable and disable the option.
5. Click OK to close the Folder Options window. The settings for Simple File Sharing are now updated; no computer reboot is required.

jerry atrik's tip

Logfile of HijackThis v1.99.1
Scan saved at 11:36:52 AM, on 4/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\vimmll.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jordan\Desktop\Krap\HijackThis.exe

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitejky32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vimmll.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



I've known how to keep a clean fast computer until this everything feels slow i just cant stand it...
Any other info
Win xp pro

See, That's the hard thing
I could have done that

"What Jarry Ark" said

but the thing is i cant find the file and if i delete it it will come back so i have to use that tip but i cant find the file it says its in the sys32 folder, Apparnetly not after my searching

It is probably a hidden file. Bring up my computer, select Tools, Folder options, view tab, click the radial button on "Show hidden files and folders". Also, uncheck "Hide protected operating system files". Select yes, on the warning, hit okay. Search for that file again.

when i cant find the offending file i scan with adaware and look at the files it "can't" delete

Alright, All good tips guys. Thanks a bunch, I'm still finding it because Theefools tip helped and jarry your help worked but im still findint out some stuff but thanks so much already

Ahhhh, It wont stop... I use all the spyware i can use to get rid o f it... It wont go away... i look for it , its not there i used all your tips... it just keeps coming with the popups... NOOOOO evil popups what do i do... nothings working

http://www.majorgeeks.com/download.php?det=4465
download this and run in safe mode

Also, download the following:
http://lineofire.geekstogo.com/FindIt%20NT-2K-XP.zip

# Unzip the contents of FindIt NT-2K-XP.zip to a convenient location.
# Navigate to the FindIt NT-2K-XP directory.
# Double-click on FindVX2.bat and wait for it to run.
# It should open a Notepad window with the FindVX2 log.
# Post the contents of FindVX2.txt into your next post.

This is a nice batch file. I've used it a couple times. In fact I already have an improved version of this, that I did on my own.

Also, download and post the log of this program too.

http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981

Ok this is kind of big but

---------------- FindVX2 NT-2K-XP ----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows XP Professional 5.1 (Build 2600)

********* Date/Time ********

Thursday, April 21, 2005 (4/21/2005)
1:44 PM, Pacific Daylight Time

*********** Path ***********

FindVX2.bat is running from: C:\Documents and Settings\Jordan\Desktop\FindIt NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 50D1-34D6

Directory of C:\WINDOWS\System32

04/21/2005 12:14 PM <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 62,642,429,952 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 50D1-34D6

Directory of C:\WINDOWS\System32

04/21/2005 12:14 PM <DIR> dllcache
04/14/2005 01:06 PM 488 WindowsLogon.manifest
04/14/2005 01:06 PM 488 logonui.exe.manifest
04/14/2005 01:06 PM 749 nwc.cpl.manifest
04/14/2005 01:06 PM 749 sapi.cpl.manifest
04/14/2005 01:06 PM 749 wuaucpl.cpl.manifest
04/14/2005 01:06 PM 749 cdplayer.exe.manifest
04/14/2005 01:06 PM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 62,642,429,952 bytes free

--------------- Files Named "Guard" --------------

Volume in drive C has no label.
Volume Serial Number is 50D1-34D6

Directory of C:\WINDOWS\System32


-------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 50D1-34D6

Directory of C:\WINDOWS\System32

08/23/2001 05:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 62,642,425,856 bytes free

------------------- User Agent -------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"iebar"=""

--------------- Keys Under Notify ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------ Shell Extensions Approved -----------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

--------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K
logonu~1.man Thu Apr 14 2005 1:06:48p A..HR 488 0.48 K
ncpacp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K
nwccpl~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K
sapicp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K
window~1.man Thu Apr 14 2005 1:06:48p A..HR 488 0.48 K
wuaucp~1.man Thu Apr 14 2005 1:06:44p A..HR 749 0.73 K

7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K

---------------- FindVX2 NT-2K-XP ----------------


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINDOWS\JMHHV.DLL
* qoologic C:\WINDOWS\JMHHV.DLL
* qoologic C:\WINDOWS\UNADBEH.EXE

* ad-beh C:\WINDOWS\System32\ADPPQ.DLL
* ad-beh C:\WINDOWS\System32\TSHHBBR.DLL
* ad-beh C:\WINDOWS\System32\WINUP2~1.DLL
* ad-beh C:\WINDOWS\System32\BDRRQQM.EXE
* ad-beh C:\WINDOWS\System32\VIMMLL.EXE
* ad-beh C:\WINDOWS\System32\WMCONFIG.CPL
* ad-beh C:\WINDOWS\UNADBEH.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\NRPP.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f7ecc3

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
nrpp.exe

User Startup:
C:\Documents and Settings\Jordan\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmttkkxk
<NO NAME> REG_SZ {ff549842-977e-454e-a730-3e4f5f3d81e3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 14:54
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
"6cb1abe1-2bcc-47a0-8a90-2ac368f47d8b\(Default)" = ""
\StubPath = "C:\WINDOWS\System32\bdrrqqm.exe" [null data]

Okay.

This might be a pain, but go into safe mode.
bring up a command prompt.
Also, I prefer going into the Recovery Console.

go to the c:\windows directory by typing in:
cd\windows
then type in
attrib -r -h -s -a jmhhv.dll
attrib -r -h -s -a unadbeh.exe
erase jmhhv.dll
erase unadbeh.exe
cd system32
attrib -r -h -s -a adppq.dll
attrib -r -h -s -a tshhbbr.dll
attrib -r -h -s -a winup2~1.dll
attrib -r -h -s -a bdrrqqm.exe
attrib -r -h -s -a vimmll.exe
attrib -r -h -s -a wmconfig.cpl
erase adppq.dll
erase tshhbbr.dll
erase winup2~1.dll
erase bdrrqqm.exe
erase vimmll.exe
erase wmconfig.cpl
cd\docume~1\alluse~1\starm~1\programs\startup
attrib -r -h -s -a nrpp.exe
erase nrpp.exe
exit
then click start, run, regedit
now migrate to HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fmttkkxk

delete the key fmttkkxx

now migrate to

HKLM\Software\Microsoft\Active Setup\Installed Components\

delete the key "6cb1abe1-2bcc-47a0-8a90-2ac368f47d8b\(Default)

reboot back into normal mode, and give me your logs again.

If you have any questions before doing any of this, feel free to ask them.

Your problem is from the qoologic trojan downloader. Avast can find it, but not get rid of it. Norton can't find it, mcafee can't find it, adaware doesn't do anything, spybot nothing, MS antispyware doesn't fix it.

This roundabout way is the only way I know how to fix this. Though, I'm presently (unless someone beats me to it) making a program that is a bit more optimized.

Thanks, And good luck with your project.

Originally posted by theefool:

Good luck in your project.

The hard part is that not everything in those logs are considered bad.

I already have at home a batch file that does exactly the same as findit, except it is a bit more friendly. Also, it autocreates a batch file that needs to be run to fix these issues. But, it still needs some work. Like some error level checks.

I've been writing batch files for about 10 years. My favourite ones were when ansi.sys was popular......