Virus/Spyware Help NOW! PLEASE!
KeWLKaT
02-08-2006, 01:48 AM
BIIIIIIIIIIIIG PROBLEM
OK:
For the past few months I have been having spyware/trojan/viral problems with my pc. Well, I bit the bullet and FINALLY decided to re-format. Big Mistake?
Now, I formatted it 3 times already tonight and re-installed XP, and it does the same thing.
As soon as I start up windows XP for the first time, it runs OK. I don't have an anti-virus or whatnot as of that point. So I set up my internet connection and I access it. I open internet explorer on the google homepage, and go to the avg site. I download the program, install it, and then find multiple viruses that cannot be cured. I go to lavasoft and download Ad-aware, which detects around 70 different spyware programs.
That's ALL I do so that it happens. Nothing else. A few clicks and 2 websites. And it brings me the world war on my PC.
Now. That's where my PC screws up COMPLETELY and I cannot run stuff normally. As we speak I was struggling to get IE to open on this webpage. Even, at some point, I tried opening my ad-aware and it said that it cannot execute itself because it is corrupted.
When I open the tasks list, there are some crazy processes there running under my username, such as: rundll32.exe, shost.exe, yahootray.exe (even though I've never even come close to installing that program), ssk.exe, gimmygame.exe, and whatnot.... Some of them I can end, some of them I cannot.
Oh, and a LOT of popups as we speak.
Now... COULD IT BE that there are hundreds of online malicious programs that are just getting into my pc with my IP address, cause, since I have a dsl, it's the same as before? (trojan doors are still open or something?). If that's the case, will making my ISP change my IP address solve the issue?
I'm confused... help :(
TNT4ME
02-08-2006, 01:59 AM
#1. Get spy bot...way better than ad aware.
#2. Get zonealarm. It blocks those incoming attacks
#3. Get Yahoo toolbar which allows you to block pop ups
#4. Back up your sh**! That way you do not lose your data in future
Then your computer should be ok
Vampyrate
02-08-2006, 02:06 AM
download all the programs that you want and save to a cd. then reformat the computer and don't set up the internet or anything until you have all of that stuff from the cd installed, then when you have all of that running and set up, then set up the internet.
KeWLKaT
02-08-2006, 02:09 AM
yeah i've done the burn on a cd backup data sh!t already...
now i just downloaded hijackthis!, holy ****, that thing works nicely. i will try the progs you guys gave in a few moments.
TNT4ME
02-08-2006, 02:21 AM
cool, cool. Backups are always the way to go. The other programs will help you out a lot. I had this prob bout a month ago, drove me nuts.
Vampyrate
02-08-2006, 02:33 AM
i know the whole backup story all too well.
i have 10 full dvds just for music alone, and 2 or 3 just for progs and photos that i can't afford to lose
KeWLKaT
02-08-2006, 02:38 AM
i'm running spybot as we speak right now
i feel a bit better, feels like i could actually be able to do something. any other progs there? i know there's something called cw***** or something.. what is it?
Vampyrate
02-08-2006, 02:39 AM
i have no clue... but one thing with my comp. battles as of late, i noticed that every time that i run adaware, the comp restarts. doesn't do that for RegScrubXP or Spybot lol
personally i use ad-aware (sometimes), zonealarm, and ez anti-virus (Computer Associates).
if you reformatted your system.. none of those files should be on there. are you doing a quick sweep, or a full format? if you boot your XP disc, it will take you to a blue screen. You should completely erase it using the full method (takes a little longer), and make sure you delete the partition before reinstalling. that way, XP will reinstall on a like-new hard drive, and you will not have any of that crap left on your computer. i do it to my laptop whenever i get infected, and i've seen that gimmygame **** before too. once i erased it the way i just described, it was completely gone.
Also, for those few files that don't get deleted even after running all the utilities, i use "move on boot". basically what it does is edit the boot file temporarily, marking the files you choose to be deleted at the next boot. then just restart.. and they're gone :)
TNT4ME
02-08-2006, 02:42 AM
I'm kinda interested to know how many spybot found.
jyfgt
02-08-2006, 03:20 AM
spybot usually doesn't find anything for me. ad-aware does. also after you finish scanning and cleaning with spybot immunize your system so they can't get back on. and if you want to clean more thoroughly, run all your cleaning utilities in safe mode.
Vampyrate
02-08-2006, 03:22 AM
and as far as avast! goes, run it with a thorough scan in both all file directories and hard drives, this may take many hours (8 in my case) but i run it every 48 hours and haven't found much except that one time that i had 18 trojans and 20 viruses (about half of which i had written to test the detecting skills of the prog)
make sure whenever you're running any of these ad-aware & spybot type programs that you are loading your computer in safe mode. these programs, even if they find a threat, will not delete it if it is being used by a process. safe mode ensures that only the most basic drivers are loaded, so that you can delete 99% of all that crap in one sweep
fgummett
02-08-2006, 02:35 PM
As above, just being connected to the internet makes you vulnerable. I run AVG, AdAware, Spybot AND SpywareBlaster. I have a router that hides the IP addresses behind but also have XP's Firewall switched on. IE is getting much safer but I use Firefox unless the site will only work with IE (like HMA). so far so good :) Good Luck
KeWLKaT
02-08-2006, 03:36 PM
Ok....
Here's the latest hijackthis log:
Logfile of HijackThis v1.97.7
Scan saved at 2:35:11 PM, on 2/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\nav32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 4 for HijackThis.zip\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139410106562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139410089734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45B3D7E0-4957-44B1-94E4-58E4277D7E77}: NameServer = 206.47.244.17 206.47.244.51
The ones in bold are the ones I have never seen. Can anybody shed some light on those?
fgummett
02-08-2006, 03:46 PM
Found this page which explains HijackThis codes... What is HijackThis ..? (http://www.pchell.com/support/hijackthistutorial.shtml) ...looks like it might help
Do you have "Messenger" installed (O9 codes)?
Is the O17 line your Internet Service Provider?
FinalBreath
02-08-2006, 04:20 PM
i use xoftspy for my spyware/adware... and CA for antivirus, no problems with my system whatsoever
P4 3.0ghz w/ ht
1gb Ram
120gb SATA hd
dvd+/- RW
Nvidia 6800 AGP 8x
Windows XP Home ed.
line O17, if not from your ISP, should be deleted. that is the server IP that the spyware would connect to to download all the crap onto your computer (provided that it's not your ISP's IP address)
the other two.. i know you have MSN messenger BUT i've never seen an "extra buttons" & "extra tools" download for the messenger. if it's a third party download.. i would uninstall it to see if that's what's causing the spyware to be downloaded. if not.. then i'd suggest reinstalling messenger to be on the safe side.
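For the O9 and O17 checks discussed in the posts above, here is an added example (not part of any post in this thread) that groups HijackThis entry lines by section code and lists the O17 NameServer addresses that are not in a set of resolvers you expect. The sample lines are copied from the log posted above; the function names and the `expected` set are assumptions of this example, and the set has to be filled in with the resolver addresses your own ISP publishes.

```python
import re
from collections import defaultdict

# Entry lines look like "O17 - <detail>": one letter, one or two digits, " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\rundll32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{45B3D7E0-4957-44B1-94E4-58E4277D7E77}: NameServer = 206.47.244.17 206.47.244.51
"""


def parse_entries(log_text):
    """Group entry lines by section code, e.g. {'O9': [...], 'O17': [...]}."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # header and running-process lines do not match and are skipped
            entries[m.group(1)].append(m.group(2))
    return dict(entries)


def unexpected_nameservers(entries, expected):
    """Return O17 NameServer addresses that are not in the expected set."""
    found = []
    for detail in entries.get("O17", []):
        m = NAMESERVER_RE.search(detail)
        if m:
            # The value may list several addresses split by spaces or commas.
            found += [ip for ip in re.split(r"[ ,]+", m.group(1).strip()) if ip]
    return [ip for ip in found if ip not in expected]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for code in sorted(entries):
        print(code, len(entries[code]), "entries")
    # Empty placeholder set: every address is listed until you confirm it with the ISP.
    for ip in unexpected_nameservers(entries, expected=set()):
        print("O17 NameServer to confirm with ISP:", ip)
```

An address listed here is only unconfirmed, not proven bad: it drops off the list once it is added to `expected` after checking it against the ISP's published resolvers.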
Kenshin
02-09-2006, 12:16 PM
I'm surprised no one has mentioned the Microsoft Antispyware beta. It's free and it seems to be very effective. It found and cleaned out a lot of things that neither spybot nor ad-aware were able to clean for me.
KeWLKaT
02-09-2006, 01:22 PM
Damn.... It's starting again.
I have made a partition with all my important stuff (like Office XP, bla bla), and I will install windows 98 on it. Format the other partition and reinstall XP on it. Dual boot on that **** in case of extreme conditions, only I will use windows 98, in order to install/uninstall just like I will do right now. Install zonealarm pro PRIOR to accessing the internet for the first time, and make the ISP change my IP.
In the past 2 days, zonealarm has told me it blocked around 300 attacks... I think my IP is targeted, LOL. Thanks TNT, that program rocks.
Wish me luck :(
subvibe99
02-09-2006, 03:11 PM
I don't use internet explorer, at all...ever. Firefox has far less programs designed to infect it but I'm sure they will increase now that it's become a more popular program. Internet Explorer allowed so many programs to infect my computer in the past. - Subvibe
stussy2870
02-09-2006, 03:39 PM
I'd suggest doing exactly what Paki has mentioned. You should NEVER see those items after you've just formatted. What I think you may have done is an "over the top" install. Basically, XP re-installs the system files, .dll files etc etc. It however does not delete your programs and all associated files (good or bad)
Try the complete xp re-install deleting and recreating your partitions. I also prefer to format using NTFS- Smaller block size allows for more efficient hard drive usage
Later
silversharkXD2
02-09-2006, 04:28 PM
I agree on microsoft spyware...it works really well. kaspersky is my favorite firewall. it blocks EVERYTHING. stuff that even norton lets in
Vampyrate
02-09-2006, 05:53 PM
actually it sucks. spyware terminator is the best that i have found so far. it works like avast and microsoft combined.
felix.. if after your experiment it still doesn't help i'll ask the other 2 guys that i work with about it. spyware & adware removal is a day-to-day thing with these guys :)
KeWLKaT
02-09-2006, 06:42 PM
What I think you may have done is an "over the top" install. Basically, XP re-installs the system files, .dll files etc etc. It however does not delete your programs and all associated files (good or bad)
Try the complete xp re-install deleting and recreating your partitions. I also prefer to format using NTFS- Smaller block size allows for more efficient hard drive usage
Later
I appreciate your help, but, I have mentioned it before, I did a FULL FORMAT. I am not a complete idiot when it comes to these things, I know I remember typing in "format c:" on the dos prompt. :)
Those files don't come out of nowhere, they come as soon as i connect to the internet for the first time.
Paki I'll let you know about the turn out
CsL_FrEaK
02-09-2006, 06:56 PM
it is normal for zone alarm to kick off so many alerts of attacks because half of them are actually commercials and stuff like that
but leave zone alarm on, it prevents some inexperienced hacker wannabes from your system
btw when you formatted your hard drive did you format only the partition where windows is or did you format all of your hard drive
if you formatted only one partition from what you said i think the virus or whatever you have has its copies on every partition (not unusual)..
if you can't solve this in any way you will need to format all of your hard drive and from windows boot screen (or from dos if you are using an older version of windows)
and of course you'll need to reinstall your windows
but i would advise you before you connect to internet for the first time to install ad-aware, zone alarm, AVG(free anti virus), spybot and if you can get it from somewhere norton antivirus or better yet kaspersky.
and whenever you disconnect from the internet and turn off your modem your IP address changes no matter if you are on DSL.
at least so is the system here in Croatia.
you don't need more than 1 firewall installed.. they'll eventually start conflicting and you won't be able to get on at all..
over here most providers give you the same IP address even after you reset the modem.. sometimes they don't but most do :)
but i agree.. install at least 1 spyware removal, 1 adware removal, and a firewall and you are set.
oh and for formatting.. i normally just use my boot disk that came with my laptop.. if i restart with it in my cd-rom drive it'll take me to XP installation :)