Spyware Removal


elusionx32

Thread Starter
Joined
Jan 21, 2007
Messages
16
Hello,
I recently tried to download ActiveX and instead downloaded major spyware. I ran Ad-Aware and Spybot and removed everything that those programs found. There are still many pop-ups appearing on my computer. Here is my HijackThis log entry; please tell me what I need to do to return my computer back to normal, thanks a lot!

Logfile of HijackThis v1.99.1
Scan saved at 1:13:33 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Object\isamonitor.exe
C:\Program Files\Video ActiveX Object\pmsngr.exe
C:\Program Files\Video ActiveX Object\isamini.exe
C:\Program Files\Video ActiveX Object\pmmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {157D64CA-E110-4646-4375-5B1709E9A30C} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {21F2AA44-F49A-7FB1-BB8F-78CB5A909AD1} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {2C2D32FD-D528-613D-D0F4-614C09BAF473} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {50DA8761-D937-5566-D5AC-5F4022815671} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096438925734
O16 - DPF: {76706878-AD00-1E89-7F37-193A22418DBE} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - C:\WINDOWS\system32\nbbrhbd.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi,

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Also, please post this from Hijackthis:

On the first window of Hijackthis, you may see "Config"; use that, or/then hit the Misc Tools button, then Open Uninstall Manager, Save List, and copy and paste the entire list of software into your next reply.
 

elusionx32

Hi,
I did everything you requested but pop-ups still appear. Here are those 2 logs you needed, thanks again!!!

SmitFraudFix v2.133

Scan done at 21:03:03.01, Sun 01/21/2007
Run from C:\Documents and Settings\Chris\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"

[HKEY_CLASSES_ROOT\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
@="C:\WINDOWS\system32\nbbrhbd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
@="C:\WINDOWS\system32\nbbrhbd.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\nbbrhbd.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\nbbrhbd.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\Chris\FAVORI~1\Online Security Test.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\Video ActiveX Object\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

HIJACK PROGRAM LIST:
µTorrent
Ad-Aware SE Professional
Adobe Reader 7.0.8
AOL Instant Messenger
AVI/MPEG/RM/WMV Joiner 4.11
BCM V.92 56K Modem
Bejeweled 2 Deluxe
BitTorrent 4.0.4
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window MC 5 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CCleaner (remove only)
Corel Paint Shop Pro X
Dell Digital Jukebox Driver
Dell ResourceCD
Dell Support 5.0.0 (766)
DS21Patch
DVDSentry
ewido security suite
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB926239)
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2
jetAudio VX for X5
LimeWire PRO 4.12.3
Logitech SetPoint
Macromedia Flash Player 8
Malware-Wiped 5.2
Microsoft .NET Framework 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
Mozilla Firefox (1.5.0.5)
Musicmatch® Jukebox
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
OpenMG Secure Module 4.6.01
PowerDVD
PowerQuest PartitionMagic 8.0
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Shockwave
Sonic DLA
Sonic RecordNow!
Sound Blaster Live!
Spybot - Search & Destroy 1.3
Spyware Doctor 3.2
System Alert Popup
Tweak-SE plug-in for Ad-Aware SE
überOptions 2.30
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Winamp (remove only)
WinAVIVideoConverter
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WordPerfect Office 11
XP Codec Pack
Yahoo! Photos Easy Upload Tool 1v6
ZoneAlarm Security Suite
 

Byteman

Hi, Yes, they may until we get it all fixed!


Uninstall this old version of Spybot (Spybot - Search & Destroy 1.3); we will get a new one...


This program, ewido security suite, has been discontinued and replaced with AVG Antispyware...

I suggest uninstalling Ewido (unless it is the paid-for version; you may want to keep it, but set it to not start when Windows does and disable the background protections)...


Open Ewido by double-clicking the yellow 'E' icon in the system tray.
In the 'Your security status' section, toggle the Ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
When you reboot, Ewido will prompt you as to whether you would like to "Restart the guard?".
Reply 'no' and set it to 'inactive' for the duration of your cleanup.

You can turn it back on, but you would need to de-activate AVG Antispyware; only one can be running at a time due to conflicts.


Then install AVG Anti-Spyware exactly as shown! Save the directions to a Notepad text file as steps.txt on your desktop so you have them while working in Safe Mode, when you will not be able to come here and read them.... An alternative is to print it all out if you wish...

Download AVG Anti-Spyware from HERE and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
  2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
  4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
  2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG will now begin the scanning process. Please be patient as this may take a little time.
    Once the scan is complete, do the following:
  5. If you have any infections you will be prompted. Then select "Apply all actions."
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left-hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
  8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
 

elusionx32

Hello,
Here is the active scan report, thanks for the help:


Incident Status Location

Adware:Adware/Malwarewipe Not disinfected C:\Program Files\Malware-Wiped\Malware-Wiped.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-4933.txt[.atwola.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-4942.txt[.apmebf.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5065.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5067.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5074.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5075.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5083.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5084.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5085.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5086.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5087.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5094.txt[.go.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5095.txt[.go.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5113.txt[.apmebf.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5114.txt[.apmebf.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5115.txt[.apmebf.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5116.txt[.apmebf.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5117.txt[.apmebf.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5118.txt[.apmebf.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5146.txt[.apmebf.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5147.txt[.apmebf.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5148.txt[.apmebf.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies.txt[.go.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Chris\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
 

Byteman

Hi, From your Add/Remove Programs in the Control panel, Uninstall

*System Pop Up Alert

*Malware-Wiped <these uninstallers might not do anything, it's OK>

I will wait for the rest of the logs, please do not rush, do what you have to do and get back when you are free.
Run AVG A/S and make sure you follow the directions well - print out or save the steps you are to do in Safe Mode.

Post that log and a new Hijackthis log when ready.
 

elusionx32

Hi,
I believe I was able to remove/uninstall those 2 programs, System Pop Up Alert and Malware-Wiped. I also ran the AVG scan yesterday, but first here's the HijackThis log. Thanks again:

Logfile of HijackThis v1.99.1
Scan saved at 8:39:42 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {157D64CA-E110-4646-4375-5B1709E9A30C} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {21F2AA44-F49A-7FB1-BB8F-78CB5A909AD1} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {2C2D32FD-D528-613D-D0F4-614C09BAF473} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {50DA8761-D937-5566-D5AC-5F4022815671} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096438925734
O16 - DPF: {76706878-AD00-1E89-7F37-193A22418DBE} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 

elusionx32

The AVG log is too big to post, so I will just post the first few lines. The rest of the scan shows all of the cookies deleted:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:49:33 PM 1/22/2007

+ Scan result:



HKU\S-1-5-21-1811519581-696825478-127749295-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1811519581-696825478-127749295-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Malware-Wiped\Malware-Wiped.url -> Adware.MalwareWiped : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-4942.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.100:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5143.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.100:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5144.txt -> TrackingCookie.2o7 : Cleaned.
 

Byteman

Hi, as long as the AVG showed just cookies in the rest of that scan, OK, I trust you.


Run Hijackthis, and in your scan window put checks next to EACH of these items from my list below. Make sure you have them all when you do; you must have ALL other windows, browsers, emails, IMs, including THIS window, closed. Then click the "Fix Checked" button.

O16 - DPF: {157D64CA-E110-4646-4375-5B1709E9A30C} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {21F2AA44-F49A-7FB1-BB8F-78CB5A909AD1} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {2C2D32FD-D528-613D-D0F4-614C09BAF473} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {50DA8761-D937-5566-D5AC-5F4022815671} - http://205.252.161.238/1/gdnUS1878.exe

O16 - DPF: {76706878-AD00-1E89-7F37-193A22418DBE} - http://205.252.161.238/1/gdnUS1878.exe

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -


Post a new HJT log
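The entries Byteman picks out above share traits that can be checked mechanically. The Python script below is an added example, not part of this thread, HijackThis or SmitfraudFix: it parses lines in the HijackThis log format and flags O16 downloads served from a bare IP, pointing at an .exe, or with no source URL, O21 SSODL loaders, unnamed BHOs/toolbars whose CLSID is not on an allowlist, and anything loading from a folder that already holds a flagged file. The sample lines and the one allowlisted CLSID (Spybot's SDHelper) are taken from the logs in this thread; the heuristics themselves are the author's assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 line format. The entries are copied
# from the logs posted in this thread: the ones Byteman asked to fix, plus
# benign Adobe, Dell, McAfee and Spybot entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {157D64CA-E110-4646-4375-5B1709E9A30C} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {21F2AA44-F49A-7FB1-BB8F-78CB5A909AD1} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - C:\WINDOWS\system32\nbbrhbd.dll
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# Already-identified legitimate CLSIDs; Spybot's SDHelper (from this thread) also reports as "(no name)".
KNOWN_GOOD_CLSIDS = {"{53707962-6F74-2D53-2644-206D7942484F}"}


@dataclass
class Entry:
    code: str     # HijackThis section, e.g. "O16"
    fields: list  # " - "-separated fields after the "Kind:" prefix
    raw: str

    @property
    def target(self):  # last field: the file path or download URL
        return self.fields[-1]

    @property
    def clsid(self):
        return next((f for f in self.fields if CLSID_RE.fullmatch(f)), "")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, sep, body = m.group("rest").partition(": ")
    if not sep:                      # R-lines carry no "Kind:" prefix
        body = m.group("rest")
    # Split on " - " separators; a trailing " -" marks an empty last field.
    fields = [f.strip() for f in re.split(r" -(?: |$)", body)]
    return Entry(m.group("code"), fields, line.strip())


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def _folder(path):  # lower-cased directory of a local path; '' for URLs/empty
    if not path or "://" in path or "\\" not in path:
        return ""
    return path.rsplit("\\", 1)[0].lower()


def triage(entries):
    """Return (raw_line, reason) pairs for entries a reviewer should examine."""
    reasons = {i: [] for i in range(len(entries))}
    url_uses = Counter(e.target for e in entries if e.code == "O16" and e.target)
    for i, e in enumerate(entries):
        if e.code == "O16":
            if not e.target:
                reasons[i].append("no source URL recorded for this download")
            else:
                url = urlparse(e.target)
                if IP_RE.fullmatch(url.hostname or ""):
                    reasons[i].append("fetched from a bare IP address")
                if url.path.lower().endswith(".exe"):
                    reasons[i].append("payload is an .exe rather than a .cab")
                if url_uses[e.target] > 1:
                    reasons[i].append(f"same URL registered under {url_uses[e.target]} CLSIDs")
        elif e.code == "O21":
            reasons[i].append("SSODL entry: DLL loads whenever Explorer starts, verify the file")
        elif e.code in ("O2", "O3") and e.fields[0] == "(no name)" and e.clsid not in KNOWN_GOOD_CLSIDS:
            reasons[i].append("unnamed BHO/toolbar with an unrecognised CLSID")
    # Second pass: anything else loading from a folder that already holds a flagged file.
    bad_dirs = {_folder(entries[i].target) for i, r in reasons.items() if r}
    bad_dirs = {d for d in bad_dirs if d and not d.startswith("c:\\windows")}
    for i, e in enumerate(entries):
        if e.code in ("O2", "O3") and not reasons[i] and _folder(e.target) in bad_dirs:
            reasons[i].append("loads from a folder that already holds a flagged file")
    return [(entries[i].raw, "; ".join(r)) for i, r in reasons.items() if r]


if __name__ == "__main__":
    for line, why in triage(parse_log(SAMPLE_LOG)):
        print(f"{why}\n    {line}")
```

The second pass is what catches the "Protection Bar" toolbar, which has a name and so passes the first-pass checks; every flag is a triage hint and still needs a human to check the CLSID and the file.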
 

Byteman

Hi,

Download ATFCleaner by Atribune & save it to your desktop. DO NOT use it yet. We will use it in Safe Mode, later.

As you probably know, deleting cookies can result in you having to type in your username and passwords at ALL sites that use logins, like this site does. So if you willy-nilly delete cookies, which is safe enough to do, you will have to re-establish these cookies and log in the first time you visit any site like that.

ATF Cleaner has a way to save those cookies you would like to keep but it will require some time. If you DO KNOW or have saved all your passwords etc you are good to go to delete all Cookies.


* Restart your computer into safe mode now. To get into the Windows 2000 / XP Safe mode, as the computer is booting press and hold your "F8 Key", which should bring up the "Windows Advanced Options Menu".
Use your arrow keys to move to "Safe Mode" and press your Enter key.

Next, start up ATFCleaner:

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Restart normally.




You need the newer version of SpyBot:

http://www.majorgeeks.com/SpyBot-Search_&_Destroy_Tools_d2471.html

The above is all you need to download, it has a built in web update feature.

Run Spybot and allow it to create a backup of your registry when prompted.
Do NOT elect the use of Tea Timer you have more than enough protective software now...
You DO want to use SDHelper for Internet Explorer.
Click on "Search for Updates". Choose the TDS (US) server using the little black drop-down arrow next to the server name; you can select various, in the US the TDS works well...
If any updates are found, place a check mark next to each one.
Click on "Download Updates".
Click on "Immunize" [When it detects what has or has not been blocked, block all remaining items].
Do this by clicking the green plus sign next to immunize at the top.
Click on "Check for Problems" and if any problems are found, click on "Fix Selected Problems".
Reboot your computer. SpyBot saves backups of all that is removed and they are restorable.
_ _ _ _ _ _ _

SpywareBlaster will prevent spyware from being installed and consumes no system resources.

More info and download is available at:

http://www.javacoolsoftware.com/spywareblaster.html *
 

elusionx32

Logfile of HijackThis v1.99.1
Scan saved at 11:32:30 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096438925734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, looks clean to me!


You need to update your Java plugin software; you are way behind... Older versions of Java are very vulnerable to a nasty
trojan called Vundo or Virtumonde, and you need to get the newest version installed now.

www.java.com

It will install online; it does take a while, and you cannot or should not do very much else while it is installing.

There is a place to get a separate download to install locally; yell if you want that one.

Next: we need to turn off System Restore, since it backs up malware as easily as good files and will
put back the same malware if and when you need to use one of your old Restore Points.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab. (If there is already a check in "Turn off System Restore...", it is off.)
Check Turn off System Restore.
Click Apply, and then click OK. Wait for the hourglass to stop and for it to say
"Turned Off".


Restart your computer, turn System Restore back on and create a restore point.
To turn System Restore back on, take the checkmark out of the box where you did.
Wait till you see "Monitoring" for your drives.


To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
 
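As an added example (not code from this thread, from HijackThis or from its authors): a small Python parser for the process list and the O2/O4/O16/O23 lines in a HijackThis 1.99.x log like the one posted above, with the checks a helper on this thread applies by eye: startup items and processes running from user-writable directories, an out-of-date JRE referenced from a BHO (the Java point made in the reply above), services with no publisher name, and O16 ActiveX controls downloaded from hosts outside an allowlist. The embedded sample log mixes lines copied from the posted log with three constructed entries (a svchosts.exe in Temp, the [xk3f9a] Run key, the hlpsvc service); the minimum JRE version of 1.6.0 and the allowlisted host are assumptions an analyst would set for their own environment, and nothing the script flags proves infection on its own.

```python
"""Parse a HijackThis 1.99.x log and flag entries worth a second look.

Added example for this thread, not code from the original posts or from
HijackThis. Regexes follow the line layouts visible in the posted log;
the JRE baseline and the O16 host allowlist are assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: real lines from the posted log plus three made-up
# entries (svchosts.exe under Temp, the [xk3f9a] Run key, the hlpsvc service).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:32:30 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\DOCUME~1\User\LOCALS~1\Temp\svchosts.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [xk3f9a] C:\Documents and Settings\User\Application Data\xk3f9a.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\system32\hlpsvc.exe
"""

RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RE_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_DPF = re.compile(r"^O16 - DPF: (?P<name>.*?) - (?P<url>https?://\S+)$")
# The "(short name)" part is optional: compare "Pml Driver HPZ12 - HP - ..." in the log.
RE_SVC = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.*?) - (?P<path>.+)$")
RE_JRE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.I)
# Directories a non-admin XP user can write to; startup items there deserve a look.
RE_USER_DIR = re.compile(
    r"\\(?:Temp|DOCUME~1|Documents and Settings|Application Data|Local Settings)\\", re.I)


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    bhos: list = field(default_factory=list)      # (name, clsid, path)
    runs: list = field(default_factory=list)      # (hive, key, name, cmd)
    dpfs: list = field(default_factory=list)      # (name, url)
    services: list = field(default_factory=list)  # (display, short, vendor, path)


def parse_log(text):
    """Split a HijackThis log into typed buckets; unknown line types are ignored."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # process list runs until the first blank line
            if not line:
                in_procs = False
            else:
                log.processes.append(line)
            continue
        for rx, bucket in ((RE_BHO, log.bhos), (RE_RUN, log.runs),
                           (RE_DPF, log.dpfs), (RE_SVC, log.services)):
            m = rx.match(line)
            if m:
                bucket.append(tuple(m.groups()))
                break
    return log


def audit(log, min_jre=(1, 6, 0, 0), dpf_allow=()):
    """Return (kind, detail) findings. min_jre is an assumed baseline (Java 6);
    dpf_allow is the analyst's set of hosts trusted to serve ActiveX controls."""
    findings = []
    for path in log.processes:                                   # 1. user-writable launch paths
        if RE_USER_DIR.search(path):
            findings.append(("user_writable_path", path))
    for hive, key, name, cmd in log.runs:
        if RE_USER_DIR.search(cmd):
            findings.append(("user_writable_path", f"{hive}\\..\\{key} [{name}] {cmd}"))
    seen = set()
    for _name, _clsid, path in log.bhos:                         # 2. outdated JRE loaded into IE
        m = RE_JRE.search(path)
        if m:
            ver = tuple(int(x) for x in m.groups())
            if ver < min_jre and ver not in seen:
                seen.add(ver)
                findings.append(("outdated_jre", ".".join(map(str, ver[:3])) + f"_{ver[3]:02d}"))
    for display, _short, vendor, path in log.services:           # 3. services with no publisher
        if vendor == "Unknown owner":
            findings.append(("unknown_service_owner", f"{display} - {path}"))
    for name, url in log.dpfs:                                   # 4. O16 controls from unknown hosts
        host = (urlparse(url).hostname or "").lower()
        if host not in dpf_allow:
            findings.append(("dpf_host_not_allowed", f"{host} ({name})"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_log(SAMPLE_LOG), dpf_allow={"support.dell.com"}):
        print(f"{kind:24} {detail}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file contents; the output is a triage list in the same order a helper reads the log (processes, O4, O2, O23, O16), not a verdict. Every real log will produce O16 hits until the allowlist reflects the hosts you actually trust, so tune that first.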