
Spyware Removal

Discussion in 'Virus & Other Malware Removal' started by elusionx32, Jan 21, 2007.

Thread Status:
Not open for further replies.
  1. elusionx32

    elusionx32 Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    16
    Hello,
    I recently tried to download ActiveX and instead downloaded major spyware. I ran Ad-Aware and Spybot and removed everything that those programs found. There are still many pop-ups appearing on my computer. Here is my HijackThis log entry; please tell me what I need to do to return my computer back to normal, thanks a lot!

    Logfile of HijackThis v1.99.1
    Scan saved at 1:13:33 PM, on 1/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Video ActiveX Object\isamonitor.exe
    C:\Program Files\Video ActiveX Object\pmsngr.exe
    C:\Program Files\Video ActiveX Object\isamini.exe
    C:\Program Files\Video ActiveX Object\pmmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {157D64CA-E110-4646-4375-5B1709E9A30C} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {21F2AA44-F49A-7FB1-BB8F-78CB5A909AD1} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {2C2D32FD-D528-613D-D0F4-614C09BAF473} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {50DA8761-D937-5566-D5AC-5F4022815671} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096438925734
    O16 - DPF: {76706878-AD00-1E89-7F37-193A22418DBE} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - C:\WINDOWS\system32\nbbrhbd.dll
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
     
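The log above is in the plain-text HijackThis format that the helpers in this thread read by eye. As an added example (not part of the original post, and not HijackThis code), the Python script below parses the O2/O3/O16/O21 line types and flags the same kinds of entries Byteman later asks to be fixed: O16 downloads served from a bare IP address or pointing at an .exe, O16 entries left with no URL, an O21 SharedTaskScheduler DLL, and unnamed browser add-ons whose folder also hosts a running process. The sample log is constructed from the entries posted here; the rules are illustrative triage heuristics, not a signature database.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 log format. The entries mirror the
# ones posted in this thread; it is not a real captured log.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Video ActiveX Object\isamonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {157D64CA-E110-4646-4375-5B1709E9A30C} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - C:\WINDOWS\system32\nbbrhbd.dll
"""

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def win_dirname(path):
    """Parent folder of a Windows path, lower-cased so paths compare equal."""
    return path.rsplit("\\", 1)[0].lower()

def parse_entry(etype, body):
    """Split one 'Oxx - ...' body into the fields the rules below need."""
    entry = {"type": etype, "line": etype + " - " + body}
    if etype == "O16":
        # "DPF: {CLSID} (Name) - URL"; a removed control leaves a bare trailing "-"
        entry["url"] = body.rpartition(" - ")[2] if " - " in body else ""
    elif etype in ("O2", "O3", "O21"):
        # "<kind>: <name> - {CLSID} - <dll path>"
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3:
            entry["name"] = parts[0].split(": ", 1)[-1]
            entry["clsid"], entry["path"] = parts[1], parts[2]
    return entry

def parse_log(text):
    """Return (running process paths, parsed O/R entries) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_procs = False        # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(parse_entry(m.group("type"), m.group("body")))
    return processes, entries

def check_dpf(url):
    """Reasons an O16 (Downloaded Program File) entry deserves a look."""
    if not url:
        return ["no source URL recorded (control removed or source hidden)"]
    parsed, reasons = urlparse(url), []
    if IPV4_RE.match(parsed.hostname or ""):
        reasons.append("served from a bare IP address instead of a vendor hostname")
    if parsed.path.lower().endswith(".exe"):
        reasons.append("points at an .exe rather than a .cab package")
    return reasons

def triage(text):
    """Map each HijackThis line worth a helper's attention to its reasons."""
    processes, entries = parse_log(text)
    proc_dirs = defaultdict(list)
    for p in processes:
        proc_dirs[win_dirname(p)].append(p.rsplit("\\", 1)[-1])
    findings = {}
    for e in entries:
        reasons = []
        if e["type"] == "O16":
            reasons = check_dpf(e["url"])
        elif e["type"] == "O21" and "path" in e:
            # SharedTaskScheduler DLLs load into Explorer at every logon;
            # legitimate software almost never registers here.
            reasons = ["SSODL logon autostart loading " + e["path"]]
        elif e["type"] in ("O2", "O3") and e.get("name") == "(no name)":
            reasons = ["browser add-on registered without a name"]
            running = proc_dirs.get(win_dirname(e["path"]))
            if running:
                reasons.append("its folder also hosts running process(es): "
                               + ", ".join(running))
        if reasons:
            findings[e["line"]] = reasons
    # Second pass: an add-on sharing a folder with a flagged add-on belongs to
    # the same install (here the 'Protection Bar' toolbar beside isaddon.dll).
    addons = [e for e in entries if e["type"] in ("O2", "O3") and "path" in e]
    hot = {win_dirname(e["path"]) for e in addons if e["line"] in findings}
    for e in addons:
        if e["line"] not in findings and win_dirname(e["path"]) in hot:
            findings[e["line"]] = ["shares a folder with a flagged browser add-on"]
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "\n    -> " + "\n    -> ".join(reasons))
```

Run against the constructed sample it flags the two unnamed BHOs, the toolbar in the same folder, the two IP-hosted and orphaned O16 entries, and the SSODL DLL, while the Adobe BHO and the McAfee .cab pass untouched.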
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm


    Also, please post this from Hijackthis:

    On the first window of HijackThis you may see "Config"; use that, then hit the Misc Tools button, then Open Uninstall Manager, Save List, and copy and paste the entire list of software into your next reply.
     
  3. elusionx32

    elusionx32 Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    16
    Hi,
    I did everything you requested but pop-ups still appear. Here are those 2 logs you needed, thanks again!!!

    SmitFraudFix v2.133

    Scan done at 21:03:03.01, Sun 01/21/2007
    Run from C:\Documents and Settings\Chris\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"

    [HKEY_CLASSES_ROOT\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
    @="C:\WINDOWS\system32\nbbrhbd.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
    @="C:\WINDOWS\system32\nbbrhbd.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\nbbrhbd.dll -> Hoax.Win32.Renos.gen.i
    C:\WINDOWS\system32\nbbrhbd.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\DOCUME~1\Chris\FAVORI~1\Online Security Test.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
    C:\Program Files\Video ActiveX Object\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    HIJACK PROGRAM LIST:
    µTorrent
    Ad-Aware SE Professional
    Adobe Reader 7.0.8
    AOL Instant Messenger
    AVI/MPEG/RM/WMV Joiner 4.11
    BCM V.92 56K Modem
    Bejeweled 2 Deluxe
    BitTorrent 4.0.4
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DS for ZoomBrowser EX
    Canon Camera Window MC 5 for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities PhotoStitch 3.1
    Canon ZoomBrowser EX
    CCleaner (remove only)
    Corel Paint Shop Pro X
    Dell Digital Jukebox Driver
    Dell ResourceCD
    Dell Support 5.0.0 (766)
    DS21Patch
    DVDSentry
    ewido security suite
    Hijackthis 1.99.1
    HijackThis 1.99.1
    Hotfix for Windows XP (KB926239)
    HP Memories Disc
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    Internet Explorer Default Page
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2
    jetAudio VX for X5
    LimeWire PRO 4.12.3
    Logitech SetPoint
    Macromedia Flash Player 8
    Malware-Wiped 5.2
    Microsoft .NET Framework 1.1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Office XP Professional with FrontPage
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Modem Helper
    Mozilla Firefox (1.5.0.5)
    Musicmatch® Jukebox
    NVIDIA Display Driver
    NVIDIA Windows 2000/XP Display Drivers
    OpenMG Secure Module 4.6.01
    PowerDVD
    PowerQuest PartitionMagic 8.0
    QuickTime
    RealPlayer
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Shockwave
    Sonic DLA
    Sonic RecordNow!
    Sound Blaster Live!
    Spybot - Search & Destroy 1.3
    Spyware Doctor 3.2
    System Alert Popup
    Tweak-SE plug-in for Ad-Aware SE
    überOptions 2.30
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB910437)
    VideoLAN VLC media player 0.8.5
    Viewpoint Media Player
    Winamp (remove only)
    WinAVIVideoConverter
    Windows Backup Utility
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2
    WinRAR archiver
    WinZip
    WordPerfect Office 11
    XP Codec Pack
    Yahoo! Photos Easy Upload Tool 1v6
    ZoneAlarm Security Suite
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Yes, they may until we get it all fixed!


    Uninstall this old version of Spybot (Spybot - Search & Destroy 1.3); we will get a new one...


    This program, ewido security suite, has been discontinued and replaced with AVG Anti-Spyware...

    I suggest uninstalling Ewido (unless it is the paid-for version; you may want to keep it, but set it not to start when Windows does and disable the background protections)...


    Open Ewido by double-clicking the yellow 'E' icon in the system tray.
    In the 'Your security status' section, toggle the Ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
    When you reboot, Ewido will prompt you as to whether you would like to "Restart the guard?".
    Reply 'no' and set it to 'inactive' for the duration of your cleanup.

    You can turn it back on, but you would need to de-activate AVG Anti-Spyware; only one can run at a time due to conflicts.


    Then install AVG Anti-Spyware exactly as shown! Save the directions to a Notepad text file as steps.txt on your desktop so you have them while working in Safe Mode, when you will not be able to come here and read them... an alternative is to print it all out if you wish...

    Download AVG Anti-Spyware from HERE and save that file to your desktop.

    When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
    2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
    4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
    1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG will now begin the scanning process. Please be patient as this may take a little time.
      Once the scan is complete, do the following:
    5. If you have any infections you will be prompted. Then select "Apply all actions."
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
     
  5. elusionx32

    elusionx32 Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    16
    Hello,
    Here is the active scan report, thanks for the help:


    Incident Status Location

    Adware:Adware/Malwarewipe Not disinfected C:\Program Files\Malware-Wiped\Malware-Wiped.exe
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-4933.txt[.atwola.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-4942.txt[.apmebf.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5065.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5067.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5074.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5075.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5083.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5084.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5085.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5086.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5087.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5094.txt[.go.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5095.txt[.go.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5113.txt[.apmebf.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5114.txt[.apmebf.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5115.txt[.apmebf.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5116.txt[.apmebf.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5117.txt[.apmebf.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5118.txt[.apmebf.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5146.txt[.apmebf.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5147.txt[.apmebf.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5148.txt[.apmebf.com/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies.txt[.adultfriendfinder.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies.txt[.go.com/]
    Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Chris\Cookies\[email protected][1].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Desktop\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Chris\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, From your Add/Remove Programs in the Control panel, Uninstall

    *System Pop Up Alert

    *Malware-Wiped <these uninstallers might not do anything, it's OK>

    I will wait for the rest of the logs, please do not rush, do what you have to do and get back when you are free.
    Run AVG A/S and make sure you follow the directions well; print out or save the steps you are to do in Safe Mode.

    Post that log and a new Hijackthis log when ready.
     
  7. elusionx32

    elusionx32 Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    16
    Hi,
    I believe I was able to remove/uninstall those 2 programs (System Pop Up Alert, Malware-Wiped). I also ran the AVG scan yesterday, but first here's the HijackThis log. Thanks again:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:39:42 PM, on 1/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {157D64CA-E110-4646-4375-5B1709E9A30C} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {21F2AA44-F49A-7FB1-BB8F-78CB5A909AD1} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {2C2D32FD-D528-613D-D0F4-614C09BAF473} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {50DA8761-D937-5566-D5AC-5F4022815671} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096438925734
    O16 - DPF: {76706878-AD00-1E89-7F37-193A22418DBE} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
     
  8. elusionx32

    elusionx32 Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    16
    The AVG log is too big to post, so I will just post the first few lines. The rest of the scan shows all of the cookies deleted:


    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:49:33 PM 1/22/2007

    + Scan result:



    HKU\S-1-5-21-1811519581-696825478-127749295-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1811519581-696825478-127749295-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
    C:\Program Files\Malware-Wiped\Malware-Wiped.url -> Adware.MalwareWiped : Cleaned with backup (quarantined).
    :mozilla.100:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-4942.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.100:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5143.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.100:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\wi26xqzk.default\cookies-5144.txt -> TrackingCookie.2o7 : Cleaned.
     
  9. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, as long as the AVG scan showed just cookies in the rest of that report, OK, I trust you.


    Run HijackThis, and in your scan window put checks next to EACH of these items from my list below. Make sure you have them all when you do; you must have ALL other windows (browsers, emails, IMs, including THIS window) closed, then click the "Fix Checked" button.

    O16 - DPF: {157D64CA-E110-4646-4375-5B1709E9A30C} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {21F2AA44-F49A-7FB1-BB8F-78CB5A909AD1} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {2C2D32FD-D528-613D-D0F4-614C09BAF473} - http://205.252.161.238/1/gdnUS1878.exe
    O16 - DPF: {50DA8761-D937-5566-D5AC-5F4022815671} - http://205.252.161.238/1/gdnUS1878.exe

    O16 - DPF: {76706878-AD00-1E89-7F37-193A22418DBE} - http://205.252.161.238/1/gdnUS1878.exe

    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -


    Post a new HJT log
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,

    Download ATFCleaner by Atribune & save it to your desktop. DO NOT use it yet. We will use it in Safe Mode, later.

    As you probably know, deleting cookies can result in you having to type in your username and passwords at ALL sites that use logins, like this site does, so if you willy-nilly delete cookies, which is safe enough to do, you will have to re-establish these cookies and log in the first time you visit any site like that.

    ATF Cleaner has a way to save those cookies you would like to keep but it will require some time. If you DO KNOW or have saved all your passwords etc you are good to go to delete all Cookies.


    * Restart your computer into safe mode now. To get into the Windows 2000 / XP Safe mode, as the computer is booting press and hold your "F8 Key", which should bring up the "Windows Advanced Options Menu".
    Use your arrow keys to move to "Safe Mode" and press your Enter key.

    Next, start up ATFCleaner:

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Restart normally.




    You need the newer version of SpyBot:

    http://www.majorgeeks.com/SpyBot-Search_&_Destroy_Tools_d2471.html

    The above is all you need to download, it has a built in web update feature.

    Run Spybot and allow it to create a backup of your registry when prompted.
    Do NOT elect the use of Tea Timer you have more than enough protective software now...
    You DO want to use SDHelper for Internet Explorer.
    Click on "Search for Updates". Choose the TDS (US) server using the little black drop-down arrow next to the server name; you can select various, in the US the TDS works well...
    If any updates are found, place a check mark next to each one.
    Click on "Download Updates".
    Click on "Immunize" [When it detects what has or has not been blocked, block all remaining items].
    Do this by clicking the green plus sign next to immunize at the top.
    Click on "Check for Problems" and if any problems are found, click on "Fix Selected Problems".
    Reboot your computer. SpyBot saves backups of all that is removed and they are restorable.
    _ _ _ _ _ _ _

    SpywareBlaster will prevent spyware from being installed and consumes no system resources.

    More info and download is available at:

    http://www.javacoolsoftware.com/spywareblaster.html
     
  11. elusionx32

    elusionx32 Thread Starter

    Joined:
    Jan 21, 2007
    Messages:
    16
    Logfile of HijackThis v1.99.1
    Scan saved at 11:32:30 PM, on 1/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096438925734
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
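    As an added example that is not part of this thread, here is a small Python check that applies the reasoning behind the O16 entries Byteman told elusionx32 to fix in post 9, run over O16 lines copied from the two logs above: an entry with no source URL, or one served from a bare IP address as a .exe, is flagged, while the vendor .cab entries in this later log pass. The heuristics, the regex and the Finding class are my own, not HijackThis output.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# HijackThis "O16 - DPF" lines list ActiveX controls under Downloaded Program
# Files: a CLSID (or bare name), an optional friendly name, and the source URL.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\S+)(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)\s*$"
)

# Constructed sample: O16 lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O16 - DPF: {157D64CA-E110-4646-4375-5B1709E9A30C} - http://205.252.161.238/1/gdnUS1878.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} -
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
"""

@dataclass
class Finding:
    clsid: str
    url: str
    reasons: list = field(default_factory=list)  # empty means nothing looked off

def review_o16(log_text: str) -> list:
    # Parse every O16 line and attach the reasons an analyst would question it.
    findings = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # R0/O2/O4/O23 entries are out of scope for this check
        url = m.group("url")
        f = Finding(m.group("clsid"), url)
        if not url:
            f.reasons.append("no source URL: orphaned control, nothing legitimate depends on it")
        else:
            parsed = urlparse(url)
            try:
                ipaddress.ip_address(parsed.hostname or "")
                f.reasons.append("served from a bare IP address instead of a vendor hostname")
            except ValueError:
                pass  # a normal hostname, not an IP literal
            if parsed.path.lower().endswith(".exe"):
                f.reasons.append("downloads a .exe; ActiveX installs normally ship as .cab/.ocx")
        findings.append(f)
    return findings

def suspicious(log_text: str) -> list:
    # Only the entries with at least one reason, i.e. candidates for "Fix Checked".
    return [f for f in review_o16(log_text) if f.reasons]
```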
     
  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, looks clean to me!


    You need to update your Java plugin software, you are way behind... older versions of Java are very vulnerable to a nasty trojan called Vundo or Virtumonde, and you need to get the newest version installed now.

    www.java.com

    It will install online, it does take awhile and you cannot or should not do very much else while it is installing.

    There is a place to get a separate download to install locally yell if you want that one.

    Next: We need to turn off System Restore, since it will back up malware as easily as good files and will put back the same malware if and when you needed to use one of your old Restore Points.

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab. (If there is a check in "Turn Off System Restore....", it is Off.)
    Check Turn off System Restore.
    Click Apply, and then click OK. Wait for the hourglass to stop and it says "Turned Off".


    Restart your computer, turn System Restore back on and create a restore point.
    To turn System Restore back on, take the checkmark out of the box where you did.
    Wait till you see "Monitoring" for your drives.


    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
     
Short URL to this thread: https://techguy.org/537158