Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

I have definately got hidden malware/spyware says BT

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

I have definately got hidden malware/spyware says BT

Unread postby The_Banshee » May 22nd, 2005, 10:57 am

Hya,

After recently finding out that my pc was only running at 7% of its average speed and contacting BT, their conclusion is that there is a heck of a lot of spyware, etc, hidden in my system, even though I regularly use Spybot, Adaware, and various other cleaners etc. I did get the speed up to around 42% but, today, it has slowed right back down to 7% again.

I have used MWAV scanner in safe mode and then used Spybot and Adaware and then CCleaner while still in safe mode and MWAV scanner found 80 viruses - 14 were cleaned or removed automatically by the programme but 66 are floating around - or so I thought - I ran the scan a second time and this time there were only 15 riskware/spyware files found.
The thing is, what happened to the rest of them? Now, I did the first scan without turning system restore off and the second with it off!

I am now at a loss as to what to do now as my usual pc cleaners are not picking up any and saying I have a clean machine, but judging by the MWAV scan and the pc moving as fast as a slug I would say that I have a few beasties hidden still. Could someone please, please look at my hjt log or suggest any other things I could be doing.

Thanks in advance,

The Banshee
ogfile of HijackThis v1.99.0
Scan saved at 15:49:52, on 5/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BearShare\BearShare.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{88402CC6-9D8A-49D4-9FAB-21A37294A6B3}: NameServer = 194.72.9.38 194.74.65.68
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
The_Banshee
Active Member
 
Posts: 1
Joined: May 20th, 2005, 7:59 pm
Advertisement
Register to Remove

Unread postby askey127 » May 22nd, 2005, 3:21 pm

Hi Banshee,

Welcome to MalwareRemoval!
I will be researching your log and get back to you.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby askey127 » May 22nd, 2005, 8:48 pm

Hi Banshee,

The main problem with your machine is probably centered around Bearshare. It is known to carry and download spyware.
Let's remove it and take a few other precautions, then recheck.

===========================================================
Run an Online scan. Go tohttp://www.trendmicro.com and click Free Online Scan. Click Scan now, it's free.
It'll take a few minutes to download, especially with a dialup connection, so be patient. When it's done, select all available drives. Check Auto Clean, and Scan.
When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them along with your next log.

===========================================================
Uninstall Bearshare
Click the Start button, and select Control Panel.
Click the Add or Remove Programs link.
From the Currently Installed Programs list, select Bearshare
Choose Change/Remove
Follow the on-screen instructions.
If you get an error saying that an instance of the program you want to remove is in use:

Press Ctrl+Alt+Del.
Click the Task Manager button.
Select the Applications tab.
Select the program you are want to remove.
Click the End Task button.

If you get a message that the program is not responding, click the End Task button.
Close the Windows Task Manager window.

If the Remove Shared File window opens, click the No to All button.
===========================================================
Bearshare folder deletion.
In Windows Explorer, find (F3) and delete this folder, if present:
C:\Program Files\Bearshare
You may have to delete all the underlying files and folders before the target folder can be deleted.
===========================================================
Run CCleaner. Choose the Windows tab. Check everything EXCEPT be sure the Advanced part of the menu is all Unchecked. Choose Analyze. Let the Analyze portion finish. In heavily junk-laden older machines it could take up to 15 minutes. Then choose Run Cleaner. When cleaning is finished, click Exit.
===========================================================
Post a new log.
Download the latest version of HiJackThis
Reboot your computer.
Start HijackThis.
If the opening screen shows, choose None of the above, just start the program.
Click Do System Scan and Save Log. When the Scan is complete, paste the log contents in a reply.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Nick-YF19 » June 3rd, 2005, 1:52 am

While we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 22 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware