Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Newbie here - spyaxe problem!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Newbie here - spyaxe problem!

Unread postby Confused » December 12th, 2005, 5:54 pm

Hi all - I'm not a very computery person, so please have patience with me! :oops:
My computer has been infected by Spyaxe. I've tried Vundofix and smitRem, but they have no effect as far as I know. I'm using Windows XP if it's any help.
Thanks!
Confused
Active Member
 
Posts: 6
Joined: December 12th, 2005, 4:58 pm
Advertisement
Register to Remove

Unread postby LDTate » December 12th, 2005, 6:42 pm

Hello Confused, welcome to the forum.

There's a new version of HijackThis.

Please delete any HijackThis Folders and Files you have now.


Please download this self extracting file to your My Downloads folder or My Received Files (dependent on your Operating System):

Click this link.
http://www.forums.security-central.us/s ... .php?t=112

Click the "Save" button.

Navigate to My Documents>Chose My Downloads or My Received Files folder once inside that folder click "Save".

Now go to the folder you saved HijackThis_sfx.exe in.

Double click HijackThis_sfx.exe and select Unzip. When done click "OK".
Close the WinZip self Extractor window.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here [Submit].

Someone will help you.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby Confused » December 12th, 2005, 6:56 pm

Cheers LDTate! There's hope!

Logfile of HijackThis v1.99.1
Scan saved at 22:54:36, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\esbaoce.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Peter\My Documents\My Received Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.rapidial.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://results.cafefind.net/exact/rotat ... er_Movies/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.idealcomputing.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = rapidial Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp28E0.tmp
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\Run: [lnbyic] C:\WINDOWS\system32\esbaoce.exe r
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.rapidial.co.uk
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwe ... .0.0.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
Confused
Active Member
 
Posts: 6
Joined: December 12th, 2005, 4:58 pm

Unread postby LDTate » December 12th, 2005, 7:27 pm

I'm checking you log now.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby LDTate » December 12th, 2005, 7:41 pm

I suggest you print this out.

Download the following programs.

a.
Download Killbox
http://www.downloads.subratam.org/KillBox.exe"
and put it on your desktop

b.
Download System Security Suite http://www.igorshpak.net/software/3ssetup104.zip"
unzip and install it.

c.
Download Ewido security suite http://download.ewido.net/ewido-setup.exe"



1. After the download of Ewido is complete, double click on the file to launch the install process.
2. During installation under the Additonal Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
3. Once installation is complete, launch Ewido by double-clicking the big "E" icon on your desktop. The program will prompt you to update -- click the 'OK' button.
4. The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.
5. Close Ewido.

Next:

Reboot into Safemode:
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.

This can take a few minutes to get into Safe Mode.



use Add/Remove Programs and remove:
Windows AdTools
BullsEye Network
WebRebates4


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://results.cafefind.net/exact/rotat ... er_Movies/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.idealcomputing.co.uk/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = rapidial Internet Explorer

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp28E0.tmp

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"

O4 - HKLM\..\Run: [lnbyic] C:\WINDOWS\system32\esbaoce.exe r

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Close ALL windows and browsers except HijackThis and click "Fix checked"



Next:
Open System Security Suite
Set it up like http://www.forums.security-central.us/s ... .php?t=318"


Click the "Clear Selected Items" button and accept the reboot option (you will want to shut down all other programs before running System Security Suite so you will be ready to reboot).


Next:
Open Ewido

1. Click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'
2. Please make sure 'Scan Every File' is selected. Finally, please click 'OK'
3. On the main screen, please select 'Complete System Scan' and the scan should begin.
4. While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
5. When the scan is complete, click "Save Report". You scan results will be saved in a textfile. Please submit that with your next post.

If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and then follow the instructions from step #8 again.

Exclamation Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days (which is the reason we uncheck them during installation). You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan.

If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

Now close ewido security suite.

Next:
Then double-click on the killbox.exe program.


Start Killbox, Use standard file kill.(default settings).
Copy this whole list into the windows clipboard, all the Bolded below.

C:\WINDOWS\conscorr.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\system32\esbaoce.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\zeta.exe


Back in Killbox go > file > paste from clipboard, now click the red X
that looks like a stop sign, wait until a success message appears.
Repeat those same step's until each file has been deleted.



If your computer does not restart automatically, please restart it manually.

After Reboot, "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby Confused » December 13th, 2005, 2:01 pm

Hi again!
Thanks SO MUCH! :D :D :D No more Spyaxe. Unofrtunately, I still have adware and the right hand side of my browser is missing. Plus when I click on one of my favourites when
"The page you are looking for is blocked by the adware on your PC. Remove it with Spy Trooper software. CLICK HERE." scrolled along the top of a "The page cannot be displayed".

:( Oh well, the main problem is dealt with. Here are my 2 scan reports:




+ Created on: 16:42:32, 13/12/2005
+ Report-Checksum: 78A8CB52

+ Scan result:

HKLM\SOFTWARE\180solutions -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\ASDPLUGIN -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\ASDPLUGIN\restore -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\ASDPLUGIN\restore\DefaultInternet -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\ASDPLUGIN\restore\EnableAutodial -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\ASDPLUGIN\restore\InternetProfile -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\ASDPLUGIN\restore\Start Page -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Apuc.UrlCatcher -> Spyware.TinyBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Apuc.UrlCatcher\CLSID -> Spyware.TinyBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Apuc.UrlCatcher.1 -> Spyware.TinyBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{83DE62E0-5805-11D8-9B25-00E04C60FAF2} -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564EA119} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A42C0EF4-1C76-43CC-989F-EADC7E4B755D} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED14177} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\VX2.VX2Obj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\VX2.VX2Obj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\VX2.VX2Obj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\WinadX.Installer -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WinadX.Installer\CLSID -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WUSN.1 -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\eXactUtil -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Security -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Enum -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT -> Spyware.NaviSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Security -> Spyware.NaviSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Enum -> Spyware.NaviSearch : Cleaned with backup
HKU\S-1-5-21-1694720459-3292285946-2165517387-1006\Software\180solutions -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-1694720459-3292285946-2165517387-1006\Software\LocalNRD -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1694720459-3292285946-2165517387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30CE93AE-4987-483C-9ABE-F2BD5301AB70} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-1694720459-3292285946-2165517387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1694720459-3292285946-2165517387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2} -> Spyware.BlazeFind : Cleaned with backup
HKU\S-1-5-21-1694720459-3292285946-2165517387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B83FC273-3522-4CC6-92EC-75CC86678DA4} -> Spyware.CnsMin : Cleaned with backup
HKU\S-1-5-21-1694720459-3292285946-2165517387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1694720459-3292285946-2165517387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1694720459-3292285946-2165517387-1006\Software\Pynix -> Spyware.MediaMotor : Cleaned with backup
[1268] C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
[1408] C:\WINDOWS\system32\ioctrl.dll -> Adware.Spyaxe : Cleaned with backup
[1756] C:\WINDOWS\system32\srgyri.exe -> Trojan.Agent.cp : Cleaned with backup
C:\!KillBox\SpyAxe.exe -> Adware.Spyaxe : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@counter2.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@media.fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\8ISTU4EF\WinFixer2005ScannerInstall[1].exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\OP8RSBCV\dbaccess[1].exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Peter\My Documents\My Received Files\backups\backup-20051213-161724-359.dll -> Downloader.Zlob.co : Cleaned with backup
C:\Program Files\BTopenworld\btwebcontrol.dll -> Dialer.Generic : Cleaned with backup
C:\Program Files\BTopenworld ReInstall\btwebcontrol.dll -> Dialer.Generic : Cleaned with backup
C:\Program Files\BullsEye Network -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin\bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\ub.dat -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\Montorgueil\beurette_ejac.avi\beurette_ejac.avi.exe -> Dialer.Generic : Cleaned with backup
C:\Program Files\SpyAxe\SpyAxe.exe -> Adware.Spyaxe : Cleaned with backup
C:\Program Files\Winad Client\ClientCom.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\conscorr.exe -> Spyware.ConsCorr : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dbaccess.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\preInsln.exe -> Spyware.BiSpy : Cleaned with backup
C:\WINDOWS\satmat.exe -> Downloader.Stubby.d : Cleaned with backup
C:\WINDOWS\system32\angelex.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\WINDOWS\system32\dbaccess.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exdl0.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\hpF4D.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\instsrv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\ioctrl.dll -> Adware.Spyaxe : Cleaned with backup
C:\WINDOWS\system32\javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\msexreg.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/msexreg.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/system32/instsrv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\nvctrl.exe -> Downloader.Zlob.cs : Cleaned with backup
C:\WINDOWS\system32\polall1l.exe -> Downloader.Agent.ae : Cleaned with backup
C:\WINDOWS\system32\srgyri.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\trkgif.exe -> Spyware.Winpup32 : Cleaned with backup
C:\WINDOWS\UnstSA2.exe -> Dropper.Delf.z : Cleaned with backup
C:\WINDOWS\zeta.exe -> Spyware.BargainBuddy : Cleaned with backup


::Report End


2nd report:

+ Created on: 17:15:37, 13/12/2005
+ Report-Checksum: 8A14F610

+ Scan result:

[1268] C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Error during cleaning
[1408] C:\WINDOWS\system32\ioctrl.dll -> Adware.Spyaxe : Error during cleaning
[3696] C:\WINDOWS\system32\iuaalgp.exe -> Trojan.Agent.cp : Cleaned with backup
C:\!KillBox\nvctrl.exe -> Downloader.Zlob.cs : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\hp1702.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hp1BCA.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hp1F3F.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hp2385.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hp6114.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hp6952.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hp697.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hp717F.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hp79CC.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hp820A.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hpED4.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\hpF4D.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\iuaalgp.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\nvctrl.exe -> Downloader.Zlob.cs : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__ioctrl.dll -> Adware.Spyaxe : Cleaned with backup


::Report End



And my log:

Logfile of HijackThis v1.99.1
Scan saved at 18:00:58, on 13/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\fiwoqgh.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\System Security Suite 1.04\sss.exe
C:\Documents and Settings\Peter\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.rapidial.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpFD.tmp
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eltbrzl] C:\WINDOWS\system32\fiwoqgh.exe r
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.rapidial.co.uk
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Again, thanks a lot! :D

P.S. What (free) software should I dowload and install to prevent this from happening again?
Cheers!
Confused
Active Member
 
Posts: 6
Joined: December 12th, 2005, 4:58 pm

Unread postby LDTate » December 13th, 2005, 6:45 pm

I suggest you print this out.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050711214630636
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpFD.tmp

O4 - HKLM\..\Run: [eltbrzl] C:\WINDOWS\system32\fiwoqgh.exe r


Close all open windows except for HijackThis and click Fix Checked.


Delete these files if listed.
C:\WINDOWS\Nail.exe
C:\WINDOWS\system32\hpFD.tmp
C:\WINDOWS\system32\fiwoqgh.exe

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby Confused » December 14th, 2005, 7:08 pm

Argh!!! It's come back!!!!

Logfile of HijackThis v1.99.1
Scan saved at 17:23:13, on 14/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\giiaae.exe
C:\Documents and Settings\Peter\My Documents\My Received Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.rapidial.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.rapidial.co.uk
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:12:40, 14/12/2005
+ Report-Checksum: 8FE234A2

+ Scan result:

[808] C:\WINDOWS\system32\giiaae.exe -> Trojan.Agent.cp : Cleaned with backup
[1292] C:\WINDOWS\system32\ioctrl.dll -> Adware.Spyaxe : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@media.fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Peter\Cookies\peter@sel.as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\WINDOWS\system32\giiaae.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\hpFD.tmp -> Downloader.Zlob.co : Cleaned with backup
C:\WINDOWS\system32\ioctrl.dll -> Adware.Spyaxe : Cleaned with backup


::Report End

Grrrrrrrrrr! Who MAKES THIS SPYWARE!?!?!? SURELY ITS ILLEGAL!!!
Confused
Active Member
 
Posts: 6
Joined: December 12th, 2005, 4:58 pm

Unread postby LDTate » December 14th, 2005, 7:12 pm

Argh!!! It's come back!!!!
Hang in there. ;)

Can you reboot in Normal Mode and post a new HijackThis log please?
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby Confused » December 15th, 2005, 5:20 pm

Logfile of HijackThis v1.99.1
Scan saved at 21:18:48, on 15/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Peter\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.rapidial.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpFDE8.tmp
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.rapidial.co.uk
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks LDTate. Sorry for the late reply! :cry:
Confused
Active Member
 
Posts: 6
Joined: December 12th, 2005, 4:58 pm

Unread postby LDTate » December 15th, 2005, 5:29 pm

Download Pocket Killbox version 2.0.0.175
http://www.atribune.org/downloads/KillBox.exe
If you already have Killbox first ensure it is this version !.

Then double-click on the killbox.exe program.


Start Killbox and click on Tools->Delete Temp Files.
Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.


When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.

C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\hpFDE8.tmp


Return to Killbox, go to the File menu and select Paste from Clipboard.


Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually


"copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby Confused » December 15th, 2005, 6:21 pm

Ah, for each of them a message appears: "This file could not be deleted"...
Confused
Active Member
 
Posts: 6
Joined: December 12th, 2005, 4:58 pm

Unread postby LDTate » December 15th, 2005, 6:26 pm

We need to do this step again. Make sure you do this in Safe Mode.

Restart your computer in Safe Mode:

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.


Open the smitfraud folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. When the tool completes:


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpFDE8.tmp


Close ALL windows and browsers except HijackThis and click "Fix checked"



Delete these files if listed.
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe



Open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop



In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info" if present.

Empty recycle bin.

Reboot and "copy/paste" a new HijackThis log and the Ewido log.
Also please describe how your computer behaves at the moment.
User avatar
LDTate
WTT Teacher
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby NonSuch » December 29th, 2005, 4:14 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27221
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 51 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware