Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

I need help removing spyaxe and spyware strike

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

I need help removing spyaxe and spyware strike

Unread postby mwbsl » January 7th, 2006, 5:18 pm

I would appreciate any help that I can get removing spyaxe and spyware strike. I tried spybot, adaware, and system mechanic 6. Attached is my hijackthis report.

Logfile of HijackThis v1.99.1
Scan saved at 3:56:21 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hp6CA4.tmp
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [SystemGuardAlerter] C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/c ... /kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/c ... /et1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/c ... jst4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://ohclewras01.nationalcity.com/postauthI/epi.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families ... yTeleX.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://209.67.146.68/ePlayer/2_0/ACNePlayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
mwbsl
Active Member
 
Posts: 4
Joined: January 7th, 2006, 5:08 pm
Location: Ohio
Advertisement
Register to Remove

Unread postby ChrisRLG » January 7th, 2006, 5:40 pm

Welcome to MWR.

AS you can see spywarestrike is a new infection.

The experts are working on an automatic fix, also some are working on a tempary fix (till the auto one is available).

We will post back as soon as one of those fixes is available.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby amateur » January 7th, 2006, 6:03 pm

Hi mwbsl,

I am sorry you have this terrible pest. :( One of my gurus tried this fix and it seemed to have worked. If you would like, we can try it too.


Make sure that you can see hidden files

Click Start
" Open My Computer
" Select the Tools menu and click Folder Options
" Select the View Tab
" Under the Hidden files and folders heading select Show hidden files and folders
" Uncheck the Hide protected operating system files (recommended) option
" Click Yes to confirm
" Click OK

======================================

Please open a blank notepad (not a wordpad) and copy the bolded text below, just as it
appears, then paste it into the blank notepad.

dir %windir%\system32 /a:-d /o:-d >files.txt
cls
exit

Close it, saving it to the drive root (Local Disk C) as;

Filename: files.bat
Save As Type: All files
Double click the file to run it. It will create files.txt, also in C:

Please copy the information in that log for all files dated in the past 30 days here. They will be at the top of the list.
_________________
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby amateur » January 7th, 2006, 6:52 pm

Hi again,

The expert (many thanks) has come up with the latest fix for this. Please visit this site
whic has the fix complete with simple instructions and pictures to help remove SpyAxe/Spywarestrike from your computer.

http://malwareremoval.com/plog/index.ph ... 8&blogId=3

Follow the instructions in Nick's site, then scan once more with HijackThis and paste the log to this thread.

I'll be watching for your reply
Last edited by amateur on January 7th, 2006, 7:16 pm, edited 1 time in total.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby ChrisRLG » January 7th, 2006, 7:13 pm

The link to nicks post at his blog is this :-
http://malwareremoval.com/plog/index.ph ... 8&blogId=3
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby amateur » January 7th, 2006, 7:15 pm

Oh.... :oops: Thanks.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Thank you very much!

Unread postby mwbsl » January 7th, 2006, 11:53 pm

I followed the link to Nick's page, and this fix worked great. Thank you for the advice and the quick response!

Here is my new report:
Logfile of HijackThis v1.99.1
Scan saved at 10:46:35 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [SystemGuardAlerter] C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/c ... /kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/c ... /et1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/c ... jst4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://ohclewras01.nationalcity.com/postauthI/epi.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families ... yTeleX.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://209.67.146.68/ePlayer/2_0/ACNePlayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D09234AA-0C4D-4B93-B821-CCB309221B13}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
mwbsl
Active Member
 
Posts: 4
Joined: January 7th, 2006, 5:08 pm
Location: Ohio

Unread postby amateur » January 8th, 2006, 10:54 am

Hi mwbsl, :)

I am glad that it worked. :D Great. :D We'll continue with a little bit more clean up.

Please go to Start>Control>Add/Remove Programs and remove/delete AdwareAlert. It's a bogus program. Next, using Windows Explorer, navigate and delete the following folder in bold:

C:\Program Files\AdwareAlert

Then, please reboot in Safe Mode. You already know how to do that.
=============================================

Once in Safe Mode run HijackThis. Put a checkmark against the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx


Close all other windows, including control panel, etc, except HijackThis and click on "Fix checked".
=============================================
While still on Safe Mode, do a little clean up:

Click Start>>>Run
Type into the box: cleanmgr.exe
Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

Also in Safe Mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

==============================================

Reboot in Normal Mode.

==============================================

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

===============================================
Restart your computer one more time. Run HijackThis again.
===============================================
Post the Panda scan results and the new HijackThis log in your next reply
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Surprised to keep finding junk on my computer

Unread postby mwbsl » January 9th, 2006, 8:54 pm

Thank you again, and here are the new reports you requested:

:arrow:
Incident Status Location

Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\JoAnn Butler\Cookies\joann butler@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\JoAnn Butler\Cookies\joann butler@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\JoAnn Butler\Cookies\joann butler@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\JoAnn Butler\Cookies\joann butler@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\JoAnn Butler\Cookies\joann butler@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\JoAnn Butler\Cookies\joann butler@perf.overture[1].txt
Possible Virus. Not disinfected C:\Program Files\Canon\ZoomBrowser EX\Program\DatabaseManager.dll
Possible Virus. Not disinfected C:\Program Files\Common Files\aolshare\Coach\ACHtmfu.dll
Adware:Adware/SpywareStrike Not disinfected C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{4D470854-2D9A-486E-8EBE-15358B0F6E38}\{093E84AC-6ED9-445F-8038-CE920FED76E7}.tmp[{AB94A31B-F112-4021-B576-34054D5E021C}.tmp]
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{4D470854-2D9A-486E-8EBE-15358B0F6E38}\{09A28375-C138-436F-AA15-70F5B53C484C}.txt[{09A28375-C138-436F-AA15-70F5B53C484C}.txt]
Adware:Adware/SpyAxe Not disinfected C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{4D470854-2D9A-486E-8EBE-15358B0F6E38}\{2C18D4B6-BD54-428A-9391-F2FE2EBF4503}.tmp[{8E9CCA88-BDFA-4ECF-9F14-497E244573FE}.tmp]
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{4D470854-2D9A-486E-8EBE-15358B0F6E38}\{398161FE-0E69-4C3B-9433-EA153BC7ADB9}.txt[{398161FE-0E69-4C3B-9433-EA153BC7ADB9}.txt]
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{4D470854-2D9A-486E-8EBE-15358B0F6E38}\{758C6E13-9B82-49C3-8165-FC7689E3F1D7}.txt[{758C6E13-9B82-49C3-8165-FC7689E3F1D7}.txt]
Adware:Adware/SecurityError Not disinfected C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{4D470854-2D9A-486E-8EBE-15358B0F6E38}\{78EEAF23-223C-4A05-BFC7-2760361F3599}.tmp[{237F44C4-1B6A-451A-8CCD-799F345EA26B}.tmp]
Dialer:Dialer.FGG Not disinfected C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{9D771E9A-33B0-4400-BFBB-91C7C0BC6101}\{1CC772AF-6C8B-44A1-AED0-EEAA1984EBCF}.exe[{1CC772AF-6C8B-44A1-AED0-EEAA1984EBCF}.exe]
Dialer:Dialer.FGG

:arrow:
Logfile of HijackThis v1.99.1
Scan saved at 7:30:37 PM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/c ... /kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/c ... /et1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/c ... jst4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://ohclewras01.nationalcity.com/postauthI/epi.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families ... yTeleX.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://209.67.146.68/ePlayer/2_0/ACNePlayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
mwbsl
Active Member
 
Posts: 4
Joined: January 7th, 2006, 5:08 pm
Location: Ohio

Unread postby amateur » January 9th, 2006, 10:17 pm

Hi mwbsl, :)

Please go to Start>Control Panel>Add/Remove Programs and remove the program in bold, as it seems to be the source of your infection, unless they are showing in the back ups made by this program, which is a strong possibility. Then you may want to delete the back up or uninstall/reinstall the program.

iolo

Then using Windows explorer, navigate and delete the folder in bold:
C:\Program Files\iolo

======================================

Please download and update Ccleaner.

Click on Options, Select Advanced Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
Make sure the Cleaner block on the left is selected. (Do not use the "Issues" block) Choose the Windows tab.
Check everything EXCEPT cookies, the Autocomplete Form History and the Advanced part of the Menu.
Choose Run Cleaner. This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.

============================================

Please download the free Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:

  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Click Proceed.

3) To start the scan, Click > "Scan Now" at left

  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
4) When the scan has completed, select Next.

  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.


=========================================

Download, update and run Spybot

Spybot S & D

Remember to "immunize" after updating so that the latest definitions can be enabled.

a. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
b. Close ALL windows except Spybot S&D
c. Click the button to 'Search for Updates' then download and install the Updates.
d. Next click the button 'Check for Problems'
e. When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
f. Make sure that there is a check mark beside all of the RED entries ONLY.
g. Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows.

h. REBOOT to complete the scan and clear memory.

===========================================

Download and install Ewido Anti-Malware

During the installation, uncheck the following under Additional Options:
Install background guard
Install scan via context menu


Check for updates but do not run it yet.list]

===========================================
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

===========================================

Run Ewido.
Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close ewido security suite.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

===========================================

Restart your computer in Normal Mode and run Panda online scan again.

===========================================

Post a new HijackThis log, Ewido log and the result of the Panda onlin scan please.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

The saga continues

Unread postby mwbsl » January 15th, 2006, 11:12 am

Here are the reports you requested with the exception of the panda report. The panda scan did not find anything. I am guessing that this is good news.

:arrow:
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:45:17 AM, 1/15/2006
+ Report-Checksum: 300BC096

+ Scan result:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP521\A0043381.tlb -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP521\A0043398.tlb -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP522\A0043521.tlb -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP523\A0043535.tlb -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP523\A0043609.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0043642.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0043652.tlb -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0043689.tlb -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0043702.tlb -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0043720.tlb -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0043946.tlb -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0043953.exe -> Downloader.Zlob.dx : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0044086.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0044119.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0044159.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP526\A0044338.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP526\A0044346.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP526\A0044469.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP526\A0044495.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP526\A0044557.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP526\A0044642.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP526\A0044650.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0044679.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0044797.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0044878.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0044893.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0044922.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0044937.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528\A0044948.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528\A0044962.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528\A0045151.exe/{1CC772AF-6C8B-44A1-AED0-EEAA1984EBCF}.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528\A0045152.exe/{4F047732-F235-4590-89DE-665D52D0E532}.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528\A0045170.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP529\A0045174.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP529\A0045191.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP529\A0045380.exe/{1CC772AF-6C8B-44A1-AED0-EEAA1984EBCF}.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP529\A0045381.exe/{4F047732-F235-4590-89DE-665D52D0E532}.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045402.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045417.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045606.exe/{1CC772AF-6C8B-44A1-AED0-EEAA1984EBCF}.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045607.exe/{4F047732-F235-4590-89DE-665D52D0E532}.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045625.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045636.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045655.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045670.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045674.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045678.dll -> Not-A-Virus.Hoax.Win32.Renos.am : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045679.dll -> Downloader.SpyAxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045682.tlb -> Downloader.Zlob.dz : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045683.exe -> Downloader.Zlob.dw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045685.exe -> Downloader.Zlob.ef : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP530\A0045686.exe -> Downloader.Zlob.dy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP537\A0047300.exe/{1CC772AF-6C8B-44A1-AED0-EEAA1984EBCF}.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP537\A0047311.exe/{4F047732-F235-4590-89DE-665D52D0E532}.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup


::Report End

:arrow:
Logfile of HijackThis v1.99.1
Scan saved at 10:06:44 AM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/c ... /kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/c ... /et1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/c ... jst4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://ohclewras01.nationalcity.com/postauthI/epi.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families ... yTeleX.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://209.67.146.68/ePlayer/2_0/ACNePlayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
mwbsl
Active Member
 
Posts: 4
Joined: January 7th, 2006, 5:08 pm
Location: Ohio

Unread postby amateur » January 15th, 2006, 11:36 am

Hi mwbsl, :D

Welcome back! :D

The panda scan did not find anything. I am guessing that this is good news.

Yes, it's great news. :D What Ewido reports is in the System Restore which we'll take care of in a minute. Your log is clean too. :thumbright: You've done a great job. There is only one orphaned line which is basically a clutter. You can run HijackThis again and have it fixed. You are all set to go.

Scan with HijackThis. Close all other windows/applications except HijackThis and put a checkmark against the following entry:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=

Click "Fix checked".

Now that you are clean, or seem to be, please follow these simple steps in order to keep your computer clean and secure.

Disable and Enable System Restore If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point. Because Windows regularly sets restorepoints, it's very possible that the malware, you have removed, is still present in the System Restore. If you put Windows back to such a restorepoint, this malware will be put back, as well.

This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)
1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.

4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', click 'OK'.

Reboot normally.

You can also find instructions on how to disable and re enable system restore here:
Windows XP System Restore Guide

And that's all. But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items)

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
If you haven't got a antivirus, you can download and install one of the following free ones: Make sure that you have only ONE antivirus running on your computer as more than one would cause conflict and render the computer vulnerable.

AntiVir here
AVG Free here
Avast here

It is essential to keep the anti-virus program fully updated. New virus infections are being produced all the time, and unless the program downloads the latest 'definitions', it cannot protect you against the newer versions. If you want to check for updates manually I'd recommended doing so at least once a week. However, a better option is to set the program to download and install updates automatically every time you are connected to the Internet. The first time you use it, please set it to perform a full system scan.
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site <http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us> and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them allready):
AdAware here
Spybot here Remember to "immunize" after each update
Microsoft Antispyware here
Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here Remember to "enable all protection" after each update.
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Sygate here
Kerio Personal Firewall (Will be discontinued as from the end of 2005) here
Outposthere
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, f.e. Google Toolbar here: A popup-blocker prevents popup-windows from opening, when you come along a websites that uses them, during internet-surfing.

IE-SPYAD here: This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer.

SiteHound by Firetrust
here:

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
· Fraudulent claims or scams
· Offensive material
· Security vulnerabilities
· Spyware or Adware
· Spam related material
· or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

• Adult • Spyware • Spam Advertising • Phishing • Possible scam or fraud • Misleading or False Advertising
• Pharming • Rogue or Suspect Product • Adware • Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer thru Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You can not uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, There are some sites that are only accessable with Internet Explorer, fe. most of the Online Malware-scanners.

But above all, keep all your software UP-TO-DATE at all time!!

Also, I would recommend reading the excellent advice by Tony Klein: So how did I get infected in the first place

Happy and safe surfing. ;)
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby ChrisRLG » January 15th, 2006, 4:14 pm

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 61 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware