Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Spyware Infection Notice/Box

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Spyware Infection Notice/Box

Unread postby a. drongo » October 30th, 2005, 7:39 pm

I have a box every time the computer starts which says:

Spyware Infection ( in red)
Your system is infected with spyware. Windows recommends etc

I am fairly confident that I have got rid of the spyware but the box won't go away. Please help.
Al
a. drongo
Active Member
 
Posts: 4
Joined: October 30th, 2005, 7:01 pm
Location: England
Advertisement
Register to Remove

Unread postby Susan528 » October 30th, 2005, 9:40 pm

http://www.malwareremoval.com/forum/viewtopic.php?t=12

Please follow the instructions in the link above and post(reply) with a hijackthis log so we can better evaluate your situation.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Spyware Infection Notice/Box

Unread postby a. drongo » November 1st, 2005, 8:36 pm

Logfile of HijackThis v1.99.1
Scan saved at 00:20:35, on 02/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\PROGRA~1\eScan\MAILSCAN.EXE
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\PROGRA~1\eScan\kavss.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0686771139
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37390.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/ ... reQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CE92303-636E-4E80-90CF-966FAFC0A41F}: NameServer = 85.255.113.138,85.255.112.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B25FCBB-23B9-4578-BA96-0B63D034A8DF}: NameServer = 85.255.113.138 85.255.112.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A662DD6-0112-44B1-B00D-650048CAC098}: NameServer = 85.255.113.138,85.255.112.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{D47B5CB1-ECD9-4B56-96CA-4412B97E2066}: NameServer = 85.255.113.138,85.255.112.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CE92303-636E-4E80-90CF-966FAFC0A41F}: NameServer = 85.255.113.138,85.255.112.18
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CE92303-636E-4E80-90CF-966FAFC0A41F}: NameServer = 85.255.113.138,85.255.112.18
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
a. drongo
Active Member
 
Posts: 4
Joined: October 30th, 2005, 7:01 pm
Location: England

Unread postby Susan528 » November 1st, 2005, 10:11 pm

Hello and Welcome a. drongo,

I would like you to run some scans and post the results.
STEP 1.
======
Let’s check for Malware/Spyware on your computer which is best dealt with by spyware-removal programs used one after the other.

Spybot: Search and Destroy:

1.Download 'Spybot: Search And Destroy'.
2. Install it according to the instructions in 'How To Setup Spybot SD and Ad-Aware SE'.
3. Next, 'Search for Updates' as the definitions are not likely to be up-to-date.
4. Close ALL windows except Spybot SD
5. Click the "Check for Problems" button
6. Click 'Fix Selected Problems' and fix only the RED items.
7. REBOOT to finish removing what Spybot SD found and clear memory


Ad-Aware SE by Lavasoft:

1. Download 'Ad-Aware SE'.
2. Install according to the instructions in "How To Setup Spybot SD and Ad-Aware SE"
3. Next, 'Check for Updates' by clicking on the 'world globe' second from the right at the top of your Ad-Aware SE window.
4. Install the updates.
5. Close ALL windows except Ad-Aware SE
6. Click on 'Start' and choose 'full scan' for a full scan.
7. Quarantine anything that it finds and SAVE the log file.
8.REBOOT to finish removing what Ad-Aware SE found and clear memory.

Please let me know if anything can not be cleaned by these utilities.
STEP 2.
======
Download Ewido
  1. Download and install Ewido Security Suite It is a free trial version of the program.
  2. Install ewido security suite
  3. Launch ewido, there should be an icon on your desktop double-click it.
  4. The program will now go to the main screen
STEP 3.
======
Update Ewido
You will need to update ewido to the latest definition files.
  1. On the left hand side of the main screen click update
  2. Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use Ewido manual updates

STEP 4.
======
Ewido Scan
Once the updates are installed do the following:
  1. Click on scanner
  2. Click on Complete System Scan and the scan will begin.
  3. NOTE: During some scans with ewido it is finding cases of false positives.**
    o You will need to step through the process of cleaning files one-by-one.
    o If ewido detects a file you KNOW to be legitimate, select none as the action.
    o DO NOT select "Perform action on all infections"
    o If you are unsure of any entry found select none for now.
  4. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  5. Click Save report.
  6. Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


Scan again with HijackThis

Please POST
  • a New HijackThis log
  • the results from the Ewido log

in this thread using 'Add Reply'.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby a. drongo » November 2nd, 2005, 7:20 pm

Hello,

Just to let you know that this horrible box was no longer there when I turned on my computer 10 minutes ago. What a relief!
I followed all your instructions and now have more anti-spyware/ virus programs than anything else. I don't know which one did the trick but the main thing is that it's gone.
I am immensely grateful for all the good advice given. Many thanks.

A. Drongo
a. drongo
Active Member
 
Posts: 4
Joined: October 30th, 2005, 7:01 pm
Location: England

Unread postby Susan528 » November 2nd, 2005, 8:35 pm

Hello A. Drongo,

Glad everything is better! Please post another hijackthis log though. I do want to double-check a couple of entries. Please post the ewido log. I would like to make sure that everything was cleaned.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby a. drongo » November 3rd, 2005, 3:56 am

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:33:12, 02/11/2005
+ Report-Checksum: BF096226

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjliskcjmkp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjlocndpokp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wjlyqgcjwho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Droog\Cookies\droog@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Droog\Cookies\droog@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Droog\Cookies\droog@e-2dj6wflismazclq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Droog\Cookies\droog@e-2dj6wjk4wldpmgp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Droog\Cookies\droog@e-2dj6wjlyegdpcep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Droog\Cookies\droog@e-2dj6wjmialajifq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Droog\Cookies\droog@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Droog\Cookies\droog@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Droog\Cookies\droog@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Droog\Local Settings\Temp\Cookies\droog@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Droog\Local Settings\Temp\Cookies\droog@downloads-zdnet.com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Droog\Local Settings\Temp\Cookies\droog@e-2dj6wfk4sod5who.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Droog\Local Settings\Temp\Cookies\droog@e-2dj6wjk4ohd5eho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Program Files\eScan\scaninst.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base001.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base002.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur000.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur001.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur002.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur003.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\WINDOWS\system32\csdti.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\hlkdo.exe -> TrojanDownloader.Agent.tc : Cleaned with backup
C:\WINDOWS\system32\ncaho.exe -> TrojanDownloader.Agent.tc : Cleaned with backup
C:\WINDOWS\system32\TFTP2728 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\zjojf.exe -> TrojanDownloader.Agent.tc : Cleaned with backup


::Report End
a. drongo
Active Member
 
Posts: 4
Joined: October 30th, 2005, 7:01 pm
Location: England

Unread postby Susan528 » November 3rd, 2005, 9:50 am

Thank you! I would like to see your hijackthis log please. Is SpyBot finding any entries too? If so, please post that too.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby NonSuch » November 16th, 2005, 8:15 pm

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 486 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware