Trouble with some spyware

Discussion in 'Computers' started by Steve_Tk, Sep 4, 2006.

  1. Steve_Tk

    Steve_Tk Cinematographer

    Joined:
    Apr 30, 2002
    Messages:
    2,833
    Likes Received:
    1
    A while back I reformatted my entire hard drive, but forgot to load my firewall on my computer. So I was only using windows firewall, guess that was my first mistake.

    My girlfriend went to some site to look up lyrics to a song and all hell broke loose. Something changed my home page, I had strange icons on my task bar, my computer would take FOREVER to start up.

    It seems everything has been removed, and whatever programs were put into the C drive, except one thing. When browsing webpages I'll get a random pop up window every 10-15 minutes with some advertisement. It's not coming from web sites I'm looking at either. I know HTF, discover, and wachovia do not have advertisement pop ups.

    Any ideas? I'm thinking of just reformatting again.
     
  2. Alon Goldberg

    Alon Goldberg Screenwriter

    Joined:
    Jul 10, 2006
    Messages:
    1,131
    Likes Received:
    0
    Hi Steve - follow these steps:

    1. Run Microsoft Update and ensure all Windows and Office updates are installed: http://update.microsoft.com/
    2. Install Ad-Aware: http://www.lavasoftusa.com/software/adaware/
    3. Install Spybot S&D: http://www.safer-networking.org/en/download/index.html
    4. Install Windows Defender: http://www.microsoft.com/athome/secu...e/default.mspx
    5. Install the latest version of Java: http://www.java.com/
    6. Ensure your Anti Virus protection is up to date. Suggest installing AVG: http://free.grisoft.com/
    7. Ensure your Windows Firewall is enabled, and ensure you have a hardware firewall (for instance a wireless router)

    And last but not least... stop using IE. Firefox is a far superior browser: http://www.mozilla.com/firefox/
     
  3. Cees Alons

    Cees Alons Moderator
    Moderator

    Joined:
    Jul 31, 1997
    Messages:
    19,315
    Likes Received:
    289
    Real Name:
    Cees Alons
    Steve,

    I use Webroot SpySweeper. You could give it a try. I believe you'll have a free period for some time first. Another option is Lavasoft Ad-aware (see previous post), but I haven't used that one for a while.

    SpySweeper is good, I took a subscription.
    But the core-resident version of the latest release (V 5) takes a lot of core and "steals" the CPU for two or three seconds every two minutes (or so). I don't like that behaviour.
    But it really works great! You should try one of these, IMO, before formatting your HD.


    Cees
     
  4. ThomasC

    ThomasC Lead Actor

    Joined:
    Dec 15, 2001
    Messages:
    6,526
    Likes Received:
    0
    As far as I know, Windows Firewall is pretty good at what it does. Your girlfriend might have accidentally clicked on something that installed the spyware.
     
  5. Robert_Gaither

    Robert_Gaither Screenwriter

    Joined:
    Mar 12, 2002
    Messages:
    1,370
    Likes Received:
    0


    Wow looks like most of the short list that I have on my computer but I also use the following:

    Noadware to knock out those sites that like to hijack the homepage. http://www.noadware.net/?hop=boost4

    AVG is resource friendly but the free one is not a continuous scan product. I recommend Avast mostly, though this is resource hungry (you will notice this will slow down your computer), but to me the security it provides, if it's an only computer that does online transactions, is a must. http://www.free-program-download.com/avast/
     
  6. Greg*go

    Greg*go Supporting Actor

    Joined:
    Jun 14, 2002
    Messages:
    941
    Likes Received:
    0
    Ewido is another anti-spyware option that offers a free version.

    http://www.ewido.net/en/

    You can run a scan with the free version, but the resident scanner is only with the pay for version.

    I myself don't run any adware programs on my desktop. I'll occasionally do a scan with one of the programs mentioned above (all are good options) and never find anything. I also have windows firewall & my router firewall setup as well. Running Firefox also does wonders.
     
  7. Carl Miller

    Carl Miller Screenwriter

    Joined:
    Mar 17, 2002
    Messages:
    1,461
    Likes Received:
    0
    I second the spysweeper recommendation. Their site has a free "spyaudit" tool you can use that's excellent.

    If the programs recommended (whichever you decide to run) don't remove this thing, search google for a program called HiJack This, download it, run it, print the log and go to petercoyote.com to post the log in the HiJack This forum area. Someone skilled will read the log, and tell you what you need to remove.
     
  8. Rommel_L

    Rommel_L Second Unit

    Joined:
    Apr 25, 2000
    Messages:
    355
    Likes Received:
    0
    Steve,

    Run HiJackThis and post the logfile here...
     
  9. Scott Merryfield

    Scott Merryfield Executive Producer
    Supporter

    Joined:
    Dec 16, 1998
    Messages:
    11,756
    Likes Received:
    807
    Location:
    Michigan
    Lots of great suggestions above. One other freeware tool I use is Spyware Blaster, which actively blocks known spyware.

    My "protection" toolkit includes:

    Hardware firewall
    Software firewall (ZoneAlarm on one PC, Windows FW on the other)
    AVG Anti-virus
    Spyware Blaster
    Windows Update (keep those security patches up-to-date)
    Lavasoft Adaware
    Spybot
    HiJack This! (only needed it a couple of times, but it's a powerful tool)
    Firefox browser

    I like ZoneAlarm better than the built-in Windows firewall. ZoneAlarm will alert you to any new application that attempts to access the Internet and allow you to either permit or deny access. Unfortunately, I've experienced problems with ZA locking up the Internet connection on my newer HP Pavilion, so I just use Windows firewall to supplement my external hardware firewall. I still run ZA on the Dell PC that my wife uses.
     
  10. Al.Anderson

    Al.Anderson Cinematographer

    Joined:
    Jul 2, 2002
    Messages:
    2,533
    Likes Received:
    67
    Real Name:
    Al
    All of the products mentioned are good. But if you already have an infection I strongly second the recommendation to run Hijackthis - it's an invaluable resource for finding and getting rid of spyware.

    We can probably help you here; but for even more dedicated resources try http://www.spywareinfo.com/~merijn/index.php
    which is also good for some background on all the spyware activity.
     
  11. Don Giro

    Don Giro Supporting Actor

    Joined:
    Jan 22, 2004
    Messages:
    835
    Likes Received:
    15
    Location:
    New Jersey
    Real Name:
    Don
    Great advice here. One thing I'd like to add: Stay away from lyrics sites, they're usually LOADED with malware.
     
  12. Kimmo Jaskari

    Kimmo Jaskari Screenwriter

    Joined:
    Feb 27, 2000
    Messages:
    1,528
    Likes Received:
    0
    First of all: a firewall protects against active attacks over the Internet, i.e. if cracker x is sitting at his computer and trying to break into your machine actively, a firewall will make that more difficult. A firewall won't do squat about spyware etc.

    If you haven't installed too much stuff on the machine, I'd personally recommend you reformat to get rid of all the crap. Then, immediately get every update available for Windows before you do anything else.

    After that is done, install some form of antispyware software if you want to, then install Privoxy to filter out lots of crud and then never, ever surf with IE. If you must use it on some specific site because of bad web page design then load it up especially for that, but for daily browsing you should use either Opera 9 or Firefox. I prefer Opera - it has an unsurpassed security record and a really great user interface especially after you take an hour or two to explore and customize it.

    With Opera and Privoxy, there is no site out there that worries me in the slightest. I see hardly any unwanted popups, and I feel confident that nothing will just hijack the computer and load tons of garbage onto it. Of course, you can still foul something up by downloading something nasty, which is why a solid antivirus program is a must as well.
     
  13. Steve_Tk

    Steve_Tk Cinematographer

    Joined:
    Apr 30, 2002
    Messages:
    2,833
    Likes Received:
    1
    Logfile of HijackThis v1.99.1
    Scan saved at 4:35:54 PM, on 9/5/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\Steven\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv11.dll
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
    O4 - HKLM\..\Run: [keyboard] C:\kybrdff_13.exe
    O4 - HKLM\..\Run: [defender] C:\dfndrff_13.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.adsextend.net
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.adsextend.net (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1154817024468
    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
  14. Alon Goldberg

    Alon Goldberg Screenwriter

    Joined:
    Jul 10, 2006
    Messages:
    1,131
    Likes Received:
    0
    Yikes... remove all of the bad sites from your IE Trusted Zone and reset your Search Engine to Microsoft or Google, for starters.
     
  15. DaveMcFar

    DaveMcFar Extra

    Joined:
    Jan 2, 2005
    Messages:
    20
    Likes Received:
    0
    Here's the file after I ran Hijack. What do i need to do?

    Logfile of HijackThis v1.99.1
    Scan saved at 5:54:58 PM, on 9/5/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\mgabg.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\PDesk\PDesk.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\NetZero\qsacc\x1exec.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosite.com;*.dir.untd.com;*.prod.untd.com;
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1130697329761
    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - file://C:\Program Files\The Tournament Director\comdlg32.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F44A7F93-E13A-430F-9DB0-DE3CFF4C34D6}: NameServer = 64.136.28.120 64.136.20.120
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    thanks

    Dave
     
  16. Carl Miller

    Carl Miller Screenwriter

    Joined:
    Mar 17, 2002
    Messages:
    1,461
    Likes Received:
    0
    When I recommended HiJack This, I stupidly said to go to the wrong site....

    You guys who posted Hi Jack logs should go here: http://forums.tomcoyote.org/ to post your logs so someone can read them and recommend what to get rid of....HiJack This is a great tool, but you don't want to remove the wrong thing.
     
  17. Rommel_L

    Rommel_L Second Unit

    Joined:
    Apr 25, 2000
    Messages:
    355
    Likes Received:
    0
    Steve Tk,

    Yep, there are bugs in the PC. Do the ff:

    - If you don't have a third-party firewall program, turn on WinXP's built-in firewall program.
    - Create a folder C:\Program Files\HiJackThis and move the HiJackThis.exe file here.
    - Connect to the internet.
    - Clear/clean cache and cookies folder of all internet browsers.
    - Delete all files and folders contained in the following folders, but not the folders themselves:
    • C:\Documents and Settings\-profile name-\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file
    • C:\Documents and Settings\-profile name-\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
    • C:\Documents and Settings\-profile name-\Local Settings\Temp
    • C:\Windows\Prefetch
    • C:\Windows\Temp
    • Recycle Bin
    - Download, install, update and run the following antivirus / antispyware programs: AVG Free antivirus, Spybot S&D, Ad-Aware, MS Defender, SpywareBlaster and Cool Web Shredder.
    - Run Microsoft's Malware Removal Tool. The file's name is MRT.exe. Search for it in C:\Windows\system32.

    - Reboot in safe mode.
    - Permanently delete the following files:
    • C:\WINDOWS\system32\xeymi.dll
    • C:\kybrdff_13.exe
    • C:\dfndrff_13.exe
    Permanently delete a file by highlighting the mentioned file, pressing and holding the ctrl key, right-clicking the file and clicking on delete.
    - Run HiJackThis, put a check beside the following entries and hit Fix checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R3 - Default URLSearchHook is missing
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [keyboard] C:\kybrdff_13.exe
    O4 - HKLM\..\Run: [defender] C:\dfndrff_13.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.adsextend.net
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.sxload.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.adsextend.net (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -


    - Reboot to normal boot.
    - Connect to the internet.
    - Download Java Runtime Environment (JRE) 5.0 Update 7, the latest version from Java. Remember to uninstall the old version first before installing the new one.
    - Disable Messenger Service. It will help protect the computer from unwanted spam and other potential threats.
    - Run Disk Defragmenter.
    - Run HiJackThis and post the logfile here just to make sure all the bugs are cleaned up.
     
  18. Rommel_L

    Rommel_L Second Unit

    Joined:
    Apr 25, 2000
    Messages:
    355
    Likes Received:
    0
    Dave,

    I did not find any bugs in the system but do the following anyway for maintenance:

    - Create a folder C:\Program Files\HiJackThis and move the HiJackThis.exe file here.
    - Clear/clean cache and cookies folder of all internet browsers.
    - Delete all files and folders contained in the following folders, but not the folders themselves:
    • C:\Documents and Settings\-profile name-\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file
    • C:\Documents and Settings\-profile name-\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
    • C:\Documents and Settings\-profile name-\Local Settings\Temp
    • C:\Windows\Prefetch
    • C:\Windows\Temp
    • Recycle Bin
    - Connect to the internet.
    - Download, install, update and run the following antivirus / antispyware programs: AVG Free antivirus, Spybot S&D, Ad-Aware, MS Defender, SpywareBlaster and Cool Web Shredder.
    - Download Java Runtime Environment (JRE) 5.0 Update 7, the latest version from Java. Remember to uninstall the old version first before installing the new one.
    - Disable Messenger Service. It will help protect the computer from unwanted spam and other potential threats.
    - I suggest removing/uninstalling the AOL toolbar and using the Google toolbar instead.

    - Reboot in safe mode.
    - Run HiJackThis, put a check beside the following entries and hit Fix checked:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

    The following processes are unnecessary to run during startup.

    - Reboot to normal mode.
    - Run Disk Defragmenter.
     
  19. NickT

    NickT Stunt Coordinator

    Joined:
    Nov 20, 2001
    Messages:
    104
    Likes Received:
    0
    Real Name:
    Nick
    Steve TK, you have one nasty called Vundo on your system. It'll require a special fix to take care of beyond using Hijackthis. The suggestion to post at Tom Coyote is a good idea, and in fact, that is another forum I frequent. I am one of the people there who can answer Hijackthis logs, my profile. It's probably best to post over at Coyote, but here is what you need to do:

    ---------------------

    You are running Hijackthis from a temp folder. This is not a good idea, because you will lose any backups that Hijackthis creates. Do the following to create a permanent folder to put Hijackthis into:

    Click My Computer, then C:
    In the menu bar, File->New->Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT folder. Put your HijackThis.exe there, and double click to run it later.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Once Vundofix is done, run Hijackthis and check the boxes next to all these, close all other windows, then click Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R3 - Default URLSearchHook is missing

    O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv11.dll
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)

    O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
    O4 - HKLM\..\Run: [keyboard] C:\kybrdff_13.exe
    O4 - HKLM\..\Run: [defender] C:\dfndrff_13.exe

    All of the O15 lines

    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll


    After that, restart the computer and enable hidden files by doing this:

    * Double-click My Computer.
    * Click the Tools menu, and then click Folder Options.
    * Click the View tab.
    * Clear "Hide file extensions for known file types."
    * Under the "Hidden files" folder, select "Show hidden files and folders."
    * Clear "Hide protected operating system files."
    * Click Apply, and then click OK.

    Then find and delete these files:

    C:\WINDOWS\xload.exe
    C:\kybrdff_13.exe
    C:\dfndrff_13.exe


    When done with this, I'd recommend scanning with Ewido Antispyware.

    Download the trial version of Ewido anti-spyware from here and save it to your Desktop.

    Double click the ewido-setup file to begin installation and follow the prompts.
    When the program has been installed, and you click the Finish button, Ewido anti-spyware will open.
    • Updating Ewido:

      By default Ewido is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
    • Click the Update icon at the top and under "Manual Update" - click the Start update button.
    • Either Ewido will update or inform you that no update was available.
    • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
      Once you have installed Ewido, double click ewido-signatures-full-current.exe to update it.

      Disabling the Resident Shield:
    • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
      (When the PC has been cleaned you can activate the shield again, if you wish.)
    • Click the Shield icon at the top and under "Resident shield is..." - click active.
    • This should now change to inactive.

      Changing Recommended Actions
    • Click the Scanner icon at the top and then click the Settings Tab.
    • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.

    After you have installed and updated Ewido, click the scanner button at the top and select complete system scan. Let Ewido do its scan and when done, do the recommended actions.


    That should help to clean up the mess on your computer Steve. If you still have problems, post back with a new Hijackthis log and the Vundo log.
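    As an added example (this is not code from the thread, and not part of HijackThis itself), the Python script below applies the review rules the helpers in this thread used by hand to a HijackThis-style log: a start or search page pointing at an unknown host (R0/R1), a missing URLSearchHook (R3), a BHO whose DLL is gone (O2), autorun entries launching executables from the drive root or the bare Windows folder (O4), unknown domains in the IE Trusted Zone (O15), ActiveX downloads from non-Microsoft hosts (O16) and a text/html filter (O18). The sample log is constructed from lines in Steve's posted log; the TRUSTED_SUFFIXES allowlist and the severity labels are assumptions of this example, not anything HijackThis ships with.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [keyboard] C:\kybrdff_13.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1154817024468
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    line_no: int
    section: str   # HijackThis section code: R0, O4, O15, ...
    severity: str  # "high" or "review" (labels chosen for this example)
    reason: str
    text: str


# Hosts allowed to own search, update and ActiveX-download settings.
# Assumption of this example: HijackThis carries no such allowlist.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com", "google.com", "windowsupdate.com")

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Program launched by an O4 autorun entry, quoted or bare, up to its .exe.
AUTORUN_RE = re.compile(r'\] "?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def _host_allowed(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def _url_allowed(url: str) -> bool:
    return _host_allowed(urlparse(url).hostname or "")


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's manual review rules to every recognised log line."""
    findings: list[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and process list are skipped
        code, body = m.group("code"), m.group("body")
        hit = None
        if code in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].strip()
            if value.lower() != "about:blank" and not _url_allowed(value):
                hit = ("high", "start/search page redirected to an unknown host")
        elif code == "R3" and "is missing" in body:
            hit = ("review", "default URLSearchHook removed, a side effect of search hijackers")
        elif code == "O2" and "(file missing)" in body:
            hit = ("high", "BHO registered but its DLL is gone (orphaned hijacker entry)")
        elif code == "O4":
            pm = AUTORUN_RE.search(body)
            if pm:
                folder = pm.group("path").rsplit("\\", 1)[0].lower()
                if len(folder) == 2:  # "c:" -> executable sits in the drive root
                    hit = ("high", "autorun executable dropped in the drive root")
                elif folder.endswith("\\windows"):
                    hit = ("review", "autorun executable in the Windows folder itself")
        elif code == "O15":
            pattern = body.split(":", 1)[1].replace("(HKLM)", "").strip()
            if not _host_allowed(pattern.lstrip("*.")):
                hit = ("high", "unknown domain in IE Trusted Zone (relaxed security settings)")
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            if not _url_allowed(url):
                hit = ("high", "ActiveX control downloaded from a non-Microsoft host")
        elif code == "O18" and body.startswith("Filter: text/html"):
            hit = ("high", "MIME filter on text/html lets a DLL rewrite every page IE renders")
        if hit:
            findings.append(Finding(n, code, hit[0], hit[1], line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a reader sees at a glance how bad a log is."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no:2} {f.section:<4} {f.severity:<6} {f.reason}")
    print(summarize(results))
```

    Run it and it prints one line per flagged entry; a clean log yields an empty list. The rules are deliberately narrow, so an entry it does not flag is not thereby safe: a hijacker DLL that still exists on disk, such as the "SSL encrypt" BHO in Steve's log, passes the O2 rule, which is why the thread's advice to have an experienced reader look at the full log still stands.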
     