Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

CWShredder 2

Status
Not open for further replies.
farmor

farmor

Technical User
Joined
Dec 2, 2001
Messages
38
Location
US
Is anyone familiar with CW Shredder? I have something on my second hand computer. ZA was on when purchased and finds the same something W32.Bardust.A almost every day and supposedly treats it, however it keeps reappearing, often under different file names. It's located in a variety of non-existent Windows files. I've also been trying a 30-day F-Prot trial which finds a possible variant of W32/VB:EMU etc., but it's ondemand scan can't remove it or treat it. Trend Micro relates Bardust to Troj_VB.APP but I can't run Housecall to identify a name. I downloaded CW Shredder (now owned by Trend Micro) and it found CWS.msconfig, which I suspect may be the same malware. It says that the malware overwrites the Msconfig file and that removing it will require reinstallation of Msconfig, however their link to provide this file for those with pre-purchase Windows installation (and thus no CD's) doesn't work. None of the companies have sent meaningful replies to my e-mails.
Is CW Shredder reliable? Can I safely let it "fix" the problem? Any other suggestions? How can I get an MSconfig replacement? [Running XP Home. computer doesn't have a DVD burner. Have been tryng to identify a good one to purchase so as to make back-up disks.] Thanks for any help.
 
Sort by date Sort by votes
CW Shredder usually works BUT new versions of malware keep coming out that try to thwart anti-malware programs. Have you tried running your programs in safe mode?

Also, Sysinternals has a MSConfig work-alike. See: Look around at their web site for more interesting tools, too.

James P. Cottingham
-----------------------------------------
I'm number 1,229!
I'm number 1,229!
 
Upvote 0 Downvote
CWS is reliable but you might need a more advanced tool to remove the very bad CWs hijackers like aboutbuster.

You should post a hijack this log as already requested!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
It's also a great idea to use a tool that comes on a "live cd" like BartPE, which let's you install your own apps on a custom configured bootable win32 platform. So you could run CWshredder, or any of the Anti-v programs (that you can figure out how to make them work on BartPE) and run them on your system when none of the virius programs can run because it's not using that system to load the OS.
In other words, you can get to the files that the OS would normally lock, because you've loaded it from the CD.
This is also great for running defrags, or fixing messed up systems.
 
Upvote 0 Downvote
Thanks for all of your replies.
Please send the address for downloading HiJack This as I read that CWS.msconfig misdirects Google searches. I had downloaded it some time ago but never used & it has disappeared. Also explain what things to scan with it.
Does Sysinternals work in Windows setting Startup functions, etc.?
I ran F-Prot in safe mode. It deleted some files, but said it couldn't treat the possible W32/VB:EMU variant. If it is the same as CWS.msconfig, that is more than a year old so wonder why they can't treat it.
Paintballer - please explain further what you said about setting up a custom configured bootable Win32 platform (purpose, problems, etc.)
I can run Zone Labs AV scans, and F-Prot scans. They just don't disinfect or quarantine sufficiently. I had unsatisfactory experiences with Norton & McAfee previously. Plan to download AVG when have the time to tie up my phone.
 
Upvote 0 Downvote
Upvote 0 Downvote
Thanks 2ffat, I just checked the site and downloaded it. That looks like just what I've been wanting.

Here is the HiJackThis log
Logfile of HijackThis v1.99.1
Scan saved at 12:24:56 PM, on 09/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {48449BC2-7ED5-EC64-7BC9-6BD81753E04A} - C:\WINDOWS\System32\txfbkovw\muhkxgcu.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} - O16 - DPF: {CA8A9780-280D-11CF-A24D-444553540000} - O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\koinsvc.exe
 
Upvote 0 Downvote
Please don't follow my instructions yet - I may have missed something important. Wait for others to double-check my findings (pechenegs, where are you ;) ?).

O2 - BHO: (no name) - {48449BC2-7ED5-EC64-7BC9-6BD81753E04A} - C:\WINDOWS\System32\txfbkovw\muhkxgcu.dll (file missing)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\koinsvc.exe

The above are all bad and will require removal using HijackThis. I suggest you boot into Safe Mode to do this but first download eWido and update it, don't enable the resident feature and don't run it yet - run it and save the logfile from Safe Mode after you've removed the above entries using HijackThis.

Once you have posted a new hjt log and the eWido log and are given the all clear, I suggest you turn off System Restore, reboot and re-enable it. You can then create a new Restore Point from msconfig.

 
Upvote 0 Downvote
My apologies, I forgot I had tweaked Startup & Task Manager when I started this morning. Here is a more accurate scan which shows two more (at least) suspect files - Windows\iurpdll and Windows\gtbxenc:
Logfile of HijackThis v1.99.1
Scan saved at 1:17:55 PM, on 09/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\koinsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\iurpdll.exe
C:\WINDOWS\gtbxenc.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {48449BC2-7ED5-EC64-7BC9-6BD81753E04A} - C:\WINDOWS\System32\txfbkovw\muhkxgcu.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [iurpdll] C:\WINDOWS\iurpdll.exe
O4 - HKLM\..\Run: [gtbxenc] C:\WINDOWS\gtbxenc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} - O16 - DPF: {CA8A9780-280D-11CF-A24D-444553540000} - O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\koinsvc.exe
 
Upvote 0 Downvote
Just realised I forgot to flag
O1 - Hosts: 216.39.69.102 view.atdmt.com

The following also need to be added to the original list to fix:
gtbxenc.exe
iurpdll.exe
O4 - HKLM\..\Run: [iurpdll] C:\WINDOWS\iurpdll.exe
O4 - HKLM\..\Run: [gtbxenc] C:\WINDOWS\gtbxenc.exe
C:\WINDOWS\koinsvc.exe


The following are not needed, just hogging resources, flag them if you wish - I would.
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
 
Upvote 0 Downvote
Thanks very much.
Ewido ran itself after downloading the updates and I let it clean & quarantine iurpdll, gtbxenc and koinsvc. Will this prevent their complete removal?
I'm also wondering about 4 items under #016:
DPF ...Quicksilver
DPF ... digitalcity etc.
and two "download.games
The games are of no interest to me. Can I remove them safely?
What are the other two entries?
 
Upvote 0 Downvote
Download the pocket killbox




Download the Hoster from:


UnZip the file and press "Restore Original Hosts" and press "OK". Exit
Program.



Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Windows VisFx Components
Right click and choose "Properties". On the "General" tab under "Service
Status" click the "Stop" button to stop the service. Beside "Startup Type"
in the dropdown menu select "Disabled". Click Apply then OK. Exit the
Services utility.

Note: You may get an error here when trying to access the properties of the
service. If you do get an error, just select the service and look there in
the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.




Download ewido!



* Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need run Ewido and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.



* Click here to download ATF Cleaner by Atribune and save it to your desktop.



* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.




* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.



O2 - BHO: (no name) - {48449BC2-7ED5-EC64-7BC9-6BD81753E04A} - C:\WINDOWS\System32\txfbkovw\muhkxgcu.dll (file missing)
O4 - HKLM\..\Run: [iurpdll] C:\WINDOWS\iurpdll.exe
O4 - HKLM\..\Run: [gtbxenc] C:\WINDOWS\gtbxenc.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} - O16 - DPF: {CA8A9780-280D-11CF-A24D-444553540000} - O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\koinsvc.exe




Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\WINDOWS\iurpdll.exe
C:\WINDOWS\gtbxenc.exe
C:\WINDOWS\koinsvc.exe




Run Ewido!

# IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
# Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
# Ewido will now begin the scanning process. Be patient this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close Ewido and reboot your system back into Normal Mode.



reboot to normal mode and run a few online scans!


Make sure your ActiveX controls are set as follows:

Go to Internet Options - Security - Internet, press 'default level', then OK.
Now press "Custom Level."

In the ActiveX section, set the first two options (Download signed and
unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
controls not marked as safe" to 'disable'.


Active X settings





Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another hijack this log, the ewido and active scan logs



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Your also using msconfig, go back into msconfig and recheck all boxes which are unchecked and click ok, and reboot your computer. Then post a new hijack this log as some viruses might be disabled in there!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Thank you very much. There was one item which Satrow mentioned which you didn't confirm:
020-AppInit_DLLs:repairs.dll Should this also be deleted?

I've taken all the steps except for running the on-line scans. Panda won't work with Firefox and I hesitate to let IE run for 4+ hours (time estimated by TrendMicro's Housecall). I'm attaching the HiJackThis and ewido logs.
I've also run HiJack with all items checked (it took a half hour to boot up!) and will also attach that log. I'm sure there are a lot of viruses in there. I'd like to get rid of all the junk (pre-dating my ownership) as well as the viruses.
CWShredder is still finding CWS.msconfig.

Logfile of HijackThis v1.99.1
Scan saved at 12:36:25 PM, on 09/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:32:40 PM 09/22/2006

+ Scan result:



C:\Program Files\Microsoft AntiSpyware\Quarantine\B43C2A61-6A09-4EC7-9962-40D8A8\940C93E8-30AD-4E24-9C96-03B904 -> Adware.Beginto : Cleaned.
C:\Program Files\Microsoft AntiSpyware\Quarantine\A7B76E8F-2A10-4135-BDAF-A8204B\88DE9C53-886F-4A6C-8DEE-959457 -> Adware.BetterInternet : Error during cleaning.
C:\Program Files\Microsoft AntiSpyware\Quarantine\1CF34D58-E22B-403F-BDC6-F54F4D\8EC86CB6-C6BD-48E9-9C61-5D19A9 -> Adware.BookedSpace : Cleaned.
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Adware.EliteBar : Cleaned.
HKU\.DEFAULT\Software\intexp -> Adware.IEPlugin : Cleaned.
HKU\.DEFAULT\Software\intexp\Config -> Adware.IEPlugin : Cleaned.
HKU\.DEFAULT\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned.
HKU\S-1-5-18\Software\intexp -> Adware.IEPlugin : Cleaned.
HKU\S-1-5-18\Software\intexp\Config -> Adware.IEPlugin : Cleaned.
HKU\S-1-5-18\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned.
C:\Program Files\Microsoft AntiSpyware\Quarantine\1CF34D58-E22B-403F-BDC6-F54F4D\C71AB1CE-1A74-4A72-98CE-9CA1E0 -> Adware.Pacer : Cleaned.
C:\Program Files\Microsoft AntiSpyware\Quarantine\754B7EDE-998E-4441-A168-27F081\FB652CE1-828C-4BD2-A029-256B0D -> Adware.Sahat : Cleaned.
C:\Program Files\Microsoft AntiSpyware\Quarantine\453B06F7-6EB7-479F-B624-B3039B\0C07700F-7622-4DE1-9431-1C5025 -> Adware.WebRebates : Cleaned.
C:\Program Files\Microsoft AntiSpyware\Quarantine\453B06F7-6EB7-479F-B624-B3039B\4C587166-3C39-4254-A369-9BC38C -> Adware.WebRebates : Cleaned.
C:\Program Files\Microsoft AntiSpyware\Quarantine\453B06F7-6EB7-479F-B624-B3039B\EED7BDAE-6CF8-409B-98C1-E655AC -> Adware.WebRebates : Cleaned.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned.
C:\WINDOWS\system32\bwimenl.exe -> Downloader.Delmed.a : Cleaned.
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned.
:mozilla.157:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@ads19.bpath[1].txt -> TrackingCookie.Bpath : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@ads49.bpath[1].txt -> TrackingCookie.Bpath : Cleaned.
:mozilla.149:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@cliks[2].txt -> TrackingCookie.Cliks : Cleaned.
:mozilla.8:C:\Documents and Settings\jljackson\Application Data\Mozilla\Firefox\Profiles\3iy05bfk.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.9:C:\Documents and Settings\jljackson\Application Data\Mozilla\Firefox\Profiles\3iy05bfk.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.135:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.105:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.106:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.197:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.255:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.101:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.102:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.103:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.104:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@premiumnetworkrocks.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.99:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.190:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.226:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.227:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\cjh6eead.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 7:49:40 PM, on 09/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zbkyybvo] c:\windows\system32\zbkyybvo.exe
O4 - HKLM\..\Run: [yakbk] C:\WINDOWS\System32\rbcrp\yakbk.exe
O4 - HKLM\..\Run: [wtqsenc] C:\WINDOWS\wtqsenc.EXE
O4 - HKLM\..\Run: [WMDPENC] C:\WINDOWS\WMDPENC.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [vucrgq] C:\WINDOWS\System32\betjgmkp\vucrgq.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\ibxjdyk.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [unhxye] C:\WINDOWS\System32\nakst\unhxye.exe
O4 - HKLM\..\Run: [tof] C:\WINDOWS\tof.exe
O4 - HKLM\..\Run: [TJJKDLL] C:\WINDOWS\TJJKDLL.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Jmeavz.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [qxhn] C:\WINDOWS\System32\hgvfxfct\qxhn.exe
O4 - HKLM\..\Run: [psoj39W] cewcfgex.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [nsetdll] C:\WINDOWS\nsetdll.exe
O4 - HKLM\..\Run: [nrksdll] C:\WINDOWS\nrksdll.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [mopkl] C:\WINDOWS\System32\niyck\mopkl.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [kidrk] C:\WINDOWS\System32\jeed\kidrk.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [KaZooM] C:\Program Files\Blue Haven Media\KaZooM\KaZooM.Exe
O4 - HKLM\..\Run: [iurpdll] C:\WINDOWS\iurpdll.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iswuvocscddk] C:\WINDOWS\System32\zbkyybvo.exe
O4 - HKLM\..\Run: [ilijdll] C:\WINDOWS\ilijdll.exe
O4 - HKLM\..\Run: [ijcyt] C:\WINDOWS\System32\prgvds\ijcyt.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hmegbqf] C:\WINDOWS\System32\fhbtm\hmegbqf.exe
O4 - HKLM\..\Run: [hloq] C:\WINDOWS\System32\bwlb\hloq.exe
O4 - HKLM\..\Run: [hiagdll] C:\WINDOWS\hiagdll.exe
O4 - HKLM\..\Run: [gffifjq] C:\WINDOWS\System32\cytith\gffifjq.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [fofiidr] C:\WINDOWS\System32\gxhola\fofiidr.exe
O4 - HKLM\..\Run: [fngish] C:\WINDOWS\System32\rqbjquy\fngish.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [evvenlbl] C:\WINDOWS\System32\srouwpx\evvenlbl.exe
O4 - HKLM\..\Run: [ennxf] C:\WINDOWS\System32\ubjf\ennxf.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedso32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [bijoenc] C:\WINDOWS\bijoenc.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [abocl] C:\WINDOWS\System32\ilguackr\abocl.exe
O4 - HKLM\..\Run: [?nrksdll] C:\WINDOWS\nrksdll.EXE
O4 - HKCU\..\Run: [YB7tRVa4V] cc3psetu.exe
O4 - HKCU\..\Run: [usrdtea] C:\WINDOWS\System32\usrdtea.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Startup: SpamSubtract.lnk = C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Once I get rid of the various pests, what is the best combination of AV, anti-spyware, etc. to run regularly?
 
Upvote 0 Downvote
wait you have a lot more now that you rechecked the boxes in msconfig.



Before you proceed with the removal directions below you need to turn off MS
Anti-Spyware's realtime protection as it will interfere with the changes we
are trying to make.

Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime
Protection" in the left pane.

Remove the check by these:

"Enable the Microsoft Security Agents on startup (recommended)"

"Enable real-time spyware threat protection (recommended)"

Click "Save"

Now right click the MS Anti-spyware icon in your system tray and choose
"Shutdown Microsoft Anti-Spyware"

You should re-enable these when we are finished here.



spysweeper.

Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.

Open Spysweeper and click on Options > Program Options.
Uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
Leave it disabled until we are finished here.




Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Ewido
Right click and choose "Properties". On the "General" tab under "Service
Status" click the "Stop" button to stop the service. Beside "Startup Type"
in the dropdown menu select "Disabled". Click Apply then OK. Exit the
Services utility.

Note: You may get an error here when trying to access the properties of the
service. If you do get an error, just select the service and look there in
the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


You can re-enable this after you are clean!





First make a folder In C:\ & call it BFU then

please download BFU from



and save it to the folder you have just made.
Open the folder & double click BFU.exe to run it


Run the program and click the Web button.


Use this URL below and copy it into the address bar of the Download script
window:





Execute the script by clicking the Execute button.
Note that you should see a progress bar while the script is being executed.

If you have any questions about the use of BFU please read here:



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.



O4 - HKLM\..\Run: [zbkyybvo] c:\windows\system32\zbkyybvo.exe
O4 - HKLM\..\Run: [yakbk] C:\WINDOWS\System32\rbcrp\yakbk.exe
O4 - HKLM\..\Run: [wtqsenc] C:\WINDOWS\wtqsenc.EXE
O4 - HKLM\..\Run: [WMDPENC] C:\WINDOWS\WMDPENC.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [vucrgq] C:\WINDOWS\System32\betjgmkp\vucrgq.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\ibxjdyk.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [unhxye] C:\WINDOWS\System32\nakst\unhxye.exe
O4 - HKLM\..\Run: [tof] C:\WINDOWS\tof.exe
O4 - HKLM\..\Run: [TJJKDLL] C:\WINDOWS\TJJKDLL.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Jmeavz.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKLM\..\Run: [qxhn] C:\WINDOWS\System32\hgvfxfct\qxhn.exe
O4 - HKLM\..\Run: [psoj39W] cewcfgex.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [nsetdll] C:\WINDOWS\nsetdll.exe
O4 - HKLM\..\Run: [nrksdll] C:\WINDOWS\nrksdll.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [mopkl] C:\WINDOWS\System32\niyck\mopkl.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [kidrk] C:\WINDOWS\System32\jeed\kidrk.exe
O4 - HKLM\..\Run: [iurpdll] C:\WINDOWS\iurpdll.exe
O4 - HKLM\..\Run: [iswuvocscddk] C:\WINDOWS\System32\zbkyybvo.exe
O4 - HKLM\..\Run: [ilijdll] C:\WINDOWS\ilijdll.exe
O4 - HKLM\..\Run: [ijcyt] C:\WINDOWS\System32\prgvds\ijcyt.exe
O4 - HKLM\..\Run: [hmegbqf] C:\WINDOWS\System32\fhbtm\hmegbqf.exe
O4 - HKLM\..\Run: [hloq] C:\WINDOWS\System32\bwlb\hloq.exe
O4 - HKLM\..\Run: [hiagdll] C:\WINDOWS\hiagdll.exe
O4 - HKLM\..\Run: [gffifjq] C:\WINDOWS\System32\cytith\gffifjq.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [fofiidr] C:\WINDOWS\System32\gxhola\fofiidr.exe
O4 - HKLM\..\Run: [fngish] C:\WINDOWS\System32\rqbjquy\fngish.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [evvenlbl] C:\WINDOWS\System32\srouwpx\evvenlbl.exe
O4 - HKLM\..\Run: [ennxf] C:\WINDOWS\System32\ubjf\ennxf.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedso32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [bijoenc] C:\WINDOWS\bijoenc.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [abocl] C:\WINDOWS\System32\ilguackr\abocl.exe
O4 - HKLM\..\Run: [?nrksdll] C:\WINDOWS\nrksdll.EXE
O4 - HKCU\..\Run: [YB7tRVa4V] cc3psetu.exe
O4 - HKCU\..\Run: [usrdtea] C:\WINDOWS\System32\usrdtea.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O20 - AppInit_DLLs: repairs.dll





1. Please download The Avenger by Swandog46 to your Desktop.


* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop


2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



Files to delete:
c:\windows\system32\zbkyybvo.exe
C:\WINDOWS\System32\rbcrp\yakbk.exe
C:\WINDOWS\wtqsenc.EXE
C:\WINDOWS\WMDPENC.EXE
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dl
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\betjgmkp\vucrgq.exe
C:\WINDOWS\System32\ibxjdyk.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINDOWS\System32\nakst\unhxye.exe
C:\WINDOWS\tof.exe
C:\WINDOWS\TJJKDLL.EXE
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\System32\Jmeavz.exe
c:\program files\180searchassistant\sac.exe
C:\WINDOWS\System32\hgvfxfct\qxhn.exe
cewcfgex.exe
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\nsetdll.exe
C:\WINDOWS\nrksdll.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\WINDOWS\System32\niyck\mopkl.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\System32\jeed\kidrk.exe
C:\WINDOWS\iurpdll.exe
C:\WINDOWS\System32\zbkyybvo.exe
C:\WINDOWS\ilijdll.exe
C:\WINDOWS\System32\prgvds\ijcyt.exe
C:\WINDOWS\System32\fhbtm\hmegbqf.exe
C:\WINDOWS\System32\bwlb\hloq.exe
C:\WINDOWS\hiagdll.exe
C:\WINDOWS\System32\cytith\gffifjq.exe
C:\WINDOWS\System32\gah95on6.exe
C:\WINDOWS\System32\gxhola\fofiidr.exe
C:\WINDOWS\System32\rqbjquy\fngish.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\srouwpx\evvenlbl.exe
C:\WINDOWS\System32\ubjf\ennxf.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
C:\windows\system32\elitedso32.exe
C:\WINDOWS\cfgmgr51.dll
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\bijoenc.exe
C:\WINDOWS\System32\ilguackr\abocl.exe
C:\WINDOWS\nrksdll.EXE
C:\WINDOWS\cc3psetu.exe
C:\WINDOWS\System32\usrdtea.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\MBKWBar\TManager.exe
C:\PROGRA~1\Web Offer\wo.exe


Folders to delete
C:\WINDOWS\System32\ilguackr
C:\Program Files\SpyKiller
C:\Program Files\MBKWBar
C:\PROGRA~1\Web Offer
C:\Program Files\CashBack
C:\Program Files\BullsEye Network
C:\WINDOWS\System32\rqbjquy
C:\WINDOWS\System32\srouwpx
C:\WINDOWS\System32\ubjf
C:\Program Files\Ebates_MoeMoneyMaker
C:\WINDOWS\System32\fhbtm
C:\WINDOWS\System32\bwlb
C:\WINDOWS\System32\cytith
C:\WINDOWS\System32\gxhola
C:\WINDOWS\System32\rqbjquy
C:\WINDOWS\System32\niyck
C:\Program Files\Media Access
C:\WINDOWS\System32\jeed
C:\WINDOWS\System32\prgvds
C:\WINDOWS\System32\fhbtm
C:\WINDOWS\System32\nakst
C:\PROGRA~1\Toolbar
c:\program files\180searchassistant
C:\WINDOWS\System32\hgvfxfct
C:\Program Files\NaviSearch
C:\PROGRA~1\COMMON~1\WinTools
C:\Program Files\WildTangent
C:\Program Files\Web_Rebates
C:\PROGRA~1\VBouncer
C:\WINDOWS\System32\nakst
Click to expand...



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

* It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
* On reboot, it will briefly open a black command window on your desktop, this is normal.
* After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
* The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.


Now run ewido again and then run spysweeper again!




Run an online antivirus check from


choose extended database for the scan!


Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another hijack this log, the ewido and the kaspersky scna log!




Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
And post the avenger log!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
?????????
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

eyec
  • Locked
  • News News
CWShredder
Replies
0
Views
96
eyec
eyec
Hawkide
  • Locked
  • Question Question
New CWShredder not helping :(
Replies
10
Views
324
diogenes10
diogenes10
kevotron
  • Locked
  • Question Question
CWshredder crashes at "hidden.dll" then disables NIC
Replies
3
Views
193
kevotron
kevotron
bcastner
  • Locked
  • News News
CWShredder Updated to Version 2 - October, 2004
Replies
4
Views
153
diogenes10
diogenes10
humour
  • Locked
  • Question Question
wast.exe found by cwshredder...
Replies
1
Views
152
diogenes10
diogenes10

Part and Inventory Search

Sponsor

Back
Top