Help with SPYWARE and Virus removal

Posted by: Christie Achor

Please help me with removal of spyware and viruses. HijackThis log file posted below. Thanks in advance!!


Logfile of HijackThis v1.99.0
Scan saved at 11:51:20 AM, on 1/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\s3hotkey.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINNT\system32\iurivi.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\awmsevt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\WINNT\system32\winupdt.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\system32\winupdt.exe
C:\WINNT\TEMP\Rar$EX00.289\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 64.91.255.87 [url]www.dcsresearch.com[/url]
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\system32\winb2s32.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe
O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [a0oERTipT] awmsevt.exe
O4 - Startup: AdDestroyer.lnk = AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - [url]http://www.ipix.com/viewers/ipixx.cab[/url]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [url]http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab[/url]
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - [url]http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0[/url]
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing)
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)



Posted by: Aleksander

If you don't have any antivirus, download Avast here: [url]www.avast.com[/url]

It's free and much better than Norton, for example...

And for the spyware it's good to scan with Ad-Aware, Spybot and SpySweeper...

And to clean your registry (it's very useful to do that) use RegCleaner...



Posted by: southernlady

Okay, you have MAJOR problems, so we are going to do this one step at a time, and you need to [COLOR=red][B]write this down on a notepad[/B][/COLOR] to avoid any problems, since most of this will be done while offline.

First, you are running HijackThis out of a [COLOR=red][B]temporary directory[/B][/COLOR] on your desktop. Can you please create a folder in My Documents or in My Programs on your C drive and call it Hijack (or something similar)? Then extract HijackThis into the folder you have created and run it from there. The reason for this is that HijackThis backup files may be deleted if it is run from a temporary folder.

Next, download and run this file: [URL=http://www.cexx.org/LSPFix.exe]LSPFix.exe[/URL]

Then download and run: [URL=http://www.microsoft.com/athome/security/spyware/software/default.mspx]Windows AntiSpyware (Beta)[/URL]

Then download and run this: [URL=http://www.majorgeeks.com/download.php?det=4113]CoolWWWSearch.SmartKiller (v1/v2) MiniRemoval[/URL]

Run HijackThis again and put a check by any of these that are left. Close ALL windows except HijackThis and click [B]"Fix checked"[/B].

[B]R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =[/B]

[B]R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)[/B]

[B]R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)[/B]

[B]O1 - Hosts: 64.91.255.87 [url]www.dcsresearch.com[/url][/B]

[B]O1 - Hosts: 69.20.16.183 auto.search.msn.com[/B]

[B]O1 - Hosts: 69.20.16.183 search.netscape.com[/B]

[B]O1 - Hosts: 69.20.16.183 ieautosearch[/B]

[B]O1 - Hosts: 69.20.16.183 ieautosearch[/B]

[B]O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\system32\winb2s32.dll[/B]

[B]O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe[/B]

[B]O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe[/B]

[B]O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe[/B]

[B]O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe[/B]

[B]O4 - HKLM\..\Run: [wyverc] C:\WINNT\system32\wyverc.exe[/B]

[B]O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe[/B]

[B]O4 - HKCU\..\Run: [a0oERTipT] awmsevt.exe[/B]

[B]O4 - Startup: AdDestroyer.lnk = AdDestroyer\AdDestroyer.exe[/B]

[B]O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)[/B]

[B]O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)[/B]

[B]O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll[/B]

[B]O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll[/B]

[B]O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll[/B]

[B]O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll[/B]

[B]O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll[/B]

[B]O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing)[/B]

[B]O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe[/B]

[B]O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)[/B]

Restart to [URL=http://www.spyware911.net/safemode.htm]Safe Mode[/URL]

Because 2000 will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders": [URL=http://www.spyware911.net/forum/index.php?showtopic=27]Show hidden files & folders[/URL]

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete these files:

C:\PROGRA~1[B]\EFFICI~1\ENTERN~1\app\pppoeservice.exe[/B]

C:\PROGRA~1[B]\VBouncer\VirtualBouncer.exe[/B]

C:\WINNT\system32[B]\iurivi.exe[/B]

C:\WINNT\system32[B]\awmsevt.exe[/B]

C:\WINNT\system32[B]\winupdt.exe[/B]

C:\Program Files[B]\AdDestroyer\AdDestroyer.exe[/B]

C:\WINNT\system32[B]\winupdt.exe[/B]

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type [B]%temp%[/B] in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Reboot.

Empty the Recycle Bin.

Then post another log. Liz
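As an added illustration of the triage applied above (example code, not from the forum, the poster or the HijackThis project), this script parses lines in the HijackThis log format and flags the same kinds of entries the reply singles out: hosts-file entries that send a name to a non-loopback address, registered components whose file is missing, unknown Winsock LSP files, and services with no publisher. The sample lines are constructed, modelled on the log in this thread; flagged entries are candidates for review, not an automatic verdict.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on this thread's log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O23 - Service: ISEXEng - Unknown - C:\WINNT\system32\angelex.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Every entry starts with a section code (R0-R3, O1-O23), then " - ", then the body.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")


def parse(text):
    """Return (section, body) tuples; lines that are not log entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Return (section, body, reason) for entries a reviewer would question."""
    flagged = []
    for sec, body in parse(text):
        reason = None
        if sec == "O1":
            h = HOSTS_RE.match(body)
            # A hosts file normally only maps names to loopback; anything else
            # redirects that name (here a search site) to a third-party address.
            if h and not h.group("ip").startswith("127."):
                reason = "hosts file redirects %s to %s" % (h.group("host"), h.group("ip"))
        elif "(no file)" in body or "(file missing)" in body:
            reason = "registered component whose file is missing"
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            # LSP entries are repaired with an LSP tool, not by deleting the DLL.
            reason = "unrecognised Winsock LSP"
        elif sec == "O23" and " - Unknown - " in body:
            reason = "service with no publisher information"
        if reason:
            flagged.append((sec, body, reason))
    return flagged
```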



Posted by: southernlady

Closed due to lack of activity. Liz