The Scream! > COMPUTER RELATED > Spyware Removal

Thread: Please help me

#1 - Captain Kirk (Guest) - 13-May-2006, 21:48

I have this virus which keeps popping up messages and ads. Here are some screenshots of its messages.

[screenshots not preserved in this copy]

Thanks in advance.

Note: I have already used most of the popular removal programs, including Spybot, Ad-Aware, Avast Antivirus and AVG Antivirus.

#2 - Zer02004 (Guest) - 14-May-2006, 11:28

This looks like a SpyAxe/SpyFalcon variant. Please download HijackThis!, extract it to its own unique folder, run it and post a logfile here.

#3 - Captain Kirk (Guest) - 14-May-2006, 12:57

Logfile of HijackThis v1.99.1
Scan saved at 12:56:52, on 14/05/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atmclk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ClocX\ClocX.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\PopupFree\NoPopupFull.exe
C:\Program Files\DS Clock\dsclock.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\VirtualDrive\rcache.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\WSG.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Hi Jack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://escape.forumup.com/index.php?...fe124639e58082
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hpD98A.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - (no file)
O3 - Toolbar: (no name) - {4D1C4E89-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System3

Last edited by Scoobs; 14-May-2006 at 15:28.

#4 - Zer02004 (Guest) - 14-May-2006, 15:17

Could you please post your logfile exactly as it is and in the normal manner. Please don't use formatting.

#5 - Bluescrew (Screamer; Staffordshire; joined Sep 2001; 128 posts) - 14-May-2006, 15:19

I've had this vile SpyAxe/SpyFalcon/SpywareStrike parasite when it first appeared, courtesy of my young son's browsing. I used the removal tools from here; search the site for the variant removers.

http://www.2-spyware.com/remove-spyfalcon.html

#6 - Captain Kirk (Guest) - 14-May-2006, 15:29

Quote (Zer02004): Could you please post your logfile exactly as it is and in the normal manner. Please don't use formatting.

That is in my normal manner, cut and paste; the only formatting is what Microsoft Word did automatically on loading it.

#7 - Captain Kirk (Guest) - 14-May-2006, 16:07

I have deleted certain .EXE and .DLL files, as told to by the site posted by Bluescrew, using Safe Mode. I have restarted in normal mode and it is yet to pop up any warnings; I think I might have got rid of it.

#8 - Twinkle (Rambler; Berkshire; joined Apr 2004; 2,659 posts) - 14-May-2006, 16:07

CK, I select all and copy and paste to Notepad.
__________________
We can't all be a star*
But we can all Twinkle*

#9 - Captain Kirk (Guest) - 14-May-2006, 16:13

I am no longer getting the pop-ups from post 1, but I am now getting this one.

[screenshot not preserved in this copy]

Every time this pops up, Avast Antivirus (my antivirus software) aborts the connection to a site.

#10 - Bluescrew (Screamer; Staffordshire; joined Sep 2001; 128 posts) - 14-May-2006, 16:43

Have you tried copying and pasting your log into this site's log analyser? I have used it but don't know how safe it is; it didn't give me any problems. According to it, you have a few nasties.

http://www.hijackthis.de/index.php

#11 - Zer02004 (Guest) - 14-May-2006, 19:19

2Spyware is not a safe site!!!
Please use Notepad to render your log files. Word messes up the formatting, makes them difficult to read and can induce errors.
If you have used MSConfig or similar to disable startup items, please undo those changes now and allow everything to start.
I won't be back for a few hours but in the meantime, please reboot and post another HijackThis! logfile.

#12 - Bluescrew (Screamer; Staffordshire; joined Sep 2001; 128 posts) - 14-May-2006, 19:31

Quote (Zer02004): 2Spyware is not a safe site!!!

It's not? Never caused me any problems.

#13 - Captain Kirk (Guest) - 14-May-2006, 19:35

I have backed up my registry before doing this, so tell me if I've wrecked anything. I have used HijackThis and manual techniques to edit the registry.
HijackThis now reports this:
@Zer02004, I would prefer not to activate everything on my startup list in msconfig; last time it took 5 minutes to get the system stable enough to do anything, and after 3 reboots.

Logfile of HijackThis v1.99.1
Scan saved at 19:28:01, on 14/05/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Hi Jack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://escape.forumup.com/index.php?...fe124639e58082
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: ShopperReports - Compare product prices - {946B3E9E-E21A-49c8-9F63-900533FAFE15} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 - Zer02004 (Guest) - 15-May-2006, 21:01

If you have disabled startup items using MSConfig or any other method, then I cannot guarantee that any of these instructions will work! You're probably wasting both yours and my time.
Empty all temp folders including Temporary Internet cache(s). EmpTemp is a useful tool in this respect.
Disable System Restore and reboot.
Re-run Hijackthis! and fix the following entries:

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

O9 - Extra button: ShopperReports - Compare product prices - {946B3E9E-E21A-49c8-9F63-900533FAFE15} - C:\WINDOWS\System32\shdocvw.dll

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)


Immediately reboot to Safe Mode and delete the following folder:
C:\Program Files\Toolbar

As soon as you are known to be clean, you really need to consider hardening your system and installing some preventative measures. Is XP's SP2 installed, for starters?

#15 - Captain Kirk (Guest) - 15-May-2006, 22:37

I have Service Pack 1; it will not allow me to install SP2.

I have already tried the method you suggested for deleting the Toolbar folder; it just reappears.

#16 - Zer02004 (Guest) - 15-May-2006, 23:53

This is why I need you to re-enable all startup items. I can't fix what I can't see!
If you're loath to do so, however, try the following:

Download the following to the root of your c: drive:
SmitRem.
FSReg
Run SmitRem.exe and follow the prompts. A folder will be created at C:\SmitRem\
Run FixSF.reg and follow the prompts. Answer yes when asked if you want to merge this info to the registry.
Reboot to Safe Mode and run the Control Panel>>>Add/Remove Programs applet. Remove anything that you don't know or don't use and in particular, SpyFalcon or SpyAxe if they exist.
Turn on "Show System Files" and "Show Hidden Files And Folders", turn off "Hide Extensions For Known Filetypes" and "Hide Protected Operating System Files" etc via the Control Panel>>>Folder Options>>>View applet. Click on "Apply", then "Apply To All Folders", then "OK".
Delete the following files and folders if they exist:
C:\Windows\System32\dxmpp.dll <----file
C:\Windows\System32\ginuerep.dll <----file
C:\Windows\System32\twain32.dll <----file
C:\Windows\System32\reglogs.dll <----file
C:\Windows\System32\appmagr.dll <----file
C:\Program Files\SpyFalcon <----folder

Close all open windows and enter c:\smitrem\runthis in the Start>>>Run box.
Several screens will now appear. Read what they have to say and OK them. If an uninstaller starts, OK that too and allow it to run to its conclusion.
Your desktop will now disappear, text will scroll across the screen and the Windows Disk CleanUp program will start. Please allow this to continue to its conclusion.

Download, install and update the following. Run them in Safe Mode:

A Free. Close all other windows and fix anything that it finds.
Spybot S&D. Close all other windows and fix anything it finds.
Ad-Aware. Close all other windows and fix everything it finds.

Reboot normally and visit these online AV scanners:
Kaspersky Online Scanner.
Panda Active Scan.
Trend Housecall.
Please carefully note anything that is found and post any results here.

Post another HijackThis! logfile but before doing so, ensure that no utility is used to disable any startup items!!!

Last edited by Zer02004; 16-May-2006 at 16:45.

#17 - Captain Kirk (Guest) - 16-May-2006, 15:32

Right, I have used Run\MSCONFIG to enable all startup items; I have had about 7 pop-ups about missing and corrupt files.

Here is the latest log from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 15:30:31, on 16/05/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atmclk.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\FarStone\kazaa.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Activision\Star Trek Armada II Fleet Operations\FOData\foaric.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\vzisqzef.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0000.1082\en-us\bin\WindowsSearch.exe
C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
C:\Program Files\STScreenThemes\scthemes.exe
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0000.1082\en-us\bin\WindowsSearchIndexer.exe
c:\documents and settings\adam\local settings\temp\fsg_4203.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
E:\Program Files\Hi Jack This\HijackThis.exe
E:\Program Files\Hi Jack This\HijackThis.exe

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hpB99E.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zivyh] C:\WINDOWS\zivyh.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\HbTools\Bin\4.7.3.0\HbtWeatherOnTray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\adam\local settings\temp\fsg_4203.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\c.bin\mwsoemon.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [klp] C:\WINDOWS\System32\PAL\KLP\explorer.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\FarStone\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.7.3.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [fwzij] C:\WINDOWS\fwzij.exe
O4 - HKLM\..\Run: [FleetOps ARIC] "C:\Program Files\Activision\Star Trek Armada II Fleet Operations\FOData\foaric.exe"
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [Error Safe] C:\Program Files\Error Safe Free\ers.exe /scan
O4 - HKLM\..\Run: [dpanuent] C:\WINDOWS\System32\vzisqzef.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [caowzq] c:\windows\system32\caowzq.exe
O4 - HKLM\..\Run: [bO#y-] C:\WINDOWS\nqxmq.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [1CQaS] C:\WINDOWS\nqxmq.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Error Safe] "C:\Program Files\Error Safe Free\ers.exe" /min
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\8.bin\MWSOEMON.EXE
O4 - Startup: ScreenThemes.lnk = C:\Program Files\STScreenThemes\scthemes.exe
O4 - Startup: Shortcut to dsclock.lnk = C:\Program Files\DS Clock\dsclock.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\8.bin\MWSOEMON.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0000.1082\en-us\bin\WindowsSearch.exe
O9 - Extra button: ShopperReports - Compare product prices - {946B3E9E-E21A-49c8-9F63-900533FAFE15} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/dba2218.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
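The entries Zer02004 singles out for fixing in post #14 share a few tell-tales that recur in the log above: registry references whose target file is gone ("(no file)" / "(file missing)"), autoruns launched from a temp folder, executables with random-looking names, and an O16 ActiveX download from a bare IP address. The Python script below is an added example, not code from this thread or from HijackThis itself: it parses a log in the HijackThis v1.99 format shown above and applies those four checks so a helper can triage a long log quickly. The sample log embedded in it is constructed from a handful of lines taken from this thread, and the "random name" thresholds (5 to 9 alphanumeric characters with a digit or at most one vowel) are my own heuristic, not a published rule.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 log format. The lines are modelled on the
# logs posted in this thread but assembled here as a short test input, not a real log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 15:30:31, on 16/05/2006
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\documents and settings\adam\local settings\temp\fsg_4203.exe
E:\Program Files\Hi Jack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\adam\local settings\temp\fsg_4203.exe"
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/dba2218.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                # "O4 - HKLM\..\Run: [...]"
TEMP_RE = re.compile(r"\\(local settings\\)?temp\\", re.I)  # user or system temp folder
EXE_RE = re.compile(r'(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=["\s]|$)', re.I)


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process block
                in_procs = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def o4_target(body):
    """Return the executable an O4 (autorun) entry points at, without its arguments."""
    rest = body.partition("] ")[2].strip().lstrip('"')
    m = EXE_RE.match(rest)          # tolerates unquoted paths containing spaces
    return m.group(1) if m else rest.split(" ", 1)[0]


def looks_random(stem):
    """Heuristic (my own thresholds): short alphanumeric name with digits or almost no vowels."""
    stem = stem.lower()
    if not re.fullmatch(r"[a-z0-9]{5,9}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return any(c.isdigit() for c in stem) or vowels <= 1


def triage(text):
    """Return (where, reason, line) triples for entries that deserve a second look."""
    parsed = parse_hjt(text)
    findings = []
    for proc in parsed["processes"]:
        if TEMP_RE.search(proc):
            findings.append(("process", "running from a temp directory", proc))
    for code, body in parsed["entries"]:
        if "(no file)" in body or "(file missing)" in body:
            findings.append((code, "orphaned entry, target file is gone", body))
        if code == "O4":
            target = o4_target(body)
            stem = target.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
            if TEMP_RE.search(target):
                findings.append((code, "autorun from a temp directory", body))
            elif looks_random(stem):
                findings.append((code, "autorun with a random-looking name", body))
        if code == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                findings.append((code, "ActiveX download from a bare IP address", body))
    return findings


if __name__ == "__main__":
    for where, reason, line in triage(SAMPLE_LOG):
        print(f"[{where}] {reason}\n    {line}")
```

Run against the sample it flags six lines and leaves the legitimate Java updater, the ZoneAlarm service and the ProxyOverride entry alone; the name heuristic is deliberately conservative (it passes "jusched" and "winampa") because a false positive here means someone deletes a legitimate autorun.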

#18 - Zer02004 (Guest) - 16-May-2006, 16:44

You'll have to put up with the popups for now.
You have many, many infections and you need to do exactly as I say.
Start by following the instructions in my post above!

#19 - Captain Kirk (Guest) - 17-May-2006, 02:22

I will do what you said within the next few days; my internet has stopped working for some reason, so I will get back to you shortly :)

#20 - Zer02004 (Guest) - 17-May-2006, 09:36

Your connection has failed because of the presence of several LSP hijackers. Download LSP Fix but do not run it until these hijackers are removed. Doing so may require a full reinstallation.

#21 - Captain Kirk (Guest) - 18-May-2006, 16:36

The affected computer will no longer boot up in Safe Mode, will this affect what you told me to do in previous posts?

#22 - Zer02004 (Guest) - 18-May-2006, 17:30

It's better to use Safe Mode but not necessary. I don't usually advise this, but with the sheer amount of malware that you have, a reinstall from scratch is probably a quicker, safer and better option.

You really need to learn a little about securing your system before considering your options though.

#23 - Captain Kirk (Guest) - 18-May-2006, 17:35

I don't see what is wrong; I have an antivirus program and a firewall.
I'm using:
Avast Antivirus
ZoneAlarm Firewall
Spybot S&D every fortnight
Microsoft Windows Disk Defrag every 3 months

*So far I have removed everything found by Spybot S&D: 201 files found, it could only fix 183 of them.
Ad-Aware found 210 files, removed 201 of them.

#24 - Zer02004 (Guest) - 18-May-2006, 17:43

I'm willing to carry this through with you but you have to weigh up your options.
If you want to attempt a full cleanup, carry out all above instructions to the letter and take note of what's been removed or is unable to be removed. Once you've exhausted the above procedures, post another HijackThis! log. Be aware though, this may take some time.

#25 - Captain Kirk (Guest) - 18-May-2006, 18:09

I cannot use any of the scanners; Internet Explorer does not work, so I'm having to use Netscape and Firefox, and the online scanners only use Iexplore.

Question: my PC is made up of two hard drives that have been split into 6 (six) partitions. Is it possible to copy the vital Windows files to another partition while I wipe the one infected partition, whilst still using Windows? Or is this beyond Windows' capability?

#26 - Zer02004 (Guest) - 18-May-2006, 23:56

Quote (Captain Kirk): Question: my PC is made up of two hard drives that have been split into 6 (six) partitions. Is it possible to copy the vital Windows files to another partition while I wipe the one infected partition, whilst still using Windows? Or is this beyond Windows' capability?

I'm afraid not. It's a case of kill or cure, and you have to decide which. Even if it were possible, it's certainly not advisable because of the risk of cross-infection.
Out of interest, why six partitions?

#27 - Captain Kirk (Guest) - 19-May-2006, 00:55

Quote (Zer02004): Out of interest, why six partitions?

C drive = Windows and system tools, e.g. Spybot
D drive = Downloads
E drive = Program Files
F drive = Program Files
G drive = Virtual Drive data and storage
H drive = Mixture of everything

#28 - Zer02004 (Guest) - 19-May-2006, 01:00

There is no point whatsoever in storing your program files away from your system drive.

#29 - Captain Kirk (Guest) - 19-May-2006, 01:03

I have done that for the reason that if the C drive became infected, as now, I could wipe it without losing all information.

#30 - Zer02004 (Guest) - 19-May-2006, 11:12

That is a complete fallacy! You will still need to reinstall all your programs as virtually every one copies library files, makes registry and/or ini entries and app data entries.
In other words, you gain absolutely nothing by doing this.