Need help removing spyware/adware [RESOLVED] - Geeks to Go Forums

Need help removing spyware/adware [RESOLVED] helping to fix someone's computer

#1 Rybo

  • Group: Member
  • Posts: 24
  • Joined: 13-April 06

Posted 13 April 2006 - 08:00 PM

I ran the panda scan and saw that this person had winfixer, so I ran the vundo fix. I'm sure there is probably other stuff on here as well. Any help would be appreciated.

Panda Scan:


Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@ad.yieldmanager[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@adultfriendfinder[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@advertising[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@atwola[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@bfast[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@doubleclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@fastclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@hitbox[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@landing.domainsponsor[1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@linksynergy[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@mediaplex[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@revenue[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@server.iad.liveperson[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@stats1.reliablestats[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@tribalfusion[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@winfixer[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Jeffrey\Cookies\jeffrey@z1.adserver[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@ads.pointroll[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@adultfriendfinder[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@advertising[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@as-eu.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@belnk[2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@bfast[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@bluestreak[2].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@burstnet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@casalemedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@com[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@cs.sexcounter[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@doubleclick[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@landing.domainsponsor[1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@linksynergy[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@revenue[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@rn11[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@serving-sys[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@stats1.reliablestats[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@statse.webtrendslive[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@tribalfusion[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@valueclick[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@winfixer[21].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@www.burstbeacon[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@www.myaffiliateprogram[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jenniferrr\Cookies\jenniferrr@zedo[2].txt
Potentially unwanted tool:Application/iWon Not disinfected C:\Program Files\iWon\iWonSlot\1.bin\IWONSLOT.DLL
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Program Files\WinFixer\prcheck.dll
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Program Files\WinFixer\wfxcwr.exe
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32a.sys
Spyware:Cookie/Linksynergy Not disinfected C:\WINDOWS\Temp\Cookies\jeffrey@linksynergy[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\WINDOWS\Temp\Cookies\jeffrey@stats1.reliablestats[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\WINDOWS\Temp\Cookies\jeffrey@statse.webtrendslive[2].txt
Vundo fix file:


VundoFix V4.2.68

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Scan started at 9:46:10 PM 4/13/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.bak1
C:\WINDOWS\system32\wycdd.bak2
C:\WINDOWS\system32\wycdd.ini2
C:\WINDOWS\system32\wycdd.tmp

C:\WINDOWS\SYSTEM32\wycdd.bak1
C:\WINDOWS\SYSTEM32\wycdd.bak2
C:\WINDOWS\SYSTEM32\wycdd.tmp
C:\WINDOWS\SYSTEM32\wycdd.ini
C:\WINDOWS\SYSTEM32\wycdd.ini2
C:\WINDOWS\SYSTEM32\ddcyw.dll
C:\WINDOWS\SYSTEM32\wycdd.ini2
C:\WINDOWS\SYSTEM32\wycdd.bak2
C:\WINDOWS\SYSTEM32\wycdd.tmp
C:\WINDOWS\SYSTEM32\wycdd.ini
C:\WINDOWS\SYSTEM32\wycdd.ini2
C:\WINDOWS\SYSTEM32\ddcyw.dll
Attempting to delete C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\ddcyw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wycdd.bak1
C:\WINDOWS\system32\wycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wycdd.bak2
C:\WINDOWS\system32\wycdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wycdd.ini2
C:\WINDOWS\system32\wycdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wycdd.tmp
C:\WINDOWS\system32\wycdd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:59 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\camera\HP Share-to-Web\hpgs2wnd.exe
C:\camera\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\camera\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\camera\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\camera\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NI.UWFX6_0001_N69M1503] "C:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\05KNSB0N\WinFixer2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 13 April 2006 - 08:41 PM

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NI.UWFX6_0001_N69M1503"=-


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.


Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\Program Files\iWon\iWonSlot\1.bin\IWONSLOT.DLL
C:\Program Files\WinFixer\prcheck.dll
C:\Program Files\WinFixer\wfxcwr.exe
C:\WINDOWS\smdat32a.sys
C:\Program Files\WinFixer\
C:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\05KNSB0N\WinFixer2006FreeInstall[1].exe


If you get a PendingOperations message, just close it and restart your computer manually.

Restart and run a new Panda scan. Post that log here along with a new HijackThis log.
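
The fix above comes down to two steps: find the O4 (Run key) entry that auto-starts a program from an unusual directory, and remove that registry value with a REGEDIT4 file whose `"name"=-` syntax deletes the value. The script below is an added example written for this thread, not a tool from Geeks to Go, HijackThis or the poster: it parses O4 Run lines in HijackThis 1.99 format, flags entries whose program lives in a browser cache or temp directory (a heuristic chosen here, not a HijackThis rule), and emits the same kind of delete.reg shown in the reply. The sample lines are copied from the log posted earlier in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: four O4 lines copied from the HijackThis log posted
# in this thread (the Global Startup line is deliberately ignored by the parser).
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe",
    r'O4 - HKLM\..\Run: [NI.UWFX6_0001_N69M1503] "C:\Documents and Settings\Jeffrey\Local Settings\Temporary Internet Files\Content.IE5\05KNSB0N\WinFixer2006FreeInstall[1].exe" -nag',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Global Startup: Digital Line Detect.lnk = ?",
]

# HijackThis abbreviates the hive; a .reg file needs the full name.
HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Directories a legitimate product almost never auto-starts from.
# Heuristic chosen for this example (assumption), not a HijackThis rule.
SUSPICIOUS_DIR_MARKERS = (
    "\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# Unquoted path: everything up to the first executable-looking extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|pif|bat|cmd|vbs))(?=\s|$)", re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str        # "HKLM" or "HKCU"
    value_name: str  # registry value name shown in [brackets]
    command: str     # full command line as logged
    path: str        # program path extracted from the command


def executable_path(command: str) -> str:
    """Extract the program path from a Run command line (quoted or bare)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def parse_o4_run_line(line: str) -> Optional[RunEntry]:
    """Parse an 'O4 - HKLM\\..\\Run:' line; return None for any other line."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    hive, name, command = m.groups()
    return RunEntry(hive, name, command, executable_path(command))


def is_suspicious_location(path: str) -> bool:
    """True when the program auto-starts from a browser cache or temp directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in SUSPICIOUS_DIR_MARKERS)


def review(lines: List[str]) -> List[RunEntry]:
    """Return the Run entries that start a program from a suspicious directory."""
    entries = (parse_o4_run_line(line) for line in lines)
    return [e for e in entries if e is not None and is_suspicious_location(e.path)]


def build_delete_reg(entries: List[RunEntry]) -> str:
    """Emit a REGEDIT4 file removing the given Run values ("name"=- deletes a
    value), in the same form as the delete.reg posted in this thread."""
    out = ["REGEDIT4"]
    for hive in ("HKLM", "HKCU"):
        names = [e.value_name for e in entries if e.hive == hive]
        if not names:
            continue
        out.append("")
        out.append(f"[{HIVE_NAMES[hive]}\\{RUN_KEY}]")
        out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    flagged = review(SAMPLE_HJT_LINES)
    for e in flagged:
        print(f"{e.hive} Run value [{e.value_name}] starts {e.path}")
    print(build_delete_reg(flagged))
```

Run against the sample lines it flags only the WinFixer installer living under Temporary Internet Files and prints a delete.reg identical in form to the one above; the Java updater and Messenger entries pass because they start from Program Files. Exporting the registry first, as the reply says, remains the safety net, since a `"name"=-` line is irreversible once merged.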

#3 Rybo

  • Group: Member
  • Posts: 24
  • Joined: 13-April 06

Posted 13 April 2006 - 11:02 PM

Thanks for the help. I ran the killbox, but I really need to get to bed now, so I'll post the new pandascan and HJT log tomorrow morning or afternoon.

#4 Rybo

  • Group: Member
  • Posts: 24
  • Joined: 13-April 06

Posted 14 April 2006 - 05:39 AM

Panda scan:


Incident Status Location

Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys



HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:36:02 AM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\camera\HP Share-to-Web\hpgs2wnd.exe
C:\camera\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\camera\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\system32\verclsid.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\camera\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\camera\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#5 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 14 April 2006 - 08:10 AM

Delete this file:

C:\WINDOWS\smdat32m.sys

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#6 Rybo

  • Group: Member
  • Posts: 24
  • Joined: 13-April 06

Posted 14 April 2006 - 12:26 PM

The computer seems to be clean. Thanks for the help. There's one more question though. For whatever reason the IE web browser hasn't been responding to internet addresses being entered into the address bar. You can select an address already in the drop down menu, and everything works fine, but when you try to type a web address in and hit enter, nothing happens. Do you have any idea what the problem could be?

#7 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 14 April 2006 - 01:34 PM

Was this happening before also?

Not sure what could have caused that problem. Do the below:

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

Make sure you turn off any antivirus programs you have running while performing the online scan below. Using Internet Explorer, run a virus scan at http://www.kaspersky.com/virusscanner Click on 'Launch Kaspersky Anti-Virus Web Scanner' and install the ActiveX component from Kaspersky. Click Yes and it will begin downloading the latest definition files. Once that's done, click on 'Scan Settings' and make sure the following are selected:

Scan using the following Anti-Virus database:
- Extended

Scan Options:
- Scan Archives
- Scan Mail Bases

Click OK. Now under select a target to scan, select 'My Computer'. It will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the 'Save as Text' button. Save the file to your desktop. Copy and paste that information in your next post.

#8 Rybo

  • Group: Member
  • Posts: 24
  • Joined: 13-April 06

Posted 14 April 2006 - 03:28 PM

Kaspersky Scan results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, April 14, 2006 5:19:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 14/04/2006
Kaspersky Anti-Virus database records: 188150
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51861
Number of viruses found: 13
Number of infected objects: 16
Number of suspicious objects: 2
Duration of the scan process: 00:30:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip/asmend.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip ZIP: suspicious - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP509\A0053918.EXE Infected: not-a-virus:AdWare.Win32.MyWay.b skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP509\A0053919.DLL Infected: not-a-virus:AdWare.Win32.IWon skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP509\A0053956.DLL Infected: not-a-virus:AdWare.Win32.IWon.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054364.exe Infected: not-a-virus:AdWare.Win32.Altnet.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054366.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054367.dll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054368.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054369.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054370.exe Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054372.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054373.dll Infected: not-a-virus:AdWare.Win32.Altnet.j skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054374.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054375.exe Infected: not-a-virus:AdWare.Win32.Altnet.g skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054377.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0054528.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.av skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP523\A0055248.DLL Infected: not-a-virus:AdWare.Win32.IWon skipped

Scan process completed.

#9 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 14 April 2006 - 05:48 PM

Go to Spybot->Recovery and check everything listed there. Click Purge button...

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Was this problem with the address bar not working happening before? Did SFC find anything?
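The purge steps above work because the scanner can only report, not clean, objects inside System Volume Information and Spybot's Recovery folder. As an added example (not from the thread), this Python parser reads the Kaspersky On-line Scanner report layout and sorts each detection by where it lives, so the live files stand out from the copies that the purge steps will clear; the sample lines are constructed in the same layout, with a placeholder GUID and a placeholder live-file path.

```python
import re
from collections import Counter

# One detection per line: "<path> Infected: <name> <action>" or "<path> Suspicious: <name> <action>".
# Paths may contain spaces; a "/" inside the path marks a member of an archive.
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<kind>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$")

# Constructed sample in the report's layout (GUID and live-file path are placeholders).
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip/asmend.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip ZIP: suspicious - 1 skipped
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP518\A0054364.exe Infected: not-a-virus:AdWare.Win32.Altnet.h skipped
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP523\A0055248.DLL Infected: not-a-virus:AdWare.Win32.IWon skipped
C:\WINDOWS\system32\constructed-example.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.av skipped

Scan process completed.
"""

def classify(path: str) -> str:
    """Where a detection sits decides which cleanup step removes it."""
    p = path.lower()
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"    # cleared by turning System Restore off, then on again
    if "\\spybot - search & destroy\\recovery\\" in p:
        return "spybot_recovery"  # cleared by Spybot -> Recovery -> Purge
    return "live"                 # still on disk; needs real removal

def parse_report(text: str):
    """Return (findings, unparsed). Archive summary lines such as 'ZIP: suspicious - 1' are unparsed."""
    findings, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Infected Object Name") or line.startswith("Scan process"):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        d = m.groupdict()
        d["location"] = classify(d["path"])
        d["in_archive"] = "/" in d["path"]
        findings.append(d)
    return findings, unparsed

def summarize(text: str) -> dict:
    """Count detections per location plus how many the scanner merely skipped."""
    findings, unparsed = parse_report(text)
    return {
        "by_location": dict(Counter(f["location"] for f in findings)),
        "skipped": sum(f["action"] == "skipped" for f in findings),
        "unparsed": len(unparsed),
    }
```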

#10 Rybo

  • Group: Member
  • Posts: 24
  • Joined: 13-April 06

Posted 14 April 2006 - 05:58 PM

greyknight17, on Apr 14 2006, 07:48 PM, said:

Was this problem with the address bar not working happening before? Did SFC find anything?


Apparently my mom was experiencing the same problem before I even took over trying to clean the computer. We can't do anything with spybot, because we've already uninstalled it. In regards to the SFC, it did the scan, finished, and then closed itself, so I guess it found nothing wrong. Right now, we're clearing system restore, and we're thinking about uninstalling and reinstalling Internet Explorer. Do you think that would fix it?

#11 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 14 April 2006 - 06:12 PM

There is no "real" way to uninstall Internet Explorer. SFC should have seen something wrong with it (if there was something wrong - like a critical missing or corrupted file). You can try repairing Internet Explorer via the Add/Remove panel (if it's listed there).

We can check to make sure it's not spyware or a virus doing this...

Did you run Ad-aware SE yet? If not, please do so now. Then after you are done, run the Panda scan also:

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

#12 Rybo

  • Group: Member
  • Posts: 24
  • Joined: 13-April 06

Posted 15 April 2006 - 09:27 AM

We fixed the problem by reinstalling Windows XP, so everything is fine now. Thanks for all the help. :whistling:

#13 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 15 April 2006 - 10:43 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
