[madkemikaldeath]

a prog i do not know the name of has hijacked my pc......my desktop, task manager, sysstem restore have all been disabled.......pop ups are constantly warning me i have been infected by spyware.......and direct me to a website called worldantispy.com to buy thir product.......i am unable to remove it , have tried all recommended removal tools and progs and more.....even disabling it in msconfig startup and deleting all registry items does not remove it , when i restart my pc it is back........any help would be much appreciated

[Advertisements]

Hi madkemikaldeath and welcome to GeeksToGo!


If you are having malware issues, please got to the following site and follow all the instructions carefully.


You Must Read This Before Posting A Hijackthis Log

this will help you clean up to 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post a hijackthis log in THIS thread.

Thanks,



Excal

[Excal]

Hi madkemikaldeath and welcome to GeeksToGo!


If you are having malware issues, please got to the following site and follow all the instructions carefully.


You Must Read This Before Posting A Hijackthis Log

this will help you clean up to 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post a hijackthis log in THIS thread.

Thanks,



Excal

[madkemikaldeath]

thank you
i ahave already tried all that....and more
where do i get the solution to the missing 30% of problems?

[Excal]

Hi,

well the other part of the directions is to post your hijackthis log in this thread so i can help you with the 30%


thanks,



Excal

[madkemikaldeath]

gracias

here it is

Logfile of HijackThis v1.99.1
Scan saved at 17:54:32, on 17/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bentley\ProjectWise\bin\pwc.exe
C:\Program Files\Bentley\Program\MicroStation\ustation.exe
C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
C:\WINDOWS\TEMP\was_pi.exe
C:\WINDOWS\TEMP\is-U7O9O.tmp\is-Q4UHV.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\maldonado_p\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Llewelyn-Davies
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\System32\desktop.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\explorer6s4.exe
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://demos.webex....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ldavies.com
O17 - HKLM\Software\..\Telephony: DomainName = ldavies.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ldavies.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ldavies.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

[Excal]

Before we get started, what can you tell me about this program.

WorldAntiSpy = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe

Thanks,



Excal

[Excal]

DOWNLOAD PROGRAMS

Download and install CleanUp! Here
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
O4 - HKLM\..\RunServices: [desktop] C:\WINDOWS\System32\desktop.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\explorer6s4.exe
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb001

7. click the Fix Checked box

8. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

WorldAntiSpy

9. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\WorldAntiSpy

10. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\explorer6s4.exe
C:\WINDOWS\System32\desktop.exe

11. Run the program CleanUp!

12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

[madkemikaldeath]

not much im afraid.....it has installed and displays in my taskbar.....i can only get rid of it by disabling it in msconfig....but it is still in my c/programme files....
thanks

[Excal]

Have you done the fix that i prescribed?



Excal

[madkemikaldeath]

hello there
i followed your instructions but no luck the prog is still there
do u think you can help me?
im on the verge of formating my pc.....which i a desperately dont want to do
please help

[Excal]

Please post me a fresh HiJackthis log.


Thanks,


Excal

[Excal]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.