I HAVE CiD Popups, SPYLOCKED, MALWARE

Status
Not open for further replies.
WARNING I know NOTHING about computers!

I have done the log thing and attached it to this thread, if that's OK.

Please HELP!!!!!!


I have ZLOB I

I ONLY HATE COMPUTERS COZ THEY HATE ME LOL!
 
Hi,

You may wish to copy and paste these instructions into Notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

WinBuildThatNoun
SpyHunter
road draw
user32.dll


Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

Image ActiveX Access
4SeekWinBuild / WinBuildThatNoun
SpyHunter


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Image ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Image ActiveX Access\iesbpl.dll

O4 - HKLM\..\Run: [WinBuildThatNoun] C:\Documents and Settings\All Users\Application Data\4SeekWinBuild\build dupe.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [road draw] C:\DOCUME~1\WILLIA~1\APPLIC~1\FORDER~1\DVD OPTION START.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Image ActiveX Access\imsmain.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Image ActiveX Access\iesmn.exe

O9 - Extra button: Golden Palace Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\GOLDEN~1\client.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://ps.itv.mop.com/dn/files/pCastCtl-1.0.0.94_signed.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E2205CE7-9CCA-4668-8A0D-F285A7B0E69C}: NameServer = 205.188.146.145 < fix this if you do not recognise the domain to be from your ISP
O22 - SharedTaskScheduler: equiparant - {25b7d2fd-4f71-46d1-801a-7de323e4ec82} - C:\WINDOWS\system32\indwvm.dll

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\system32\indwvm.dll

C:\Program Files\Image ActiveX Access\
C:\Documents and Settings\All Users\Application Data\4SeekWinBuild\
C:\Program Files\Enigma Software Group\
C:\DOCUME~1\WILLIA~1\APPLIC~1\Ford Error Hide

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. The utilities can be obtained from the links in my signature.

Also let me know the results of the AVG Antirootkit scan.


Regards,
Your friendly Momok =)

This thread is for the use of TALBERT only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
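
A way to check a follow-up log against the fix list in the post above, as an added example that is not part of the original thread: it parses HijackThis lines, reports which flagged entries are still present, and notes whether each file sits in a folder that should already have been deleted. The FRESH_LOG sample (including its ExampleUpdater line) is constructed, and the function names are assumptions.

```python
import re

# Entries the helper asked to fix, copied from the post above (subset).
FIX_LIST = r"""
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Image ActiveX Access\iesplg.dll
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Image ActiveX Access\imsmain.exe
O22 - SharedTaskScheduler: equiparant - {25b7d2fd-4f71-46d1-801a-7de323e4ec82} - C:\WINDOWS\system32\indwvm.dll
"""
# Folders the post says to delete afterwards (subset).
DELETE_DIRS = [r"C:\Program Files\Image ActiveX Access",
               r"C:\Program Files\Enigma Software Group"]
# Constructed follow-up log: two flagged entries survive, one unrelated line is new.
FRESH_LOG = r"""
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Image ActiveX Access\iesplg.dll
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Image ActiveX Access\imsmain.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.+)$")   # section code, then the detail
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")        # first drive-letter path to end of line

def parse(log):
    """Return {(section, lowercased path): original line} for each entry."""
    entries = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                            # blank or non-entry line
        p = PATH_RE.search(m.group(2))
        target = (p.group(0) if p else m.group(2)).strip().lower()
        entries[(m.group(1), target)] = raw.strip()
    return entries

def persisting(fix_list, fresh_log):
    """Keys from the fix list that still appear in the fresh log."""
    fresh = parse(fresh_log)
    return [key for key in parse(fix_list) if key in fresh]

def under_deleted_dir(path):
    """True if the file lives in a folder the instructions said to delete."""
    return any(path.startswith(d.lower() + "\\") for d in DELETE_DIRS)

def report():
    """(section, path, folder_still_present) for every surviving flagged entry."""
    return [(s, p, under_deleted_dir(p)) for s, p in persisting(FIX_LIST, FRESH_LOG)]

if __name__ == "__main__":
    for section, path, leftover in report():
        print(section, path, "(folder not deleted)" if leftover else "")
```

A surviving entry whose file is still inside a folder from the delete list points at the deletion step not having taken effect, rather than at the HijackThis fix alone.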
 
Some things aren't removed like the

O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Image ActiveX Access\iesplg.dll

O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Image ActiveX Access\imsmain.exe



and a few other things. My new log is attached to this.


Thank You

So far I think I have removed 4 out of 73 Zlob, Spylocked, Cid etc.

It has also messed up my Internet Explorer; there is now NO bar to type a web address in!!!!!
 
Hi,

I need to see all the requested logs please. Have you followed my instructions exactly? They must be carried out in safe mode, no less.


Regards,
Your friendly Momok =)

 
Spylocked and other malware

I had the same problem and nothing worked including several highly regarded programs. I did find a review of a program called Spyhunter. I used the trial version and it found the Trojan horses used by Spylocked, as well as changes to my registry. I then purchased the commercial version for $29.95 and my system was cleaned up and is malware free. I'm not a geek and I know very little about operating systems, so this was a real blessing. Good luck. FYI: McAfee (which is updated) didn't detect the Trojan horse.
 
Hi,

I wouldn't recommend that program as it has a dubious repute. There are several other ways of removing Spylocked, and you have the forums here to help you with that too.


Regards,
Your friendly momok =)

 