TechSpot

I HAVE CiD Popups, SPYLOCKED, MALWARE

By TALBERT
May 25, 2007
Topic Status:
Not open for further replies.
  1. WARNING I know NOTHING about computers!

    I have done the log thing and attached it to this thread, if that's OK.

    Please HELP!!!!!!


    I have ZLOB I








    I ONLY HATE COMPUTERS COZ THEY HATE ME LOL!
  2. momok

    momok TS Rookie Posts: 2,272

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    WinBuildThatNoun
    SpyHunter
    road draw
    user32.dll


    Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    Image ActiveX Access
    4SeekWinBuild / WinBuildThatNoun
    SpyHunter


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Image ActiveX Access\iesplg.dll
    O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Image ActiveX Access\iesbpl.dll

    O4 - HKLM\..\Run: [WinBuildThatNoun] C:\Documents and Settings\All Users\Application Data\4SeekWinBuild\build dupe.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [road draw] C:\DOCUME~1\WILLIA~1\APPLIC~1\FORDER~1\DVD OPTION START.exe
    O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Image ActiveX Access\imsmain.exe
    O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Image ActiveX Access\iesmn.exe

    O9 - Extra button: Golden Palace Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\GOLDEN~1\client.exe
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
    O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://ps.itv.mop.com/dn/files/pCastCtl-1.0.0.94_signed.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E2205CE7-9CCA-4668-8A0D-F285A7B0E69C}: NameServer = 205.188.146.145 < fix this if you do not recognise the domain to be from your ISP
    O22 - SharedTaskScheduler: equiparant - {25b7d2fd-4f71-46d1-801a-7de323e4ec82} - C:\WINDOWS\system32\indwvm.dll

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\system32\indwvm.dll

    C:\Program Files\Image ActiveX Access\
    C:\Documents and Settings\All Users\Application Data\4SeekWinBuild\
    C:\Program Files\Enigma Software Group\
    C:\DOCUME~1\WILLIA~1\APPLIC~1\Ford Error Hide

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. The utilities can be obtained from the links in my signature.

    Also let me know the results of the AVG Antirootkit scan


    Regards,
    Your friendly Momok =)

    This thread is for the use of TALBERT only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
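A consistency check for the cleanup steps in the reply above, as an added example that is not part of the original post or of HijackThis itself: it parses HijackThis-style entries and reports whether each referenced file falls under a path on the deletion list. The function names and status labels are assumptions; entries using 8.3 short names (`~`) are flagged separately because they cannot be matched against long folder names by string comparison.

```python
import re

# Entries copied from the reply above (a subset of the lines it lists).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Image ActiveX Access\iesplg.dll
O4 - HKLM\..\Run: [WinBuildThatNoun] C:\Documents and Settings\All Users\Application Data\4SeekWinBuild\build dupe.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [road draw] C:\DOCUME~1\WILLIA~1\APPLIC~1\FORDER~1\DVD OPTION START.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O22 - SharedTaskScheduler: equiparant - {25b7d2fd-4f71-46d1-801a-7de323e4ec82} - C:\WINDOWS\system32\indwvm.dll
"""

# Files and folders the reply lists for deletion (trailing backslashes dropped).
DELETE_LIST = r"""
C:\WINDOWS\system32\indwvm.dll
C:\Program Files\Image ActiveX Access
C:\Documents and Settings\All Users\Application Data\4SeekWinBuild
C:\Program Files\Enigma Software Group
C:\DOCUME~1\WILLIA~1\APPLIC~1\Ford Error Hide
""".split("\n")

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")   # section code, then the rest of the line
PATH_RE = re.compile(r"[A-Za-z]:\\.+$")     # first drive-letter path through end of line
URL_RE = re.compile(r"https?://\S+$")       # download source on O16 lines

def norm(path):
    """Case-insensitive comparison form without a trailing backslash."""
    return path.strip().rstrip("\\").lower()

def check_coverage(log, delete_list):
    """Return (section, target, status) for each parsed entry."""
    roots = [norm(d) for d in delete_list if d.strip()]
    results = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        url, path = URL_RE.search(rest), PATH_RE.search(rest)
        if url:
            results.append((section, url.group(0), "url"))
        elif path:
            target = norm(path.group(0))
            if any(target == r or target.startswith(r + "\\") for r in roots):
                status = "covered"
            elif "~" in target:
                status = "short-name"   # resolve the long name on the host first
            else:
                status = "not-covered"
            results.append((section, path.group(0), status))
    return results
```

The `road draw` entry comes back as `short-name`: its folder appears as `FORDER~1` in the log but as `Ford Error Hide` in the deletion list, so that match has to be confirmed on the machine itself.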
  3. TALBERT

    TALBERT TS Rookie Topic Starter

    Some things aren't removed like the

    O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Image ActiveX Access\iesplg.dll

    O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Image ActiveX Access\imsmain.exe



    and a few other things. My new log is attached to this.


    Thank You

    So far I think I have removed 4 out of 73 Zlob, Spylocked, CiD etc.

    It has also messed up my Internet Explorer; there is now NO bar to type a web address in!!!!!
  4. momok

    momok TS Rookie Posts: 2,272

    Hi,

    I need to see all the requested logs please. Have you followed my instructions exactly? They must be carried out in safe mode, no less.


    Regards,
    Your friendly Momok =)

  5. mdappr

    mdappr TS Rookie

    Spylocked and other malware

    I had the same problem and nothing worked including several highly regarded programs. I did find a review of a program called Spyhunter. I used the trial version and it found the Trojan horses used by Spylocked, as well as changes to my registry. I then purchased the commercial version for $29.95 and my system was cleaned up and is malware free. I'm not a geek and I know very little about operating systems, so this was a real blessing. Good luck. FYI: McAfee (which is updated) didn't detect the Trojan horse.
  6. momok

    momok TS Rookie Posts: 2,272

    Hi,

    I wouldn't recommend that program as it has a dubious repute. There are several other ways of removing spylocked, and you have the forums here to help you with that too.


    Regards,
    Your friendly momok =)
