TechSpot

Warning spyware threat has been detected on your pc

By shadowstalker
Apr 7, 2008
  1. Hi, I am having problems with "warning spyware threat has been detected on your pc", it is annoying! I can't use ctrl+alt+del, there are a lot of pop-ups and a trojandownloader.XS threat. Last night I was looking at another board with someone who was having the same problem, I tried doing what they told him and it didn't work. I have AVG4 and spyware terminator. Last night I downloaded SDFix, Hijackthis and Deckards system scan. I just searched for the deckards scan and the only thing that showed up was the report. I think I'm just making things worse....
     
  2. raybay

    raybay TS Evangelist Posts: 7,241   +9

    You are likely getting a marketing ploy, rather than a notice of an infestation.
    Check your pop-up software that should be blocking it, or the firewall... If you are using Windows Firewall, change to Comodo, Kerio, Zone Alarm or one of the others that blocks both incoming and outgoing intrusions. Kerio does not work with VISTA, and they charge for WXP, but is very good. Comodo and Zone Alarm both have free versions.
     
  3. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    Do I need Comodo, SDFix, Hijackthis and an antivirus? Should I remove anything?
     
  4. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    and spyware terminator..
     
  5. raybay

    raybay TS Evangelist Posts: 7,241   +9

    If I am right, what you have is an irritant that will be removed by the Internet Explorer pop up blocker, the Firefox pop up blocker, or Zone Alarm Free Version, or Comodo Free version.
    You should not have to remove anything. Internet Explorer 7.0 has a setting to block pop ups.
    You will also remove the cause by AVG AntiSpyware free version, but should also knock it out with Adaware 2.0.0.7, SpyBot 1.2.5, and Windows Defender scans.
    HiJackThis only reports infestations. SDFix and Spyware Terminator are not very familiar.
    If you use SDFix or Spyware Terminator, immediately shut down after scan, and reboot in Safe Mode to immediately run them again.
    If you use the ones I mentioned, you should be able to get rid of the lurking spyware that is causing the problem, but also rerun them in SafeMode if they find anything... sometimes the infestation escapes to memory so it can come back when you reboot.
     
  6. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    I installed zone alert and AVG 7.5 and went into safe mode. It didn't fix it. I can't use ctrl+alt+del (administrator error), my wallpaper is frozen with a spyware ad, and there are TONS of pop-ups. Could it be an infection? I am a beginner to this. I would like to fix it myself without having to pay a lot of $$$. Thanks!
     
  7. raybay

    raybay TS Evangelist Posts: 7,241   +9

    You should not be having pop ups if you are using Firefox or the appropriate setup of Internet Explorer with PopUp removal...so if that is the case, go to step C below

    Your AVG 7.5 was the Anti-Spyware version and didn't fix it? Unusual.
    Have you tried Windows Defender? Download from Microsoft, then run the updates, then the scan.

    Do you know, or can you figure out what software is posting the spyware message? That is a key clue to fixing this problem.

    What about the pop up stoppers from Firefox or Internet Explorer?

    Now may be the time to download the very latest version of HiJack This, and post the results on this forum. Follow the advice of experts on this forum. They are usually as good as you will get.

    If nothing is found, it may be that you have the SmitFraud infestation... though what you report is not quite right. Let's take a closer look at the Smitfraud and the SmitfraudFix

    Gurgle search for and download the SmitFraudFix

    Please cold boot your computer in Safe Mode by pressing the <F8> key repeatedly once per second as soon as you press the <ON> button.

    - Choose the first option, to run Windows in Safe Mode, then press <enter> and select your usual account.
    - Once in Safe Mode, double-click on the SmitfraudFix you have downloaded and choose option #2
    - Clean by selecting <2> and press "Enter" to delete infected files.

    SmitFraudFix will now check to discover if "wininet.dll" is infected. If you get a prompt to replace the infected file, if discovered, select "Yes" and <enter>.

    Then reboot, and run the free scans from Symantec, McAfee, Panda, and Computer Associates... They will not remove it, but will tell you if there is an infestation

    Now download and run CCleaner. Clean out everything. Close and reboot.

    Now run AVG Antispyware, Adaware 2007, Windows Defender, and SpyBot... not perfect but they are all free, and will give you some clues as to the problem

    At this point you should know if it is worse or better.


    Alternately, I would remove all spyware and antivirus software, then install AVG Antivirus, and the paid version of Spyware Doctor.
     
  8. kritius

    kritius TS Guru Posts: 2,084

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
     
  9. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:01:59 PM, on 4/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wmsdkns.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\Program Files\Sony\giga pocket\GPVSvr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\system32\regsvr32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\tazyvuvs.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Sony\giga pocket\ReserveModule.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\sony\giga pocket\gps.exe
    C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
     
  10. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
    O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\mdwtsbwf.dll
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [hivkhgja] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hivkhgja.dll"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [fctrwmre] C:\WINDOWS\system32\tazyvuvs.exe
    O4 - HKCU\..\Run: [XMLmedia 10.0] "C:\WINDOWS\System32\wmsdkns.exe"
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} (CPlayFirstDinerDashControl Object) - http://download.playfirst.com/play/game/spongebobdash/SpongeBobDinerDashWeb.1.0.0.17.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/bingame/dash/default/DinerDash.1.0.0.98.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\giga pocket\GPVSvr.exe
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 12179 bytes
     
  11. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    How do you post an attachment?
     
  12. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    Nevermind, I got it...
     
  13. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    As for the combofix, It will not let me download. One of the links has an error, the other looks like it will install, then disappears.. Also I'm getting kinda nervous downloading everything, I've downloaded a lot of different things the past two days that my memory is down to 4.25 GB..
     
  14. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    I'm trying to post the malwarebytes attachment.. Keep having problems..
     
  15. kritius

    kritius TS Guru Posts: 2,084

    hmmm, both links work for me,

    try this,

    Download and Run DSS

    Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.
    • Attach the main.txt and the extra.txt in your reply.
     
  16. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    Here's the main deckard's scan.. Still working on the extra.txt.... For some reason it's not giving it to me..
     
  17. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    OK, so I tried to get the extra.txt five times and nothing. It just let me have the main.txt that is attached on the previous post.
     
  18. kritius

    kritius TS Guru Posts: 2,084

    It was because you were running DSS from a temp folder.

    Remove Bad Programs

    • Click Start
    • Go to Control Panel
    • Go to Add/Remove Programs
    • Find and click Remove for the following (if present):

    ZTgServerSwitch


    Optional Fix

    You have ZoneAlarm Spy Blocker toolbar installed on your computer. It comes bundled with Zonealarm. Here is some information about why it is not regarded as a very useful toolbar: LINK. More information here: LINK. Decision is yours.

    If you want to uninstall ZoneAlarm Spy Blocker, this is how you can do it:

    • Click Start
    • Go to Control Panel
    • Go to Add/Remove Programs
    • Find and click Remove for the following (if present):
      • ZoneAlarm Spy Blocker

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe
    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
    O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\mdwtsbwf.dll
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [hivkhgja] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hivkhgja.dll"
    O4 - HKCU\..\Run: [fctrwmre] C:\WINDOWS\system32\tazyvuvs.exe
    O16 - DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} (CPlayFirstDinerDashControl Object) - http://download.playfirst.com/play/game/spongebobdash/SpongeBobDinerDashWeb.1.0.0.17.cab

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Delete Files and Folders
    • Right-click on the Start button and choose Explore
    • Show all hidden files and folders, see how HERE
    • Navigate to the following files and folders and delete them (if still present)
    C:\WINDOWS\System32\wmsdkns.exe<---------This File
    C:\WINDOWS\mdwtsbwf.dll<---------This File
    C:\Documents and Settings\All Users\Application Data\hivkhgja.dll<---------This File
    C:\WINDOWS\system32\tazyvuvs.exe<---------This File
    c:\program files\support.com<---------This Folder

    • Empty the recycle bin.
    If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
    ***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\WINDOWS\stcloader.exe
      C:\Program Files\stc
      C:\WINDOWS\voiceip.dll
      C:\WINDOWS\swin32.dll
      C:\WINDOWS\mssvr.exe
      C:\WINDOWS\cdsm32.dll
      C:\WINDOWS\bokja.exe
      C:\WINDOWS\mspphe.dll
      C:\WINDOWS\2020search2.dll
      C:\WINDOWS\2020search.dll
      C:\WINDOWS\system32\WER8274.DLL
      C:\WINDOWS\system32\MSIXU.DLL
      C:\Program Files\zango
      C:\Program Files\seekmo
      C:\Program Files\180search assistant
      C:\WINDOWS\updatetc.exe
      C:\WINDOWS\salm.exe
      C:\WINDOWS\180ax.exe
      C:\Program Files\180solutions
      C:\Program Files\180searchassistant
      C:\WINDOWS\saiemod.dll
      C:\WINDOWS\FLEOK
      C:\WINDOWS\system32\SIPSPI32.dll
      C:\WINDOWS\msapasrc.dll
      C:\WINDOWS\msa64chk.dll
      C:\WINDOWS\system32\shdocpe.dll
      C:\WINDOWS\system32\ntnut32.exe
      C:\WINDOWS\shdocpl.dll
      C:\WINDOWS\ntnut.exe
      C:\WINDOWS\winsb.dll
      C:\WINDOWS\shdocpe.dll
      C:\WINDOWS\browserad.dll
      C:\WINDOWS\aviwrap32.dll
      C:\WINDOWS\avisynthex32.dll
      C:\Program Files\Sysmnt
      C:\WINDOWS\avifile32.dll
      C:\WINDOWS\autodisc32.dll
      C:\WINDOWS\audiosrv32.dll
      C:\WINDOWS\ati2dvag32.dll
      C:\WINDOWS\ati2dvaa32.dll
      C:\WINDOWS\athprxy32.dll
      C:\WINDOWS\asycfilt32.dll
      C:\WINDOWS\changeurl_30.dll
      C:\WINDOWS\asferror32.dll
      C:\WINDOWS\apphelp32.dll
      C:\WINDOWS\peernet
      C:\WINDOWS\provisioning
      C:\Documents and Settings\All Users\Application Data\hivkhgja.dll
      C:\Documents and Settings\All Users\Application Data\gbirslar
      C:\WINDOWS\uprjiefj
      C:\WINDOWS\mdwtsbwf.dll
      C:\WINDOWS\rifcnixy.dll
      C:\WINDOWS\mdwtsbwf.dll
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\hivkhgja
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\fctrwmre
      
      
      
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    Run HijackThis again and post a fresh HijackThis log back with the results of OTMoveIt2
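
A minimal triage pass over a HijackThis log, as an added example that is not part of the original thread and not HijackThis's own logic: it flags the same kinds of entries picked out for fixing above (a binary chained onto UserInit, BHOs with no file, Run keys that call regsvr32 or launch from system32). The log excerpt is copied from this thread; the heuristics and the names `triage`, `ENTRY`, `BHO`, `RUN` and `PATH` are assumptions for illustration and only mark entries for manual review.

```python
import re

# Excerpt from the HijackThis log posted earlier in this thread (not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\mdwtsbwf.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [hivkhgja] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hivkhgja.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fctrwmre] C:\WINDOWS\system32\tazyvuvs.exe
O4 - HKCU\..\Run: [XMLmedia 10.0] "C:\WINDOWS\System32\wmsdkns.exe"
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN = re.compile(r"^(HK[A-Z]+)\\.*?\\Run(?:Once)?: \[(.*?)\] (.*)$")
PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|vbs)', re.IGNORECASE)


def triage(log_text):
    """Return (section, reason, subject) tuples for entries worth a manual look.

    The rules are illustrative heuristics (assumptions), not HijackThis logic.
    """
    findings = []
    userinit_extras = set()  # F2 precedes O4 in a HijackThis log, so one pass works
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, payload = m.groups()

        if section == "F2" and "UserInit=" in payload:
            # Anything after userinit.exe in this value also runs at every logon.
            for part in payload.split("UserInit=", 1)[1].split(","):
                part = part.strip()
                if part and not part.lower().endswith("\\userinit.exe"):
                    userinit_extras.add(part.lower())
                    findings.append(("F2", "extra binary chained onto UserInit", part))

        elif section == "O2" and (b := BHO.match(payload)):
            name, clsid, target = b.groups()
            if target == "(no file)":
                findings.append(("O2", "BHO registered but its DLL is missing", clsid))
            elif name == "(no name)" and re.fullmatch(r"c:\\windows\\[^\\]+", target.lower()):
                findings.append(("O2", "unnamed BHO loaded from the Windows directory", clsid))

        elif section == "O4" and (r := RUN.match(payload)):
            hive, value_name, command = r.groups()
            p = PATH.search(command)
            target = p.group(0).lower() if p else ""
            reasons = []
            if command.lower().startswith("regsvr32"):
                reasons.append("Run key invokes regsvr32")
            if target in userinit_extras:
                reasons.append("same binary as the UserInit extra")
            if hive == "HKCU" and target.startswith("c:\\windows\\system32\\"):
                reasons.append("per-user autorun from system32")
            if reasons:
                findings.append(("O4", "; ".join(reasons), value_name))
    return findings


if __name__ == "__main__":
    for section, reason, subject in triage(SAMPLE_LOG):
        print(f"{section:3} {subject:45} {reason}")
```

Legitimate entries in the excerpt (the Adobe and Microsoft Money BHOs, HTpatch, AVG, Messenger) pass through unflagged; anything that is flagged still needs a person to confirm it before removal.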
     
  19. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    I deleted the remaining files and folders. Do I need to undo the "show all hidden files and folders"?
     
  20. kritius

    kritius TS Guru Posts: 2,084

    Yes rehide them.
     
  21. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



    What are the "file paths below"?
     
  22. kritius

    kritius TS Guru Posts: 2,084

    Apologies, the program recently updated and they took one of the features out, all you need to do is paste it into the left hand window and hit moveit!
     
  23. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    hijack and moveit logs.
     
  24. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    kritius,
    Thank You for all your help! My computer is running smoothly.
    Warm Regards,
    shadow
     
  25. shadowstalker

    shadowstalker TS Rookie Topic Starter Posts: 36

    OK.. Here's the deal.. I had a problem with spyware back in April, Kritius helped me out, and my computer was running great until about two weeks ago, it started running slow, and now it is freezing up and there are TONS of popups even though my blocker is on.
    Attached is a malwarebytes' report, and a hijackthis report.
    Also should I start a new thread, if so what should I name the thread??
    Thanks!!
     
Topic Status:
Not open for further replies.
