TechSpot

Xoftspy - same problem as B Smithers

By duracell
Apr 17, 2007
  1. I ran the usual Xoftspy scan on 12th April and it showed up that I had murlo trojan in the following files. They return on each reboot despite my having removed them. I've downloaded and run all the suggestions given in an earlier post and none of the programs find the murlo trojan. Hubby even linked me to his laptop and checked with Norton - but the full scan took 6 hours to run and then found nothing.

    system\ip6fw\enum0
    system\ip6fw\count
    system\ip6fw\nextinst

    Is there a default value for these registry entries or have you discovered how to remove them?

    REALLY struggling with this one.
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Never mind this post; Howard seems to know what he's doing more than I do. ;)

    Regards :)
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    As you're no doubt aware, I've been searching for a solution to this problem for several days, without success. The latest idea I have is to try the following and post the results. Maybe if I can find the source of the infection, I'll be able to suggest a way to get rid of it.

    Please run the Kaspersky online scanner and post the logfile.

    Regards Howard :)

    This thread is for the use of duracell only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. duracell

    duracell TS Rookie Topic Starter

    Log file Kaspersky

    Hi again,

    I ran the scan on the critical areas (hope that was right) and here is the log file.

    Good luck in your search for a fix.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please run the scanner again and have it scan your entire system, not just the critical areas. Post a fresh scan log.

    Regards Howard :)

     
  6. duracell

    duracell TS Rookie Topic Starter

    Kaspersky Full Scan

    Hi Howard,

    Here's the full scan of my computer. I've had to stop using Outlook as an email coming in is closing Outlook even before I get a chance to delete it. I logged onto my mail account online and there is no sign of this email on their server. It says from "none" and has nothing in the subject line. I don't know if it's significant, but it might be. Fingers crossed.

    Thanks lots

    Lorna
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Uninstall Windows Defender from add remove programmes (if there).

    Empty your recycle bin.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop; this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

     
  8. duracell

    duracell TS Rookie Topic Starter

    What's the hjt log?

    Hi Howard,

    I've printed out the instructions and will start the process asap, but what is a hjt log? Told you I was a dumb mum didn't I.

    Rgds,

    Lorna
     
  9. duracell

    duracell TS Rookie Topic Starter

    Avenger

    Hi again Howard,

    I've attached the Avenger text file and the hjt log.

    I finally got a reply from Xoftspy (see below). I'm not convinced as why would I get the trojan warnings and then immediately have problems with Outlook? Could it be a coincidence that the version of Xoftspy I'm using is now discontinued and the newer XoftspySE claims to fix everything? Or am I just a suspicious old sod?

    Thanks again

    Lorna:)


    Xoftspy response

    Posted On: 18 Apr 2007 01:44 PM

    --------------------------------------------------------------------------------
    Hello Lorna,

    Thank you for your email and the information you have provided.

    We have identified this item as a false positive and this item will be removed from our definitions database in the near future.

    In the meantime, please add it to your XoftSpy ignore list to prevent further detection. Should we make the decision to leave it in our database, it is your choice to leave it on your XoftSpy ignore list to prevent further detection or to have it detected.

    **Please note that XoftSpy is now discontinued. We recommend copying the product to CD should you wish to continue using as the below link will only be available for a small period of time.

    http://support.paretologic.com/xoftspy_setup.exe

    However, updates and support for our legacy package will continue until May 1, 2007.

    ParetoLogic is pleased to announce the next generation of XoftSpy, XoftSpySE. Built on the platform of our popular legacy product, XoftSpy, XoftSpySE features the effectiveness and ease of use that characterizes ParetoLogic products, while employing the latest advances in technology and innovation.
    Powered by our groundbreaking Zheng Research Technology, XoftSpySE provides you with unparalleled anti-spyware protection at the fastest scan and remove speeds available.

    XoftSpySE is an advanced anti-spyware program designed to scan the user's complete computer system including running processes, registry entries, files and folders. Fast, powerful and easy to use, XoftSpySE detects and removes adware, spyware, trojans, browser hijackers, spyware pop-ups, malware, and keyloggers. Subscribers receive automatic spyware definition updates, program feature updates and comprehensive customer support.

    As our valued XoftSpy customer, we wish to offer a complimentary one-year subscription to our new XoftSpySE anti-spyware application. After your first year has expired, you may renew your subscription for the low price of $14.95 USD.

    In order to take advantage of this time-limited offer, please respond to this email, ensuring that you include:
    First name:
    Last name:
    Valid email address:
    State/Province:
    Country of Residence:

    We look forward to serving you as a new XoftSpySE subscriber!

    We appreciate your business and the opportunity to be of assistance to you. Should you require further assistance or information, please don't hesitate to contact us.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Thank you for the info on Xoftspy, it really is very much appreciated.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    WSBar

    Close control panel.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

    O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\PROGRA~1\Wanadoo\WSBar (delete the entire folder)

    Reboot your system.

    Other than the above, your HJT log is clean.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  11. duracell

    duracell TS Rookie Topic Starter

    Thank you lots and lots

    Hi Howard,

    I've completed all the instructions and have a nice clean computer. :giddy: I don't use Windows restore as it contributed to a viral reinfection last year, but I do back up all my files at least once a week and have backups of any software installed. So a dumb mum - but smart enough to back up.

    I am so glad I found this site and have learned quite a bit through both the advice given and reading some of the forum entries.

    I've now installed Spyware Detector and dumped Xoftspy and have installed ZoneAlarm and disabled Windows Firewall to try and improve my protection.

    Give yourself a big pat on the back :wave:

    Thank you lots and lots and lots ......................

    Best regards,

    Lorna
    xx
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem, I'm glad I could help.

    I hope you don't mind, but I quoted your reply from the makers of Xoftspy in this thread HERE, see my last reply and update in that thread.

    Once again, thanks for the invaluable info.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
