Attack of the Killer Spyware - send re-inforcements

Discussion in 'Malware Help (A Specialist Will Reply)' started by thecrofter, Mar 25, 2005.

  1. thecrofter

    thecrofter Private E-2

    Here I am with another tale of woe looking for one of you kind people to help out.

I've run the various scans as described in the tutorial (Trend Micro came up with Troj_istbar.dk, Troj_dldr.dll, Troj_swizzor.da and troj_dloader.bb). I've run all the other scans, done the CCleaner, then Adaware and Spybot.

    When I boot back up to normal mode, the first time I connect and open IE I get the lop toolbar back, and I suspect it won't be long until all the other nasties return. I've run HijackThis and have two logs. Two logs because I noticed while I was in safe mode and doing the scanning that one of the user accounts (which is password protected) was not being included in the search, so I've followed all the procedures while logged on in each user account including Admin.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Download the following removal tool:

    Second:
    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

     
  3. thecrofter

    thecrofter Private E-2

    Thanks for your response. I'll follow the instructions and post the log as soon as possible.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Will be awaiting results & log.
     
  5. thecrofter

    thecrofter Private E-2

    OK, I've run FxIstBar.exe (again logged on in all users) and I've re-run TrendMicro; none of them found anything. Here are the logs from HijackThis (I've run it in a couple of different user accounts, as I said when I run a scan it does not seem to see one particular user who is password protected).
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    MessengerPlus! 3

    Ares ←–– It's up to you, but I would get rid of this one!

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    MsgPlus.exe

    Ares.exe

    rmsbo.exe

    iexplore.exe ←–– End this process because you were instructed to close ALL browsers!

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O4 - HKLM\..\Run: [RplfcwVr8] C:\WINDOWS\rmsbo.exe
    O4 - HKLM\..\Run: [-] C:\WINDOWS\rmsbo.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [Bias Third Cast Test] C:\Documents and Settings\All Users\Application Data\This pure bias third\Beep Load.exe
    O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\svchst.exe /i
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\MessengerPlus! 3 ←–– Delete this whole folder if it exists!

    C:\Program Files\Ares ←–– Delete this whole folder if it exists!

    C:\WINDOWS\rmsbo.exe

    C:\WINDOWS\svchst.exe

    C:\Documents and Settings\All Users\Application Data\This pure bias third\Beep Load.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
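An added example, not from this thread or from HijackThis itself: a small Python parser for the O4 Run-key lines in the fix list above. It groups entries by executable and flags the two patterns visible in this post, one binary registered under several Run values (rmsbo.exe) and executables sitting directly in C:\WINDOWS (rmsbo.exe, svchst.exe). The sample lines are copied from this post, with the line-broken `[-` value name written as `[-]`.

```python
import re
from collections import defaultdict

# Constructed sample: the O4 Run-key lines from the fix list in this thread.
# The line-broken "[-" value name is written here as "[-]".
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RplfcwVr8] C:\WINDOWS\rmsbo.exe
O4 - HKLM\..\Run: [-] C:\WINDOWS\rmsbo.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\svchst.exe /i
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.+)$")
# Command line starts with either a quoted path or an unquoted path ending in .exe
PATH_RE = re.compile(r'^"([^"]+)"|^(\S+?\.exe)', re.IGNORECASE)

def parse_o4(line):
    """Return {hive, name, path, args} for one O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, cmd = m.groups()
    pm = PATH_RE.match(cmd)
    if not pm:
        return None
    path = pm.group(1) or pm.group(2)
    return {"hive": hive, "name": name, "path": path, "args": cmd[pm.end():].strip()}

def parse_log(text):
    return [e for e in (parse_o4(l) for l in text.splitlines()) if e]

def review(entries):
    """Map lower-cased executable path -> reasons it deserves a closer look."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"].lower()].append(e["name"])
    reasons = defaultdict(list)
    for path, names in by_path.items():
        if len(names) > 1:  # rmsbo.exe: two Run values pointing at one binary
            reasons[path].append(f"same binary under {len(names)} Run values {names}")
        if path.rsplit("\\", 1)[0] == r"c:\windows":  # rmsbo.exe, svchst.exe
            reasons[path].append("executable dropped directly in the Windows folder")
    return dict(reasons)

if __name__ == "__main__":
    for path, why in review(parse_log(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(why))
```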
     
  7. thecrofter

    thecrofter Private E-2

    We're looking pretty good so far BJ. Followed all your instructions; the only slight problems were: I couldn't close iexplore.exe (it kept re-running itself), there were no rmsbo.exe or svchst.exe in the Windows folder, and Spybot found ErrorGuard and fixed it. Everything else was OK. I've re-run HJT and attached 2 logs again. Thanks for your help.
     

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This is for hijackthisneil.log so login to this account to run this fix.

    Have HJT fix the below entry:

    O4 - HKCU\..\Run: [long1] C:\DOCUME~1\Neil\APPLIC~1\GLOBAL~1\forkjoylies.exe

    After fixing the below entry, search for the file forkjoylies.exe and delete when found.

    Also, Run CCleaner

    Other than this your logs look clean! Are you having any further problems?
     
  9. thecrofter

    thecrofter Private E-2

    When I re-ran Avast it came up with a couple of trojans, but it cleaned them and they have not re-appeared so far. I'll do the HJT thing as suggested and keep a look out. Thanks again.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! If you found some Trojans, let's do the following:

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    Let me know the results!
     
  11. thecrofter

    thecrofter Private E-2

    Ran the HJT fix as suggested and then did the TrojanHunter thing; all seems to be clean now. Thanks very much for your help. I've learned a lot and will hopefully keep a better look out in the future.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    So you're not having any further problems?
     
  13. thecrofter

    thecrofter Private E-2

    Seems to be OK at the moment. I know where to find you though.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

