Cws

If you went thru our tutorial you would not be using Ad-aware 6. Please run the full tutorial in the order specified making sure you use the programs and versions that are in the links provided.

 

Okay! I had understood differently because you said "when I tried to install the alternative spyware programs" that is a special section of the tutorial and does not contain Ad-aware. If you are not able to install application you need to tell us exactly which items in the tutorial were you able to complete? And if you do not have current versions of any other items, we need to know that too. Please list what items in the tutorial you were able to run and the result? Right now it appears you only ran:
Ad-aware 6
CWShredder

Is your problem, only during installation of the programs or during download?
Do you try the online scans?
What OS do you have?
Do you have a full virus protection application on your PC.
Do you have HijackThis and if so, what version? Does it run? If so, get a log and post it here as a .txt file attachment.

 

You need to rename your log files so they have .txt extensions instead of .log.

HijackThis does not require an install. It just needs to be unzipped (assuming you dowloaded it from us, from the link in the tutorial). If it will not run after unzipping, rename hijackthis.exe to myhjt.com
and then double click on myhjt.com. Post a log as a .txt file attachment. Make sure browsers are closed before scanning.

 

When you finish getting the present problems resolved, you need to goto Windows Update and get your PC updated. You are seriously out of date.

Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
First goto Control Panel, Add/Remove Programs and see if there is an uninstall for ISTbar, or MYWay, or MYBar. If so, uninstall them and some of the lines I ask you to fix below with HJT and files to delete may not be necessary if they already get removed.


Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:
regsvr32 /u C:\Program\SideFind\sidefind.dll
then click OK. If a dialog box confirming this action appears, click OK.

Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:
regsvr32 /u C:\WINDOWS\System32\m2rglz9x1pc1.dll
then click OK. If a dialog box confirming this action appears, click OK.

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it if found:
sgnlybi96rj7i9.exe


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\m2rglz9x1pc1.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgnlybi96rj7i9.exe
O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\cl2tl1a302t3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program\SideFind\sidefind.dll
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O20 - AppInit_DLLs: 3dg61otselarm.tlb 79gileo3w8v.tlb pibss3gwotls5w.tlb d68wjxlka5j83r.tlb


Did you add the below item to your trusted zone? If not, fix the O15 line too.
O15 - Trusted Zone: *.greg-search.com

The two Ip addresses ( 81.216.65.11 and 81.216.65.12 ) found in the below O17 lines belong to iggypop1.siwnet.net
Unless you recognize this as something valid for you to use, I would fix the below 3 lines too.
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD156F3-C706-4A46-B9D1-56DA45315434}: NameServer = 81.216.65.11,81.216.65.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DD156F3-C706-4A46-B9D1-56DA45315434}: NameServer = 81.216.65.11,81.216.65.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{0DD156F3-C706-4A46-B9D1-56DA45315434}: NameServer = 81.216.65.11,81.216.65.12
Boot into safe mode and use Windows Explorer to delete:
C:\Program\ISTbar <--- the whole directory if still present
C:\Program\MyWay <--- the whole directory if still present
C:\Program\SideFind <--- the whole directory if still present
C:\WINDOWS\System32\sgnlybi96rj7i9.exe
C:\WINDOWS\System32\cl2tl1a302t3.exe
C:\WINDOWS\System32\m2rglz9x1pc1.dll
C:\WINDOWS\System32\3dg61otselarm.tlb
C:\WINDOWS\System32\79gileo3w8v.tlb
C:\WINDOWS\System32\pibss3gwotls5w.tlb
C:\WINDOWS\System32\d68wjxlka5j83r.tlb

Look around and tell me if you see any other strangely named files in C:\Windows\System32.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Please try giving this 15 day trial version of GIANT Antispyware a run. (Download the GIANT AntiSpyware Free trail)

Save any logs you can from it and post them back here as an attachment. Also post a new HJT log after running.

 

Hit CTRL-ALT-DEL to bring up Task Manager and click Processes. Is the follow process actually running and running multiple times:
sgtat8cs8ir668.exe

If so try, end each of them with Task Manager and the run HJT this and fix the below lines. Make sure no browser (IE) windows are open when fixing:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\zgt3ji9glr.dll
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgtat8cs8ir668.exe
O20 - AppInit_DLLs: e92bj76sk4arm6.tlb ayv7yc5vph4o.tlb ll9csx9x29w15.tlb gt6a3wv1v6j.tlb 3dgofifwl2.tlb wm46g84x44w5.tlb 19bl77och8h4im.tlb js1lnyk9f2ey7.tlb c2vah0pkvlj.tlb omzxxt3yiw5zgi.tlb 4v8gc0yjhau3.tlb 51l1m18kp6imre.tlb r0o2mncav3m.tlb

Now run a Giant Software scan followed by Ad-aware SE. You should have the Ad-Aware VX2 Cleaner plug-in installed too, so run it

Who do those IP address belong to on the O17 lines: 81.216.65.11, 81.216.65.12

 

Is it always the same name process (sg6zd9rvmwt.exe) that keeps coming back?
Try killing it an immediately run CWShredder and select FIX.
Also try running Ad-aware SE VX2 cleaner plug-in.

Can you locate the file using Windows Explorer and delete it from safe mode?

 

If you use Search, you need to do the following:
Click Search and the Select "All files and folders"
Enter the filename in the "All or part of the file name:" box, so enter sg6zd9rvmwt.exe
Now select "More advanced options"
Make sure the following check boxes are checked:
- Search system folders
- Search hidden files and folders
- Search subfolders

Then click the Search button.

Make sure when trying to remove these files and or trying to fix with anything (including scanners) that no browsers (IE, FireFox etc) are running. It may also be a good idea to have no access to the Internet available (disconnect cables).

 

If still having problems, please give the below 15 day trial a run.

http://www.giantcompany.com/download.aspx?prodID=70
GIANT Company Software - Download

We have been seeing some good results using this program. It would be good to see if it helps here.

 

Boot into safe mode and have no internet connection available again. Run Task Manager and kill any of those strange processes. Run all the scanning tools (accept the online scans). Make sure you run CCleaner and Stinger. Manually go into C:\windows, C:\Windows\system32, and C:\Documents and Settings\George\Lokala inställningar\Temp and look for any of the strangely names files. Don't just look for .EXE types. Look for anything like those weird names. Remove them. While in safe mode, run HJT again and fix any of those lines that we have been fixing (obviously the names may have changed). While in safe mode and with no physical ability to connect to the internet, open up one Internet Explorer session even though it cannot connect anywhere. See if any of the strange proesses came back in Task Manager or are list in a new HJT scan. Also check the directories again to see if any files respawned.

Now reboot in normal mode and post a new HJT log. Tell me what happened with all the above and where things stand right now.

 

Well none of those files you mentioned are valid. You can sometimes right click on the file and select Properties and then the Version tab and go thru the list of Item names to see who it belongs to. Many times there are no version tabs. That is an indication that it could be malware but not definitely. A suggestion I would make would be to either move all the suspected files to a different folder (like create one called c:\junk32). That way you could copy them back if you made a mistake. Also only move 10 or so at a time. I would expect that anything with extremely random names like 0huzybpsh5.exe are bad. You may also have other extension types like .dll and .dat that are bad too.

Another approach could be to leave the files in the system32 directory and rename all of them (do all of them). Rename them to something you no how to recover from. For example rename:
0huzybpsh5.exe to 0huzybpsh5.badexe (do not use 0huzybpsh5.bad.exe)
badfile.dll to badfile.baddll
123456.dat to 123456.baddat

 

Your log looks clean. Hopefully your trojan problems are now gone. You need to now get your system updated since you are seriously out of date. Please see: How to Protect yourself from malware!

 

They are all pretty good. Personal preference of mine and many others is Avast.

And you're welcome.