Help Pls....

Discussion in 'Malware Help (A Specialist Will Reply)' started by shewolf, Feb 4, 2005.

  1. shewolf

    shewolf Specialist

    chas, PP, anyone... lol
    I need some help. Due to something being downloaded that shouldn't have been, my computer is now infected with spyware. I have done the Read Me First and ran Microsoft AntiSpyware, and they keep coming back.
    There is a DelFin, IST.ISTbar, IST.XXXToolbar, and others I can't remember all the names.
    How do I get rid of all these? I know I am to wait for you to ask me to attach my HJT log, but since I have already done the Read Me First and didn't have any problems getting through all of it, and some things were removed during Read Me First but they are still there when I boot back up, I figured the next step was the log.
    Thanks for all your help...
    sw :)

    I do not know why there are so many running processes, especially messenger, when I closed them all out prior to running HJT. The only 2 things in my system tray that were running at the time were my Norton firewall and System Works.
     

    Attached Files:

  2. Geeks Fan

    Geeks Fan Private E-2

  3. TheOldThug

    TheOldThug First Sergeant

    Here's a little info for you.

    C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    http://www.processlibrary.com/directory/files/wsxsvc/index.php
    C:\Program Files\ISTsvc\istsvc.exe
    http://www.processlibrary.com/directory/files/istsvc/index.php

    You have a lot of suspicious .exe's
    C:\WINDOWS\koivo.exe
    C:\WINDOWS\newpop62.exe
    C:\WINDOWS\system32\??anregw.exe

    Also
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Acilll.exe
    O4 - HKLM\..\Run: [uxracd] c:\windows\system32\uxracd.exe
    O4 - HKLM\..\Run: [popuppers] C:\WINDOWS\newpop62.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKCU\..\Run: [Ndbizrac] C:\WINDOWS\system32\??anregw.exe
    O15 - Trusted Zone: *.popuppers.com

    PP or Chas will help you I just thought I would point out the obvious. Wait for their advice on what to do.
     
  4. shewolf

    shewolf Specialist

    Thanks for the reply Geeks Fan & TheOldThug

    Thought I would let you both know that I am aware that I do have several nasties on my computer and I already put the log in the box at that link. HijackThis log file analysis

    I thought I would see if chas or PP could help me get rid of these in the best possible way because several of those that show up in the log have been deleted in both modes (normal boot and safe) and yet they keep coming back. Some of them have been deleted while doing all the steps in the Read Me First but yet they are still in the log. :( Some of them have been deleted in normal boot mode with programs like AdAware SE, Spybot S&D, and Microsoft Antispyware and again they come back.

    So, I thought I would see what needs to be done to get them gone from my system before I started deleting them with HJT.

    Thanks again though and sorry I wasn't more clear in my first post.
    sw:)
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of problems! More than already pointed out. We will get to them. But first I want to ask a question and please do not take this the wrong way. I just want to find why I keep seeing this happen.

    Question:
    Why did you run HSremove? Did you also run About:Buster? If so, why?
    The READ ME clearly (as far as I can tell) points out they are only required if you have HSA and/or about:blank hijacks. Why does everyone keep running these? Is it that no one knows the difference between a hijack problem and the other malware problems?

    Again, please do not take that the wrong way. I am trying to see how I can change the process to prevent people from doing unnecessary scans.
     
  6. TheOldThug

    TheOldThug First Sergeant

    Chas

    NO
    My answer is that most of us do not know the symptoms of HSremove and about:Buster. We are not familiar with these problems until they all of a sudden slap us in the face. Maybe in the TUTORIAL you could put the symptoms by those files. I didn't run them because I asked what the symptoms were before doing the tutorial. Does that make sense?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I understand that! But do we know the difference between a hijack and other problems? An about:blank hijack always takes you to a page that says about:blank. HSA hijackers are a little more complex but take you to a page that quite often had something like "Only the Best" on it somewhere (hence the nickname Only the Best hijacker).
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\koivo.exe
    C:\WINDOWS\newpop62.exe
    C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\system32\??anregw.exe


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O4 - HKLM\..\Run: [1XEC] C:\WINDOWS\koivo.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Foexra.exe
    O4 - HKLM\..\Run: [popuppers] C:\WINDOWS\newpop62.exe
    O4 - HKLM\..\Run: [uxracd] c:\windows\system32\uxracd.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Acilll.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKCU\..\Run: [Ndbizrac] C:\WINDOWS\system32\??anregw.exe
    O15 - Trusted Zone: *.popuppers.com


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\koivo.exe
    C:\WINDOWS\system32\Foexra.exe
    C:\WINDOWS\newpop62.exe
    c:\windows\system32\uxracd.exe
    C:\WINDOWS\system32\Acilll.exe
    C:\WINDOWS\system32\wsxsvc <--- the whole folder
    C:\Program Files\ISTsvc <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
    Tell me if any of these cannot be found or could not be deleted. The ISTsvc once

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  9. shewolf

    shewolf Specialist

    No offense taken :)
    Yes I did run both of those, and why? Well, I guess I figure that if they are listed in the secondary scan and removal (step 4) then it couldn't hurt to run them. Even though it says need only to be run. Now to me, if it was listed in a sub step of step 4, like 4a, and worded to run these two ONLY if you have the about:blank or HomeSearchAssistant hijacks, then maybe ppl wouldn't just automatically run them.

    As for if no one knows the difference between a hijack and other malware problems I have to honestly say I don't think people out there know the difference.

    Well in my case I was having all my stuff go off like crazy. I had several of my programs popping up (Microsoft AntiSpyware, BHODemon, Spyguard) telling me that my home page was trying to be changed, that I had a toolbar that was trying to access the internet, etc. So to me that is telling me that, one, I am getting my home page hijacked by the malware that is in my computer. So I ran those 2 scans to be on the safe side.

    Well that is my point of view and again no offense taken you can't improve upon a subject unless you ask questions to find out why something is being done or happening.

    I won't be around over the weekend as I am going out of state I won't be able to get back to the forum and check out what you have listed for me to do until Monday.

    Have a great weekend and thanks so much for your time and help I really do appreciate it.
    sw:)

    I will do that stuff right now and post a new HJT log for you and then after that I am gone and won't be back until Monday...
     
  10. TheOldThug

    TheOldThug First Sergeant


    Many of us that come here have never had these problems before. We do not recognize the symptoms; even sometimes when it is explained it can still be confusing. Most people just use their computer - not understand their computer. A description of the symptoms in the TUTORIAL would alleviate a lot of the unnecessary scans.
     
  11. shewolf

    shewolf Specialist

    Ok here is my new log
    I removed everything that I could find..
    What I couldn't find was..

    C:\WINDOWS\koivo.exe
    C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\system32\??anregw.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [uxracd] c:\windows\system32\uxracd.exe
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Acilll.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe


    and then in the Windows Explorer in safe mode I couldn't find


    c:\windows\system32\uxracd.exe
    C:\WINDOWS\system32\Acilll.exe
    C:\Program Files\ISTsvc <--- the whole folder

    So far I am not getting any popups and I ran my Microsoft AntiSpyware and it did not find anything..
    I have to go will be back on Monday will check back in on Monday and let you know how things are.
    Have a great weekend.
    sw:)
     

    Attached Files:

  12. TheOldThug

    TheOldThug First Sergeant

    Just curious, a few questions. You couldn't find the O4 lines in the HJT (to fix) after stopping the processes?

    Chas
    If you stop the .exe process, will it still show in the HJT so you can fix it in an O4 line?
    When she fixed the O4 lines, does that make those .exe files disappear?
    I'm trying to understand what happens with the files when processes are stopped and lines are fixed in HJT. Will they need to be deleted in safe mode, or are they deleted by HJT?
     
  13. shewolf

    shewolf Specialist

    The list of things in my last post were of things that I could not find. I was able to kill one of the running processes and remove other things that chas instructed me to but I was just not able to find everything so I listed what I could not find.

    What I don't understand is that they were on my first HJT log but between the time when I posted that and when I did what chas instructed me to do some of the things he wanted me to delete I could not find. It is like they disappeared from my computer.

    Hope this helps you to understand what I could and couldn't find, as I just listed things I couldn't find instead of re-listing everything and then marking the ones that I couldn't find.

    sw:)

    ps just so you know that chas wanted me to kill 5 processes but when I looked at the processes I could only find 1 out of the 5 and that one was C:\WINDOWS\newpop62.exe

    also.. I need to make sure that I am doing the Windows Explorer part correctly. How do you find everything for that? What is the proper way? I just opened up my Windows Explorer, clicked on my C drive and then typed in the string. As an example, for one of the ones you wanted me to delete that I could not find, I typed this in the address bar: c:\windows\system32\uxracd.exe, and it did not find anything.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is a very very bad thing to do. That would run the executable file which in this case is malware.

    What you could do is use your mouse in the left pane to slowly click and navigate to the c:\windows\system folder then you would scroll up and down in the right pane to locate the file.

    You could start by entering only c:\windows\system32 in the address bar which will just quickly get you into that folder like the mouse clicking did. Then again look around for the file.

    You must make absolutely sure that viewing of hidden files/folders, system folders etc. is enabled as per the tutorial. Even at that you will sometimes not find things. They can still be hidden. I'll give you a good example. Use Windows Explorer to go to c:\windows\downloaded program files and observe what you see. Now open a command prompt (click Start, Run and enter cmd and click OK) and type the following commands, each followed by the Enter key:

    cd c:\windows\downloaded program files\
    dir

    Look at all the files you see now. More than what Win Explorer showed. Also you may see more if you use other options in the dir command that can display hidden or system files too. (Type dir /? to see options).

    Go back and look for the stuff I wanted you to delete again and do it as I stated above. Let's just be safe.

    Your last log was clean.
     
  15. shewolf

    shewolf Specialist

    I will try your new set of directions and see what I can find.
    What about the running processes that weren't running before and the ones that were not listed in the HJT scan?

    My Norton Antivirus Scan is still picking up Adware stuff on scans. Do you want me to list those in here as well? It's 22 items that it is finding..

    Thanks for all your time and help..
    sw:)
     
  16. shewolf

    shewolf Specialist

    I cannot print. My USB hub will not work; it lights up when the computer is powered on but then the lights go out. So, I moved my USB cable for my printer to be plugged directly into my USB port on my tower and my printer still will not work (the green light flashes and will not go online - steady).
    Does this all have something to do with whatever is still in my computer or did I remove something with the cleanup stuff I did on Friday?
    Thanks,
    sw:)
     
  17. shewolf

    shewolf Specialist

    I don't know what is going on, but I still have a replacement plan available to me for my printer, so I am going to use that and get a new printer. My USB hub works fine; it's just my printer that is not turning on the way it should, even when it isn't connected to the computer.

    Well as for my spyware problems my AV scan still detects adware on my computer but I am unable to find anything else on my computer that chas wanted me to delete/kill/remove.

    So, what do I do now??

    But the strange thing is that I never opened or installed the program. All I did was save something to a folder so I could run my Norton AV to check it for viruses and it came up that spyware was found in the program. So I was in the process of deleting the item when my alerts went off like crazy popping up all over telling me that things were trying to start up on my computer, my browser was being changed, etc etc etc..
    What I don't understand is how it put bad things on my computer when I only saved it so I can check it for bad things. What is the use of taking this step to protect your computer by saving the program/file so you can check it for bad things if it's going to put bad things on your computer even if you don't open it or install it???


    Also, I have a suggestion for the read me first guide..
    It should be listed in the guide to turn your System Restore back on after you reboot back to normal mode. If anyone else is like me they forget to do that step and that should be listed as a reminder. Just a thought...


    Thanks again for all your help I greatly appreciate it and maybe one of these days I will learn to leave well enough alone.
    sw:)
     
  18. shewolf

    shewolf Specialist

    My printer was on the fritz I do have a new printer and that works fine that problem is now solved..

    Back to my adware problem. When doing my AV scan I was looking at the AV scan log, and here is an example of one of the items that the scan found and continues to find with each scan:
    Source: C:\WINDOWS\system32\prutnct.exe
    Description: The file C:\WINDOWS\system32\prutnct.exe is a Spyware threat.
    Click for more information about this threat : Packed.Spyware
    Now when I click on Packed.Spyware for more information, it takes me to a blank page, and in the address bar on that page it says about:blank. This is where I do get confused: does this mean that I have an about:blank problem? When I click on the clickable part to view more information about the threats from the 22 Threats detected, they all take me to the about:blank page.

    Just thought I would let you know so you can help me to determine what to do next.
    Thanks again for all your time and help..
    sw:)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use the same kind of procedure we used earlier:
    - end the process
    - fix load/run lines in HJT log
    - boot to safe mode
    - delete the file

    - Post a new log
     
  20. shewolf

    shewolf Specialist

    chas
    Thanks for your help I am slowly learning how to fix these things and I was also wondering what should I do about the IP Insight? I do know that has to do with my DSL but I didn't know if I should remove it from my computer or leave it alone? It doesn't bother me that my DSL "Phones Home" I just wanted to be sure that I wasn't leaving myself wide open to be hijacked or such.

    Thanks again for your time and help I really do appreciate it.

    sw:)

    I will run all that first thing in the morning as I have to attend to the kids tonight and I will post a new log after I do all the clean up and see what happens..
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the following referring to:
     
  22. shewolf

    shewolf Specialist

    IP Insight the HJT log when I go to http://hijackthis.de/index.php says that it is nasty. C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    running process. (IPClient.exe)
    Installed with Verizon DSL accounts. IP Insight is a Quality of Service monitor and diagnostic tool that isn't required - see here for more information. This one constantly "phones home" and wastes resource - hence the "X" status

    I do not want to delete this and cause any conflicts with my DSL service but if I can delete it without a problem I will. I was just wondering what I should do about it.

    Here is my latest HJT log and I believe everything is gone now..

    Thanks again..

    sw:)
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You never mentioned anything about it before. That is why I did not know what you were talking about.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well if you are going to worry about IPclient, what about:

    IPMon32.exe - see http://www.liutilities.com/products/wintaskspro/processlibrary/ipmon32/
    and http://startup.iamnotageek.com/srch-ipmon32.exe.html

    CFD.exe - see http://www.liutilities.com/products/wintaskspro/processlibrary/cfd/
    and http://www.iamnotageek.com/a/cfd.exe.php
    and http://www.greatis.com/appdata/u/c/cfd.exe.htm
    and it is the same program as BJCFD.exe which is mentioned here:
    http://www.answersthatwork.com/Tasklist_pages/tasklist_b.htm


    You more than likely can have HJT remove/fix these lines:
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

    You can always restore them from HJT's backups. As an alternative, use Startup CPL to control what loads at startup. That way, if you ever need them, you can have them load. This is a much better method than using msconfig.

    You also do not need
    PowerReg SchedulerV2 - http://www.liutilities.com/products/wintaskspro/processlibrary/schedulerv2/

    You should also uninstall C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    It is full of problems and not ready for prime time yet! You know MS. They always want us to do their beta testing.
     
  25. shewolf

    shewolf Specialist

    Do you mean uninstall the whole Antispyware program or just the gcasServ.exe portion of it? Just wanted to be clear so I didn't goof anything up.. ;)

    When I was in my Add/Remove Programs I found 3 things that are very questionable and I have no clue what they are and when I do a google on them it tells me that they are spyware related so I thought I would find out from you if they are actually spyware related or not and if so then the best way to delete/remove them. Also I searched for them on my computer by using the search feature and it did not bring anything up.
    DMVlite (what my search brought up on this one talked about it being a very long drawn out complicated process of removing it as by simply uninstalling it will keep the backdoor open for future installs and problems)
    HpyerLinker
    Win-dh (couldn't find anything on this one in my google search)


    Thanks again for all of your time and help..

    sw:)
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  27. shewolf

    shewolf Specialist

    sorry I had a typo yes it is HyperLinker
    I tried clicking on the link you provided for that but it just sits there and says waiting for doxdesk.com then I get that pop up error with Firefox about how it can't connect or something like that and I tried with IE and it comes up and says that the page can not be displayed.

    As for the Win-dh I honestly don't know if that is it or not. I just installed a new printer and it did come with something for photos so its possible that the Win-dh could be linked to that. I will search more for it on my computer then just by entering it in the search field.

    well that is all I have for tonight gotta go thanks again for all your time and help I really do appreciate it.
    sw:)
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  29. shewolf

    shewolf Specialist

    Ok here is my new log..

    I had to completely "dump" my computer and start fresh, as my Antivirus was acting up and did not want to do any scans and wasn't working properly. Even after uninstalling and reinstalling, I would still get an error message telling me to uninstall and reinstall Norton Antivirus as it has encountered a problem.
    I now have a new problem with my Norton Antivirus: when I click on View Quarantined Items it tells me "Error Creating Quarantine Object. Please re-install Norton Antivirus". Any clue as to what this could be from? I will post it in another part of the forum if you want me to, but my install of it after completely "dumping" my computer went great, no problems.

    In my log I did notice a couple things that I have a question on and was wondering if they should be deleted or left alone..

    O16 - DPF: {6AE4CC6E-999C-11D4-A3F0-009027427750} (NSAuto Class) - http://us.i1.yimg.com/us.yimg.com/i/msgr/yauto_remove.cab

    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

    Thanks again for all your time and help..

    Also so far all my spyware scans are good and nothing has been found. :):)

    sw:)
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should recognize the below. It is for all the Yahoo junk you have.
    O16 - DPF: {6AE4CC6E-999C-11D4-A3F0-009027427750} (NSAuto Class) - http://us.i1.yimg.com/us.yimg.com/i/msgr/yauto_remove.cab

    This next line must not be correct or the service is trying to locate the file in the wrong place.
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
    How can the file be missing? Your process list has it running: C:\WINDOWS\system32\slserv.exe
    You should check out what the Path to executable is in the service itself.

    As far as Norton AV problems, it probably does belong in the Software Forum. Did this happen immediately after re-installing your PC? How could anything be in the Quarantine yet?
     
    Last edited: Feb 16, 2005
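    The removal procedure chaslang gives earlier in the thread (kill the process, fix the R0/R3/O4/O15 lines in HJT, delete the files in safe mode) and the check in the post above (an O23 service reported "(file missing)" whose executable is nonetheless in the running-process list) can both be automated from the HijackThis log text. The following Python script is an added example written for this page; it is not HijackThis code and not anything posted in the thread. The sample log is constructed from the lines quoted in the thread plus a made-up "Running processes" section, and the set of suspect executable names and hostnames stands in for the reviewer's judgement about which entries are malicious.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis log format. The R0/R3/O4/O15/O23 lines are the
# ones quoted in this thread; the "Running processes" section is made up for the
# example and is not shewolf's actual attached log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\newpop62.exe
C:\WINDOWS\system32\slserv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O4 - HKLM\..\Run: [popuppers] C:\WINDOWS\newpop62.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O15 - Trusted Zone: *.popuppers.com
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<exe>.+?) \(file missing\)$")


def parse_log(text):
    """Split an HJT log into running-process paths and (kind, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process section
            continue
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def exe_path(cmd):
    """Return the executable from a Run-key command line, quoted or not, minus arguments."""
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r"^(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def build_cleanup_plan(text, suspects):
    """Turn reviewer judgement (executable basenames and hostnames judged malicious)
    into the three lists of the thread's procedure: processes to kill in HJT's
    process manager, HJT lines to fix, and files to delete in safe mode."""
    suspects = {s.lower() for s in suspects}
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}
    plan = {"kill": [], "fix": [], "delete": []}
    for kind, body in entries:
        line = f"{kind} - {body}"
        if kind in ("R0", "R1"):
            _, sep, value = body.partition("=")
            host = urlsplit(value.strip()).hostname if sep and value.strip() else None
            if host and host.lower() in suspects:
                plan["fix"].append(line)  # start/search page pointed at a suspect host
        elif kind == "R3" and body.endswith("(no file)"):
            plan["fix"].append(line)      # orphaned URLSearchHook, nothing to keep
        elif kind == "O4":
            m = O4_RE.match(body)
            path = exe_path(m.group("cmd")) if m else ""
            if m and ntpath.basename(path).lower() in suspects:
                plan["fix"].append(line)
                plan["delete"].append(path)
                if path.lower() in running:
                    plan["kill"].append(path)
        elif kind == "O15":
            plan["fix"].append(line)      # Trusted Zone additions the user never made
    return plan


def find_missing_but_running(text):
    """The check from the post above: an O23 service marked '(file missing)' whose
    executable still appears in the process list means the service's Path to
    executable is wrong, not that the file is gone."""
    processes, entries = parse_log(text)
    by_name = {ntpath.basename(p).lower(): p for p in processes}
    hits = []
    for kind, body in entries:
        m = O23_RE.match(body) if kind == "O23" else None
        if m and ntpath.basename(m.group("exe")).lower() in by_name:
            hits.append((m.group("svc"), by_name[ntpath.basename(m.group("exe")).lower()]))
    return hits


if __name__ == "__main__":
    plan = build_cleanup_plan(SAMPLE_LOG, {"newpop62.exe", "wsxsvc.exe", "hsremove.com"})
    for step in ("kill", "fix", "delete"):
        print(f"== {step} ==")
        for item in plan[step]:
            print("  ", item)
    for svc, path in find_missing_but_running(SAMPLE_LOG):
        print(f"service {svc} reports its file missing but {path} is running: check its Path to executable")
```

    The script only builds the checklist; deciding which O4 names belong in the suspect set is still the reviewer's call, which is why the legitimate IPInSight entry in the sample is left alone and the Trusted Zone and orphaned URLSearchHook lines are flagged unconditionally.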
  31. shewolf

    shewolf Specialist

    I will post it in the software forum, and I was mistaken: it did show up prior to me completely "dumping" my computer, sorry about that lapse in memory. Anyhow, I went to view the activity log and clicked on the View Quarantined Items by accident, and that is when I discovered the error message of "Error Creating Quarantine Object. Please re-install Norton Antivirus". Other than the "Error Creating Quarantine Object. Please re-install Norton Antivirus" message that I get now when I click on the View Quarantined Items, my NAV is running fine. As I said, I will post this in the software forum and see what they have to say.

    Thanks so much for all your time and help I greatly appreciate it.

    sw:)
     
    Last edited by a moderator: Feb 16, 2005
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
