huge spyware problem. Zone labs too.

Discussion in 'Malware Help (A Specialist Will Reply)' started by mrcolin1, Mar 5, 2005.

  1. mrcolin1

    mrcolin1 Private E-2

    Hey guys, I'm having a huge problem. I have a bunch of spyware, and now I was on here trying to fix, going through the common instructions. Well, I downloaded ZoneLabs firewall, and since I have installed it, my internet browser doesn't work. I'm at work now using the internet. I have tried and tried to delete Zone Labs, but it doesn't allow me. I try to access it but can't figure out how. Can anyone tell me how to delete it or change it so it will let me go to sites on my browser. I know the internet it working though, cause I can use msn and stuff. What should I do? Thanks.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try to follow as many steps as possible.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to your Program Files directory, right click on a blank spot in the window > choose New > Folder. Name this folder Spyware Tools. Now you can save the needed tools to this folder and if you prefer, create sub-folders named for each individual utility.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    To Repeat: Please be sure to reply in this thread if you need further assistance or have any questions. Someone WILL be along to help you as soon as they can. You can help us help you by following the above instructions and providing detailed information as to the difficulties you are having and/or continuing to have after you have completed the Basic Spyware, Trojan And Virus Removal tutorial. Just telling us you followed the tutorial does not give us enough information. You need to let us know the results...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    We all recognize that if you are here asking for help you are probably frustrated and maybe even angry that your computer has been taken over by some malicious program. Rest assured, we want to help you but that we get frustrated too when we are not given the requested information or when instructions are not followed. Don't be afraid to ask for additional help if you don't understand something! There is no such thing as a dumb question and we do not expect everyone who comes here to have vast computer knowledge, however you will be more educated and better prepared to prevent re-infestation when you leave here!:)

    Good luck!:)
     
  3. mrcolin1

    mrcolin1 Private E-2

The thing is, I'm not at my computer right now. I'm at my dad's restaurant, so I can't download the programs. I think Zone Labs Firewall is keeping me from accessing sites. How do I fix this or delete it?
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Were you able to access the internet before you installed the firewall?
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Perhaps your machine was so infected that it broke the connection when you installed the firewall. This could be caused by several things. You need to download the tools I mentioned, put them on a CD and run them on this machine.
     
  6. mrcolin1

    mrcolin1 Private E-2

Is there a way to delete the firewall? I can't do it. Or access it? Also, I could access the internet before installing the firewall. I can still use MSN Messenger and AOL.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go into Add/Remove programs and uninstall it. Only other way is to use a program to uninstall it, which you would have to download.

    First thing you need to do is get those programs on a disk and on that machine and get the scans started.
     
  8. mrcolin1

    mrcolin1 Private E-2

    Okay, I messed around for a bit, and the internet, for now, seems to be working. So, I'll start to follow Hijack this.
     
  9. mrcolin1

    mrcolin1 Private E-2

Ok, so I ran HijackThis, and I get 4 "R" files, and then tons of "O" files. I deleted 1 "R" file, but am not sure what to do for the "O" files. What should I do?
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do NOT delete anything in HJT, please post your log here as I have requested. Not everything HJT finds is bad.
     
  11. mrcolin1

    mrcolin1 Private E-2

    ok. here it is.
I also ran it through the analysis links, and they recommended me to check some files, but I haven't done anything yet.
     

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

That is not accurate, as I have tested it. It detects bad items that are really good and doesn't detect some bad things.

    Please allow me a moment to check your log.


    Are you familiar with MediaPass?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have some major problems, allow me some time to post you a fix.

    Also, are you familiar with MediaPass?
     
  14. mrcolin1

    mrcolin1 Private E-2

Ok, I really appreciate it man. Uh, MediaPass, I've seen it on the thing before when Spy Sweeper runs things for startup, and when I remove that and ZoneLabs they come back in 5 seconds. But no, I'm not aware of what it is. Also when I press Control-Alt-Del and go to Processes there is always something coming in and out really fast.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Ok, if you don't know of it I will include it. Allow me a moment, I'm almost complete with your fix. Hang in there a few moments.:)
     
  16. mrcolin1

    mrcolin1 Private E-2

    thanks for the work dude, I really appreciate it
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:


Disable the Spybot S&D TeaTimer as it will affect some of these steps.


    Second:



    Please look in Add or Remove Programs for the following and Uninstall them if found:


    BullsEye Network

    EliteSideBar

    Ictids

    Viewpoint

    WeatherBug

    MediaPass

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    open32.exe

    bargains.exe

    MediaPass.exe

    MediaPassK.exe

    tmp71.tmp

    tmp8E.tmp


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O4 - HKLM\..\Run: [xqgtyckw] C:\WINDOWS\System32\qvkjvizb.exe
    O4 - HKLM\..\Run: [srlogonu] C:\WINDOWS\System32\srlogonu.exe
    O4 - HKLM\..\Run: [o7EX32j] C:\WINDOWS\System32\w32tres.exe
    O4 - HKLM\..\Run: [MS_Critical_Update] c:\CriticalUpdate.exe
    O4 - HKLM\..\Run: [RegistryMon] c:\registry.pif
    O4 - HKLM\..\Run: [Microsoft Security Hot Fix] "%SystemRoot%\mshotfix.exe"
    O4 - HKLM\..\Run: [Xpqhlfhq] C:\Program Files\Ictids\Naweot.exe
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteezi32.exe
    O4 - HKLM\..\Run: [Shell] open32.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer]
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Phil Lindsey\Application Data\ttuh.exe
    O4 - Startup: winupdate25698347[1].exe
    O4 - Global Startup: Microsoft Windows.hta

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12b08babd72ac81a8e02/netzip/RdxIE601.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab

    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll

    O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


    Again, make sure All Browser Windows are Closed when you Click FIX.


    Third:


    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.


    Fourth:

    Please download: HSFix.zip
    Do not run it yet!

    Fifth:

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Extract the tool from the ZIP File to a folder you can easily find (preferably in its own folder - like C:\HSFix). It should have a ReadME included with instructions on how to run it and how to collect the log it produces.

    Please run the tool as directed and attach the log it produces after you delete the files and reboot in the next step.


    Sixth:

    Navigate to and DELETE the following if they should remain:


C:\Program Files\Media Pass ←–– Delete this whole folder if it exists!

C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

C:\Program Files\Ictids ←–– Delete this whole folder if it exists!

C:\WINDOWS\EliteSideBar ←–– Delete this whole folder if it exists!

C:\Program Files\BullsEye Network ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\open32.exe

    C:\WINDOWS\System32\snim.dll

    C:\WINDOWS\System32\msbe.dll

    C:\WINDOWS\System32\qvkjvizb.exe

    C:\WINDOWS\System32\srlogonu.exe

    C:\WINDOWS\System32\w32tres.exe

    C:\WINDOWS\SYSTEM32\drct16.dll

    C:\windows\system32\eliteezi32.exe

    C:\WINDOWS\system32\mshotfix.exe
    OR
    C:\WINDOWS\system\mshotfix.exe

    C:\WINDOWS\blank.htm

    C:\WINDOWS\cerbmod.dll

    C:\WINDOWS\zeta.exe

    C:\CriticalUpdate.exe

    C:\registry.pif

    C:\Documents and Settings\Phil Lindsey\Application Data\ttuh.exe

    winupdate25698347[1].exe ←–– Search for this file and delete if found!

    Microsoft Windows.hta ←–– Search for this file and delete if found!


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Dont forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


Reboot to Normal Windows, scan with HijackThis and HSFix and attach the new logs. Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
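The fix list in the post above is built from a manual read of the HijackThis log: autostart (O4) entries whose target sits in the drive root, uses a .pif or .hta file, has no path at all, runs from a user profile, or is named to look like a Windows update; plus nameless BHOs, MIME filters, Winlogon Notify DLLs and services with no owner. The script below is an added example of that triage written as code; it is not a MajorGeeks tool and not part of this thread. The sample log is constructed from lines quoted in the thread plus one made-up benign Run entry ("Example Benign") so that the heuristics have something to pass. The heuristics are hints for manual review, not a verdict: a line with no reasons is not proven clean, and a flagged line still needs a human to check it.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not an official tool)."""
import re

# Constructed sample input: entries copied from the thread's log, plus a made-up
# benign Run entry so the triage has a line that should NOT be flagged.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\\WINDOWS\\cerbmod.dll
O4 - HKLM\\..\\Run: [MS_Critical_Update] c:\\CriticalUpdate.exe
O4 - HKLM\\..\\Run: [RegistryMon] c:\\registry.pif
O4 - HKLM\\..\\Run: [Microsoft Security Hot Fix] "%SystemRoot%\\mshotfix.exe"
O4 - HKLM\\..\\Run: [Shell] open32.exe
O4 - HKLM\\..\\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer]
O4 - HKCU\\..\\Run: [Aida] C:\\Documents and Settings\\Phil Lindsey\\Application Data\\ttuh.exe
O4 - Global Startup: Microsoft Windows.hta
O4 - HKLM\\..\\Run: [Example Benign] "C:\\Program Files\\Example\\example.exe"
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\\WINDOWS\\System32\\snim.dll
O20 - Winlogon Notify: drct16 - C:\\WINDOWS\\SYSTEM32\\drct16.dll
O23 - Service: ZESOFT - Unknown owner - C:\\WINDOWS\\zeta.exe
"""

# O4 lines: "O4 - <where>: [<name>] <command>"; Startup-folder lines have no [name].
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
SCRIPT_EXT = (".pif", ".hta", ".scr", ".bat", ".cmd", ".com")
# Words malware uses to make an autostart entry look like a Microsoft component.
MIMIC_RE = re.compile(r"critical|hot ?fix|update|security|microsoft|windows", re.I)


def triage_o4(name, cmd):
    """Return the reasons an autostart entry deserves a second look ([] if none)."""
    reasons = []
    target = cmd.strip().strip('"')
    low = target.lower()
    if low.startswith("rundll32"):
        # rundll32 <dll>,DllRegisterServer re-registers a COM server at every
        # logon: a way to re-hook a BHO or MIME filter after it was removed.
        if "dllregisterserver" in low:
            reasons.append("rundll32 re-registers a DLL at each logon")
        return reasons
    if "\\" not in target and "/" not in target:
        reasons.append("bare filename resolved through PATH search")
    if re.match(r"^[a-z]:\\[^\\]+$", target, re.I):
        reasons.append("executable sits directly in the drive root")
    if low.endswith(SCRIPT_EXT):
        reasons.append("script/shortcut extension used as an autostart")
    if "\\application data\\" in low or "\\documents and settings\\" in low:
        reasons.append("runs from a user profile directory")
    if MIMIC_RE.search(name or target):
        reasons.append("entry name imitates a Windows update or security component")
    return reasons


def triage_other(line):
    """Hooks that are rarely legitimate and always worth checking by hand."""
    if line.startswith("O2 - BHO: (no name)"):
        return ["browser helper object with no name"]
    if line.startswith("O18 - Filter:"):
        return ["MIME filter sees every HTML/text response the browser loads"]
    if line.startswith("O20 - Winlogon Notify:"):
        return ["DLL loaded by winlogon.exe at logon; verify its publisher"]
    if line.startswith("O23 - Service:") and "Unknown owner" in line:
        return ["service with no recorded owner"]
    return []


def triage_log(text):
    """Return [(line, reasons)] for every log line that needs manual review."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        reasons = triage_o4(m.group("name"), m.group("cmd")) if m else triage_other(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("    -", r)
```

Run it on a real log by reading the file into `triage_log` instead of `SAMPLE_LOG`. The name-mimicry rule deliberately fires on anything called "Windows" or "Microsoft", so legitimate entries will show up there too; that is intended, because the point of the check is to force a look at the file's actual path and publisher rather than trust the label in the registry.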
     
  18. mrcolin1

    mrcolin1 Private E-2

Ok, just an update for now. I just got done with HijackThis, and am about to move on to the DelDomains part. Also: I couldn't delete the BullsEye Network. It seems to have frozen.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you deleting these files in Safe Mode?
     
  20. mrcolin1

    mrcolin1 Private E-2

    no, I'm still in regular. I haven't restarted any yet.
     
  21. mrcolin1

    mrcolin1 Private E-2

    I'm about to though, as I just finished with hsfix download, and it tells me to reboot in safemode before the 6th step.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Ok, proceed and let me know:)
     
  23. mrcolin1

    mrcolin1 Private E-2

    ok, I'm in safe mode. I'm at the step where I'm supposed to read the Read ME file for HsFix, but it just shows me the updates and stuff in the read me file. What should I Do?
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

For now, just run the hsfix.bat and let it do its job. After Explorer loads back, proceed to the next set of steps.

    After you have rebooted, run this again and attach that log.
     
  25. mrcolin1

    mrcolin1 Private E-2

    ok, I'll do that. Do I reboot in normal mode? Also, when you say attach the log, do you mean attach it on here?
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

AFTER you have run HSFix, deleted the files I requested and run CCleaner, Spybot & cleanmgr.

    Then reboot into normal mode, scan with HJT and HSFix and attach both new logs here!
     
  27. mrcolin1

    mrcolin1 Private E-2

    OK, I fixed the stuff a while ago, and my computer has seemed to be running fine. My internet has been going on and off though, and now I can post the links. Here we go.
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    links? You mean logs? :p

    When you get a chance please attach me a current HJT and HSFix log.

    Thanks Bj:)
     
  29. mrcolin1

    mrcolin1 Private E-2

OK, sorry. My internet keeps messing up, and I know it has something to do with the ZoneLabs firewall. I don't know how to access it, and I've tried to delete the files, and it's denied because of it being used by another program. What can I do? Also, I don't know how to edit my startup at Windows. When Spy Sweeper starts up it notifies me of a new startup file, and it's ZoneLabs. I remove it, and it comes back 5 seconds later. I don't know what to do. I'll post the logs in a few seconds. Thanks.
     
  30. mrcolin1

    mrcolin1 Private E-2

My internet keeps messing up, so I'm at my dad's restaurant on the internet. Therefore I'm not able to post the logs. But does anyone know how I can get rid of ZoneLabs? I've already been to Add/Remove Programs and it doesn't show up. Any help? Thanks.
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Navigate to the directory below and look for the uninstaller that's included with the install. When found, click the file zauninst.exe and uninstall.


    C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
     
  32. mrcolin1

    mrcolin1 Private E-2

Ok, I found a way by doing a clean install, and then I uninstalled, and my internet seems to work now. It seems ok for the moment, let's hope it stays that way. I'll post the logs in a second. But as I've run the HSFix a couple of times since I cleaned the spyware, it doesn't say much in the log. I'll show you in the next message.
     
  33. mrcolin1

    mrcolin1 Private E-2

    The Logs:
     

  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please allow me a moment to check your logs.
     
  35. mrcolin1

    mrcolin1 Private E-2

    Ok, Thanks
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)


    Again, make sure All Browser Windows are Closed when you Click FIX.



    NOW:

Navigate to and delete the following file if it exists:

    C:\WINDOWS\about.htm


    NEXT:
    Run CCleaner


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.



    Are you currently experiencing any problems?
     
  37. mrcolin1

    mrcolin1 Private E-2

    I'll run through the stuff. Right now though, my computer seems to be running fine.
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Good deal! Your HS problem seems gone, as well as the others. Let me know!

I'll be waiting:)
     
  39. mrcolin1

    mrcolin1 Private E-2

OK, I've done all the steps. I really, really appreciate all the help you've done for me. I might go help my uncle with his computers too, he said he was having a tough time with spyware. Again, I really appreciate it. Thanks a bunch.
     
  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

You're welcome!:)

    You should see this article on How to Protect yourself from malware!
     