Spyware and Trojan HELP please

Discussion in 'Malware Help (A Specialist Will Reply)' started by nascar_fans_rock, Feb 5, 2005.

  1. nascar_fans_rock

    nascar_fans_rock Private E-2

    YEAH! I figured out how to post a new thread.. Maybe my day is getting better.. Thanks for the help Major Attitude...

    Now on with my problems and I will try to keep this short as possible!
    I ran Norton... it found Trojan.ByteVerify... was unable to remove so I clicked on quarantine it... so it's in quarantine... But I can not seem to get rid of it for good. I have loaded the Trojan Horse removal 6.3.4 which I found in something here at Major Geeks... ran it... but it didn't find it... Am I safe to email people with attachments without infecting them? I would die if I gave something to someone.... if not HOW do I kill that dang TROJAN?? :rolleyes:

    Next problem I am having is ABOUT:BLANK... I found the about:blank remover here at the site and ran that... it says it's gone but I am still having problems with webpages... ie: when I load Yahoo or even Google search pages I get those little white boxes with the RED X in them... the Google logo will not show up... while I am at this site and I am looking through the pages everything that should be showing an icon is that same little red X... What would cause that? :rolleyes:


    Last problem: (sick of me yet? you can say yes I will not get my feelings hurt)
    After running the Norton again... the Trojan Remover, Spybot S&D, Spy Sweeper... and everything came back good so I thought, I rebooted and BAM there it was... RED TINT SCREENS! Everything that is supposed to be black is red! I think I am looking through rose colored glasses... ANY CLUES there? :rolleyes:

    Ok I am done bending everyone's ear, I shall sit back and wait... to see if I need to take this thing and chunk it in the trash or if it can be saved!!!!

    Thanks for your time
    Hugs & Kisses,

    Paula
    "NASCAR Fans Rock" :p
     
  2. nascar_fans_rock

    nascar_fans_rock Private E-2

    Ohh yeah, forgot this one... I have a hijack on here too... I ran HIJACKTHIS but it was WAYYYYYYYYYYYYYYYYYY over my head... it looked Greek to me. OK NOW I am done :p

    Paula
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Paula, Please follow the below steps!

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. nascar_fans_rock

    nascar_fans_rock Private E-2

    Thank you sweetie... I will get started on your suggestions... Thanks for your time!

    Hugs,

    Paula
    "nascar"
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ok! If you have any problems running anything, drop me a message. And if the READ ME procedure does not fix you up, then post your HijackThis log as an attachment. Make sure you install it to the directory indicated.
     
  6. nascar_fans_rock

    nascar_fans_rock Private E-2

    OK! I have completed the tasks that I was given... I have screen shots of each of them if you need to see them. The only thing I could not do is run CCLEANER in safe mode. Didn't know if I should run it in NORMAL or not... so I didn't. I still have all those little red X's where graphics should be. Then after I restarted in NORMAL MODE... my screen now has a red tint to it... I know it's Valentine's... but red is just not my favorite color! ha ha ha any ideas what would make that happen... Attached is my HijackThis log... if I need to try anything else please just let me know:

    Done:
    Trend ~ House Call
    Symantec Security Check

    Done in SAFE MODE:
    Ad~Aware with plug in
    Spybot S&D with DSO Exploit
    CWShredder
    Kill2ME
    About:Buster

    Done as last resort: HiJackThis ~ Log is attached (lord I hope i attached it right)


    Did not run:

    CCleaner ~ Could not get it to run in safe mode
    HSRemover ~ I have WIN 98


    Thanks again for all the help you're giving!

    Hugs & Kisses,

    Paula
    "Nascar Fans Rock"
     

    Attached Files:

  7. nascar_fans_rock

    nascar_fans_rock Private E-2

    I went ahead and did the HIJACKTHIS analysis at the site given... and it gave me back a report... pretty much what I could tell, all those O15 Trusted site entries needed to be "FIXED" so I did... they don't go away... they keep coming back... any idea what I am doing wrong?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Damn!!! You have a ton of bad stuff in your Trusted Zone. We have to fix these. Let's try the "Easy" approach first and see if it helps at all to reduce the sheer number. Experience says many of them will return.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F1 - win.ini: run=lxbuppls.exe
    O2 - BHO: (no name) - {D337CF3A-4A39-86E1-B3F2-5AA0D97926D3} - (no file)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL (file missing)
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: awmdabest.com
    O15 - Trusted IP range: searchbarcash.com
    O15 - Trusted IP range: scoobidoo.com
    O15 - Trusted IP range: my-internet.info
    O15 - Trusted IP range: xxxtoolbar.com
    O15 - Trusted IP range: slotch.com
    O15 - Trusted IP range: flingstone.com
    O15 - Trusted IP range: mt-download.com
    O15 - Trusted IP range: blazefind.com
    O15 - Trusted IP range: clickspring.net
    O15 - Trusted IP range: searchmiracle.com
    O15 - Trusted IP range: 05p.com
    O15 - Trusted IP range: xxxtoolbar.com
    O15 - Trusted IP range: awmdabest.com
    O15 - Trusted IP range: searchbarcash.com
    O15 - Trusted IP range: scoobidoo.com
    O15 - Trusted IP range: my-internet.info
    O15 - Trusted IP range: slotch.com
    O15 - Trusted IP range: flingstone.com
    O15 - Trusted IP range: mt-download.com
    O15 - Trusted IP range: blazefind.com
    O15 - Trusted IP range: clickspring.net
    O15 - Trusted IP range: searchmiracle.com
    O15 - Trusted IP range: 05p.com
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: 05p.com
    O15 - Trusted IP range: searchmiracle.com
    O15 - Trusted IP range: clickspring.net
    O15 - Trusted IP range: blazefind.com
    O15 - Trusted IP range: mt-download.com
    O15 - Trusted IP range: flingstone.com
    O15 - Trusted IP range: slotch.com
    O15 - Trusted IP range: xxxtoolbar.com
    O15 - Trusted IP range: my-internet.info
    O15 - Trusted IP range: scoobidoo.com
    O15 - Trusted IP range: searchbarcash.com
    O15 - Trusted IP range: awmdabest.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 05p.com
    O15 - Trusted IP range: searchmiracle.com
    O15 - Trusted IP range: clickspring.net
    O15 - Trusted IP range: blazefind.com
    O15 - Trusted IP range: mt-download.com
    O15 - Trusted IP range: flingstone.com
    O15 - Trusted IP range: slotch.com
    O15 - Trusted IP range: xxxtoolbar.com
    O15 - Trusted IP range: my-internet.info
    O15 - Trusted IP range: scoobidoo.com
    O15 - Trusted IP range: searchbarcash.com
    O15 - Trusted IP range: awmdabest.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: static.topconverting.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: 05p.com
    O15 - Trusted IP range: searchmiracle.com
    O15 - Trusted IP range: clickspring.net
    O15 - Trusted IP range: blazefind.com
    O15 - Trusted IP range: mt-download.com
    O15 - Trusted IP range: flingstone.com
    O15 - Trusted IP range: slotch.com
    O15 - Trusted IP range: xxxtoolbar.com
    O15 - Trusted IP range: my-internet.info
    O15 - Trusted IP range: scoobidoo.com
    O15 - Trusted IP range: searchbarcash.com
    O15 - Trusted IP range: awmdabest.com
    O15 - Trusted IP range: frame.crazywinnings.com
    O15 - Trusted IP range: (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: awmdabest.com (HKLM)
    O15 - Trusted IP range: searchbarcash.com (HKLM)
    O15 - Trusted IP range: scoobidoo.com (HKLM)
    O15 - Trusted IP range: my-internet.info (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: xxxtoolbar.com (HKLM)
    O15 - Trusted IP range: slotch.com (HKLM)
    O15 - Trusted IP range: flingstone.com (HKLM)
    O15 - Trusted IP range: mt-download.com (HKLM)
    O15 - Trusted IP range: blazefind.com (HKLM)
    O15 - Trusted IP range: clickspring.net (HKLM)
    O15 - Trusted IP range: searchmiracle.com (HKLM)
    O15 - Trusted IP range: 05p.com (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: my-internet.info (HKLM)
    O15 - Trusted IP range: scoobidoo.com (HKLM)
    O15 - Trusted IP range: searchbarcash.com (HKLM)
    O15 - Trusted IP range: awmdabest.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O15 - Trusted IP range: awmdabest.com (HKLM)
    O15 - Trusted IP range: searchbarcash.com (HKLM)
    O15 - Trusted IP range: scoobidoo.com (HKLM)
    O15 - Trusted IP range: my-internet.info (HKLM)
    O15 - Trusted IP range: my-internet.info (HKLM)
    O15 - Trusted IP range: scoobidoo.com (HKLM)
    O15 - Trusted IP range: searchbarcash.com (HKLM)
    O15 - Trusted IP range: awmdabest.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: my-internet.info (HKLM)
    O15 - Trusted IP range: scoobidoo.com (HKLM)
    O15 - Trusted IP range: searchbarcash.com (HKLM)
    O15 - Trusted IP range: awmdabest.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: static.topconverting.com (HKLM)
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log. And tell me how things are working.
     
  9. nascar_fans_rock

    nascar_fans_rock Private E-2

    OK hon.. on my way!

    By the way, this is sorta kinda off topic in a way... but I was wondering if I could post the link to Major Geeks in the two Yahoo Groups that I own (they are Paint Shop Pro Groups)... we share a LOT of attachments and so on... someone is ALWAYS having problems and asking for help! As you can plainly see I am PUTER STUPID and can't help. So I wanted to put a link up in our LINKS section so that ALL would know about ya'll!

    OK off to do my chores in HIJACK!

    See ya in a bit!

    Paula
     
  10. nascar_fans_rock

    nascar_fans_rock Private E-2

    My new log is attached... IT DIDN'T GO AWAY~ lol it's all still there! So I will wait on my next set of orders... lol

    BTW I love your name.. my son's is the same but it is spelled Chazz! ;)
     
  11. nascar_fans_rock

    nascar_fans_rock Private E-2

    OK fine, I didn't attach it! Shoot me! Give me toilet cleaning duty lmao

    Here it is

    Paula
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm attaching a ZIP file that has a registry patch file inside named tzone.reg. Download the ZIP file and then extract the registry file to a folder or to your Desktop and then double click on it. And when it prompts to Add the file to the registry say yes.

    After that reboot in normal mode and post a new HJT log.

    Note this is just a start at getting some of those items removed; you have a load more than I have in that patch file (but I'm trying to watch the Super Bowl right now).
     

    Attached Files:
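    The O15 "Trusted Zone" and "Trusted IP range" lines chaslang lists in post 8, and the tzone.reg patch he attaches in post 12, both deal with the same registry tree: Internet Explorer keeps per-host zone assignments under Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and \Ranges (in both HKCU and HKLM), and a host is in the Trusted sites zone when a value there is dword 2. The script below is an added example, not code from this thread or from the tzone.reg attachment: it parses an exported .reg copy of that tree, lists every host mapped into zone 2, and writes a REGEDIT4-format deletion patch of the kind Windows 98's regedit will import. The sample export is constructed (hostnames are taken from the log above; the Range key numbers and the two legitimate entries mybank.example and intranet.example are made up), and the keep list is an assumption about what the owner actually wants to stay trusted.

```python
"""Audit IE's ZoneMap for Trusted-sites (zone 2) entries and build a .reg patch
that deletes them. Added example: works on exported .reg text, not the live
registry, so it can be reviewed offline before anything is imported."""
import re

# IE zone ids: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted
ZONE_TRUSTED = 2
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Constructed sample of what `regedit /e` of the ZoneMap tree might look like on
# the machine in this thread. Range numbers and the two legitimate entries are
# assumptions for illustration.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crazywinnings.com\frame]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mybank.example]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"http"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="206.161.125.149"
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2]
":Range"="static.topconverting.com"
"*"=dword:00000002
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}.
    dword values become ints, quoted strings become str; anything else is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                keys[current][name] = val[1:-1]
            else:
                keys[current][name] = val
    return keys


def trusted_entries(keys):
    """Return (host, key_path) for every ZoneMap Domains/Ranges key, in either
    hive, that maps some protocol into the Trusted sites zone."""
    found = []
    for path, values in keys.items():
        _hive, _, rest = path.partition("\\")
        if not rest.startswith(ZONEMAP + "\\"):
            continue
        if not any(v == ZONE_TRUSTED for v in values.values() if isinstance(v, int)):
            continue
        sub = rest[len(ZONEMAP) + 1:]            # e.g. Domains\crazywinnings.com\frame
        if sub.startswith("Domains\\"):
            parts = sub[len("Domains\\"):].split("\\")
            host = ".".join(reversed(parts))     # Domains\a.com\frame -> frame.a.com
        elif sub.startswith("Ranges\\"):
            host = str(values.get(":Range", sub))  # HJT shows these as "Trusted IP range"
        else:
            continue
        found.append((host, path))
    return found


def build_removal_patch(entries, keep=()):
    """Emit a REGEDIT4 .reg file (the format Windows 9x regedit imports) whose
    [-KEY] lines delete every trusted-zone key except hosts listed in `keep`."""
    lines, seen = ["REGEDIT4", ""], set()
    for host, path in sorted(entries):
        if host in keep or path in seen:
            continue
        seen.add(path)
        lines += [f"; {host}", f"[-{path}]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    entries = trusted_entries(parse_reg_export(SAMPLE_EXPORT))
    for host, path in entries:
        print(f"TRUSTED  {host:30s} {path}")
    print(build_removal_patch(entries, keep=("mybank.example",)))
```

    Usage on a real box is `regedit /e zonemap.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"` (and again for HKEY_LOCAL_MACHINE), feed the exports to the script, read the generated patch before importing it, and keep the hosts you really trust in `keep`. As chaslang notes later in the thread, a patch like this only removes the entries; whatever keeps re-adding them has to be found and stopped or they will be back after the next reboot.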

  13. nascar_fans_rock

    nascar_fans_rock Private E-2

    Not a problem! I am watching it too so I understand! I will do the one that you have already sent.. dont worry about this until the game is over ..... I completely understand!

    Paula
     
  14. nascar_fans_rock

    nascar_fans_rock Private E-2

    Here is the latest after I did the registry zip you sent to me! I don't think it changed...


    You tired of me yet?
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think it changed! I think it added more lines. We need to take a different approach here. I think you are missing some protection that you need to have to help us stop these.

    How do you connect to the internet (dial-up, cable, or DSL modem)? Do you have a router?

    You need to go to this thread: How to Protect yourself from malware!
    And follow the steps to get a firewall installed. Try one of the free ones like Sygate or ZoneAlarm. After installing it, do not give permission for anything to go out of your PC towards the Internet or allow things to come in from the Internet unless you are absolutely sure what they are and that they need access. Ask if you don't know. Obviously Internet Explorer (iexplore.exe) requires Internet access. And so will Spybot and SpywareBlaster (see below) to update.

    Do you have Spybot S&D installed? If not, install it and use the SDhelper function but not the Teatimer. And make sure you update it and use the Immunize feature.

    Do you have SpywareBlaster installed? If not, install it and enable all protections.

    Let me know when you complete those steps. In the meantime I have a load of entries to add to the registry patch.

    Also can you please locate this file with Windows Explorer:
    C:\WINDOWS\SYSTEM\LXBUPPLS.EXE

    Right click on it and select Properties and then the Version tab. Get company info. Is this for your Lexmark printer?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Another Question: Do you have multiple user logins on this PC?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing the above steps I posted. Follow these steps.

    I'm attaching a ZIP file that has a registry patch file inside named tzone.reg. Download the ZIP file and then extract the registry file to a folder or to your Desktop and then double click on it. And when it prompts to Add the file to the registry say yes.
     

    Attached Files:

  18. nascar_fans_rock

    nascar_fans_rock Private E-2

    I Just got home from work so I am about to get started....

    Let me see if I can answer some of your questions:

    > I think it changed! I think it added more lines. We need to take a different approach here. I think you are missing some protection that you need to have to help us stop these.

    > How do you connect to the internet (dial-up, cable, or DSL modem)? Do you have a router?
    ~ cable / with Ethernet through router

    > Do you have Spybot S&D installed?
    Yes. Did this yesterday, do I do it again?

    > Do you have SpywareBlaster installed? If not, install it and enable all protections.
    Yes I have it from yesterday... I will have to open it up

    > Let me know when you complete those steps. In the meantime I have a load of entries to add to the registry patch.

    > Also can you please locate this file with Windows Explorer:
    > C:\WINDOWS\SYSTEM\LXBUPPLS.EXE
    ~~ I don't see this one... But I am 99.9% sure it is my printer... but I will keep looking just to make 100% sure

    > Right click on it and select Properties and then the Version tab. Get company info. Is this for your Lexmark printer?
     
  19. nascar_fans_rock

    nascar_fans_rock Private E-2

    No, not multiple users... but another computer in my house is networked to this one... Mine is the main one
     
  20. nascar_fans_rock

    nascar_fans_rock Private E-2

    I am thinking that I have a firewall! Isn't that horrible that I don't really KNOW for sure... My cousin reformatted me and did a lot of stuff during the Christmas holidays... see if you know what I am talking about and if this is a firewall...

    My router that I am using... datalink is the name... I have what looks like an IP address that I type in the Address line, it takes me to a settings page where I have to make some changes in order to download music... yes I know I have to stop that at once.... but I am thinking it was a firewall, or am I confused?

    I just didn't want to install another one if I had one... didn't know if I had one and tried to put another one on here if it would cause a conflict between the two and give me more issues...

    Have I thanked you for all your time and help? If not THANK YOU!!! and when I get as smart as you are... I will help you ;)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may have a firewall in your router. That is a hardware firewall. It would be better to also add a software firewall.

    But be aware we are working problems with these O15 lines in many threads. They are a nightmare thus far. They keep returning because there are many hidden processes reloading them.
     
  22. nascar_fans_rock

    nascar_fans_rock Private E-2

    I now have the firewall! I got Sygate.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's good Paula. Now be careful what you allow to come in or go out.
     
