Spyware back again

Discussion in 'Malware Help (A Specialist Will Reply)' started by beer2337, Aug 5, 2005.

  1. beer2337

    beer2337 Private E-2

    Hi, last time I wrote about 2 computers at the same residence that had problems. 1 of those computers is in good shape presently. The other isn't.



    This computer is running Windows XP (SP 2) Home Edition. There are 5 user accounts setup as well as an admin account. All of these accounts are used, but 1 of them is used primarily. My main concern is whether I have to go through all the scans and removal tools on all user accounts, or will doing them on 1 user account clean everything?



    If I don't have to go through every user then this is the situation:



    1. I have followed all of the steps in READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. All tools were the latest versions as were the detection definitions. BitDefender found 5 trojans and a win32 explorer hijack. 1 of the trojans could not be deleted. At this point I was not able to connect to the RAV website or any other site for that matter so I skipped it. Avert Stinger no problems. Adaware picked up Vx2, something called windows(TAC 3), and possible browser hijack. Spybot picked up ABetterInternet. And Microsoft AntiSpyware Beta picked up ABetterInternet as well, and ShopAtHome and DrSrch.



    2. I have HijackThis 1.99.1 and it is located in C:\Program Files\HJT. I have read the tutorial.



    3. So I have noticed popups with Aurora in the blue title area. Taking a quick look at HJT, I noticed a line like this, O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe , and I can see the file as a running process as well. But if I delete the file or kill the process, a new file and new process immediately show up with another random name. Lastly, I have noticed the file Nail.exe in the system folder and I can't delete the sucker.
     
  2. beer2337

    beer2337 Private E-2

    Hi again,

    Just to tie up any loose ends, I ran the RAV virus scan with nothing found. Also, I noticed 1 icon that the spyware removers didn't get rid of -- WinFixer 2005. Out of curiosity I checked the Add/Remove programs and it was there! I deleted it. I then noticed ABI was a listed program so I tried to delete it, but all that did was open a browser window saying "this program is NOT spyware blah blah go to this link to delete it." So, I went to that link and deleted it. There are other programs listed that I can't imagine belong:

    @value, HotNow, OfferApp, Rich Editor, Select Cash Back, sysnet, and Web Savings from Ebate (get this, I don't have the option to remove this 1. I see the Change/Remove but there is no button lol). Do you think it is safe to remove those? Last of all, I see a program called Viewpoint Media Player. I have noticed that Viewpoint is normally something that you guys ask people to uninstall so what should I do with it?

    thanks,
    Scott
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    • Download HijackThis 1.99.1

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    • Run HijackThis and save your log file.

    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    • Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  4. beer2337

    beer2337 Private E-2

    Thanks for the response. Here is the HJT log as requested. Also, and I apologize if this is out of line, but I have a pandascan log as well that might be helpful. I am no longer getting Aurora popups, and now the popups are from abcsearch and iccee.

    Scott
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Microsoft AntiSpyware
    (Uninstall this because it will block parts of this fix)

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1057_XP.cab
    O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\pcconfig.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\inf\biini.inf into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msplock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot into normal mode and proceed with the next step:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post both logs as attachments.
     
  6. beer2337

    beer2337 Private E-2

    Here are the logs. Now I am getting random popups. One of them couldn't find a server. Oh and I have a confession, I deleted all the files that you wanted me to delete with Pocket Kill Box before you replied. I hope that didn't mess things up too badly.

    Scott
     

    Attached Files:

    Last edited: Aug 7, 2005
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  8. beer2337

    beer2337 Private E-2

    Here is the latest panda scan. I have run a trend micro spyware scan since and cleaned what it found. I am getting random popups now but usually only when I surf. Title bar example: http:/64.111.196.228/looksmart.php?uid=55596491087 - Microsoft Internet Explorer
     

    Attached Files:

  9. beer2337

    beer2337 Private E-2

    Ok so I decided to go to the ip address in that title bar and I got a screen that said something like system administration login and there was a username and password field. Just for the fun of it I tried test, test for the 2 and I was granted access. Title bar is CAS. Under member information it says:
    User ID - test
    Access Type - advertiser
    Internal ID - 4

    I don't know exactly what I am looking at or if I should even have access but I thought it could be interesting to know
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Spy Sweeper 4.0.3.363 and install it.

    After you install make sure you get the updated spyware definitions. Then do a full sweep removing all infections. After you remove the infections with SpySweeper, reboot and attach a fresh HJT log!
     
  11. beer2337

    beer2337 Private E-2

    Here is the new log. Spy Sweeper cleaned thousands of traces of these programs like CAS that I knew were there but didn't know how to get rid of them. One little thing remains that I see: there is a Sony P2P icon on the desktop but now it has no icon image. When I click properties, it says http://leadblitz.com/sw/824/CD230/. Should I just delete it and not worry about it or is there another step that I need to take.

    Thanks,

    Scott
     
    Last edited: Aug 8, 2005
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Read my post carefully, after you complete the SpySweeper scan reboot and attach a fresh HJT log.
     
  13. beer2337

    beer2337 Private E-2

    I can't believe I forgot to upload the log again. I will have it for you tomorrow.

    sorry,

    Scott
     
  14. beer2337

    beer2337 Private E-2

    Here is the actual log this time....
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1057_XP.cab

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    After you complete the above, your log will be clean. Are you having any further problems?
     
  16. beer2337

    beer2337 Private E-2

    Everything seems to be working normally again!

    Thanks for the help,

    Scott
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  18. beer2337

    beer2337 Private E-2

    Hi, I am not noticing any problems but panda scan and trend micro's spyware scan both pick up 1 item.

    Panda picks up spyware called betterinet. In the report it lists the problem as in the registry without more info. I have searched the registry with the find option using all the possible names it could take. The only thing that came up was Binet, but Binet was finding every cabinet entry in the registry.

    Trend Micro finds effective.net which is in the registry HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1. When I look at that key in the registry I see 3 entries:
    Default REG_SZ (no value set)
    * REG_DWORD 0x00000004 (4)
    :Range REG_SZ 64.40.16.198

    I can't go to the site above because it is restricted by 1 of the programs I have running and I don't want to risk checking it out.

    Since I am having no obvious problems, should I worry about these or just ignore them?

    Scott
     
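    As an added example that is not part of this thread, the PowerShell script below lists every entry under the ZoneMap\Ranges key quoted above and decodes the zone number, so a `*` value of 4 on 64.40.16.198 can be read as a Restricted Sites mapping instead of guessed at. The zone-number-to-name mapping (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites) is standard Internet Explorer behaviour; the function name and the hive path parameter are my own.

```powershell
# Added example, not from the thread: decode Internet Explorer ZoneMap\Ranges entries.
# Each Range<N> subkey holds ':Range' (an IP or CIDR block) plus one value per
# protocol ('*' = all protocols, or 'http', 'https', ...) whose data is the zone id.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-ZoneMapRanges {
    param(
        # HKCU is what the thread's entry lives in; pass the HKLM: path to audit the machine-wide key.
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges'
    )
    if (-not (Test-Path -Path $Path)) { return @() }

    Get-ChildItem -Path $Path | ForEach-Object {
        $subKey = $_
        $props  = Get-ItemProperty -Path $subKey.PSPath
        # Every property except ':Range' and the PS* provider metadata is a protocol-to-zone value.
        $protocols = $props.PSObject.Properties |
            Where-Object { $_.Name -ne ':Range' -and $_.Name -notlike 'PS*' }

        foreach ($p in $protocols) {
            $zoneId = [int]$p.Value
            [pscustomobject]@{
                Key      = $subKey.PSChildName
                Range    = $props.':Range'
                Protocol = $p.Name
                ZoneId   = $zoneId
                Zone     = if ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { "Unknown ($zoneId)" }
            }
        }
    }
}

# Restricted Sites (4) entries block script/ActiveX from that host and are what immunizing tools add;
# an unfamiliar host mapped to Trusted Sites (2) is the kind of entry worth investigating.
Get-ZoneMapRanges | Sort-Object Range | Format-Table -AutoSize
```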
  19. beer2337

    beer2337 Private E-2

    This computer also has an antispyware program that appears to be part of AOL 9.0 SE. It picked up these items:

    LycosSideSearch
    CAS
    BeginToSearch
    Safesurfing

    I used the block all option as well as the delete option on what it found. Unfortunately, the program doesn't show much information about the spyware.

    Scott
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach the panda scan log.
     
