Spyware Problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sully45, Nov 8, 2004.

  1. sully45

    sully45 Private E-2

    Hello, I am new to this forum and seeking some help and guidance. I have been infected with spyware and have followed all of the instructions indicated in the tutorial on removing spyware, adware etc... I am still having some problems and I have downloaded Hijack This and saved the log file. I am a bit apprehensive to delete any files. I would greatly appreciate any help in reviewing my log file and providing me with some guidance.

    Thanks.

    Patrick
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Patrick,

    If you have exhausted all of the options in the Cleanup Tutorial, then send us a log. Please make sure to follow the instructions below.

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there ;) I'll check back when I get a chance.

    Best,
    PP
     
  3. smokinbls

    smokinbls the title thing is overrated

    you need to say what is happening.
    (like: cannot open Internet Explorer.)
    are you sure you did everything in this sticky?
    did you update everything?
    you also need to run the tests

    double check this
    http://forums.majorgeeks.com/showthread.php?t=35407


    i am just telling you this because i see that chaslang is not on-line, and he would ask you this...
     
  4. sully45

    sully45 Private E-2

    Thanks for the prompt replies. I have attached the Hijack This log file per your instructions. I have run all of the programs in the Basic Spyware tutorial and am still experiencing some problems - About Blank automatically starts in IE. Also I receive messages that my firewall detects - such as - www.clickspring.org, www.hackerwatch.org, www.download.aol.com and ??chost.exe are trying to access the internet. I also always receive a "Service Agent Initialization Failure" at start up.

    Thanks so much.
     


  5. PhilliePhan

    PhilliePhan Guest

    Hi Sully,

    Please Extract HijackThis from the ZIP File to C:\Program Files\HijackThis.

    Also, please download the following tool: LSP-Fix

    Please do the above and then attach a fresh log - I'll check back when I can.

    Best,
    PP
     
  6. sully45

    sully45 Private E-2

    Hi PP,

    I have extracted HijackThis from the ZIP File to C:\Program Files\HijackThis and I also downloaded the LSP-Fix tool and attached a fresh Hijack This Log. Thanks for taking the time to help me with this problem.

    Regards,

    Sully
     


  7. PhilliePhan

    PhilliePhan Guest

    Hi Patrick,

    Please run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the calsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move calsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Now, Reboot and then scan with HijackThis and attach that log and we’ll deal with all of the other crap. I'll try to check back later tonight.

    PP :)
     
  8. sully45

    sully45 Private E-2

    Hi PP,

    I ran the LSP-Fix as instructed then I rebooted and scanned with HijackThis and attached the log. Thanks again for your time.

    Patrick
     


  9. PhilliePhan

    PhilliePhan Guest

    Hi Patrick,

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and END them if found:
    ASYCFILT.exe
    ??chost.exe


    Now scan with HijackThis and check the boxes for the following:
    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"

    O4 - HKLM\..\Run: C:\documents and settings\patrick\local settings\temp\s.exe

    O4 - HKLM\..\Run: [q] C:\documents and settings\patrick\local settings\temp\q.exe

    O4 - HKLM\..\Run: [iw0N9VCpb] C:\documents and settings\patrick\local settings\temp\iw0N9VCpb.exe

    O4 - HKLM\..\Run: [e57093d641a7] C:\WINDOWS\System32\ASYCFILT.exe

    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

    O4 - HKCU\..\Run: [Trapb] C:\WINDOWS\system32\??chost.exe

    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)

    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)

    O9 - Extra button: Help - {0326E8AA-FCFA-4E10-B16E-368EE33BF9C1} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

    O9 - Extra button: Support - {9DD14D6E-B15A-4954-8E83-8306D3BFFEB6} - http://www.comcastsupport.com (file missing) (HKCU)

    O9 - Extra button: ComcastHSI - {EC643FAD-1B83-452C-91CD-A933C60ECF9F} - http://www.comcast.net (file missing) (HKCU)

    O15 - Trusted Zone: *.windupdates.com

    O16 - DPF: {0B36EE94-1331-3C9D-2572-49E66935747B} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {0F4C1726-6C84-7770-CB1E-1CD85FC5BEDE} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {13B19794-C4FB-554C-00E0-3C4953A36B9E} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {1D8527F3-AD95-2E89-ABAF-63C71A4305DC} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {29539EF8-7776-55EA-DF11-1FE37AA05CB4} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

    O16 - DPF: {3E81C322-8C07-63B5-52EC-7E940EA0C9CD} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {4041BE6A-327B-6ABB-A00F-2B49135B7B29} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {4AC03806-D2C3-003F-6E4C-144F2226B1AA} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {4D0201A7-62D4-7EE6-D305-01DD778DE716} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/080f5da1c69a9841a803/netzip/RdxIE601.cab

    O16 - DPF: {57862E0D-B220-07C5-90CB-191752AA8654} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {59C5AA56-759E-1679-9740-514059A36BD6} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {676C9757-EBA1-36CD-F31B-766B57A1E23D} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {6C7D1491-8822-2C87-FE80-539B78D29D22} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {70382DAD-636D-2F3C-A3FA-0B5B3EB44600} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {704EE52C-5E60-2278-5770-5A6942A8B2B4} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {7960EE91-8D56-3F41-4F7C-48A21C13E401} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {7D25419A-173A-5CA7-299A-73235AE2387A} - http://69.50.188.54/1/gdnUS208.exe

    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin_US.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and DELETE the following, if found:

    C:\WINDOWS\System32\twink64.exe
    C:\WINDOWS\System32\ASYCFILT.exe
    C:\WINDOWS\system32\??chost.exe
    EGCOMLIB_1035.dll <- - - Use Windows Explorer to run a search of your computer for this one!

    Now, run CCleaner. Then, Navigate to C:\documents and settings\patrick\local settings\temp and DELETE ALL remaining files and sub-folders.

    Reboot to Normal Windows and Scan with HijackThis and attach a fresh log. Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    NOTE: If you have trouble with your internet connection after deleting EGCOMLIB_1035.dll, run LSP-Fix again and just click “Finish.” I doubt this will come up.
    Again, let me know if you run into any problems.

    Best luck :)
    PP
     
    Last edited by a moderator: Nov 11, 2004
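    A defender's triage of the kinds of log entries PhilliePhan picked out above, as an added example that is not part of the original thread: the script parses HijackThis O4, O15 and O16 lines and flags the traits that made those entries stand out (an autorun living in a temp folder, undisplayable characters in a filename, a site added to the Trusted Zone, an ActiveX download served from a raw IP address or pointing at a bare .exe). The sample log is constructed from entry types quoted in the thread, and the rule set and function names are my own, not HijackThis's.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the entry types quoted in the thread; not a real log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [q] C:\\documents and settings\\patrick\\local settings\\temp\\q.exe
O4 - HKLM\\..\\Run: [SoundMan] C:\\WINDOWS\\SOUNDMAN.EXE
O4 - HKCU\\..\\Run: [Trapb] C:\\WINDOWS\\system32\\??chost.exe
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {0B36EE94-1331-3C9D-2572-49E66935747B} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
"""

# HijackThis line shapes: O4 autorun, O15 trusted zone, O16 ActiveX download (DPF).
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: (?:\[[^\]]*\] )?(?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def check_line(line: str) -> list[str]:
    """Return why one HijackThis line looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    if m := O4_RE.match(line):
        cmd = m.group("cmd").lower()
        if "\\temp\\" in cmd:  # autorun living in a user temp folder, as with s.exe / q.exe above
            reasons.append("autorun launches a program from a temp directory")
        if "?" in cmd:  # HijackThis prints '?' for characters it cannot display (the ??chost.exe case)
            reasons.append("autorun filename contains undisplayable characters")
    elif m := O15_RE.match(line):
        reasons.append(f"site added to the IE Trusted Zone: {m.group('zone')}")
    elif m := O16_RE.match(line):
        url = m.group("url")
        if IPV4_RE.fullmatch(urlsplit(url).hostname or ""):
            reasons.append("ActiveX download served from a raw IP address")
        if url.lower().endswith(".exe"):
            reasons.append("DPF entry points at a bare .exe instead of a .cab package")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map every flagged line of a HijackThis log to its reasons, preserving log order."""
    return {ln.strip(): r for ln in log_text.splitlines() if (r := check_line(ln.strip()))}


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, *("   -> " + r for r in reasons), sep="\n")
```

On the constructed sample the two benign lines (the SoundMan autorun and the Cult3D .cab) pass untouched while the other four are flagged, which is the same split a helper would make reading the log by eye.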
  10. sully45

    sully45 Private E-2

    Hi PP,

    I followed all of your instructions and have rebooted and run a new HiJack This Log and I have attached the log. My system seems to be running ok. I noticed that the start up menu was very slow. I had only one message at the start up menu - "Service Agent Initialization Failure - General Information could not be retrieved from the server. Please try again or click help for more information". I was able to connect to the internet ok.

    Thank you very much for all your help.
     


  11. PhilliePhan

    PhilliePhan Guest

    Hi Patrick,

    Happy to help! :)

    Your HijackThis Log is clean. Things should be running much better.
    Are you still getting the Service Agent Initialization Failure message?

    Let me know - I'll try to check back tonight.

    Best,
    PP
     
  12. sully45

    sully45 Private E-2

    Hi PP,

    I am still getting the Service Agent Initialization Failure message. But other than that everything appears to be running smoothly. Thanks again for all your help. I greatly appreciate your time and expertise.

    Best Regards,

    Patrick
     
  13. PhilliePhan

    PhilliePhan Guest

    Hi Patrick,

    I do not know what is responsible for this message and I do not want to start a trial & error process of random fixes. I'll try to see if I can come up with some info.

    Did you try clicking help to see what additional information could be found?
    I'm going to try to get another opinion.

    Best,
    PP
     
  14. PhilliePhan

    PhilliePhan Guest

    Hi Patrick,

    I couldn't come up with any useful info on this issue. I thought it might have to do with removing calsp.dll (which needed to go) with LSP-Fix.

    I asked one of our more knowledgeable forum members for his opinion and he suggested that you should look for something in Add or Remove Programs called Service Agent - This could be an AT&T or Comcast program.

    If you find that entry, try Removing it from Add/Remove and see if that does the trick.

    Best :)
    PP
     
