Resolved HJT Threads Resolved spyware and popup issues.
Old 05-05-2007, 04:26 AM   #1 (permalink)
Registered User
 
Join Date: May 2007
Posts: 27
OS: win XP


cannot install any spyware removing software

Hello,

Whenever I try to install Spybot Search & Destroy, the exe file is automatically deleted. I cannot turn on Windows Firewall. A process named hidr.exe is running, but even if I kill the process, I cannot install the software. Now I see another process running as hidrrr.exe. There is another process running, gain_trickler_3202.exe, but I cannot remove it. I have installed regClean, and when I try to run it, the screen goes blue and begins dumping physical memory. If my PC crashes now, I'll be in big big trouble. Need help badly. This is my HijackThis log file (but I think I ran HijackThis after killing the processes just mentioned. Will it make any difference?):

Logfile of HijackThis v1.99.1
Scan saved at 4:07:02 PM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\DAP\DAP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TC PowerPack\totalcmd.exe
E:\CD\software\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.20:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Trickler] "c:\program files\divx\divx pro codec\gain_trickler_3202.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'prxernsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

This is the StartupList report:

NameSpace #4: PrxerNsp.dll (file MISSING)
Protocol #1: PrxerDrv.dll (file MISSING)
Protocol #15: PrxerDrv.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 4,645 bytes
Report generated in 0.687 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


By the way, my operating system is Windows XP.

Thanks
Old 05-05-2007, 04:40 AM   #2 (permalink)
Registered User
 
Join Date: May 2007
Posts: 27
OS: win XP


cannot install any spyware removing software

OK, just in case, here is the log file with all those processes (hldrrr.exe and gain_trickler_3202 running). Also, my PC restarts whenever I try to open it in Safe Mode.

Logfile of HijackThis v1.99.1
Scan saved at 4:36:45 PM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\program files\divx\divx pro codec\gain_trickler_3202.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hldrrr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TC PowerPack\totalcmd.exe
E:\CD\software\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.20:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Trickler] "c:\program files\divx\divx pro codec\gain_trickler_3202.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'prxernsp.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
Old 05-05-2007, 07:07 PM   #3 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: cannot install any spyware removing software

Hi j1477,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Trickler] "c:\program files\divx\divx pro codec\gain_trickler_3202.exe"
Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\program files\divx\divx pro codec\gain_trickler_3202.exe
    C:\WINDOWS\system32\hldrrr.exe
    C:\WINDOWS\system32\hidr.exe
    C:\WINDOWS\system32\svchost
    C:\program files\divx


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Please download WinSock XP Fix by Option^Explicit:
  • Place it on your desktop.
  • Run WinsockxpFix.exe and click "Reg backup".
  • Your current registry will be saved in the folder "ERDNT".
  • Then click FIX.
  • Your system will reboot.


NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  1. Run the CCleaner installer.
  2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the Windows tab.
  4. Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  5. Then, click the Applications tab:
    • UNCHECK everything there.
  6. Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

I notice that your system doesn’t have an anti-virus program running. This can be suicidal in today’s digital age. :)

So, let’s set you up with a FREE and excellent anti-virus program called Active Virus Shield (Powered by Kaspersky). This is a highly ranked and highly regarded anti-virus program by our experts. It’s ranked #2 in the latest anti-virus test here:
http://www.virus.gr/english/fullxml/default.asp?id=82

Please download Active Virus Shield (Powered by Kaspersky) and save it to your desktop.
  • Please remember to register for your Activation Code using a legitimate email address.
  • Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:

  • Then please update the program and run a scan on My Computer. Allow it to neutralize all that it finds.
  • When done, launch Active Virus Shield's main window.

  • Click the Scan button on the left, and then click Detected.

  • In the ensuing window, click the Save As button to save a copy of the log.
  • Copy and paste that log in your next reply.

Note: You must use only 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from OTMoveIt.
  2. The log from the Active Virus Shield scan.
  3. The log from the ComboFix scan.
  4. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
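A triage pass over the HijackThis log in this thread, written as an added example (it is not HijackThis code or any tool the forum uses): it parses the section-coded lines and applies the rules behind the "Fix checked" selection in the reply above, flagging orphaned "(no file)" hooks and toolbars, Run keys that launch the executables named in the thread, and the O10 LSP line, which it routes to a Winsock repair instead of an HJT fix. SAMPLE_LOG is a constructed excerpt of the log in post #2; parse_hjt, triage, hjt_fix_lines, SUSPECT_NAMES and the two regexes are names chosen here.

```python
"""Triage a HijackThis v1.99.1 log the way a helper does by hand.

Added example for this thread; not HijackThis code or forum tooling.
parse_hjt() keeps the R/O-section lines, triage() applies the selection
rules from reply #3, and hjt_fix_lines() returns the lines to tick under
"Fix checked".  SUSPECT_NAMES holds only the file names the thread itself
identifies; it is not a general malware list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log from post #2 (raw string so the
# Windows backslashes stay exactly as they appear in the log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.20:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Trickler] "c:\program files\divx\divx pro codec\gain_trickler_3202.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'prxernsp.dll' missing
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Executables the thread itself names as the unwanted processes.
SUSPECT_NAMES = {"gain_trickler_3202.exe", "hldrrr.exe", "hidr.exe"}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Bare .exe names inside a command line; brackets are excluded so the
# "[ctfmon.exe]" value label on an O4 line is not mistaken for the target.
EXE_RE = re.compile(r'[^\\/"\s\[\]]+\.exe', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # "R3", "O4", ...
    body: str     # text after "Oxx - "
    raw: str      # the full line, as it must be ticked in HijackThis


@dataclass(frozen=True)
class Finding:
    entry: Entry
    action: str   # "fix_checked" or "winsock_repair"
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only section-coded lines; the process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], raw.strip()))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    findings = []
    for e in entries:
        if e.section in {"R3", "O2", "O3"} and e.body.endswith("(no file)"):
            # A registered hook, BHO or toolbar whose DLL is gone: dead registry
            # debris, typically left behind by an adware or toolbar uninstall.
            findings.append(Finding(e, "fix_checked", "orphaned entry, no file on disk"))
        elif e.section == "O4":
            hit = {n.lower() for n in EXE_RE.findall(e.body)} & SUSPECT_NAMES
            if hit:
                findings.append(Finding(e, "fix_checked",
                                        "autostart launches " + ", ".join(sorted(hit))))
        elif e.section == "O10":
            # Ticking an LSP line in HJT can leave Winsock unusable, so a missing
            # provider is routed to a Winsock repair rather than "Fix checked".
            findings.append(Finding(e, "winsock_repair", "LSP references a missing DLL"))
    return findings


def hjt_fix_lines(entries: list[Entry]) -> list[str]:
    """Lines to tick before 'Fix checked', in log order."""
    return [f.entry.raw for f in triage(entries) if f.action == "fix_checked"]


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.action:15} {f.reason:40} {f.entry.raw}")
```

On the excerpt this yields exactly the four lines the reply asks to tick, plus the O10 line handed off to the Winsock repair step.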
Old 05-09-2007, 07:57 AM   #4 (permalink)
Registered User
 
Join Date: May 2007
Posts: 27
OS: win XP


Re: cannot install any spyware removing software

Thanks for your reply. But before I got your suggestion, I had done the following (I got the instructions from the following URL, where somebody else seemed to be having similar problems):

http://forums.techguy.org/security/5...stroy-exe.html

Download the HostsXpert 3.7 - Hosts File Manager.
Unzip HostsXpert - Hosts File Manager to a convenient folder such as C:\HostsXpert - Hosts File Manager
Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Microsoft’s Host File and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

=================
Download Superantispyware (SAS)

http://www.superantispyware.com/supe...freevspro.html

Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

I think I could successfully remove the malware/spyware, but now I am having other kinds of problems. My browser is behaving weird. One of them is, when I click on a button on any site, it does nothing, which is why I could not download the Active Virus Shield scan. Also, when I type into Yahoo Messenger and press Enter, the stuff I have written disappears.

This is the log from OTMoveIt:

File/Folder C:\program files\divx\divx pro codec\gain_trickler_3202.exe not found.
File/Folder C:\WINDOWS\system32\hldrrr.exe not found.
File/Folder C:\WINDOWS\system32\hidr.exe not found.
C:\WINDOWS\system32\svchost moved successfully.
File/Folder C:\program files\divx not found.

Created on 05/09/2007 20:53:38
Old 05-09-2007, 08:00 AM   #5 (permalink)
Registered User
 
Join Date: May 2007
Posts: 27
OS: win XP


Re: cannot install any spyware removing software

This is the log from ComboFix scan:

"Laura" - 2007-05-09 20:55:58 Service Pack 2
ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Laura\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-09 to 2007-05-09 ))))))))))))))))))))))))))))))))))


2007-05-09 01:50 <DIR> d-------- C:\Program Files\CCleaner
2007-05-07 20:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-05 23:28 <DIR> d--hs---- C:\FOUND.000
2007-05-05 22:56 <DIR> d-------- C:\WINDOWS\Prefetch
2007-05-05 22:18 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-05-05 22:16 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-05-05 22:16 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-05-05 19:07 <DIR> d-------- C:\DOCUME~1\Asraf\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 16:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-05 16:58 <DIR> d-------- C:\DOCUME~1\Laura\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 16:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-05 15:57 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-05-05 15:34 <DIR> d-------- C:\Program Files\Greatis
2007-04-30 09:46 414,272 --a------ C:\WINDOWS\system32\DivXc32f.dll
2007-04-30 09:46 414,272 --a------ C:\WINDOWS\system32\DivXc32.dll
2007-04-30 09:46 <DIR> d-------- C:\temp\DivX_311alpha
2007-04-29 01:20 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-04-28 20:11 <DIR> d--h----- C:\DOCUME~1\Laura\APPLIC~1\hidires
2007-04-28 20:11 <DIR> d-------- C:\WINDOWS\exefld
2007-04-19 21:57 <DIR> d-------- C:\download
2007-04-19 21:57 <DIR> d-------- C:\DOCUME~1\Laura\APPLIC~1\Offline Explorer
2007-04-19 21:55 <DIR> d-------- C:\Program Files\Offline Explorer Pro
2007-04-16 02:21 <DIR> d-------- C:\mysqldriver
2007-04-15 19:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-04-13 19:49 8,704 --a------ C:\WINDOWS\system32\Sf_scsi.dll
2007-04-13 19:49 16,896 --a------ C:\WINDOWS\system32\Sf_utl.dll
2007-04-13 19:49 114,688 --a------ C:\WINDOWS\system32\Sf_osu.dll
2007-04-13 19:49 <DIR> d-------- C:\WINDOWS\system32\COLOR
2007-04-13 19:49 <DIR> d-------- C:\temp\Disk2
2007-04-13 19:49 <DIR> d-------- C:\temp\Disk1
2007-04-13 19:49 <DIR> d-------- C:\Program Files\Canon
2007-04-13 19:48 <DIR> d-------- C:\temp\Disk3
2007-04-13 12:53 <DIR> d-------- C:\Program Files\MSECache


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 15:23:04 22,748 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-08 11:16:52 -------- d-----w C:\Program Files\Norton AntiVirus
2007-04-08 11:15:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-04-08 10:41:30 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-04-06 17:43:32 -------- d-----w C:\Program Files\NimoCodec Pack
2007-04-06 07:16:46 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-06 06:39:08 -------- d-----w C:\Program Files\Cheetah Burner
2007-04-05 16:18:02 -------- d-----w C:\Program Files\Hero3000
2007-04-05 16:09:34 -------- d-----w C:\Program Files\OrionStudiosX
2007-04-05 13:01:32 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\Help
2007-04-05 06:15:04 -------- d-----w C:\Program Files\BanglaSoftwareGroup
2007-04-03 13:09:14 -------- d-----w C:\Program Files\Emule Speed Booster
2007-04-03 06:08:54 -------- d-----w C:\Program Files\Webshots
2007-04-03 06:08:54 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\Webshots
2007-04-03 03:16:52 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\vlc
2007-04-03 03:09:58 -------- d-----w C:\Program Files\VideoLAN
2007-04-02 19:59:28 -------- d-----w C:\Program Files\TuneUp Utilities 2006
2007-04-02 19:59:28 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\TuneUp Software
2007-04-02 19:58:30 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-01 10:25:46 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\BitDownload
2007-04-01 10:25:34 -------- d-----w C:\Program Files\BitDownload
2007-03-30 17:12:46 0 ----a-w C:\CONFIG.SYS
2007-03-30 17:12:46 0 ----a-w C:\AUTOEXEC.BAT
2007-03-29 20:11:04 -------- d-----w C:\Program Files\iMesh
2007-03-29 19:52:54 -------- d-----w C:\Program Files\WinMX Music
2007-03-29 19:30:40 -------- d-----w C:\Program Files\Proxifier
2007-03-29 15:41:22 -------- d-----w C:\Program Files\eMule
2007-03-29 11:12:20 -------- d-----w C:\Program Files\eMule.de
2007-03-29 11:08:44 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\Google
2007-03-28 14:00:54 -------- d-----w C:\Program Files\WordWeb
2007-03-27 16:48:56 -------- d-----w C:\Program Files\Google
2007-03-27 06:16:52 -------- d-----w C:\Program Files\Alwil Software
2007-03-26 16:28:08 -------- d--h--r C:\DOCUME~1\Laura\APPLIC~1\yahoo!
2007-03-25 20:53:56 -------- d-----w C:\Program Files\Yahoo!
2007-03-25 19:45:04 -------- d-----w C:\Program Files\DAP
2007-03-24 20:46:26 -------- d-----w C:\Program Files\directx
2007-03-24 20:45:22 -------- d-----w C:\Program Files\Multimedia V3.08
2007-03-24 18:43:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-24 18:43:00 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-23 09:34:12 65,536 --sh--w C:\VIDEOROM.BIN
2007-03-23 09:23:46 1,663 --sh--r C:\MSDOS.SYS
2007-03-23 09:15:38 9,148 --sh--w C:\SUHDLOG.DAT
2007-03-19 04:20:08 -------- d-----w C:\DOCUME~1\Laura\APPLIC~1\AdobeUM
2007-03-19 04:02:38 -------- d-----w C:\Program Files\Winamp
2007-03-19 04:00:36 -------- d-----w C:\Program Files\Creative
2007-03-19 03:56:58 -------- d-----w C:\Program Files\TC PowerPack
2007-03-18 0520 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-18 05:03:10 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-18 05:01:54 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-18 05:01:40 -------- d-----w C:\Program Files\Movie Maker
2007-03-18 04:59:46 -------- d-----w C:\Program Files\Online Services
2007-03-18 04:59:34 -------- d-----w C:\Program Files\Messenger
2007-03-18 04:59:30 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-18 04:58:42 -------- d-----w C:\Program Files\Windows NT
2007-03-18 04:49:16 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-18 04:49:12 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-06 08:50:54 1,101,824 ----a-w C:\WINDOWS\system32\NMSDVDXU.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}"="C:\Program Files\DAP\DAPIEBar.dll"
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiS Tray"="C:\\WINDOWS\\system32\\sistray.exe"
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"D066UUtility"="C:\\WINDOWS\\TWAIN_32\\D66U\\D066UUTY.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drvsyskit"="C:\\Documents and Settings\\Laura\\Application Data\\hidires\\hidr.exe"
"hldrrr"="C:\\WINDOWS\\system32\\hldrrr.exe"
"Regrun2"="C:\\PROGRA~1\\Greatis\\REGRUN~1\\WatchDog.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
Shell\AutoRun\command RavMon.exe
Shell\explore\Command RavMon.exe -e
Shell\open\Command RavMon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command RavMon.exe
Shell\explore\Command RavMon.exe -e
Shell\open\Command RavMon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command RavMon.exe
Shell\explore\Command RavMon.exe -e
Shell\open\Command RavMon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command RavMon.exe
Shell\explore\Command RavMon.exe -e
Shell\open\Command RavMon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20941b4c-de19-11db-8e3e-4c0010523213}]
Shell\AutoRun\command RavMon.exe
Shell\explore\Command RavMon.exe -e
Shell\open\Command RavMon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48e3a2b4-dc63-11db-8e2d-4c0010523213}]
Shell\Auto\command NTDETECT.EXE e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NTDETECT.EXE e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5bd69b7e-d51a-11db-8e11-9a96f8d92f88}]
Shell\AutoRun\command H:\RavMon.exe
Shell\explore\Command H:\RavMon.exe -e
Shell\open\Command H:\RavMon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a97bc178-e1a5-11db-8e52-4c0010523213}]
Shell\Auto\command H:\AdobeR.exe e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c75d3d6c-eab9-11db-8e77-4c0010523213}]
Shell\AutoRun\command RavMon.exe
Shell\explore\Command RavMon.exe -e
Shell\open\Command RavMon.exe



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070509-010043-385
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
backup-20050703-185029-183
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-09 20:58:48
Windows 5.1.2600 Service Pack 2 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-09 20:58:55
j1477 is offline  
Old 05-09-2007, 08:18 AM   #6 (permalink)
Registered User
 
Join Date: May 2007
Posts: 27
OS: win XP


Re: cannot install any spyware removing software

Here is HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:57 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TC PowerPack\totalcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mspaint.exe
E:\CD\software\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.20:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Laura\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Also, when I try to search for something in my browser, the "next" button remains disabled. I don't know if this browser behavior has anything to do with malware. And right-clicking on my C, E, and F drives shows strange fonts in place of "open" and "explore".
j1477 is offline  
Old 05-09-2007, 08:22 AM   #7 (permalink)
Registered User
 
Join Date: May 2007
Posts: 27
OS: win XP


Re: cannot install any spyware removing software

By the way, thank you very much for taking your time out to attend to my problems :)
j1477 is offline  
Old 05-09-2007, 08:57 AM   #8 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: cannot install any spyware removing software

Hi j1477,

You’re most welcome, j1477.

Let’s take care of the malware first, and then see about the other problems, OK?

OK, let’s do this next.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
  • Double-click Flash_Disinfector.exe to run it.
  • Follow any prompts that may appear.
  • Wait until the program has finished scanning, then please exit the program.


NEXT:

Let’s use another internet browser so that you can at least download stuff and perhaps run some other online scanners.

Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you do decide to install Firefox, please take a moment to read Switching from IE to Firefox.

Use the Firefox browser until we can solve the Internet Explorer problem.


NEXT:

Please download Dr.Web CureIt and save it to your desktop.

NOTE: In the event you already have Dr.Web CureIt, this is a new version that I need you to download.

Now scan with Dr.Web CureIt:
  • Double-click the drweb-cureit.exe file. It will then suggest running an "Express Scan" -- this you should allow.
  • After this (Dr.Web writes "Done" at the bottom left), you click "Options" menu -> "Change settings".
  • Choose the "Scan" tab, uncheck the mark at "Heuristic analysis".
  • Choose the "Actions" tab, and choose "Rename" under all the "Malware" issues. Then click "OK".
  • Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).
  • Click the green arrow at the right, and the scan will start. The first time Dr.Web finds something, click "Yes to All"; after this it will automatically fix what is found.
  • After the scan, go to the "View" menu -> "Report list".
  • Then go to the "File" menu -> "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv. Copy and paste the contents of the report in your next reply.
  • Close Dr.Web CureIt.
  • REBOOT your computer!! It is possible that files in use will only be moved/deleted during the reboot.


NEXT:

Please go to Start -> Control Panel -> Software -> Add or Remove Programs and remove any of the following that are listed:

Bitdownload
Bitgrabber
Bitroll
CiD Manager
CiD Help
Download Plugin for Internet Explorer
Messenger Plus!
Messenger Plus! 2
Messenger Plus! 3
Messenger Plus! 3 & Sponsor
Messenger Plus! Live
Messenger Plus! Live & Sponsor
Netpumper
Search Plugin
WinZix
Zone Media


This is because they are usually bundled with the malware. Don't worry if you can't find them all.

If, during uninstall, you are asked for uninstall verification, please enter the numbers that appear in the window.

Then reboot. <-- Important!


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Laura\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please launch OTMoveIt:
  • Double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\unvise32.exe
    C:\WINDOWS\system32\hldrrr.exe
    C:\SUHDLOG.DAT
    C:\DOCUME~1\Laura\APPLIC~1\BitDownload
    C:\Program Files\BitDownload
    C:\Documents and Settings\Laura\Application Data\hidires


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

Code:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20941b4c-de19-11db-8e3e-4c0010523213}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48e3a2b4-dc63-11db-8e2d-4c0010523213}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5bd69b7e-d51a-11db-8e11-9a96f8d92f88}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a97bc178-e1a5-11db-8e52-4c0010523213}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c75d3d6c-eab9-11db-8e77-4c0010523213}]
Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

If you are still unsure how to create a REG file, please take a look HERE, which has screenshots.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the Dr.Web CureIt scan.
  2. The log from OTMoveIt.
  3. A new ComboFix log.
  4. A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by Sempurna : 05-09-2007 at 09:00 AM.
Sempurna is offline  
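The MountPoints2 listing in the ComboFix output earlier in this thread (every drive letter and volume GUID carrying Shell\AutoRun, Shell\open and Shell\explore commands that launch RavMon.exe) is exactly what the REGEDIT4 fix in this post deletes. The following Python script is an added example, not code from the thread or from ComboFix, HijackThis or any other tool named here. It parses a listing in that format (the sample input is constructed to mirror the thread's), flags every MountPoints2 subkey that carries a cached autorun.inf handler, and writes the equivalent [-key] deletion script, so an analyst can see which entries are being removed and why before merging the file.

```python
"""
Triage of Explorer's MountPoints2 cache (added example, not from the thread).

Explorer keeps a per-volume copy of the autorun.inf shell handlers it has seen
under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.
When a subkey carries Shell\AutoRun\command, Shell\open\Command or a similar
value, opening or exploring that drive runs the named program instead of just
opening the folder. This script parses a listing in the thread's format and
emits the REGEDIT4 [-key] lines that delete the affected subkeys.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample that mirrors the listing in the thread: two hijacked
# entries and one harmless volume that only records its base class.
SAMPLE_DUMP = r"""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
Shell\AutoRun\command RavMon.exe
Shell\explore\Command RavMon.exe -e
Shell\open\Command RavMon.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48e3a2b4-dc63-11db-8e2d-4c0010523213}]
Shell\Auto\command NTDETECT.EXE e
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NTDETECT.EXE e

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-1111-2222-3333-444444444444}]
BaseClass Drive
"""

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# Any value named Shell\<verb>\command is a cached autorun.inf handler.
HANDLER_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a '[key]' / 'name value' listing into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            name, _, value = line.partition(" ")
            keys[current][name] = value.strip()
    return keys


def autorun_handlers(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs for every cached shell handler."""
    return [(n, v) for n, v in values.items() if HANDLER_RE.match(n)]


def hijacked_mountpoints(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each MountPoints2 subkey that carries a shell command to its handlers."""
    flagged: Dict[str, List[Tuple[str, str]]] = {}
    for key, values in parse_dump(text).items():
        if "\\MountPoints2\\" not in key:
            continue
        handlers = autorun_handlers(values)
        if handlers:
            flagged[key] = handlers
    return flagged


def expand_hive(key: str) -> str:
    """Turn the HKCU/HKLM shorthand into the full hive name regedit expects."""
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive) + sep + rest


def build_fix_reg(text: str) -> str:
    """Emit a REGEDIT4 script whose [-key] lines delete each flagged subkey."""
    lines = ["REGEDIT4", ""]
    for key in hijacked_mountpoints(text):
        lines.append(f"[-{expand_hive(key)}]")
        lines.append("")
    # regedit wants CRLF line endings and a trailing blank line.
    return "\r\n".join(lines)


if __name__ == "__main__":
    for key, handlers in hijacked_mountpoints(SAMPLE_DUMP).items():
        print(key)
        for name, command in handlers:
            print(f"    {name} -> {command}")
    print()
    print(build_fix_reg(SAMPLE_DUMP))
```

Deleting these keys only clears Explorer's cache of handlers; the autorun.inf and executable on the removable media themselves have to be removed separately, which is what the Flash_Disinfector step in this post is for, and the entries are rebuilt (benignly, if the media is clean) the next time a volume is inserted. The check here is deliberately generic: a listing that shows any MountPoints2 subkey with a Shell\...\command value is worth a look, whatever the program name, because Explorer never needs such a value for an ordinary data drive.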
Old 05-12-2007, 12:22 PM   #9 (permalink)
Registered User
 
Join Date: May 2007
Posts: 27
OS: win XP


Re: cannot install any spyware removing software

Thanx, but the probs with IE and yahoo messenger are still there :'(

Here is the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:17:29 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TC PowerPack\totalcmd.exe
E:\CD\software\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.20:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

OTMoveIt log:

C:\WINDOWS\unvise32.exe moved successfully.
File/Folder C:\WINDOWS\system32\hldrrr.exe not found.
C:\SUHDLOG.DAT moved successfully.
C:\DOCUME~1\Laura\APPLIC~1\BitDownload\Data\BackUp\LgDir moved successfully.
C:\DOCUME~1\Laura\APPLIC~1\BitDownload\Data\BackUp\DataDir moved successfully.
C:\DOCUME~1\Laura\APPLIC~1\BitDownload\Data\BackUp moved successfully.
C:\DOCUME~1\Laura\APPLIC~1\BitDownload\Data\LgDir moved successfully.
C:\DOCUME~1\Laura\APPLIC~1\BitDownload\Data\TmpDir moved successfully.
C:\DOCUME~1\Laura\APPLIC~1\BitDownload\Data\DataDir moved successfully.
C:\DOCUME~1\Laura\APPLIC~1\BitDownload\Data moved successfully.
C:\DOCUME~1\Laura\APPLIC~1\BitDownload moved successfully.
C:\Program Files\BitDownload\ZM moved successfully.
C:\Program Files\BitDownload moved successfully.
C:\Documents and Settings\Laura\Application Data\hidires moved successfully.

Created on 05/13/2007 01:09:34
j1477 is offline  
Old 05-12-2007, 12:26 PM   #10 (