Old 04-28-2007, 11:30 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 9
OS: Vista home premium 32-bit


w32.spybot.worm- I can't get rid of it.

I got this virus about two days ago and can't seem to get rid of it. I looked on the Symantec website, but got confused when they started talking about registries and stuff. (I'm an intermediate computer user.) The exe is called tfpl.exe.
I thought I got rid of it, but every time I restart my computer, a Symantec Auto-Protect alert comes up. I am also having problems with my internet connection. For instance, when I play a game, Counter-Strike: Source, and search for servers, it loses the internet connection and all I have is a local connection. This is the HijackThis DSS log. Attached is the extra.txt log thing.




Deckard's System Scanner v20070426.43
Run by Tadd on 2007-04-28 at 21:57:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Performed disk cleanup.


-- HijackThis (run as Tadd.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:00:08 PM, on 4/28/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\tfpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\mobsync.exe
C:\hp\kbd\kbd.exe
C:\Users\Tadd\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\HIJACK~1\Tadd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [googletalk] C:\Users\Tadd\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] TFPL.EXE
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S3 SRTSPL - c:\windows\system32\drivers\srtspl.sys <Not Verified; Symantec Corporation; AutoProtect>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Files created between 2007-03-28 and 2007-04-28 -----------------------------

2007-04-28 21:46:37 0 d-------- C:\Program Files\SpywareBlaster
2007-04-27 17:00:44 0 d-------- C:\Program Files\ATI Technologies
2007-04-27 17:00:41 0 d-------- C:\Program Files\ATI
2007-04-27 16:59:33 0 d-------- C:\ATI
2007-04-27 16:12:17 0 d-------- C:\Program Files\CCleaner
2007-04-26 18:08:14 121856 ---h----- C:\Windows\system32\tfpl.exe
2007-04-26 18:08:12 121856 ---h----- C:\Windows\system32\llvk.exe
2007-04-25 15:21:05 0 d-------- C:\Program Files\Microsoft Works
2007-04-25 15:10:07 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-04-25 15:09:01 0 d-------- C:\Users\All Users\Microsoft Help
2007-04-25 14:47:37 92160 --a------ C:\Windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2007-04-25 14:47:36 0 d-------- C:\Program Files\MagicDisc
2007-04-24 18:53:30 0 d-------- C:\Program Files\DVDFab HD Decrypter 3
2007-04-22 16:18:05 0 d-------- C:\Windows\Sun
2007-04-22 12:23:16 0 d-------- C:\Program Files\Stardock
2007-04-20 19:09:05 0 d-------- C:\Program Files\Yamicsoft
2007-04-19 17:59:13 0 d-------- C:\Program Files\Common Files\L&H
2007-04-18 19:24:01 0 d-------- C:\Program Files\Steam
2007-04-18 16:04:52 0 d-------- C:\Program Files\SystemRequirementsLab
2007-04-10 1229 0 d-------- C:\Program Files\MagicISO
2007-04-10 01:47:18 0 d-------- C:\Program Files\Common Files\Stardock
2007-04-07 20:10:25 0 d-------- C:\Program Files\Bethesda Softworks
2007-04-07 20:05:19 0 d-------- C:\Program Files\Alcohol Soft
2007-04-07 19:56:59 0 d-------- C:\Program Files\RCrawler
2007-04-03 22:09:42 0 d-------- C:\Program Files\CONEXANT
2007-04-01 13:08:35 0 d-------- C:\Users\Tadd\Shared
2007-04-01 13:08:34 0 d-------- C:\Users\Tadd\Incomplete
2007-03-31 16:11:58 0 d-------- C:\Windows\pss
2007-03-29 15:26:12 36864 --a------ C:\Windows\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2007-03-29 15:04:31 2560 --a------ C:\Windows\_MSRSTRT.EXE


-- Find3M Report ---------------------------------------------------------------

2007-04-28 20:59:35 0 d-------- C:\Users\Tadd\AppData\Roaming\uTorrent
2007-04-28 10:12:20 0 d-------- C:\Users\Tadd\AppData\Roaming\Vso
2007-04-27 17:08:08 0 d-------- C:\Users\Tadd\AppData\Roaming\ATI
2007-04-27 16:15:26 0 d-------- C:\Users\Tadd\AppData\Roaming\SystemRequirementsLab
2007-04-25 15:20:28 0 d-------- C:\Program Files\MSBuild
2007-04-22 10:15:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-18 17:24:05 0 d-------- C:\Program Files\Microsoft Games
2007-04-16 22:32:15 0 d-------- C:\Users\Tadd\AppData\Roaming\Skype
2007-04-15 16:11:01 0 d-------- C:\Program Files\Windows Defender
2007-04-15 16:09:28 0 d-------- C:\Program Files\Java
2007-04-15 16:08:48 0 d-------- C:\Program Files\Windows Mail
2007-04-08 02:18:11 0 d-------- C:\Program Files\Lavasoft
2007-04-07 20:09:38 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-03 15:27:46 0 d-------- C:\Program Files\DVDFab Platinum 3
2007-04-03 07:17:34 0 d-------- C:\Users\Tadd\AppData\Roaming\Lavasoft
2007-04-01 13:26:06 0 d-------- C:\Users\Tadd\AppData\Roaming\LimeWire
2007-03-27 16:08:15 0 d-------- C:\Program Files\Opera
2007-03-27 15:48:36 0 --a------ C:\Windows\nsreg.dat
2007-03-27 15:48:25 0 d-------- C:\Users\Tadd\AppData\Roaming\Mozilla
2007-03-27 15:10:38 0 d-------- C:\Program Files\Frameworkx
2007-03-25 19:10:42 0 d-------- C:\Program Files\Boilsoft MOV Converter
2007-03-23 17:25:58 0 d-------- C:\Program Files\ffdshow
2007-03-22 21:38:22 0 d-------- C:\Program Files\WhatPulse
2007-03-20 22:02:44 0 d-------- C:\Program Files\DAMN NFO Viewer
2007-03-20 19:02:32 0 d-------- C:\Users\Tadd\AppData\Roaming\Azureus
2007-03-20 07:21:30 0 d-------- C:\Program Files\iTunes
2007-03-20 07:21:25 0 d-------- C:\Program Files\iPod
2007-03-19 16:12:02 0 d-------- C:\Users\Tadd\AppData\Roaming\Apple Computer
2007-03-19 07:11:30 0 d-------- C:\Program Files\SlySoft
2007-03-18 14:47:28 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-03-18 14:47:01 0 d-------- C:\Program Files\Symantec
2007-03-18 14:43:37 0 d-------- C:\Program Files\Symantec AntiVirus
2007-03-18 13:09:38 0 d-------- C:\Program Files\mIRC
2007-03-16 18:04:58 512000 --a------ C:\Windows\system32\AWESOM-O Movie Generator.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2007-03-16 17:31:41 0 d-------- C:\Program Files\Common Files\Java
2007-03-16 17:27:17 0 d-------- C:\Program Files\uTorrent
2007-03-16 10:09:44 0 d-------- C:\Program Files\MAPILab Ltd
2007-03-16 09:33:45 34 --a------ C:\Users\Tadd\AppData\Roaming\pcouffin.log
2007-03-16 09:33:42 7824 --a------ C:\Users\Tadd\AppData\Roaming\pcouffin.cat
2007-03-15 23:10:19 0 d-------- C:\Program Files\AC3Filter
2007-03-15 23:02:16 0 d-------- C:\Program Files\Google
2007-03-15 22:31:25 0 d-------- C:\Users\Tadd\AppData\Roaming\Google
2007-03-15 21:10:09 0 d-------- C:\Program Files\RadarSync
2007-03-15 19:15:58 0 d-------- C:\Program Files\Xvid
2007-03-15 15:30:08 0 d-------- C:\Users\Tadd\AppData\Roaming\Elaborate Bytes
2007-03-15 15:30:04 43 --ahs---- C:\Users\Tadd\AppData\Roaming\.zreglib
2007-03-15 07:18:12 0 d-------- C:\Program Files\Apple Software Update
2007-03-14 21:44:01 0 d-------- C:\Program Files\DVD Decrypter
2007-03-14 21:42:39 0 d-------- C:\Program Files\DVD Shrink
2007-03-14 17:26:47 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-03-14 17:24:55 0 d-------- C:\Program Files\Microsoft.NET
2007-03-14 17:16:56 0 d-------- C:\Program Files\Lexmark X6100 Series
2007-03-14 07:39:03 0 d-------- C:\Users\Tadd\AppData\Roaming\SlySoft
2007-03-14 07:25:30 0 d-------- C:\Program Files\Elaborate Bytes
2007-03-13 21:22:47 0 d-------- C:\Users\Tadd\AppData\Roaming\Macromedia
2007-03-13 20:30:31 0 d-------- C:\Program Files\QuickTime
2007-03-13 20:18:18 0 d-------- C:\Users\Tadd\AppData\Roaming\WinRAR
2007-03-13 19:48:59 0 d-------- C:\Users\Tadd\AppData\Roaming\Opera
2007-03-13 19:36:58 0 d-------- C:\Users\Tadd\AppData\Roaming\Identities
2007-02-28 16:05:26 86016 --a------ C:\Windows\system32\ElbyCDIO.dll <Not Verified; Elaborate Bytes AG; Elaborate Bytes CDRTools>
2007-02-21 21:00:28 10752 --a------ C:\Windows\system32\ff_vfw.dll


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Defender"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,57,69,\
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KBD"="C:\\HP\\KBD\\KbdStub.EXE"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"RtHDVCpl"="RtHDVCpl.exe"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
@="C:\\Program Files\\WhatPulse\\WhatPulse.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"googletalk"="C:\\Users\\Tadd\\AppData\\Roaming\\Google\\Google Talk\\googletalk.exe /autostart"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"WhatPulse"="C:\\Program Files\\WhatPulse\\WhatPulse.exe"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"
"µTorrent"="\"C:\\Program Files\\uTorrent\\utorrent.exe\""
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
@=""
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Winsock2 driver"="TFPL.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"scforceoption"=dword:00000000
"FilterAdministratorToken"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AppInfo
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\KeyIso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTDS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ProfSvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SWPRV
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TabletInputService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TBS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TrustedInstaller
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgr.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgrx.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\WindowBlinds]
"WindowBlinds"=dword:00000002
"YEAR"=dword:000007d7
"MONTH"=dword:00000004
"DAY"=dword:00000014
"HOUR"=dword:00000013
"MINUTE"=dword:00000016
"SECOND"=dword:0000002d

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent\0\0
LocalServiceNoNetwork REG_MULTI_SZ PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService REG_MULTI_SZ CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WerSvcGroup REG_MULTI_SZ wersvc\0\0
swprv REG_MULTI_SZ swprv\0\0
LocalServiceNetworkRestricted REG_MULTI_SZ DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
wcssvc REG_MULTI_SZ WcsPlugInService\0\0
DcomLaunch REG_MULTI_SZ PlugPlay\0DcomLaunch\0\0
wdisvc REG_MULTI_SZ WdiServiceHost\0\0
sdrsvc REG_MULTI_SZ sdrsvc\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
secsvcs REG_MULTI_SZ WinDefend\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
AeLookupSvc
wercplsupport
CertPropSvc
SCPolicySvc
gpsvc
IKEEXT
LogonHours
PCAudit
iphlpsvc
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
SessionEnv
hkmsvc


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6851e82d-e579-11db-ab4b-0018f3315d35}]
shell\AutoRun\command J:\OblivionLauncher.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{72cd4f7f-f2b2-11db-96e5-0018f3315d35}]
shell\AutoRun\command L:\SETUP.EXE
shell\configure\command L:\SETUP.EXE
shell\install\command L:\SETUP.EXE


-- End of Deckard's System Scanner: finished at 2007-04-28 at 22:00:36 ---------
Attached Files
File Type: txt extra.txt (9.4 KB, 7 views)
Immune is offline  

Old 04-29-2007, 12:40 AM   #2 (permalink)
TSF Enthusiast
 
src2206's Avatar
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3

Re: w32.spybot.worm- I can't get rid of it.

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
__________________
Registered Linux user #426065
src2206 is offline  
Old 04-29-2007, 10:02 PM   #3 (permalink)
TSF Enthusiast
 
src2206's Avatar
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3

Re: w32.spybot.worm- I can't get rid of it.

Hello and welcome to TSF.

You may like to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools located near the top of this page, then click Subscribe to this Thread. Make sure it is set to Instant email Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

_________________________________________________________________


Unfortunately we are quite limited in terms of our resources while disinfecting and cleaning a Vista PC. As the OS is too new, most of the weapons in our arsenal are not compatible with Vista. Still, I suggest that you follow the next steps to clean the main infection you have on board.

________________________________________________________________


P2P

I see you have P2P software on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software (µTorrent and Azureus) installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

_________________________________________________________________


Disable Security Software

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
__________________________________________________________________


Show Hidden Files and Folders

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

___________________________________________________________________


Fix

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

__________________________________________________________________


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKCU\..\RunOnce: [Winsock2 driver] TFPL.EXE


Please remember to close all other windows, including browsers then click Fix checked.

__________________________________________________________________


Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Windows\system32\llvk.exe
C:\Windows\system32\tfpl.exe


_________________________________________________________________


Reboot your system in Normal Mode.

__________________________________________________________________


Deckard System Scanner
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, a text file will open - ComboScan.txt
  4. Copy and paste the contents of main.txt in your thread in the HijackThis Log Help forum.

_________________________________________________________________


Please provide the following logs with your next post:

C:\SDFix\Report.txt
Panda Scan
Latest DSS Scan Report


Please let me know about your system's overall behaviour and whether the internet connection has improved.
__________________
Registered Linux user #426065
src2206 is offline  
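As an added example (not code from the thread or from the TSF analysts), the Python script below parses the O4 autorun lines and the DSS "Files created" listing of the kind posted above and flags the entry the analyst picked out, plus the file dropped alongside it. The sample lines are a subset copied from the first log; the seven-day window, the two-reason threshold and the 60-second sibling check are my own assumptions.

```python
"""Triage helper for the HijackThis / DSS output posted in this thread: parses the
O4 autorun lines and the DSS "Files created" listing, then flags autoruns showing
the pattern the analyst acted on (no path, RunOnce, recently created hidden file)."""
import re
from datetime import datetime, timedelta

# O4 - HKCU\..\RunOnce: [Winsock2 driver] TFPL.EXE
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$')
# 2007-04-26 18:08:14 121856 ---h----- C:\Windows\system32\tfpl.exe
DSS_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) (?P<attr>[-a-z]{9}) '
    r'(?P<path>.+?)(?: <.*>)?$')
# First token of an autorun command: surrounding quotes and arguments stripped.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|scr|dll|com|bat))"?', re.IGNORECASE)

# Constructed sample: a subset of lines copied from the first log in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\RunOnce: [Winsock2 driver] TFPL.EXE
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
""".splitlines()
DSS_SAMPLE = r"""
2007-04-28 21:46:37 0 d-------- C:\Program Files\SpywareBlaster
2007-04-26 18:08:14 121856 ---h----- C:\Windows\system32\tfpl.exe
2007-04-26 18:08:12 121856 ---h----- C:\Windows\system32\llvk.exe
2007-04-25 14:47:37 92160 --a------ C:\Windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2007-03-29 15:04:31 2560 --a------ C:\Windows\_MSRSTRT.EXE
""".splitlines()
SCAN_TIME = datetime(2007, 4, 28, 21, 57, 26)  # "Run by Tadd on 2007-04-28 at 21:57:26"

def parse_o4(lines):
    """Return one dict per registry O4 line (Startup-folder O4 lines are skipped)."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m['cmd'].strip()
        exe_m = EXE_RE.match(cmd)
        exe = exe_m['exe'] if exe_m else cmd
        entries.append({'hive': m['hive'], 'key': m['key'], 'name': m['name'], 'cmd': cmd,
                        'exe': exe, 'basename': exe.rsplit('\\', 1)[-1].lower()})
    return entries

def parse_dss_files(lines):
    """Return one dict per file (not directory) line of the DSS file listing."""
    files = []
    for line in lines:
        m = DSS_RE.match(line.strip())
        if not m or m['attr'].startswith('d'):
            continue
        files.append({'created': datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'),
                      'size': int(m['size']), 'attr': m['attr'], 'path': m['path'],
                      'basename': m['path'].rsplit('\\', 1)[-1].lower()})
    return files

def triage(hjt_lines, dss_lines, scan_time, window_days=7, min_reasons=2):
    """Return (entry name, exe, reasons) for autoruns with >= min_reasons warning signs."""
    by_name = {f['basename']: f for f in parse_dss_files(dss_lines)}
    cutoff = scan_time - timedelta(days=window_days)  # window is an assumption
    findings = []
    for e in parse_o4(hjt_lines):
        reasons = []
        if '\\' not in e['exe'] and '%' not in e['exe']:
            reasons.append('no path given: the binary is located through the search order')
        if e['key'].lower() == 'runonce':
            reasons.append('RunOnce values are deleted after one boot; one that persists is being re-created')
        f = by_name.get(e['basename'])
        if f and 'h' in f['attr']:
            reasons.append(f'target is a hidden file ({f["attr"]}) at {f["path"]}')
        if f and f['created'] >= cutoff:
            reasons.append(f'target was created {f["created"]:%Y-%m-%d}, within the last {window_days} days')
        if len(reasons) >= min_reasons:
            findings.append((e['name'], e['exe'], reasons))
    return findings

def sibling_drops(dss_lines, flagged_basenames, seconds=60):
    """Other hidden files of the same size written within `seconds` of a flagged one:
    a common sign of a dropper writing several copies of itself."""
    files = parse_dss_files(dss_lines)
    flagged = [f for f in files if f['basename'] in flagged_basenames]
    found = set()
    for a in flagged:
        for b in files:
            if b['basename'] in flagged_basenames or 'h' not in b['attr']:
                continue
            if b['size'] == a['size'] and abs((b['created'] - a['created']).total_seconds()) <= seconds:
                found.add(b['path'])
    return sorted(found)

if __name__ == '__main__':
    for name, exe, reasons in triage(HJT_SAMPLE, DSS_SAMPLE, SCAN_TIME):
        print(f'[{name}] {exe}:', '; '.join(reasons))
    print('related drops:', sibling_drops(DSS_SAMPLE, {'tfpl.exe'}))
```

On the sample, only the "Winsock2 driver" RunOnce entry crosses the threshold (RtHDVCpl.exe is path-less too, but nothing else about it is suspicious), and the sibling check surfaces llvk.exe, the second file the analyst told the poster to delete.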
Old 04-29-2007, 11:25 PM   #4 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 9
OS: Vista home premium 32-bit


Re: w32.spybot.worm- I can't get rid of it.

Hey, thanks for the help. I tried to run the Panda and the SD but neither one of them is compatible with Vista. Your instructions seemed to work, as I don't think any of the w32.spybot.worm or tfpl.exe is on my system. I'm running a Symantec Full Scan now. It's late where I live, so I'll try the internet access thing tomorrow. Although there is another problem. When I tried getting rid of the W32.spybot.worm virus, I updated Ad-aware and thought it was time to get a new add-on to help me out. My theory is that it infected my system. To make a long story short, when I booted Windows out of Safe Mode into Normal Mode, a Symantec Auto-Protect box came up reporting a virus called Bloodhound.overpacked. On the Symantec website it said it was easy to remove, but I just wanted to let you know. Oh, I also changed my firewall to ZoneAlarm from the Windows firewall.


Deckard's System Scanner v20070426.43
Run by Tadd on 2007-04-29 at 22:07:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Tadd.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:07:58 PM, on 4/29/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Users\Tadd\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\hp\kbd\kbd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\Tadd\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\HIJACK~1\Tadd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [googletalk] C:\Users\Tadd\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


-- Files created between 2007-03-29 and 2007-04-29 -----------------------------

2007-04-29 12:53:55 636960 --ahs---- C:\Windows\system32\drivers\fidbox.dat
2007-04-29 12:47:11 11264 --a------ C:\Windows\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-04-29 12:47:01 107336 --a------ C:\Windows\system32\drivers\kl1.sys <Not Verified; Kaspersky Lab; Kaspersky Anti-Virus>
2007-04-29 12:46:37 0 d-------- C:\Windows\system32\ZoneLabs
2007-04-29 12:46:20 0 d-------- C:\Users\All Users\CheckPoint
2007-04-29 12:45:51 0 d-------- C:\Windows\Internet Logs
2007-04-29 10:03:03 38229 -----n--- C:\Windows\system32\drivers\StMp3Rec.sys <Not Verified; Generic; Generic MP3 Player>
2007-04-29 10:00:41 0 d-------- C:\Windows\Downloaded Installations
2007-04-28 21:46:37 0 d-------- C:\Program Files\SpywareBlaster
2007-04-27 17:00:44 0 d-------- C:\Program Files\ATI Technologies
2007-04-27 17:00:41 0 d-------- C:\Program Files\ATI
2007-04-27 16:59:33 0 d-------- C:\ATI
2007-04-27 16:12:17 0 d-------- C:\Program Files\CCleaner
2007-04-25 15:21:05 0 d-------- C:\Program Files\Microsoft Works
2007-04-25 15:10:07 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-04-25 15:09:01 0 d-------- C:\Users\All Users\Microsoft Help
2007-04-25 14:47:37 92160 --a------ C:\Windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2007-04-25 14:47:36 0 d-------- C:\Program Files\MagicDisc
2007-04-24 18:53:30 0 d-------- C:\Program Files\DVDFab HD Decrypter 3
2007-04-22 16:18:05 0 d-------- C:\Windows\Sun
2007-04-22 12:23:16 0 d-------- C:\Program Files\Stardock
2007-04-20 19:09:05 0 d-------- C:\Program Files\Yamicsoft
2007-04-19 17:59:13 0 d-------- C:\Program Files\Common Files\L&H
2007-04-18 19:24:01 0 d-------- C:\Program Files\Steam
2007-04-18 16:04:52 0 d-------- C:\Program Files\SystemRequirementsLab
2007-04-10 1229 0 d-------- C:\Program Files\MagicISO
2007-04-10 01:47:18 0 d-------- C:\Program Files\Common Files\Stardock
2007-04-07 20:10:25 0 d-------- C:\Program Files\Bethesda Softworks
2007-04-07 20:05:19 0 d-------- C:\Program Files\Alcohol Soft
2007-04-07 19:56:59 0 d-------- C:\Program Files\RCrawler
2007-04-03 22:09:42 0 d-------- C:\Program Files\CONEXANT
2007-04-01 13:08:35 0 d-------- C:\Users\Tadd\Shared
2007-04-01 13:08:34 0 d-------- C:\Users\Tadd\Incomplete
2007-03-31 16:11:58 0 d-------- C:\Windows\pss
2007-03-29 15:26:12 36864 --a------ C:\Windows\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2007-03-29 15:04:31 2560 --a------ C:\Windows\_MSRSTRT.EXE


-- Find3M Report ---------------------------------------------------------------

2007-04-29 15:51:43 0 d-------- C:\Users\Tadd\AppData\Roaming\uTorrent
2007-04-29 10:03:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-29 10:01:59 0 d-------- C:\Program Files\iPod
2007-04-29 09:28:38 0 d-------- C:\Users\Tadd\AppData\Roaming\WinRAR
2007-04-28 10:12:20 0 d-------- C:\Users\Tadd\AppData\Roaming\Vso
2007-04-27 17:08:08 0 d-------- C:\Users\Tadd\AppData\Roaming\ATI
2007-04-27 16:15:26 0 d-------- C:\Users\Tadd\AppData\Roaming\SystemRequirementsLab
2007-04-25 15:20:28 0 d-------- C:\Program Files\MSBuild
2007-04-18 17:24:05 0 d-------- C:\Program Files\Microsoft Games
2007-04-16 22:32:15 0 d-------- C:\Users\Tadd\AppData\Roaming\Skype
2007-04-15 16:11:01 0 d-------- C:\Program Files\Windows Defender
2007-04-15 16:09:28 0 d-------- C:\Program Files\Java
2007-04-15 16:08:48 0 d-------- C:\Program Files\Windows Mail
2007-04-08 02:18:11 0 d-------- C:\Program Files\Lavasoft
2007-04-07 20:09:38 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-03 15:27:46 0 d-------- C:\Program Files\DVDFab Platinum 3
2007-04-03 07:17:34 0 d-------- C:\Users\Tadd\AppData\Roaming\Lavasoft
2007-04-01 13:26:06 0 d-------- C:\Users\Tadd\AppData\Roaming\LimeWire
2007-03-27 16:08:15 0 d-------- C:\Program Files\Opera
2007-03-27 15:48:36 0 --a------ C:\Windows\nsreg.dat
2007-03-27 15:48:25 0 d-------- C:\Users\Tadd\AppData\Roaming\Mozilla
2007-03-27 15:10:38 0 d-------- C:\Program Files\Frameworkx
2007-03-25 19:10:42 0 d-------- C:\Program Files\Boilsoft MOV Converter
2007-03-23 17:25:58 0 d-------- C:\Program Files\ffdshow
2007-03-22 21:38:22 0 d-------- C:\Program Files\WhatPulse
2007-03-20 22:02:44 0 d-------- C:\Program Files\DAMN NFO Viewer
2007-03-20 19:02:32 0 d-------- C:\Users\Tadd\AppData\Roaming\Azureus
2007-03-20 07:21:30 0 d-------- C:\Program Files\iTunes
2007-03-19 16:12:02 0 d-------- C:\Users\Tadd\AppData\Roaming\Apple Computer
2007-03-19 07:11:30 0 d-------- C:\Program Files\SlySoft
2007-03-18 14:47:28 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-03-18 14:47:01 0 d-------- C:\Program Files\Symantec
2007-03-18 14:43:37 0 d-------- C:\Program Files\Symantec AntiVirus
2007-03-18 13:09:38 0 d-------- C:\Program Files\mIRC
2007-03-16 18:04:58 512000 --a------ C:\Windows\system32\AWESOM-O Movie Generator.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2007-03-16 17:31:41 0 d-------- C:\Program Files\Common Files\Java
2007-03-16 17:27:17 0 d-------- C:\Program Files\uTorrent
2007-03-16 10:09:44 0 d-------- C:\Program Files\MAPILab Ltd
2007-03-16 09:33:45 34 --a------ C:\Users\Tadd\AppData\Roaming\pcouffin.log
2007-03-16 09:33:42 7824 --a------ C:\Users\Tadd\AppData\Roaming\pcouffin.cat
2007-03-15 23:10:19 0 d-------- C:\Program Files\AC3Filter
2007-03-15 23:02:16 0 d-------- C:\Program Files\Google
2007-03-15 22:31:25 0 d-------- C:\Users\Tadd\AppData\Roaming\Google
2007-03-15 21:10:09 0 d-------- C:\Program Files\RadarSync
2007-03-15 19:15:58 0 d-------- C:\Program Files\Xvid
2007-03-15 15:30:08 0 d-------- C:\Users\Tadd\AppData\Roaming\Elaborate Bytes
2007-03-15 15:30:04 43 --ahs---- C:\Users\Tadd\AppData\Roaming\.zreglib
2007-03-15 07:18:12 0 d-------- C:\Program Files\Apple Software Update
2007-03-14 21:44:01 0 d-------- C:\Program Files\DVD Decrypter
2007-03-14 21:42:39 0 d-------- C:\Program Files\DVD Shrink
2007-03-14 17:26:47 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-03-14 17:24:55 0 d-------- C:\Program Files\Microsoft.NET
2007-03-14 17:16:56 0 d-------- C:\Program Files\Lexmark X6100 Series
2007-03-14 07:39:03 0 d-------- C:\Users\Tadd\AppData\Roaming\SlySoft
2007-03-14 07:25:30 0 d-------- C:\Program Files\Elaborate Bytes
2007-03-13 21:22:47 0 d-------- C:\Users\Tadd\AppData\Roaming\Macromedia
2007-03-13 20:30:31 0 d-------- C:\Program Files\QuickTime
2007-03-13 19:48:59 0 d-------- C:\Users\Tadd\AppData\Roaming\Opera
2007-03-13 19:36:58 0 d-------- C:\Users\Tadd\AppData\Roaming\Identities
2007-02-28 16:05:26 86016 --a------ C:\Windows\system32\ElbyCDIO.dll <Not Verified; Elaborate Bytes AG; Elaborate Bytes CDRTools>
2007-02-21 21:00:28 10752 --a------ C:\Windows\system32\ff_vfw.dll


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Defender"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,57,69,\
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KBD"="C:\\HP\\KBD\\KbdStub.EXE"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"RtHDVCpl"="RtHDVCpl.exe"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
@="C:\\Program Files\\WhatPulse\\WhatPulse.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"googletalk"="C:\\Users\\Tadd\\AppData\\Roaming\\Google\\Google Talk\\googletalk.exe /autostart"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"WhatPulse"="C:\\Program Files\\WhatPulse\\WhatPulse.exe"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
@=""
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"scforceoption"=dword:00000000
"FilterAdministratorToken"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AppInfo
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\KeyIso
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\NTDS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ProfSvc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SWPRV
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TabletInputService
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TBS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\TrustedInstaller
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgr.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgrx.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\WindowBlinds]
"WindowBlinds"=dword:00000002
"YEAR"=dword:000007d7
"MONTH"=dword:00000004
"DAY"=dword:00000014
"HOUR"=dword:00000013
"MINUTE"=dword:00000016
"SECOND"=dword:0000002d

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent\0\0
LocalServiceNoNetwork REG_MULTI_SZ PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService REG_MULTI_SZ CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WerSvcGroup REG_MULTI_SZ wersvc\0\0
swprv REG_MULTI_SZ swprv\0\0
LocalServiceNetworkRestricted REG_MULTI_SZ DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
wcssvc REG_MULTI_SZ WcsPlugInService\0\0
DcomLaunch REG_MULTI_SZ PlugPlay\0DcomLaunch\0\0
wdisvc REG_MULTI_SZ WdiServiceHost\0\0
sdrsvc REG_MULTI_SZ sdrsvc\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
secsvcs REG_MULTI_SZ WinDefend\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
AeLookupSvc
wercplsupport
CertPropSvc
SCPolicySvc
gpsvc
IKEEXT
LogonHours
PCAudit
iphlpsvc
AppInfo
msiscsi
MMCSS
ProfSvc
EapHost
SessionEnv
hkmsvc


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6851e82d-e579-11db-ab4b-0018f3315d35}]
shell\AutoRun\command J:\OblivionLauncher.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{72cd4f7f-f2b2-11db-96e5-0018f3315d35}]
shell\AutoRun\command L:\SETUP.EXE
shell\configure\command L:\SETUP.EXE
shell\install\command L:\SETUP.EXE


-- End of Deckard's System Scanner: finished at 2007-04-29 at 22:08:29 ---------

Last edited by Immune; 04-29-2007 at 11:30 PM.
Immune is offline  
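The DSS/HijackThis output above is a one-shot listing of the usual autostart locations: O2 browser helper objects, O4 Run keys, O20 AppInit_DLLs and Winlogon Notify packages, O23 services, plus the MountPoints2 AutoRun commands at the end of the registry dump. The Windows PowerShell script below is an added example, not part of the thread and not code from HijackThis or DSS: it re-collects those same locations on a live machine, resolves each command line to an image path, and sorts the entries so that missing files and binaries whose Authenticode signature does not verify come first. It assumes Windows PowerShell 5.1 in an elevated session, changes nothing, and the function names are my own. One caveat it handles: several O23 lines above carry `(file missing)` although they point at `%windir%\system32\svchost.exe` or at a quoted path with arguments; HijackThis 1.99.1 did not expand those before testing, whereas this script expands environment variables and strips quotes first.

```powershell
# Added example, not from the thread: enumerate the autostart points that a
# HijackThis/DSS log summarises and triage them by file presence and signature.
# Assumes Windows PowerShell 5.1 run elevated. Read-only; nothing is modified.

function Get-ImagePath {
    # Turn a Run/ImagePath command line into a file path:
    #   "C:\Program Files\x\y.exe" /h ccCommon   ->  C:\Program Files\x\y.exe
    #   %windir%\system32\svchost.exe -k netsvcs ->  C:\Windows\system32\svchost.exe
    #   RtHDVCpl.exe (bare name)                 ->  resolved through the PATH
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end  = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } elseif ($cmd -match '^(.+?\.(exe|dll|sys|scr))(\s|$)') {
        $path = $Matches[1]
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    # Kernel-style prefixes that some ImagePath values use
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($path)) {
        if ($path -match '\\') { $path = Join-Path $env:SystemRoot $path }   # e.g. system32\drivers\x.exe
        else {
            $app = Get-Command $path -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
            if ($app) { $path = $app.Path }
        }
    }
    return $path
}

function Test-AutostartEntry {
    # Describe one entry: does the file exist, and does its signature verify?
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path   = Get-ImagePath $CommandLine
    $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
    $status = 'n/a'; $signer = $null
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{ Source=$Source; Name=$Name; Exists=$exists; Signature=$status; Signer=$signer; Path=$path; Raw=$CommandLine }
}

$ignore   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$findings = New-Object System.Collections.Generic.List[object]

# O4: Run keys for the machine and the current user
foreach ($hive in 'HKLM','HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($ignore -contains $p.Name) { continue }
        $findings.Add((Test-AutostartEntry "O4 $hive Run" $p.Name ([string]$p.Value)))
    }
}

# O2: Browser Helper Objects -> CLSID -> InprocServer32 (default)
$bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($k in (Get-ChildItem $bho -ErrorAction SilentlyContinue)) {
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32"
    $dll = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
    $findings.Add((Test-AutostartEntry 'O2 BHO' $k.PSChildName $dll))
}

# O20: AppInit_DLLs (space- or comma-separated) and Winlogon Notify packages
$winnt   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
$appinit = (Get-ItemProperty "$winnt\Windows").AppInit_DLLs
foreach ($dll in ($appinit -split '[,\s]+' | Where-Object { $_ })) {
    $findings.Add((Test-AutostartEntry 'O20 AppInit_DLLs' 'AppInit_DLLs' $dll))
}
foreach ($k in (Get-ChildItem "$winnt\Winlogon\Notify" -ErrorAction SilentlyContinue)) {
    $findings.Add((Test-AutostartEntry 'O20 Winlogon Notify' $k.PSChildName (Get-ItemProperty $k.PSPath).DLLName))
}

# O23: Win32 services read from the registry so the raw ImagePath is what gets parsed;
# for svchost-hosted services the real code is Parameters\ServiceDll, so check that too.
foreach ($k in (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services')) {
    $svc = Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue
    if (-not $svc -or -not ($svc.Type -band 0x30) -or -not $svc.ImagePath) { continue }   # 0x10/0x20 = Win32 own/shared process
    $findings.Add((Test-AutostartEntry 'O23 Service' $k.PSChildName $svc.ImagePath))
    $dll = (Get-ItemProperty "$($k.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $findings.Add((Test-AutostartEntry 'O23 ServiceDll' $k.PSChildName $dll)) }
}

# MountPoints2: per-volume AutoRun commands, the entries DSS printed at the end of its dump
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
foreach ($vol in (Get-ChildItem $mp -ErrorAction SilentlyContinue)) {
    $cmd = (Get-ItemProperty "$($vol.PSPath)\shell\AutoRun\command" -ErrorAction SilentlyContinue).'(default)'
    if ($cmd) { $findings.Add((Test-AutostartEntry 'MountPoints2 AutoRun' $vol.PSChildName $cmd)) }
}

# Triage view: missing files first, then anything whose signature is not 'Valid'.
$findings |
    Sort-Object @{ Expression = { $_.Exists } }, @{ Expression = { $_.Signature -eq 'Valid' } } |
    Format-Table Source, Name, Exists, Signature, Signer, Path -AutoSize
```

An unsigned entry is a place to look, not a verdict: much 2007-era third-party software (several of the tray utilities in the log above, for instance) shipped unsigned, and on systems older than Windows 8 `Get-AuthenticodeSignature` reports catalog-signed Windows binaries as NotSigned. Confirm anything suspicious by hashing the file with `Get-FileHash` and checking it against the vendor or a reputation service before deleting it.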
Old 04-30-2007, 11:50 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 9
OS: Vista home premium 32-bit


Re: w32.spybot.worm- I can't get rid of it.

Hey, when I tried connecting to the internet last night it seemed to work, although I think I may have had local connection when I turned my computer off. The reason I think that is this morning I turned on my computer and I only had local.
Immune is offline  
Old 05-01-2007, 07:02 AM   #6 (permalink)
TSF Enthusiast
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3

Re: w32.spybot.worm- I can't get rid of it.

Hello Immune

Please follow the next set of instructions to continue the cleaning process.

Downloads

1. Please download CCleaner (freeware) from here:
http://www.ccleaner.com/download/
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".

2. 1.) Download and install SUPERAntiSpyware HERE. Save the installer on your desktop.

2.) During the installation process, the program will prompt you to download any updates, click Yes.

3.) After the update process has completed, a dialog box will state: Database definitions have been updated, click OK.

4.) At the SUPERAntiSpyware Main Menu, click the Preferences button.

5.) Click the General and Startup tab.
Under Start-Up Options, uncheck these boxes:
* Start SUPERAntiSpyware when Windows starts
* Show SUPERAntiSpyware icon in system tray

6.) Click the Scanning Control tab.
Under Scanner Options, place a check in these boxes:
* Ignore files larger than 4MB (recommended)
* Ignore non-executable files (recommended)
* Scan for tracking cookies
* Resolve Links/Shortcuts during scan (.lnk)
* Terminate memory threats before quarantining
* Scan Alternate Data Streams
* Use Kernel Direct File Access (recommended)
* Use Kernel Direct Registry Access (recommended)

Under Scanner Options, uncheck these boxes:
* Ignore System Restore/Volume Information on ME/XP
* Scan only known file types (.exe, .com, .dll, etc.)
* Close browsers before scanning

7.) Click the Hi-Jack Protection tab.
Under Home Page Protection, uncheck these boxes:
* Display notification when home page changed
* Protect home page from being changed. Changes can be made only here.

8.) Click Close at the bottom of the page.
Don't run SUPERAntiSpyware yet, we will use it later.

________________________________________________________________


Fix

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

____________________________________________________________


CCleaner
  • Run CCleaner and click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Next, click the Options icon, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours", click OK.
  • Next, click the Cleaner icon, then click the Run Cleaner button (bottom right), then Exit.

NOTE : Please do NOT use the Applications tab or the Issues icon. Keep to the Cleaner icon and the Windows tab.

----------------------------------------------------

SUPER Anti-Spyware

Open the SUPERAntiSpyware program.
1.) At the SUPERAntiSpyware Main Menu, under Scan for Harmful Software, click the Scan your Computer button, the SUPERAntiSpyware Scanner menu will appear.

2.) Make sure under Scan Location that your correct hard drive letter is checked.
(Example: C:\ - Fixed Drive (NTFS))
The correct hard drive letter should automatically be checked by default.

3.) Under Complete Scan, click Perform Complete Scan.

4.) At the bottom, click Next, to start the scan.
NOTE: This scan is very thorough, it will take a while to complete depending on the number of files and folders on the hard drive so please be patient. In future scans with SUPERAntiSpyware, selecting Perform Quick Scan should be sufficient.

5.) After the scan it will produce a report. Post back the content of the report here.

______________________________________________________________


Reboot your system in Normal Mode.

______________________________________________


With your next post please "Copy-Paste" the content of the SUPER AntiSpyware Scan report.
__________________
Registered Linux user #426065
src2206 is offline  
Old 05-01-2007, 11:24 PM   #7 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 9
OS: Vista home premium 32-bit


Re: w32.spybot.worm- I can't get rid of it.

Hey, here's my log for the super anti-spyware thing.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/01/2007 at 10:15 PM

Application Version : 3.7.1018

Core Rules Database Version : 3228
Trace Rules Database Version: 1239

Scan type : Complete Scan
Total Scan Time : 01:01:35

Memory items scanned : 215
Memory threats detected : 0
Registry items scanned : 7365
Registry threats detected : 0
File items scanned : 81414
File threats detected : 0
Immune is offline  
Old 05-03-2007, 12:14 PM   #8 (permalink)
TSF Enthusiast
 
Join Date: Apr 2006
Location: Kolkata, India
Posts: 2,068
OS: WinXP Pro SP3

Re: w32.spybot.worm- I can't get rid of it.

Well done, your logs are clean!

Please follow the set of instructions to complete the cleaning procedure and to immunize your system against unwanted guests.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

-----------------------------------------------------

Enable Security Software

Please enable your Windows Defender Real-time Protection.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and check Turn on real-time protection (recommended).
  • After you check this, click on the Save button and close Windows Defender.

------------------------------------------------

System Restore

To turn off Windows Vista System Restore:
  • Click Start.
  • Right-click the Computer icon, and then click Properties.
  • Click on System Protection under the Tasks column on the left side
  • Click on Continue on the "User Account Control" window that pops up
  • Under the System Protection tab, find Available Disks
  • Uncheck the box for any drive you wish to disable system restore on
  • When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
  • Click OK
  • When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:
  • Click Start.
  • Right-click the Computer icon, and then click Properties.
  • Click on System Protection under the Tasks column on the left side
  • Click on Continue on the "User Account Control" window that pops up
  • Under the System Protection tab, find Available Disks
  • Place a checkmark in the box for any drive you wish to enable System Restore on
  • Click OK


MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

You can also automate this process to save yourself from visiting the Microsoft Update site at regular intervals. To do that, enable Windows Auto Update in the following way:
*Go to Start>Run - type wuaucpl.cpl
*Tick on the check box - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

SPYWARE PREVENTION SPEECH

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
PC Safety and Security--What Do I Need?
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary of any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.
  • You can refer to the Windows Vista Software Compatibility List for various Vista-compatible security software and decide for yourself which to try.
  • Run scans with your Anti Virus and other protective programs that you may use at regular intervals, and neutralize the threats that these programs list.

Follow this list and your potential for being infected again will reduce dramatically.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing.
__________________
Registered Linux user #426065
src2206 is offline  
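The post above finishes the cleanup with four GUI procedures: flush and re-enable System Restore, turn Windows Defender real-time protection back on, switch on automatic updates, and reset the Explorer folder view. As an added example that is not part of the thread, the Windows PowerShell script below does the same four steps from an elevated prompt. It assumes Windows PowerShell 5.1 on a client OS (the System Restore cmdlets are Windows PowerShell only), the Defender module for the real-time step (Windows 8.1 and later; on Vista the GUI route in the post is the only one), and the `Microsoft.Update.AutoUpdate` COM object; the function names are my own. One deliberate departure from the folder-view step: the example re-hides hidden and protected OS files but keeps file extensions visible, because a hidden extension is what lets a name like `invoice.pdf.exe` pass for a document.

```powershell
# Added example, not from the thread: the "finish and harden" steps of the post
# above done from an elevated Windows PowerShell 5.1 prompt on a client OS.
# Assumptions: System Restore cmdlets (Windows PowerShell only), the Defender
# module (Windows 8.1/10/11; on Vista use the Defender GUI as the post says),
# and the Microsoft.Update.AutoUpdate COM object. Function names are my own.

function Reset-RestorePoints {
    # Turning protection off deletes every existing restore point, which is the
    # point: a pre-cleanup restore point can bring the removed files back.
    # Then re-enable protection and take a known-clean baseline.
    param([string]$Drive = 'C:\')
    $before = @(Get-ComputerRestorePoint)
    Write-Host "Restore points before: $($before.Count)"
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    # Windows 8 and later silently skip a new point if one was made in the last 24 hours
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description = $_.Description
        }
    }
}

function Enable-DefenderRealtime {
    # Same as "Turn on real-time protection" in the Defender UI, on systems that
    # ship the Defender PowerShell module.
    if (-not (Get-Command Set-MpPreference -ErrorAction SilentlyContinue)) {
        Write-Warning 'Defender module not present; use the Windows Defender GUI.'
        return
    }
    Set-MpPreference -DisableRealtimeMonitoring $false
    Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
}

function Set-AutomaticUpdates {
    # IAutomaticUpdatesSettings.NotificationLevel: 1 disabled, 2 notify before
    # download, 3 notify before install, 4 download and install on schedule.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $s  = $au.Settings
    if ($s.ReadOnly) { Write-Warning 'Update settings are policy-managed; not changed.'; return $s }
    $s.NotificationLevel = 4
    $s.Save()
    $au.DetectNow()           # start a detection cycle right away
    $au.Settings | Select-Object NotificationLevel, ScheduledInstallationDay, ScheduledInstallationTime
}

function Set-ExplorerViewDefaults {
    # The "reset hidden/system files" step: hide hidden and protected OS files
    # again. Extensions are deliberately left visible (HideFileExt = 0): hidden
    # extensions are what make "invoice.pdf.exe" look like a document.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty $adv -Name Hidden          -Value 2 -Type DWord   # 2 = do not show hidden files
    Set-ItemProperty $adv -Name ShowSuperHidden -Value 0 -Type DWord   # 0 = hide protected OS files
    Set-ItemProperty $adv -Name HideFileExt     -Value 0 -Type DWord   # 0 = show extensions
    Get-ItemProperty $adv | Select-Object Hidden, ShowSuperHidden, HideFileExt
}

Reset-RestorePoints -Drive 'C:\'
Enable-DefenderRealtime
Set-AutomaticUpdates
Set-ExplorerViewDefaults
```

Two things to expect when running it: on Windows 10/11 with tamper protection on, `Set-MpPreference` may refuse to change real-time monitoring and the setting has to be made in Windows Security instead, and on managed machines `Settings.ReadOnly` will be true and the update level stays under Group Policy control. The Explorer view values take effect the next time Explorer starts.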
Old 05-09-2007, 09:54 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,254
OS: 2000 Pro; XP Pro; XP Home


Re: w32.spybot.worm- I can't get rid of it.

Since this issue appears resolved ... this Topic is now archived.

If you need this topic reopened, please PM me or the Senior Trainee Analyst handling this issue with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
 









Copyright 2001 - 2009, Tech Support Forum
