#1 | 02-08-2006, 04:54 PM | RETIREMENT (Registered User; Join Date: Feb 2006; Posts: 20; OS: win/XP/HOME/ED.)

ANTI-SPYWARE(FREEDOM) (moved from XP)

I have an HP Pavilion 7935 computer with Win/XP/Home-Ed whose system I am trying to clean up. I have the anti-spyware program Freedom, provided by
my ISP, that I am using to clear up spyware.

I have come to the situation that I have some administration spyware files that I select to delete, but they come back when I reboot the system.

IGetNet c:\system volume information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP2\a0000151.dll
\RP6\A0000505.dll
\RP6\A0000506.dll

IGetNet c:\windows\system32\NLNP13.dll
IGetNet c:\windows\system32\NLNP131.dll

The last two I can find with a file search program, and I was wondering if deleting the two would cause problems?

others
VX2 c:\windows\help\nocontnt.GID

I also have the following in the registry;

5 - KaZaa
1 - wildtangent
16 - hotbar
1 - EUniverse.PerfectNav, located at hkey-local-machine\software\perfectnav
1 - IntermixMedia>keenValue, located at hkey-local-machine\software\perfectnav

Should the ones in the registry be removed by going into the registry file,
or selected in the Freedom program to be removed?

Would appreciate your help in clearing up these files.

Tks

Kendall dick
khdick AT nbnet.nb.ca

#2 | 02-09-2006, 08:02 AM | Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 27,066; OS: WinXP and Vista)

Hello RETIREMENT and welcome to TSF,

Please do not manually remove any of those just yet. Improper removal will just create a bigger mess and additional problems.

Please print out or copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

--------------------------

Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\. Do not run it yet.

Please download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Do not run it yet.

Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

--------------------------

Open Ad-aware and do a full scan. Remove all it finds.

--------------------------

Run Ewido with its updated definitions (it is important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will require at least an hour.

--------------------------

Reboot into Normal Mode.

--------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now. This begins downloading Panda's 8 MB ActiveX controls.
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report
Please post that log in your next reply.

--------------------------

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.

Post the HijackThis log in this thread along with the results of the Ewido Scan and the online Panda Scan.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#3 | 02-12-2006, 04:25 PM | RETIREMENT

Hi Ried:
I have been doing some read-ups on the programs you said to download.
Not that I don't trust your requests, I just like to have an understanding
of what the programs do.
I have used Ad-Aware SE in the past to help clear things up. The other day when I tried to download the VX2 variant I received a message from my Freedom
Anti-Virus program that it could be harmful. Do I need to turn off my Anti-Virus and let
this program download?
Also, on the Clean-Up program site it mentioned doing a system back-up.
Would this be needed, or, because certain actions are to be cancelled in this program before running it, would that look after this problem?

Would appreciate your comment before I start on the process.

Tks
Kendall Dick
khdick AT nbnet.nb.ca

#4 | 02-12-2006, 09:27 PM | Ried

Hello Kendall,

You mentioned that Freedom reported VX2 c:\windows\help\nocontnt.GID and that you select 'delete' but it keeps returning. The VX2 PlugIn for AdAware SE is designed to detect and remove VX2 infections. Please allow the download and be sure to run that tool from within AdAware>Add-ons section.

As I mentioned above, this is the concern with CleanUp! and the backups the site is referring to:
CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

If you are leery of running that tool, you can use Windows Disk Cleanup:

Clear your Temp and Temporary Internet Files: Go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove. Make sure Temporary Internet Files and Temporary Files are 'checked' and click OK.
#5 | 02-20-2006, 09:34 AM | RETIREMENT

Hello Ried:

I have finally made some progress in the scans. I had some problems trying
to get to Safe Mode, and finally found the correct procedure.
I did a Panda scan before getting to Safe Mode and had 2895 infected objects that cleared on the scan clear run.
I had a problem in trying to attach the HijackThis log, so I copied and pasted it into the message. The others I attached as files.
I was wondering if the files that are in the Quarantine file of Ewido could be deleted?

With these scans and clearing I have the files with Freedom Anti-spyware down to 2-Igetnet (application), 5-Kazaa and 8-hotbar (registry), so things
are improving.

Looking forward to any further info you could provide in clearing things up.
I can use my computer with no problems for any activities.

I downloaded Ad-aware SE VX2 and ran this, and it said all was clear, but I still have it when I scan again. I read that there are so many variants of this program that the existing VX2 download could possibly not work. Any suggestions as to what to do with this problem?


Tks
Kendall Dick

Logfile of HijackThis v1.99.1
Scan saved at 11:44:53 AM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MP3.com\MP3.com PLuS Express\Express.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zifr48v5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zifr48v5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\Hotbar\bin\450~1.0\SBInst.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MP3.com PLuS Express.lnk = C:\Program Files\MP3.com\MP3.com PLuS Express\Express.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/o...abs/cssweb.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


Incident Status Location

Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\cards.ico
Adware:adware/netpals Not disinfected C:\WINDOWS\SYSTEM32\kernellos.dll
Potentially unwanted tool:application/myway Not disinfected C:\WINDOWS\SYSTEM32\Xcite.dll
Adware:adware/gator Not disinfected C:\GatorPatch.log
Adware:adware/adroar Not disinfected C:\WINDOWS\artmmp.ini
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32a.sys
Adware:adware/downloadware Not disinfected C:\PROGRAM FILES\MediaLoads
Adware:adware/wintools Not disinfected C:\PROGRAM FILES\COMMON FILES\BTLINK
Adware:adware/ncase Not disinfected C:\WINDOWS\SYSTEM32\FLEOK
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Owner\Application Data\Lycos
Spyware:spyware/altnet Not disinfected Windows Registry
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/HuntBar Not disinfected C:\Program Files\Common Files\BTLINK\btlink.dll
Adware:Adware/HuntBar Not disinfected C:\Program Files\Common Files\MSIETS\msielink.dll
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\WINDOWS\SYSTEM32\ClrSchP0121.dll
Adware:Adware/IGetNet Not disinfected C:\WINDOWS\SYSTEM32\NLNP13.dll
Adware:Adware/IGetNet Not disinfected C:\WINDOWS\SYSTEM32\NLNP131.dll
Adware:Adware/RCSync Not disinfected C:\WINDOWS\SYSTEM32\pr1ze5.dll
Adware:Adware/RCSync Not disinfected C:\WINDOWS\SYSTEM32\prizesurfer_setup.exe
Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\wb.dll
Potentially unwanted tool:Application/MyWay Not disinfected C:\WINDOWS\SYSTEM32\Xcite.dll
Attached files: Activescan1.txt (8.3 KB), Scan report2_20060220.txt (2.1 KB), Scan report_20060213.txt.txt (784.4 KB)

#6 | 02-20-2006, 10:07 PM | Ried

Hello Kendall,

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. (it's important that you get version v2.0.0.175)

----------------------------------

Reboot into Safe Mode.(tapping F8 or F5)

----------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

MediaLoads
MyWay


----------------------------------

Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)

Next, Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy:

C:\WINDOWS\SYSTEM32\kernellos.dll
C:\WINDOWS\SYSTEM32\Xcite.dll
C:\GatorPatch.log
C:\WINDOWS\artmmp.ini
C:\WINDOWS\smdat32a.sys
C:\Program Files\Common Files\MSIETS\msielink.dll
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
C:\WINDOWS\SYSTEM32\ClrSchP0121.dll
C:\WINDOWS\SYSTEM32\NLNP13.dll
C:\WINDOWS\SYSTEM32\NLNP131.dll
C:\WINDOWS\SYSTEM32\pr1ze5.dll
C:\WINDOWS\SYSTEM32\prizesurfer_setup.exe
C:\WINDOWS\SYSTEM32\wb.dll
C:\WINDOWS\SYSTEM32\cards.ico


Go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" if it's not grayed out.

Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click No at the Pending Operations prompt.

----------------------------------

Delete the following folders:

C:\PROGRAM FILES\MediaLoads
C:\Program Files\MySearch
C:\PROGRAM FILES\COMMON FILES\BTLINK
C:\WINDOWS\SYSTEM32\FLEOK
C:\Documents and Settings\Owner\Application Data\Lycos

----------------------------------

Reboot into Normal Mode. Run another online scan with Panda and post the results here along with a new HijackThis log.
Quote:
I was wondering if the files that are in the Quarantine file of Ewido could be deleted?
Not just yet, let's be sure no problems arise from that cleaning first.

What is Freedom scan showing?
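As an added example (not code from this thread, nor from Panda, Killbox or any other tool named here), the following Python script parses the "Incident Status Location" report format posted above and sorts each hit into the same buckets the fix in post #6 used: files for the Killbox "Delete on Reboot" list, folders to remove by hand, and registry-only and cookie hits that Killbox cannot act on. The sample report, the allowlist and the bucket names are constructed for this example; the allowlist mirrors the fact that C:\hp\bin\KillIt.exe was left out of the Killbox list.

```python
import re

# Constructed sample in the report's format; the entries are copied from the
# scan output posted in this thread, with one cookie line duplicated as in the
# second report and the "Possible Virus." line that carries no category.
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\cards.ico
Adware:adware/netpals Not disinfected C:\WINDOWS\SYSTEM32\kernellos.dll
Adware:adware/downloadware Not disinfected C:\PROGRAM FILES\MediaLoads
Adware:adware/ncase Not disinfected C:\WINDOWS\SYSTEM32\FLEOK
Spyware:spyware/altnet Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\wb.dll
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
"""

# One report line is "<label> <status> <location>".  The label is usually
# "Category:name" but can be a bare phrase ("Possible Virus."), and the status
# is one word optionally preceded by "Not" (only "Not disinfected" occurs in
# this thread), so the location is anchored on what it must start with: a
# drive letter, a registry hive, or the literal "Windows Registry".
LINE_RE = re.compile(
    r"^(?P<label>.+?)\s+(?P<status>(?:Not )?[A-Za-z]+)\s+"
    r"(?P<location>(?:[A-Za-z]:\\|HKEY_|Windows Registry).*)$"
)

# Paths deliberately left alone.  Assumption for this example: whoever runs
# the script maintains this list; KillIt.exe was omitted from the Killbox
# list in post #6, so it is the one entry here (compared lower-cased).
ALLOWLIST = {r"c:\hp\bin\killit.exe"}


def parse_report(text):
    """Return (category, name, status, location) for every hit line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # column header, blank line, or junk
        category, _, name = m["label"].partition(":")
        hits.append((category, name, m["status"], m["location"]))
    return hits


def classify(hit):
    """Map one hit to the bucket the fix in this thread acted on."""
    _category, name, _status, location = hit
    if location.lower() in ALLOWLIST:
        return "leave"
    if location.startswith("HKEY_") or location == "Windows Registry":
        return "registry"                 # not a file: Killbox cannot touch it
    if name.lower().startswith("cookie/"):
        return "cookie"                   # tracking cookie: clear it in the browser
    if "." in location.rsplit("\\", 1)[-1]:
        return "file"                     # candidate for the Killbox delete-on-reboot list
    return "folder"                       # removed by hand from Safe Mode


def build_lists(text):
    """Group deduplicated locations by bucket, preserving report order."""
    buckets = {}
    for hit in parse_report(text):
        seen = buckets.setdefault(classify(hit), {})
        seen.setdefault(hit[3], hit)      # drop repeated lines (cookies appear twice)
    return {bucket: list(seen) for bucket, seen in buckets.items()}


if __name__ == "__main__":
    for bucket, locations in build_lists(SAMPLE_REPORT).items():
        print(bucket)
        for loc in locations:
            print("   ", loc)
```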
#7 | 02-21-2006, 12:32 PM | RETIREMENT

Hello Ried:

I downloaded the KillBox program, rebooted to safe mode & launched KillBox.

The box called Pocket KillBox opened up, but the box called
"Full Path of File Name to Delete" has no information. How do you get the file names you requested to select to appear for selection?
All of the other selections you requested to be selected are in place.
I am likely just a dummy not seeing the light at the end of the tunnel
to do the required actions.
I am very appreciative of your help.

Tks
Kendall
#8 | 02-21-2006, 01:49 PM | Ried

No problem, Kendall. Perhaps these images will help.
Take a look at the list of files to be Killboxed I gave you earlier. This list should have been saved to Notepad.
Open the saved document & use your mouse to select all the filepaths listed.
Then 'Right-click' & select 'Copy'
  1. Launch Killbox by double clicking Killbox.exe
  2. Go to the File menu, and select 'Paste from Clipboard'
  3. If done correctly, you should see filepaths appearing in the box 'Full Path of file to delete'.
    Select these options -
    * Delete on Reboot
    * End Explorer Shell While Killing File
    * "Unregister.dll Before Deleting" if it's not grayed out.

[screenshot not preserved]

  4. Click the arrow to the right of the box, to review the filepaths. Do not be alarmed if some of the files do not appear. This only means that they no longer exist. Take note of the missing files & inform me.
  5. Click the RED X button.

[screenshot not preserved]

  6. Click Yes at the 'Delete on Reboot' prompt.
  7. Click No at the '..Reboot Now' prompt.
#9 | 02-22-2006, 09:08 AM | RETIREMENT

Hello Ried:

Sorry to be such a dumb pest, but the first window you show in your reply
with the file names in blue doesn't come up; when I click on the Killbox icon and then click on Run, I only get the Pocket Killbox window shown below that.

I sure appreciate your help.

Tks
Kendall dick
#10 | 02-22-2006, 09:29 AM | Ried

Ok, I think I understand where the confusion is coming in. The first image is taken from what you see in my instructions in this thread, not from within Killbox itself. What you need to do is use your mouse to highlight the entries I have in bold (hold down the left button on your mouse and move the mouse over these bolded entries; you should see them highlighted in blue if done correctly):

C:\WINDOWS\SYSTEM32\kernellos.dll
C:\WINDOWS\SYSTEM32\Xcite.dll
C:\GatorPatch.log
C:\WINDOWS\artmmp.ini
C:\WINDOWS\smdat32a.sys
C:\Program Files\Common Files\MSIETS\msielink.dll
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
C:\WINDOWS\SYSTEM32\ClrSchP0121.dll
C:\WINDOWS\SYSTEM32\NLNP13.dll
C:\WINDOWS\SYSTEM32\NLNP131.dll
C:\WINDOWS\SYSTEM32\pr1ze5.dll
C:\WINDOWS\SYSTEM32\prizesurfer_setup.exe
C:\WINDOWS\SYSTEM32\wb.dll
C:\WINDOWS\SYSTEM32\cards.ico


Now, right click with your mouse and select 'Copy'. These files will now be suspended in your Clipboard and unseen.

Next, in the Killbox window, click on the File menu and select 'Paste from Clipboard'.

You should now see the first file in the list showing in the 'Full Path to Delete' box within Killbox. If you click on that little arrow to the right, all the files you just copied should be there.

Make sure you 'tick' the following:

* Delete on Reboot
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" if it's not grayed out.


Now click the Red X

Any luck?
#11 | 02-22-2006, 11:59 AM | RETIREMENT

Hello Ried:

I was able to copy and paste these files in regular mode. When I copy in regular mode and go to Safe Mode as previously mentioned to run this program, I get nothing when I paste.

I was wondering if it would be ok to run Killbox in regular mode?

Tks
Kendall
#12 | 02-22-2006, 02:29 PM | Ried

Hi Kendall,

Copy all of the instructions of the fix in Post #6, into Notepad first and save it to your desktop. Once you boot into Safe Mode, bring up these instructions that you saved into Notepad on your Desktop, and work your copy/paste off that. This way, everything can be done from Safe Mode, all at one time.
#13 | 02-22-2006, 08:07 PM | RETIREMENT

Hello Ried:
I at last hit pay dirt and went through the process. Thanks for your
help in getting me through the process.

I have attached the two logs that you asked for.

I then ran Freedom Anti-Spyware and had the following files:

2-Igetnet (type=application)
1-VX2 (type=application)
1-Backdoor.Delf.is (been having all along) (type=application)
1-MidAddle (type=application)
Approx. 100-Looxee (new, I never had before) (type=application)
5-KaZaA (type=registry)
1-wildtangent (type=registry)
5-hotbar (type=registry)

I checked all of the application files to delete and then rebooted as directed,
and ran the spyware scan again.
All of the application files were back, but only 9 of the Looxee type. The registry files were still there, as I have never tried to remove them; I felt it was
too dangerous to remove same.
Look forward to hear from you when you have the time.

Tks
Kendall


Incident Status Location

Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\fiz1
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/wintools Not disinfected C:\PROGRAM FILES\COMMON FILES\MSIETS
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Spyware:spyware/altnet Not disinfected Windows Registry
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@winfixer[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@winfixer[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[1].txt
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/HuntBar Not disinfected C:\RECYCLER\S-1-5-21-67682326-2541319435-2214429306-1003\Dc3\btlink.dll

Logfile of HijackThis v1.99.1
Scan saved at 8:11:36 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MP3.com\MP3.com PLuS Express\Express.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zifr48v5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zifr48v5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\Hotbar\bin\450~1.0\SBInst.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MP3.com PLuS Express.lnk = C:\Program Files\MP3.com\MP3.com PLuS Express\Express.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/o...abs/cssweb.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
Attached Files
File Type: txt hijackthisfinal.txt (5.2 KB, 1 views)
File Type: txt pandafinal.txt (6.5 KB, 1 views)

Last edited by Ried; 02-22-2006 at 08:34 PM.
RETIREMENT is offline  
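The HijackThis log above is read line by line by eye in this thread. As an added example (not code from the thread, from HijackThis or from any of the tools named here), this Python parser splits each O2/O3/O4/O16/O23 line into its entry type, registry key or category, display name, CLSID and the file or URL it loads, then lists the entries worth a second look. The sample lines are copied from the log above; the default keywords "Hotbar" and "WildTangent" are the two vendor names the thread's scanners flagged, and the review rule is my own, not HijackThis's.

```python
import re

# Sample lines copied from the HijackThis log excerpt posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\Hotbar\bin\450~1.0\SBInst.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
"""

LINE_RE = re.compile(r"^([RNFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """One dict per log line: code, key, name, clsid, target.
    'target' is the file or URL the entry loads, which is what gets reviewed."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        if code == "O4":
            # "<hive>\..\Run: [name] target"  or  "Global Startup: name.lnk = target"
            key, _, rest = body.partition(": ")
            if rest.startswith("["):
                name, _, target = rest[1:].partition("] ")
            else:
                name, _, target = rest.partition(" = ")
        else:
            # O2/O3/O16/O23: the loaded file or URL is the last " - " field
            head, _, target = body.rpartition(" - ")
            key, _, name = head.partition(": ")
            name = CLSID_RE.sub("", name).strip(" -")
        entries.append({"code": code, "key": key, "name": name,
                        "clsid": clsid.group(0) if clsid else None,
                        "target": target.strip('"')})
    return entries


def review_list(entries, keywords=("Hotbar", "WildTangent")):
    """Entries worth a second look: an unresolved target ('?') or a target path
    mentioning a vendor name (defaults: the two flagged in this thread)."""
    hits = []
    for e in entries:
        lowered = e["target"].lower()
        if e["target"] == "?" or any(k.lower() in lowered for k in keywords):
            hits.append(e)
    return hits
```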
Old 02-22-2006, 09:22 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,066
OS: WinXP and Vista


Nice job, Kendall.

Does Freedom AV give a location for these files:

2-Igetnet (type=application)
1-VX2 (type=application)
1-Backdoor.Delf.is (been having all along) (type=application)

Quote:
Approx100-Looxee(new, I never had before)
Please see this link regarding Looxee. If you did not install this yourself, I'll provide steps below to remove it.

----------------------

Once again, please copy these instructions to Notepad for reference while in Safe Mode.

----------------------

Reboot your system into Safe Mode now.

----------------------

I have attached a file to this post - regdel.zip. Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click Yes to allow it to merge into your registry.

----------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if it exists:

Looxee

----------------------

Using Windows Explorer, navigate to and delete the following files and folder:

C:\WINDOWS\SYSTEM32\ fiz1
C:\WINDOWS\ smdat32m.sys
C:\Program Files\ Looxee
C:\PROGRAM FILES\COMMON FILES\ MSIETS

----------------------

Empty your Recycle Bin.

----------------------

Clear Internet Explorer Cookies: Launch Internet Explorer>Tools>Internet Options>Delete Cookies

----------------------
Quote:
the registry files were still there as I have never tried to remove them as I felt it was
too dangerous to remove same.
Run your scan with Freedom while still in Safe Mode and allow Freedom to fix those registry entries.

----------------------

Reboot into Normal Mode. I'd like to run another online scanner and see if anything more is revealed.

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 03-06-2006 at 06:34 AM.
Ried is offline  
Old 02-23-2006, 02:11 PM   #15 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 20
OS: win/XP/HOME/ED.


Hello Ried:

Details on location of files:

1st- IGetNet=C:\System Volume Information\_restore(593172EE-14D9-4262-8426-24BF2115D284)\RP7|a0001422.dll

2nd- IGetNet=C:\System Volume Information\_restore(593172EE-14D9-4262-8426-24BF2115D284)\RP7\A0001423.dll

1-VX2=C:\WINDOWS\HELP\nocontnt.GID

1-Backdoor.Delf.is=C:\Program Files\MusicMatch|MusicMatchJukebox\ChanDir\MMJB\ikernel.exe

1-MidAddle=C:\Documents&Settings\owner\Local Settings\Temp\~DFA354.tmp

There was no LOOXEE file in the Add/Remove list.

I removed the "fz1", smdat32m.sys & MSIETS.

I did a file search & could not find any LOOXEE file.

When I tried to run Freedom in Safe Mode I received a message that it
won't run in Safe Mode.

I still have the 5/KaZaA & 5/HotBar & 1/WildTangent. Would it be dangerous to select these in Freedom to be deleted in regular mode of operation?

I will attach the Kaspersky file.

Tks for the support.

Kendall

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, February 23, 2006 4:36:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 23/02/2006
Kaspersky Anti-Virus database records: 178253
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 71690
Number of viruses found: 9
Number of infected objects: 24
Number of suspicious objects: 0
Duration of the scan process: 01:01:06

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1\A0000020.exe/data0002 Infected: Trojan.Win32.RCSync skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1\A0000020.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001416.dll Infected: not-a-virus:AdWare.Win32.BrowsePal.b skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001419.dll Infected: not-a-virus:AdWare.Win32.Wintol.ao skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001420.DLL Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001421.dll Infected: Backdoor.Win32.Ruledor.c skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001422.dll Infected: not-a-virus:AdWare.Win32.IGetNet skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001423.dll Infected: not-a-virus:AdWare.Win32.IGetNet skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001424.dll/data0002 Infected: Trojan.Win32.RCSync skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001424.dll NSIS: infected - 1 skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001424.dll Exe2Dll: infected - 1 skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001424.dll UPX: infected - 1 skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001425.exe/data0002 Infected: Trojan.Win32.RCSync skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001425.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001518.dll Infected: not-a-virus:AdWare.Win32.Wintol.ae skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001520.EXE Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\WINDOWS\SYSTEM32\ast_.dll/WISE0006.BIN Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\WINDOWS\SYSTEM32\ast_.dll WiseSFX: infected - 1 skipped
C:\WINDOWS\SYSTEM32\ast_.dll Exe2Dll: infected - 1 skipped
C:\WINDOWS\SYSTEM32\ETB.dll/WISE0009.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped
C:\WINDOWS\SYSTEM32\ETB.dll/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped
C:\WINDOWS\SYSTEM32\ETB.dll WiseSFX: infected - 2 skipped
C:\WINDOWS\SYSTEM32\ETB.dll WiseSFX Dropper: infected - 2 skipped
C:\WINDOWS\SYSTEM32\ETB.dll Exe2Dll: infected - 2 skipped

Scan process completed.
Attached Files
File Type: txt Kaspersky.txt (7.2 KB, 1 views)

Last edited by Ried; 02-23-2006 at 02:46 PM.
RETIREMENT is offline  
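Ried's next reply picks the two files outside System Restore (ast_.dll and ETB.dll) out of this report by eye. As an added example (not code from the thread or from Kaspersky), this Python snippet does that triage: it maps detections inside archive members such as /WISE0006.BIN or /data0002 back to the file on disk, keeps only the lines that name a detection (the "WiseSFX: infected - N" style lines just restate them), and separates live files from copies held in System Restore snapshots, which the thread leaves for a later step. The sample lines are copied from the report above.

```python
import re

# Lines copied from the Kaspersky Online Scanner report posted above (a subset).
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1\A0000020.exe/data0002 Infected: Trojan.Win32.RCSync skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1\A0000020.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP7\A0001422.dll Infected: not-a-virus:AdWare.Win32.IGetNet skipped
C:\WINDOWS\SYSTEM32\ast_.dll/WISE0006.BIN Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\WINDOWS\SYSTEM32\ast_.dll WiseSFX: infected - 1 skipped
C:\WINDOWS\SYSTEM32\ast_.dll Exe2Dll: infected - 1 skipped
C:\WINDOWS\SYSTEM32\ETB.dll/WISE0009.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped
C:\WINDOWS\SYSTEM32\ETB.dll/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped
C:\WINDOWS\SYSTEM32\ETB.dll WiseSFX: infected - 2 skipped
"""

# A named detection: "<object> Infected: <name> <action>". The "<Packer>: infected - N"
# lines only summarise a detection already reported inside the container.
DETECT_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# Objects living in a System Restore snapshot rather than on the live system.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def host_file(obj):
    """Map an in-archive member (e.g. 'ETB.dll/WISE0009.BIN') to the file on disk."""
    return obj.split("/", 1)[0]


def triage(report):
    """Group named detections by on-disk file and split them into files live on
    the system versus copies held in System Restore snapshots.
    Returns (live, restore), each mapping path -> sorted detection names."""
    live, restore = {}, {}
    for line in report.splitlines():
        m = DETECT_RE.match(line.strip())
        if not m:
            continue
        path = host_file(m.group("obj"))
        bucket = restore if RESTORE_RE.search(path) else live
        bucket.setdefault(path, set()).add(m.group("name"))
    return ({p: sorted(n) for p, n in live.items()},
            {p: sorted(n) for p, n in restore.items()})


if __name__ == "__main__":
    live, restore = triage(SAMPLE_REPORT)
    print("Live files to clean:", *live, sep="\n  ")
    print("Held only in restore points (cleared when System Restore is purged):",
          *restore, sep="\n  ")
```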
Old 02-23-2006, 03:16 PM   #16 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 20
OS: win/XP/HOME/ED.


Hi Ried:

Just thought that I would send you a Panda scan that I just did.
It sure is a lot less than in the past.

Tks
Kendall


Incident Status Location

Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Spyware:spyware/altnet Not disinfected Windows Registry
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Attached Files
File Type: txt panda new.txt (1.8 KB, 1 views)

Last edited by Ried; 02-23-2006 at 03:28 PM.
RETIREMENT is offline  
Old 02-23-2006, 03:26 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,066
OS: WinXP and Vista


Hi Kendall,

Copy these instructions to Notepad for reference while in Safe Mode.

--------------------------

Reboot your system into Safe Mode.

--------------------------

Using Windows Explorer, navigate to and delete the following files:

C:\WINDOWS\HELP\ nocontnt.GID
C:\Program Files\MusicMatch|MusicMatchJukebox\ChanDir\MMJB\ ikernel.exe <--from this location only
C:\WINDOWS\SYSTEM32\ ast_.dll
C:\WINDOWS\SYSTEM32\ ETB.dll

--------------------------

Run CleanUp again:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

--------------------------

Reboot into Normal Mode.

--------------------------

Now go ahead and run Freedom and allow it to clean anything it detects.

If looxee is still detected, please post the location here.

When we're through cleaning your system, we'll take care of the entries in System Restore.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 02-23-2006, 03:33 PM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,066
OS: WinXP and Vista


Hiya Kendall,

You posted the Panda Results while I was replying.

Add this file to your file deletions list:

C:\WINDOWS\SYSTEM32\ kyf.dat

Did you complete the instructions for the regdel.zip I gave you back in Post #14?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 02-23-2006, 03:53 PM   #19 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 20
OS: win/XP/HOME/ED.


Hello Ried:

Yes I have downloaded (regdel.zip) to my desktop & run the file.
Should I do it again & then try running Freedom in Safe Mode?

Tks
Kendall
RETIREMENT is offline  
Old 02-23-2006, 04:05 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,066
OS: WinXP and Vista


Run Freedom from Normal Mode since it doesn't want to run in Safe Mode and allow it to clean everything it finds.

Run the regdel.zip again. You do have to extract all files first, then double-click on the icon that looks like a pile of blue blocks and is named regdel.txt. You should then get a prompt to merge with the registry. Click Yes.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum