A little spyware I'm having trouble with.
Old 04-23-2006, 12:02 PM   #1
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



I have a Dell Optiplex GX110 with windows 98 SE.

I like to keep my computer pretty clean and lately I've been getting a lot of junk mail in my inbox along with pop-ups for no reason. I would appreciate it if someone could help me out a little. I ran a Panda scan a couple days ago and it came up with a few things such as funweb, zango, mywebsearch and a few cookies. I manually deleted what I could and ran the scan again after restarting my computer. Of course, everything was back in place where it was before. I regularly run Spybot, Ad-Aware SE Personal and Xoftspyse. Today I ran across this site in my quest to fix these issues and I'm wondering if someone could give me a little advice as to how to get rid of this stuff for good. I never visit those sites that were found in the Panda scan.

I've read this post:

https://www.techsupportforum.com//sec...ijackthis.html
"Sticky: Please, Read this before posting a hijackthis log."

After reading through that post I deleted all cookies and temp. internet files through internet options, restarted my computer in normal mode. I then ran spybot, ad-aware and xoftspy in safe mode and proceeded to the following sites for scanning:

Bit Defender came up clean
Housecall from Trend Micro came up clean
McAfee free scan came up clean
while the Panda scan came up with the normal stuff it did before and more (will gladly share the log)

I went on to spyware warrior and looked through that site as well.

I tend to keep up on the latest microsoft updates.

Found in xoftspyse:
aornum X2 (I couldn't find or delete in normal mode)
funwebproducts X3 (I couldn't find or delete in normal mode)

found in ad-aware se:
avenue A inc (deleted)

I then ran hijackthis after enabling everything in my "msconfig" and restarting my computer. I saved the log and will also gladly share as my understanding is that I am to be asked for it by someone.

I get pop-ups entitled "casalamedia" all the time. Even getting rid of them would make my day.

Lately, (as I keep my msconfig pretty clean) Win Zip Quick Pick is checked every time I restart my computer whether I unchecked it or not.

I keep some sensitive data on my computer and would really appreciate not having it leaked.
bloodhound114 is offline  
 
Old 04-23-2006, 01:53 PM   #2
Guest
 
Join Date: Apr 2006
Posts: 23
OS:


Here's the Hijack log.

Hijack scan:

Logfile of HijackThis v1.99.1
Scan saved at 2:50:55 PM, on 4/23/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ARES\ARES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\PROGRAM FILES\ARES\ARES.EXE" -h
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - https://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - https://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - https://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - https://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - https://www.shockwave.com/content/tumblebugs/axhost.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - https://messenger.zone.msn.com/binary...n.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - https://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - https://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - https://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - https://download.mcafee.com/molbin/is...44/mcfscan.cab

I hope someone can help me with this.
bloodhound114 is offline  
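The HijackThis log above is a line-oriented format: a "Running processes" block followed by one entry per line, each tagged with a section code (R0, O2, O4, O9, O16 ...). The things a helper checks first are the autostart (O4) commands, entries whose file is already gone, the CLSIDs of browser add-ons, and which hosts the O16 ActiveX controls were downloaded from. This is an added example, not part of the thread and not HijackThis's own code; it parses a few lines copied from the log above (not the whole log) and pulls those four things out. One detail worth noticing: an O4 entry whose command is a bare file name like SysTray.Exe is found through the PATH at boot rather than by full path, so it is worth confirming which copy actually runs.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a handful of lines in HijackThis v1.99.1 format, copied
# from the log posted above. Not the full log.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:50:55 PM, on 4/23/06
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\ARES\ARES.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [ares] "C:\PROGRAM FILES\ARES\ARES.EXE" -h
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WINZIP\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - https://www.popcap.com/games/popcaploader_v6.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# O4 registry entries look like:  HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[[^\]]*\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the coded entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"code": m["code"], "body": m["body"], "line": line})
    return {"processes": processes, "entries": entries}


def autostart_command(entry):
    """Executable launched by an O4 entry (registry Run keys or Startup folder), else None."""
    if entry["code"] != "O4":
        return None
    body = entry["body"]
    m = RUN_RE.match(body)
    if m:
        cmd = m["cmd"].strip()
        if cmd.startswith('"'):                 # quoted path, then arguments
            return cmd[1:].split('"', 1)[0]
        return cmd.split(" ", 1)[0]             # first token is the program
    if body.startswith("Startup:") and " = " in body:
        return body.split(" = ", 1)[1].strip()  # .lnk target, no arguments shown
    return None


def triage(parsed):
    """The first things a reviewer looks at: counts per section, missing files,
    bare (PATH-resolved) autostart names, ActiveX download hosts and CLSIDs."""
    entries = parsed["entries"]
    by_code = Counter(e["code"] for e in entries)
    file_missing = [e["line"] for e in entries if "(file missing)" in e["body"]]
    bare_autostarts = []
    for e in entries:
        cmd = autostart_command(e)
        if cmd and "\\" not in cmd:
            bare_autostarts.append(cmd)
    dpf_hosts = set()
    for e in entries:
        if e["code"] == "O16":
            host = urlparse(e["body"].rsplit(" - ", 1)[-1]).hostname
            if host:
                dpf_hosts.add(host)
    clsids = sorted({m.group(0).upper() for e in entries
                     for m in [CLSID_RE.search(e["body"])] if m})
    return {"by_code": dict(by_code), "file_missing": file_missing,
            "bare_autostarts": bare_autostarts, "dpf_hosts": dpf_hosts, "clsids": clsids}


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_HJT_LOG))
    for k, v in result.items():
        print(k, "=>", v)
```

The CLSID list is what you would compare against the O2/O9 entries of a known-clean log; the O16 host set is the list of sites that were allowed to install ActiveX controls, which is the same list Panda flagged the funweb .inf from.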
Old 04-24-2006, 10:07 AM   #3
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hello bloodhound114 and welcome,

Quote:
Panda scan a couple days ago and it came up with a few things such as, funweb, zango, mywebsearch and a few cookies.
We do need to see that log. As it's been a couple days since you ran the Panda scan, please run another online scan there, save the log and post it here. Additional entries may have shown up over these last couple days and it's more effective to get them all at the same time.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
 
Old 04-24-2006, 02:33 PM   #4
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



It might seem like I'm responding slowly from time to time, but I'm gone all day at work. I'll run the scan now for you and post it when it's done.
bloodhound114 is offline  
Old 04-24-2006, 02:37 PM   #5
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


That's fine, bloodhound. There may be times you have to wait for me to reply as well. I am subscribed to this thread so I will be notified when you do reply.
Ried is offline  
Old 04-24-2006, 03:18 PM   #6
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



Here's the new panda scan. It seems to have more in it than it did two days ago.

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/zango Not disinfected c:\program files\Zango Programs
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Findwhat Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Hitbox Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Last night I downloaded the trial version of the new Stop Zilla. In its Quarantine it has 146 files and programs. I can copy and paste those too if you'd like. Or have I made a mistake by downloading Stop Zilla?

I also ran CCleanup but what it cleans I usually do anyway.
bloodhound114 is offline  
Old 04-24-2006, 04:30 PM   #7
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



I uninstalled Stopzilla after getting a whole bunch of Iexplore error messages. I then did a search and find for "stop" and deleted everything pertaining to stopzilla. Then I ran Cleanup.
bloodhound114 is offline  
Old 04-24-2006, 04:33 PM   #8
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi,

Please copy these instructions to Notepad and save to your desktop for reference.

Download and unzip BFUzip from https://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:

https://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
https://metallica.geekstogo.com/BFUinstructions.html



Please ensure this box is checked: "Show log after script ends"

When it finishes running, click the Save button for a copy of the log.
Post the log created by the script when you have completed the fix.

-------------------------------

Click Start>Run and copy/paste regsvr32 /u occache.dll and click OK.

Delete the following file:

c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf

Click Start>Run and copy/paste regsvr32 occache.dll and click OK.

*If the above resists deletion, boot into Safe Mode and delete from there.

-------------------------------

Regarding StopZilla, we recommend uninstalling it. Please see this link.


How is your system behaving now?
Ried is offline  
Old 04-24-2006, 04:35 PM   #9
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


I was preparing my reply as you replied.

Good, I'm glad you uninstalled StopZilla, please refer to the link I gave you in my previous post.
Ried is offline  
Old 04-24-2006, 04:37 PM   #10
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



I'll go through the rest of your instructions and post back after work tomorrow. It's been a long day.
bloodhound114 is offline  
Old 04-24-2006, 05:01 PM   #11
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



I did everything as you requested but could not find f3initialsetup1.0.0.15.inf anywhere, system is running good.

BFU v1.00.9
Windows 98 SE (WinNT 4.10.2222 A)
Script started at 8:01:09 PM, on 4/24/06

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\WINDOWS\TEMP\~DFD6EC.TMP (operation failed)
Failed: FolderDelete C:\WINDOWS\Temporary Internet Files\Content.IE5\O9Q3KPA3 (operation failed)
Failed: FolderDelete C:\WINDOWS\Temporary Internet Files\Content.IE5\Z9J23D5F (operation failed)
Failed: FolderDelete C:\WINDOWS\Temporary Internet Files\Content.IE5\GW6JZRMQ (operation failed)
Failed: FolderDelete C:\WINDOWS\Temporary Internet Files\Content.IE5\IJ891N52 (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\temp (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

I know I said I'd do everything tomorrow but I'm eager to get rid of this garbage. I'd like to say thanks for taking me on. Now, I'll leave for the night and thanks again.
bloodhound114 is offline  
Old 04-24-2006, 08:16 PM   #12
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi bloodhound114,

We're almost there.

Please run another online scan at Panda and post the results here once again for my review.
Ried is offline  
Old 04-25-2006, 03:11 PM   #13
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



I'll let you see what you think of this. If you're around of course. Be back in about an hour. It's time I got some supper.

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/zango Not disinfected c:\program files\Zango Programs
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Cookies\[email protected][2].txt

I liked that "close" word. This is the first time that Panda hasn't disinfected a virus. I got three junk emails today. One was in my inbox and the other two in junk. Two for porn sites and one for free drugs. Just what I don't need.
bloodhound114 is offline  
Old 04-25-2006, 06:48 PM   #14
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit




Let's continue, we're almost there.

Download KillBox https://www.greyknight17.com/spy/KillBox.exe. (it's important that you get version v2.0.0.175)

Reboot into Safe Mode (tapping F8 or F5).

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Zango Programs

-------------------------------

Delete the folder if it exists:

c:\program files\Zango Programs

-------------------------------

Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)

Copy/paste the following entry into the open box:

c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File

Click Yes at the 'Delete on Reboot' prompt. Click No at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

-------------------------------

Click START...RUN... Type in regedit. Make sure just "My Computer" is showing in the left pane and click FILE...EXPORT... and save a copy somewhere in case you make a mistake. Now navigate to the following key and delete the file/folder/entry I highlighted in RED

hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}

If the above registry key is giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

-------------------------------

Clear Internet Explorer Cookies:
Launch Internet Explorer>Tools>Internet Options>Delete Cookies

-------------------------------

Reboot into Normal Mode.

-------------------------------

Run another scan at Panda and post the results here.

How is your system behaving now?
Ried is offline  
Old 04-26-2006, 04:03 PM   #15
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



Here's your Panda scan.


Incident Status Location

Potentially unwanted tool:application/zango Not disinfected hkey_local_machine\software\Zango Programs
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Dialer:dialer.gzt Not disinfected hkey_users\.default\software\netscape\netscape navigator\viewers\TYPE35
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\[email protected][1].txt


It seems as though I now have a dialer on my computer. I deleted the Zango folder but there wasn't a program to be found. It came up in the log though. Looks like a tricky one. Spybot took out the doubleclick cookie last night and here it is back again. At least I got rid of the "f3initialsetup....".

Thanks again for sticking around.
bloodhound114 is offline  
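Ried keeps asking for a fresh Panda scan after each step, and the interesting question each time is what changed: what went away, what is new, and which detections came back under a different path (zango and mywebsearch both show up again at new registry locations in the scan just posted). Tracking cookies come and go with normal browsing, so they are best counted separately from the real findings. This is an added example, not part of the thread and not Panda's code; it parses the "Incident Status Location" lines and diffs two scans. The two samples are modelled on the scans from posts #13 and #15; the cookie file names use a placeholder account name ("user") because the real names are not on the page, and the "Disinfected" status value is an assumption, since only "Not disinfected" appears in this thread.

```python
import re

# One incident per line: "<type>:<name> <status> <location>".
# "Not disinfected" is the only status seen in this thread; "Disinfected" is assumed.
INCIDENT_RE = re.compile(
    r"^(?P<type>[^:]+):(?P<name>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)

# Constructed samples modelled on the two scans above (cookie file names are placeholders).
SCAN_BEFORE = r"""Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/zango Not disinfected c:\program files\Zango Programs
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\user@atlasdmt[2].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Cookies\user@falkag[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Cookies\user@tribalfusion[2].txt
"""

SCAN_AFTER = r"""Incident Status Location

Potentially unwanted tool:application/zango Not disinfected hkey_local_machine\software\Zango Programs
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Dialer:dialer.gzt Not disinfected hkey_users\.default\software\netscape\netscape navigator\viewers\TYPE35
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\user@doubleclick[1].txt
"""


def parse_scan(text, ignore_cookies=True):
    """Turn a pasted Panda report into a list of incident dicts."""
    incidents = []
    for line in text.splitlines():
        m = INCIDENT_RE.match(line.strip())
        if not m:
            continue                      # header, blank or prose line
        inc = m.groupdict()
        if ignore_cookies and inc["name"].lower().startswith("cookie/"):
            continue                      # tracking cookies reappear with normal browsing
        incidents.append(inc)
    return incidents


def _key(inc):
    # Same detection name at the same location (case-insensitive paths/keys).
    return (inc["name"].lower(), inc["location"].lower())


def diff_scans(before_text, after_text, ignore_cookies=True):
    """Compare two scans: new, gone, unchanged, and names that only moved."""
    before = {_key(i): i for i in parse_scan(before_text, ignore_cookies)}
    after = {_key(i): i for i in parse_scan(after_text, ignore_cookies)}
    added = [after[k] for k in after if k not in before]
    removed = [before[k] for k in before if k not in after]
    persistent = [after[k] for k in after if k in before]
    # A name present in both scans but never at a shared location: the
    # detection "moved" (another registry entry or folder for the same thing).
    names_before = {k[0] for k in before}
    names_after = {k[0] for k in after}
    same_place = {k[0] for k in after if k in before}
    relocated = sorted((names_before & names_after) - same_place)
    return {"added": added, "removed": removed,
            "persistent": persistent, "relocated": relocated}


if __name__ == "__main__":
    d = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    for label in ("added", "removed", "persistent"):
        print(label)
        for inc in d[label]:
            print("   ", inc["name"], "@", inc["location"])
    print("relocated:", d["relocated"])
```

With the two samples, funweb is gone (the .inf was deleted), zango and mywebsearch are reported as relocated rather than persistent, and the Netscape viewer entry is the one genuinely new line, which is what makes it worth asking about before acting on it.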
Old 04-26-2006, 07:18 PM   #16
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi bloodhound114,

No worries, we'll get them all.

The 'dialer' is legit, it belongs to Netscape.

Every time we remove an entry for mywebsearch, another shows up. Let's use this tool to see how many more there may be and get them all at once. While we're at it, we'll check for additional Zango entries as well.

Right click on this link https://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately):

mywebsearch
Zango Programs


Save the file/files and post the results here.
Ried is offline  
Old 04-27-2006, 03:32 PM   #17
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



The good news is that RegSearch.vbs found Mywebsearch, Zango, Stopzilla and Szserver. The bad news is that it found way more than one instance of each. I decided to type Stopzilla and Szserver into the program because I remember those two running on my computer along with another one (can't remember the other). I also decided on Stopzilla because when Windows is starting up now, another screen comes up before the "Windows 98" page as if Stopzilla has its program running. From what I saw (it's pretty quick) the link is C:/windows/???????/Ulead??????/Stopzilla. I'm kicking myself a little for downloading that program. Never again will I download something like that because one site says it was good. So much for their spyware protection idea on that one.


Here are the logs for the four searches:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "mywebsearch" 4/27/06 6:11:43 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.HTMLPanel.1]

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.HTMLPanel.1]
@="MyWebSearch HTML Panel"

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.HTMLPanel]

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.HTMLPanel]
@="MyWebSearch HTML Panel"

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.HTMLPanel\CurVer]

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.HTMLPanel\CurVer]
@="MyWebSearch.HTMLPanel.1"

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.PseudoTransparentPlugin.1]

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.PseudoTransparentPlugin.1]
@="MyWebSearch Pseudo Transparent Plugin"

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.PseudoTransparentPlugin]

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.PseudoTransparentPlugin]
@="MyWebSearch Pseudo Transparent Plugin"

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.PseudoTransparentPlugin\CurVer]

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.PseudoTransparentPlugin\CurVer]
@="MyWebSearch.PseudoTransparentPlugin.1"


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Zango Programs" 4/27/06 6:13:52 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\Zango Programs]

[HKEY_LOCAL_MACHINE\Software\Zango Programs\Zango Toolbar]

[HKEY_LOCAL_MACHINE\Software\Zango Programs\Zango Toolbar\History]

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Stopzilla" 4/27/06 6:20:30 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Common Files\\STOPzilla!\\"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\WINDOWS\\All Users\\Application Data\\STOPzilla!\\"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\WINDOWS\\All Users\\Application Data\\STOPzilla!\\Quarantine\\"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\STOPzilla!\\"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Components\EC04E27D555934942BD165800E497317]
"00000000000000000000000000000000"="C:\\Program Files\\STOPzilla!\\swin32z.sys"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-]
"STOPzilla"="C:\\PROGRAM FILES\\STOPZILLA!\\STOPZILLA.EXE /autostart"

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzilla]

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzilla]
"Home"="stopzilla.net"

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzilla\Setup]

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzilla\AutoUpdate]

[HKEY_LOCAL_MACHINE\Software\ISSS\System\9XPipe\stopzilla]

[HKEY_LOCAL_MACHINE\Software\ISSS\System\9XPipe\0.stopzilla]

[HKEY_LOCAL_MACHINE\Software\ISSS\System\Hooks\9XLoad]
"FFFE4D87"="1263023864;C:\\PROGRAM FILES\\COMMON FILES\\STOPZILLA!\\SZPAHost.dll"

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzillaSoftware]

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzillaSoftware\ISSS]

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzillaSoftware\ISSS\STOPzilla]

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzillaSoftware\ISSS\STOPzilla\Setup]

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzillaSoftware\ISSS\STOPzilla\Setup\Wizard]

[HKEY_USERS\.DEFAULT\Software\ISSS\Stopzilla]

[HKEY_USERS\.DEFAULT\Software\ISSS\Stopzilla\MagicKey]

[HKEY_USERS\.DEFAULT\Software\ISSS\Stopzilla\Options]

[HKEY_USERS\.DEFAULT\Software\ISSS\Stopzilla\Options\OptionsDialog]

[HKEY_USERS\.DEFAULT\Software\ISSS\Stopzilla\BlackList]

[HKEY_USERS\.DEFAULT\Software\ISSS\Stopzilla\BlackList\BlackList]

[HKEY_USERS\.DEFAULT\Software\ISSS\Stopzilla\EventLog]

[HKEY_USERS\.DEFAULT\Software\ISSS\Stopzilla\EventLog\HistoryDialog]


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Szserver" 4/27/06 6:23:38 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\ISSS\System\9XService\szserver]

Sorry to add to your work.
bloodhound114 is offline  
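RegSrch writes its results as a REGEDIT4 file: a `[key]` line for every key whose name matched, and the key line again followed by `"name"="data"` for every matching value, which is why the same key appears twice in the mywebsearch results above. Reading the output by eye is tedious once there are dozens of hits, and most of them are harmless bookkeeping (Windows Installer folder records, the product's own settings). The hits that matter for cleanup are the ones that can still run something, such as the Run-key entry for STOPZILLA.EXE. This is an added example, not part of the thread and not RegSrch.vbs; it parses a cut-down version of the four reports above, merges the repeated key lines, and sorts each search term's keys into autostart, installer, COM-class and other. Treating a `Run-` key as an autostart location is an assumption (on the page it only shows a parked STOPzilla entry).

```python
import re
from collections import Counter

HEADER_RE = re.compile(r'^; Registry search results for string "(?P<term>[^"]+)"')
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Value lines: @="data"  or  "name"="data"  (names may contain escaped backslashes)
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')

# Constructed sample: an abbreviated copy of two of the RegSrch reports above.
SAMPLE_REGSRCH = r"""REGEDIT4
; RegSrch.vbs (c) Bill James

; Registry search results for string "mywebsearch" 4/27/06 6:11:43 AM

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.HTMLPanel.1]

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.HTMLPanel.1]
@="MyWebSearch HTML Panel"

[HKEY_LOCAL_MACHINE\Software\CLASSES\MyWebSearch.HTMLPanel\CurVer]
@="MyWebSearch.HTMLPanel.1"

REGEDIT4
; RegSrch.vbs (c) Bill James

; Registry search results for string "Stopzilla" 4/27/06 6:20:30 PM

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Common Files\\STOPzilla!\\"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\STOPzilla!\\"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-]
"STOPzilla"="C:\\PROGRAM FILES\\STOPZILLA!\\STOPZILLA.EXE /autostart"

[HKEY_LOCAL_MACHINE\Software\ISSS\STOPzilla]
"Home"="stopzilla.net"

[HKEY_USERS\.DEFAULT\Software\ISSS\Stopzilla\Options]
"""


def parse_regsrch(text):
    """One report per REGEDIT4 block: {'term': str, 'keys': {key: [(name, data), ...]}}.
    Repeated key lines are merged, so each key is listed once with all its values."""
    reports, report, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "REGEDIT4":
            report = {"term": None, "keys": {}}
            reports.append(report)
            last_key = None
            continue
        if report is None or not line:
            continue
        if line.startswith(";"):           # comment; one of them names the search term
            m = HEADER_RE.match(line)
            if m:
                report["term"] = m["term"]
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m["key"]
            report["keys"].setdefault(last_key, [])
            continue
        m = VALUE_RE.match(line)
        if m and last_key is not None:
            report["keys"][last_key].append((m["name"], m["data"]))
    return reports


def classify_key(key):
    """Rough triage of where a hit lives. 'autostart' covers Run, RunServices and
    the Run- key (assumed here to hold startup items msconfig has unchecked)."""
    k = key.lower()
    if "\\currentversion\\run" in k:
        return "autostart"
    if "\\currentversion\\installer\\" in k:
        return "installer"          # Windows Installer bookkeeping, no code runs from here
    if k.startswith("hkey_classes_root") or k.startswith("hkey_local_machine\\software\\classes"):
        return "com"                # ProgIDs / CLSIDs: can be loaded by IE or other hosts
    return "other"


def summarize(reports):
    """Per search term: how many keys of each class, plus every autostart value found."""
    out = {}
    for r in reports:
        classes = Counter(classify_key(k) for k in r["keys"])
        autostart_values = [(k, name, data) for k, vals in r["keys"].items()
                            if classify_key(k) == "autostart" for name, data in vals]
        out[r["term"]] = {"classes": dict(classes), "autostart_values": autostart_values}
    return out


if __name__ == "__main__":
    for term, info in summarize(parse_regsrch(SAMPLE_REGSRCH)).items():
        print(term, info["classes"])
        for key, name, data in info["autostart_values"]:
            print("   autostart:", key, name, "=", data)
```

Run over the full set of reports, the summary makes Ried's next point concrete: most Stopzilla hits are installer and settings leftovers that a registry cleaner can handle, while the one autostart value is the entry worth dealing with by hand.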
Old 04-30-2006, 11:12 AM   #18
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



Bump for lack of response. Anybody interested in helping me with this?
bloodhound114 is offline  
Old 04-30-2006, 05:21 PM   #19
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi bloodhound,

My apologies, I did lose you in the shuffle.

We're not going to root around the registry manually removing every orphaned entry. Our concern is with the entries detected as malware by online scans. Let's use a registry cleaner and see what it pulls out for you.

Download and install Ccleaner

Run CCleaner.
Next, click on the 'Issues' tab to clean registry. Be sure that box is checked to 'prompt to backup registry' in the Options>Advanced section.

Click 'Scan for Issues', then 'Fix Issues'
---------------------------------

Download the attached regdel.zip file to your desktop. Double click on the zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.

---------------------------------

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and paste the list from the notebook here.
Ried is offline  
Old 04-30-2006, 05:26 PM   #20
Guest
 
Join Date: Apr 2006
Posts: 23
OS:



I got a little hasty and found everything in my registry and deleted those files. I'll download CCleaner and do as you just mentioned because I'm sure there's more than just those four problems in there. Be back shortly.
bloodhound114 is offline  