
Thread: Please help me to remove Spywarestrike 2.5!

  1. #1
    Junior Member
    Join Date
    Feb 2006
    Posts
    16

    Default Please help me to remove Spywarestrike 2.5!

    I can't get rid of Spywarestrike 2.5... I have tried Spyware Doctor, Spybot... nothing works. What should I do? I'm a real rookie with computers...! =)

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Hi, I would start here:
    Updated topic posted:
    http://forums.spybot.info/showthread.php?t=1958


    Follow those instructions except you do not need to start a New Topic, stick with this same one and I will get notified when you post.

    Thanks...pskelley
    Safer Networking Forums
    Last edited by pskelley; 2006-02-04 at 17:18.

  3. #3
    Junior Member
    Join Date
    Feb 2006
    Posts
    16

    Default Problem solved... I think...!

    1.
    Logfile of HijackThis v1.99.1
    Scan saved at 11:07:16, on 2006-02-06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\system32\ldwbdi.exe
    C:\MSSQL7\binn\sqlservr.exe
    C:\Norman\Npf\BIN\NPFSVICE.EXE
    C:\Norman\bin\ZANDA.EXE
    C:\Program\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\Norman\bin\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\ewido anti-malware\ewidoguard.exe
    C:\Program\ewido anti-malware\ewidoctrl.exe
    C:\Program\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~2\tools\iesdpb.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpywareStrike] C:\Program\SpywareStrike\SpywareStrike.exe /h
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
    O9 - Extra button: Poker Million Online Poker - {47C16927-7BDE-465a-8E68-CE9C2CBB15B7} - C:\Program\pokermillionMPP\MPPoker.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://start.tele2.se
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido anti-malware\ewidoguard.exe
    O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

  4. #4
    Junior Member
    Join Date
    Feb 2006
    Posts
    16

    Default

    3.

    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]

    Running from
    C:\Documents and Settings\optik\Skrivbord\smitRem

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Pre-run SharedTask Export

    SharedTaskScheduler exporter by Grinler

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    "{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\System32\browseui.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\System32\browseui.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
    @="Empty Value"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    SpywareStrike uninstaller NOT present

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~

    quick launch SpywareStrike 2.5.lnk


    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~

    replmap.dll
    1024 dir
    ld****.tmp


    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 772 'explorer.exe'
    Killing PID 772 'explorer.exe'

    Starting registry repairs

    Registry repairs complete

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SharedTask Export after registry fix

    SharedTaskScheduler exporter by Grinler

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\System32\browseui.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\System32\browseui.dll"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Deleting files

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~


    ~~~ Wininet.dll ~~~

    CLEAN!



    4.

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 13:24:00, 2006-02-06
    + Report-Checksum: DE551A36

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
    C:\Documents and Settings\optik\Cookies\optik@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/cd_install_329.exe/cd_clint.dll -> Spyware.Cydoor : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter1.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter13.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    -> : Error during cleaning
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter16.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter2.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter2.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter4.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter5.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter6.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter7.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter8.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@ehg-247internet.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@hg1.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@phg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@sexlist[2].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@spylog[2].txt -> Spyware.Cookie.Spylog : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    C:\WINDOWS\system32\pskill.exe -> Not-A-Virus.NetTool.Win32.PsKill : Cleaned with backup
    C:\WINDOWS\tstlb.hta -> Downloader.Psyme.av : Cleaned with backup


    ::Report End


    5.

    Logfile of HijackThis v1.99.1
    Scan saved at 13:41:18, on 2006-02-06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\ewido anti-malware\ewidoctrl.exe
    C:\Program\ewido anti-malware\ewidoguard.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\system32\ldwbdi.exe
    C:\MSSQL7\binn\sqlservr.exe
    C:\Norman\Npf\BIN\NPFSVICE.EXE
    C:\Norman\bin\ZANDA.EXE
    C:\Program\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\Norman\bin\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~2\tools\iesdpb.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
    O9 - Extra button: Poker Million Online Poker - {47C16927-7BDE-465a-8E68-CE9C2CBB15B7} - C:\Program\pokermillionMPP\MPPoker.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://start.tele2.se
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido anti-malware\ewidoguard.exe
    O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe


    I think the problems are gone! =)
    I don't get this annoying tool bar pop up "Your computer is infected" anymore!

  5. #5
    Junior Member
    Join Date
    Feb 2006
    Posts
    16

    Default Spybot report...

    3.

    The Spybot report is 70000 characters long... and 20000 is the maximum.
    Should I split it and post it anyway?

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Hold with what you have posted. I believe I have all the information I need now, and will let you know if I need more. What I do need is breakfast, been at this since five AM. You will be first after food.

    Thanks...Phil

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Hello and sorry for the delay. We do have a little more work to do, though as you said, it looks like the major infection is gone. Hold on to that Spybot log just in case I need it later, you may delete it once I pronounce you clean if I forget to tell you. One of the problems of working with global logs (and I do not know where you are located) is we often do not recognise all legitimate software, and you have one onboard now I need to ask your help with. It is also running as a service.
    C:\WINDOWS\system32\ldwbdi.exe
    O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe
    Hackers call their junk anything to keep us from finding it. If you know this is a valid program, just let me know. If not, then use at least two of these free online scans to validate the item one way or the other. Let me know your findings.
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html

    ewido anti-malware - Scan report Created on: 13:24:00, 2006-02-06

    Looks like ewido was able to delete everything it located. You are allowing some nasty cookies to get to your computer, if you would like to control this, use this information:
    http://www.mvps.org/winhelp2002/cookies.htm
    http://www.microsoft.com/windows/ie/...cy/config.mspx

    Logfile of HijackThis v1.99.1 Scan saved at 13:41:18, on 2006-02-06

    We have a few issues here to fix, and I may have to remove the item I asked about above once you let me know what it is.

    Turn off Spyware Doctor, it may block the fix we must make with HJT, make sure you remember to turn it back on when you finish.

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [SpywareStrike] C:\Program\SpywareStrike\SpywareStrike.exe /h
    O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
    O9 - Extra button: Poker Million Online Poker - {47C16927-7BDE-465a-8E68-CE9C2CBB15B7} - C:\Program\pokermillionMPP\MPPoker.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
    (you may leave the next one if you want that as your startpage)
    O14 - IERESET.INF: START_PAGE_URL=http://start.tele2.se

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Enable hidden files&folders..reverse the process when finished.
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\Program\SpywareStrike\ >>> folder

    C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
    Prefetch info: http://www.windowsnetworking.com/art...efetch-XP.html

    If we have not run a good cleaner yet, and you need one, use this one with these instructions:
    Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
    Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

    Post the information I need from above and a new HJT log. Let me know how things are running and if the item running as a service is valid, you will be on your way.

    Thanks...Phil
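
Added example (not part of the thread, and not the helper's or HijackThis's own code): a Python sketch of the triage step described in the post above, which picks out O23 service entries that report "Unknown owner" and load from the Windows system directory so they can be checked with an online scanner. The function names and the `system_dir` default are assumptions; the sample lines are copied from the log posted in this thread.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Excerpt of the HijackThis log posted in this thread (lines copied from the page).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ldwbdi.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\system32\slserv.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# "O23 - Service: <display name> - <owner> - <path>"; the owner field may be empty.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?)\s?- (?P<path>[A-Za-z]:\\.+)$"
)


def parse_log(text):
    """Return (set of running process paths, list of O23 service dicts)."""
    running, services = set(), []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                running.add(ntpath.normcase(line))  # compare case-insensitively
            else:
                in_processes = False  # a blank line ends the process list
            continue
        match = O23_RE.match(line)
        if match:
            services.append(match.groupdict())
    return running, services


def triage_services(text, system_dir=r"C:\WINDOWS\system32"):
    """List services with 'Unknown owner' whose binary sits directly in system_dir.

    A hit is a candidate for scanning, not a verdict: other services in the same
    log also report 'Unknown owner' from their own install folders.
    """
    running, services = parse_log(text)
    sysdir = ntpath.normcase(system_dir)
    findings = []
    for svc in services:
        path = ntpath.normcase(svc["path"])
        if svc["owner"] == "Unknown owner" and ntpath.dirname(path) == sysdir:
            findings.append(
                {"name": svc["name"], "path": svc["path"], "running": path in running}
            )
    return findings


if __name__ == "__main__":
    for hit in triage_services(SAMPLE_LOG):
        state = "running" if hit["running"] else "not running"
        print(f"verify: {hit['path']} ({hit['name']}, {state})")
```
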

  8. #8
    Junior Member
    Join Date
    Feb 2006
    Posts
    16

    Default

    I live in Sweden...!
    I have no idea what "ldwbdi.exe" is. Kaspersky found nothing but virusscan.jotti found this:
    Dr.Web Found BACKDOOR.Trojan (probable variant)
    NOD32 Found a variant of Win32/Delf.HZ
    VBA32 Found Backdoor.Delf.150 (paranoid heuristics) (probable variant)

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    OK...thanks and I have other friends in Sweden. That item is bad, would you like me to edit it into that last set of instructions or should I let you complete those, then give you additional instructions for the removal after I see a new HJT log. I can do it either way, your call. Good thing you speak English I always have a hard time finding a good translation for Swedish.

    Thanks....Phil

  10. #10
    Junior Member
    Join Date
    Feb 2006
    Posts
    16

    Default

    I can do the other things first...

    Nothing happens when I try to download ccleaner...?
    It was the same with panda activescan, nothing happened when I pushed the "check now" button??!!
