Can someone help me with a virus that spybot can't remove?

Hi again,

There was a lot to do here and I was sick for a few days and wanted to do this all correctly and not rush through it, so I only got to this all now. Here's the check off list and a few questions I have.

1. ZoneAlarm Firewall installed. Do I need to change anything or any settings with the windows firewall?

2. OTMoveIt2 - Done

3. System Restore disabled and enabled - Done

4. IE Security Tab settings - all were already set as you stated, except "Navigate sub-frames across different domains" was set to Disable and not Prompt. Should I leave that as is or change to Prompt?

5. Antivirus - I currently have Avast and it is updated. I got a copy of Symantec from my office and since people have been telling me that is better, I would like to use that instead. Should I install it, and then enable it and then disable Avast?

6. I updated windows, custom, and checked all except Silverlight, as someone told me that I didn't need that software.

7. I installed SpywareBlaster, checked for updates and I suppose it is running automatically even though I don't see any icons in the bottom right tray. Should I, or do I need to start it up every time I start or restart the computer?

8. I downloaded the MVPS zip and unzipped it and per their instructions, double clicked on the bat file.

9. I installed the google toolbar, though I am not sure how to use it yet or if I need to set anything with it.

10. I installed Comodo and Winpatrol and both have icons in the bottom right tray, so I assume they just run automatically.

OK.... I do have some questions.

11. Do you need to see a new HiJack This or Kaspersky files just to make sure all the viruses are gone?

12. Do I need to do a defrag on my computer now since I guess lots of stuff got deleted?

13. Should I turn the SpyBot tea timer back on? With the newest program update to SpyBot this also appears to have its own desktop icon. I have no idea what this is or how to use it.

14. The firewall asked me if I wanted to allow or deny "printfilterpipelinesvc.exe" and I think at first I said to allow and when another alert came up I said to deny. I have no idea what this is or what I should allow or not allow. Ack!

15. Lastly, I am still getting many of the pop ups for "SpyBot - S&D's IE helper has detected an URL that is known as a malicious resource" and have to click DENY to close the pop up. I have the updated Spybot program on my work computer and I never get any of these pop ups at all, but visit the same web sites that I do at home. Why am I getting all of these pop ups at home? I still get them even after I did the MVPS bat file. Do I not have something set correctly? I would like for these bad urls to automatically be denied without the continual pop ups. Example, when I go to my Yahoo mail, every mail I open up and every screen I move to in Yahoo mail causes this pop up from SpyBot.

Thank you again for all your help with this! I plan to make a donation to SpyBot in appreciation of all the help you gave to me. :)

- Donna
 
Hi

1. You should disable windows firewall.

4. That is fine.

5. At least Symantec is a lot heavier than avast!
If you decide to switch, please uninstall avast!, yes.

7. Spywareblaster doesn't have an icon in the taskbar or start with Windows. It blocks things with settings; it's not running all the time. Just remember to update it often :)

11. No need unless there are symptoms left.

12. Defragging is always good to do on a regular basis.

13. Yes, you can turn it back on.

14. That is Windows' own file, link, so you can allow it.

15. I think that you'd better ask it here
 
Thank you.

I figured out how to prevent the Spybot S&D IE helper frequent pop ups. I went to TOOLS in IE > Spybot Configuration (I did not even know that was there until today) and was able to select to "block all bad pages silently" -- and now no more annoying "helpful" pop ups -- Yay!!!

I don't seem to have any more virus symptoms, but upon reboot yesterday when I had updated Windows, I noticed this weird black box pop up that referred to win 32 or something. It closed by itself pretty quickly, so I could not write down what it actually said. So then I opened up Spybot and updated/immunized, and then ran a scan check, and it picked up only one thing called "win32.small.azl", so I selected to remove it and then also deleted it from the restore tab as well. When I turned on my computer today I ran Spybot again and it said "Congratulations - no threats"! So I guess this means I am all good now.

One last thing... just something I noticed. Comodo BOclean is not allowing me to check for updates. Every time I try to, I get an error. I am wondering if this is normal or if I should uninstall and try to install it again.

- Donna
 
Hi

"One last thing... just something I noticed. Comodo BOclean is not allowing me to check for updates. Every time I try to, I get an error. I am wondering if this is normal or if I should uninstall and try to install it again."

Have you allowed BOclean from ZoneAlarm?
 
"Have you allowed BOclean from ZoneAlarm?"

Yes. I even checked the program list in ZoneAlarm and it had green checks next to it.

I continued to get errors when I tried to update, so I read this on the BOClean support page - http://www.comodo.com/boclean/supboc.html

"....then a manual update can be done by ftp download from ftp://nsdownloads.comodo.com/pub/boc425.xvu and then moving the file to the location specified in the BOClean configuration screen. The manual update and the automatic update are the same at all times."

So I saved the ftp link to my bookmarks, and figured out where to save the file to (it asked to overwrite the same file name and I said yes), and I suppose I can just update it this way from now on.

- Donna
 
No other problems in the last few days. I just have to install the Symantec VP software now and then check for any updates for it, and then uninstall the Avast. I hope to get to doing this later tonight. Everything else is done and I just have to check for updates weekly as you mentioned, to try to prevent getting infected again.

I can not express my gratitude to you enough. This has been quite a learning experience for me. You have helped me fix my computer and have taught me so much on how to better protect it for the future. I just made a donation to SpyBot just now so I would not forget to do so. I am soooo appreciative. Thank you!!!

- Donna
 
OK... I think I may still have some virus remaining. :(

I installed Symantec last night, and updated it (though I received an error due to Symantec being in the host file twice, and tried to remove the entries and could not, it still seemed to update properly regardless), and then I ran a full scan with Symantec that took well over an hour and it came back fully clean, and so lastly I uninstalled Avast and then rebooted.

Upon reboot, my system suddenly was running immensely slow... really slow... frustratingly slow. I figured maybe Symantec was running some sort of scan, but wondered why it was making my home computer operate so slowly and never made my work computer operate that way.

Then as I was on the internet, suddenly a yellow alert popped up saying that Symantec Auto Protection was disabled. Then the Windows Shield Alert also popped up saying I had no antivirus protection at all. !!!! I was completely freaked out by this. Then I was trying to open up the Symantec to turn the protection on and it wouldn't open for about four or five minutes it seemed. There was like an immense slow down of my system for some reason. Then when Symantec finally opened, I was able to turn the protection back on, but I was really upset that the protection was turned off like that and that everything was so slow. This has never happened with Avast at all. :(

Do I still have a residual virus or is this sort of thing normal with Symantec, and if it is normal... I will uninstall this horrible software (why did everyone tell me it was so much better) and put Avast back on. :(

Should I run scans again (and if so, in normal mode or safe mode (I was told safe mode is best, because viruses can hide in normal mode))?

- Donna
 
Hi

Yes, Norton is way heavier than avast! So I would say it's normal.

You can post back a fresh HijackThis log.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:14 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\aaaaTemp\Setups\HiJack This\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0\Monitor.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PrevxCSI.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128397785765
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5853 bytes
 
Hi

Yes, uninstall Norton and install avast!

After that, please post back a fresh HijackThis log :)
 
I uninstalled Symantec and LiveUpdate for Symantec, and installed Avast! and updated it and have the scanners all on normal level (should I set any of them to high?). My computer seems to be running a bit more normal now. I also downloaded the free Avast! Virus Cleaner and ran a scan and it found no infections.

Here's a new HiJack this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:15 PM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\internet explorer\iexplore.exe
C:\aaaaTemp\Setups\HiJack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128397785765
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5392 bytes
 
Everything seems so much better now that Symantec is off. I was just worried that a virus/infection still remained that was causing the problems I was having (with the massive slowness of my system and Symantec's protection being disabled on its own), but it seems that it was just a major problem with the Symantec software itself. With Symantec off and Avast back on, everything is good again. I would not recommend Symantec (SAV) to anyone.

Thank you for helping me again!
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.