Anti-virus Gold Help

Jack

I've had this stupid Adware that Adsubtract and Microsoft
Anti-Spyware cannot get rid of. I've run the 'Hijack
This' Program and I'm not sure what to do next. I will
cut and paste the 'Hijack This' results below. Any help
will be greatly appreciated.

Thanks

Jack

C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jack Russell\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp566D.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\interMute\AdSubtract\AdSub.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2745b48cf6f606c67e01/netzip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F3FEE0-2210-4283-8FC6-F5D7794E8768}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 
Aaron

Well, I'm not entirely a pro at removing spyware, but I
can give it a shot. Ok well, I'm gonna start doing
research on some of this stuff, but I kinda need to know
if you know how to do things like searching for exes,
restarting in safe mode, and editing the registry. That
way I know what I need to explain or not.


Ok *goes to look at log file*


Aaron

Ok, just a follow-up

I see your browser has been hijacked by www.oneclicksearches.com


These are the three malware entries I found in your log.
I can't be sure that these are the only entries, however.



O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp566D.tmp

I can't be sure that this is a bad entry because Google
wouldn't give me anything on it, but I'm pretty sure cuz I
just did my neighbor's computer (it had a ton of spyware
too) and there was a .tmp file hijacking the browser.



O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe

O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

These two are bad ones for sure.



Can I chat with you on instant messaging or get your
email? It may make things easier. I'm going to write up
some instructions on how to get rid of these things just
give me a bit of time.




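To make Aaron's triage repeatable, here is an added example, not part of the thread or of HijackThis itself: a Python script that parses entries in the HijackThis Rn/Fn/On line format and applies the same checks as code (browser start/search pages pointing at a non-default host, a proxy on localhost, extra programs on the system.ini Shell= line, a BHO loaded from a .tmp file, a Run entry launching a bare executable dropped straight into System32, and an ActiveX download from a non-Microsoft host). The sample lines are copied from Jack's log and re-joined onto single lines; the trusted-host list and the System32 allowlist are assumptions for illustration and would need tuning on a real machine.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above and
# re-joined onto single lines (the forum wrapped them). Not the full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp566D.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2745b48cf6f606c67e01/netzip/RdxIE601.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")

# Assumptions for illustration, neither list exhaustive: hosts IE may legitimately
# point at, and bare System32 executables that do belong in a Run key.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")
KNOWN_SYSTEM32_EXES = {"ctfmon.exe"}
SYSTEM32_EXE_RE = re.compile(r"(?:[a-z]:\\windows|%systemroot%)\\system32\\[^\\]+\.exe")

@dataclass
class Finding:
    section: str
    line: str
    reason: str

def host_is_trusted(host: str) -> bool:
    host = host.lower().split(":")[0]  # drop any :port
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def check_entry(section: str, body: str):
    """Return why an entry looks like it needs fixing, or None if it looks benign."""
    if section in ("R0", "R1"):  # IE start/search pages and proxy settings
        if "ProxyServer" in body and re.search(r"\b(localhost|127\.0\.0\.1)\b", body):
            return "IE is proxied through a local port; something on the box sits in the browsing path"
        m = URL_RE.search(body)
        if m and not host_is_trusted(m.group(1)):
            return f"IE start/search setting points at {m.group(1)}"
    elif section == "F2":  # system.ini Shell= should be Explorer.exe alone
        m = re.search(r"Shell=(.*)$", body)
        if m:
            extra = [p.strip() for p in m.group(1).split(",") if p.strip().lower() != "explorer.exe"]
            if extra:
                return "extra program(s) started with the shell: " + ", ".join(extra)
    elif section == "O2":  # Aaron's rule: a BHO loaded from a .tmp file is not a real add-on
        path = body.rsplit(" - ", 1)[-1]
        if path.lower().endswith(".tmp") or "\\temp\\" in path.lower():
            return f"BHO loaded from a temp file: {path}"
    elif section == "O4":  # the command after [name] is a quoted path or the first token
        m = re.search(r'\]\s+("([^"]+)"|(\S+))', body)
        if m:
            cmd = m.group(2) or m.group(3)
            low = cmd.lower()
            if SYSTEM32_EXE_RE.fullmatch(low) and low.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32_EXES:
                return f"autorun of a bare executable dropped in System32: {cmd}"
    elif section == "O16":  # ActiveX (Downloaded Program Files) fetched from a non-Microsoft host
        m = URL_RE.search(body)
        if m and not host_is_trusted(m.group(1)):
            return f"ActiveX control downloaded from {m.group(1)}"
    return None

def triage(log_text: str) -> list:
    """Run every HijackThis entry through check_entry; hits are returned in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, blank lines, wrapped fragments
        reason = check_entry(m.group("section"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("section"), line, reason))
    return findings

def files_to_remove(findings: list) -> list:
    """File paths behind flagged O2/O4 entries: the list the safe-mode delete and
    registry-search steps later in the thread are built around."""
    paths = set()
    for f in findings:
        if f.section in ("O2", "O4"):
            m = re.search(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|tmp)', f.line, re.IGNORECASE)
            if m:
                paths.add(m.group(0))
    return sorted(paths)

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section}: {f.reason}")
    print("files to remove:", files_to_remove(hits))
```

On the sample it flags exactly the entries Aaron and Andy call out and leaves the NVIDIA Run entry and the Microsoft ActiveX download alone.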
 

Aaron

Ok, here's what you need to do:


Part one - Removing the files

1. Shut down your computer. Make sure the power turns
OFF, not a warm reset.
2. Turn on the power. Tap F8 till the Windows XP startup
options menu appears. Choose "Safe Mode" be sure to
pick the one that says exactly that and not one
like "Safe mode with network support".
3. When your computer boots, it will be in low-resolution
screen mode so don't worry. Try to log on as "Administrator"
if you can remember the password. If you can't, it's ok,
but you have to log on to an account that has
administrator privileges.
4. A dialogue box will appear with two choices, "yes"
and "no". Choose "yes".
5. You should now see your desktop. Choose "Start" and
then "Run".
6. Load "explorer" (clear out everything in the box,
type "explorer" in and press OK).
7. Navigate to the C: drive. It will be under "my
computer". From there, click the "windows" folder and
then the "system32" folder.
8. Find the file "intel32.exe". Highlight it and
press "delete" on the keyboard. Also find "hookdump.exe"
and delete it. Lastly find hp566d.tmp and delete
it. Although I can't be sure if it is malware, .tmp
files can be deleted at any time so delete it anyhow. (I
recently removed spyware from another computer and a .tmp
file was hijacking the home page.)
9. If any files will not allow you to delete them, bring
up Task Manager (press ctrl-alt-del), navigate to the
"processes" tab and be sure that the file that you are
trying to delete is not running. (So if intel32.exe will
not be deleted, check the process list for that name.) If
it is running, select it and hit "end process", then try
to delete the file again.


Part two - Removing the registry keys relating to those
files

10. Now that all the files are gone, close Windows
Explorer and get back to the desktop.
11. Choose "Start" then "run" and this time open "regedit".
12. On the left-hand side of the screen, there is a tree
view with "My computer" at the top. Select it.

At this point you should back up the registry by
following the instructions at the bottom of this
message's text.

13. Click the "edit" menu and then choose "find". Search
for "intel32.exe" and be sure all the check boxes in
the "look at" panel are checked while "match whole string
only" is unchecked.
14. When the program finds any key matching your search,
it will highlight it. Delete any matching keys by
pressing "delete" on the keyboard while they are still
highlighted. Once you delete a key, press F3 and repeat
this step till you get a "Finished searching through the
registry" message.
15. Go back and repeat steps 13 and 14 but search for the
file "hookdump.exe" and upon completion, search
for "hp566d.tmp".
16. Close the registry editor.


Part three - Resetting your browser and other settings

17. While still in safe mode, open Microsoft
AntiSpyware. You should be able to open it by clicking "start"
then "programs" and then by looking for a "Microsoft
AntiSpyware" program group.
18. In the main window, click "Advanced tools". Then
click "browser restore".
19. Click the "check all" thingy near the bottom of the
window and press the "restore" button. Once
MSAntiSpyware confirms it is done, close the window.
20. You should now be at your desktop again. Click the
start menu and shut down your computer.
21. If you have an always-on internet connection, turn
off the modem. If you have dial-up, be sure that when
you boot your computer in the next step, you do NOT allow
it to connect to the internet.
22. Turn your computer back on and let it start up
normally. Log on as your main account with administrator
privileges.
23. Take a moment to see if your computer is behaving
normally once more. Please note that your wallpaper may
be changed and that doesn't mean you still have spyware.
If there are any settings you want to change, do so now.
If you are able to change them permanently, then you are
probably in the clear.
24. Open Internet Explorer while you are still
disconnected from the internet. Click the "tools" menu
and then "internet options".
25. Click the "delete files" button, check the box in the
window that comes up, and press OK. You also may want to
change your homepage.
26. Click the "security" tab and click the "internet"
icon. Then click "default level". Do this for the other
3 icons as well.
27. Click the "Privacy" icon and set the slider
to "medium High". If you have trouble viewing sites
later on, go change it to "medium", but you shouldn't have
trouble.
28. Click the "ok" button and close Internet explorer.


Part four - Prevent yourself from getting the junk over
again.

29. Open your internet connection. Once you are
connected, immediately go to "www.windowsupdate.com" in
internet explorer even if you usually use another browser
for internet access. Download all Critical updates by
following the instructions. This would be the "express"
install. You may have to restart after doing this, but
if you do, it will tell you so. Also, if Windows Update
tells you to install a service pack, you should know that
doing that is risky, so if you decide to do it, back up
your files first. Any other updates, download no matter
what. :)
30. I saw that you had McAfee's antivirus program on your
computer. Open it now and be SURE THAT ITS VIRUS
SIGNATURES ARE UPDATED. If they are not and you can't
seem to update them for an unknown reason, try
uninstalling and re-installing the program.


Hopefully this helps ya out. You can email me at
(e-mail address removed), but be sure to put a good subject
line in cuz I get so much stupid spam and I may miss the
message. You can also IM me using my AIM sn: ABeakyboy
and my MSN id: (e-mail address removed)






-----Instructions for backing up the registry-----
In the registry editor, choose "file" and then "export"

In the window that comes up, change the "export range"
to "all" if it is not already set to that.

Navigate to the C: drive and type a file name (anything
with just letters will do)

Press "save" and you're done.




AndyManchesta

Hope you don't mind me stepping in to offer some help
Aaron, I've only just noticed the log posted. I'm really busy
today but wanted to try to help out before I go back off.


First you need to move HijackThis out of your temp
files.

Right click an empty space on the desktop or the C: drive, or
wherever you want except temp files, then choose New > New
Folder, name it and put HijackThis into it. If you have
problems finding it then just download it again into the
new folder you created:

'Hijack This'

http://www.spywareinfo.com/~merijn/files/HijackThis.exe


Click here

http://castlecops.com/zx/flrman1/smitRem.zip

to download smitRem.zip. Save the file to your desktop.
Unzip smitRem.zip to extract the two files it contains.
Do not do anything with it yet. You will run the
RunThis.bat file later in safe mode.



Download CCleaner and install it to remove temp and unused
files

http://download.ccleaner.com/download121bino.asp


Download the trial version of Ewido Security Suite here

http://www.ewido.net/en/download/

Install ewido.
During the installation, under "Additional Options"
uncheck "Install background guard" and "Install scan via
context menu".
Launch ewido.
It will prompt you to update; click the OK button and it
will go to the main screen.
On the left side of the main screen click update.
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe
mode.


Click Here
(http://www.downloads.subratam.org/KillBox.exe) and
download Killbox and save it to your desktop.


Now copy these instructions to notepad and save them to
your desktop. You will need them to refer to in safe mode.



Once you have all the above downloads then boot into safe
mode (reboot and keep tapping F8, then choose Safe Mode
from the list).



With all windows closed in safe mode, check these entries
for fixing:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp566D.tmp

O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe

O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2745b48cf6f606c67e01/netzip/RdxIE601.cab

With these checked press 'Fix Checked'




Open the smitRem folder, then double click the
RunThis.bat file to start the tool. Follow the prompts on
screen.
Wait for the tool to complete and disk cleanup to finish.


* Double-click on Killbox.exe to run it. Now put a tick
by Standard File Kill. In the "Full Path of File to
Delete" box, copy and paste each of the following lines
one at a time, then click on the button that has the red
circle with the X in the middle after you enter each
file. It will ask for confirmation to delete the file.
Click Yes. Continue with that same procedure until you
have copied and pasted all of these in the "Paste Full
Path of File to Delete" box.

C:\WINDOWS\System32\intel32.exe

C:\WINDOWS\System32\msmsgs.exe

C:\WINDOWS\System32\hookdump.exe

C:\WINDOWS\System32\hp566D.tmp


Note: It is possible that Killbox will tell you that one
or more files do not exist. If that happens, just
continue on with all the files. Be sure you don't miss
any.

Exit the Killbox.


Run Ewido:

Click on Scanner.
Put a check by the following before you scan:
Binder
Crypter
Archives
Click the Start Scan button to start the scan.
During the scan it will prompt you to clean files; click
OK.
When the scan is finished, look at the bottom of the
screen and click the Save report button.
Save the report to your desktop.


Start CCleaner and click Run Cleaner; also use the Issues
button and fix any faults detected.


* Go to Control Panel > Internet Options. Click on the
Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.


* Next go to Control Panel > Display. Click on
the "Desktop" tab then click the "Customize Desktop"
button. Click on the "Web" tab. Under "Web Pages" you
should see an entry checked called something
like "Security info" or similar. If it is there, select
that entry and click the "Delete" button. Click OK then
Apply and OK.


Restart back into Windows normally now.


Run an online virus scan here

http://www.pandasoftware.com/activescan/


When the scan is finished, anything that it cannot clean
have it delete it. Make a note of the file location of
anything that cannot be deleted so you can delete it
yourself.
- Save the results from the scan!


Post a new HiJackThis log along with the results from
ActiveScan and the ewido scan




Over to you Aaron ;)

If you're clean, turn off System Restore & reboot, then
re-enable it, but if it's not clean then post the logs.


Regards

Andy
 

AndyManchesta

I forgot to post a couple of things:

The reason for moving HijackThis into a folder is so
that it creates backups of everything that is
deleted. This way, if needed, you can open HijackThis, go
to the backups folder and restore anything later.

With Ewido just choose 'Complete system scan'. I've just
downloaded the new version and it's changed a bit since I
ran it last, so ignore the settings I mentioned in the
last post (Binder, Crypter, Archives); they're not needed now.

All the best

Andy


Good work Aaron! I didn't notice your latest reply until
I'd already posted mine, but it's good advice from what I
can see.

I'm no expert myself, I just know what should be there more
than anything. The run command they have for [yahoopager] 1
is also suspicious, as the usual entries give a path to
the Yahoo file (C:\Program Files\Yahoo!
\Messenger\ypager.exe), but I didn't have time to check it
in detail so I'll leave that to the user: if they know
they have yahoopager starting every time they boot then it
may be genuine.

I'll be off now until tomorrow so hopefully it all goes well.

Regards

Andy
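As an added example (not code from this thread, from HijackThis, or from any tool named here), the following Python script applies the checks Andy and Aaron make by eye to HijackThis lines so they can be run over a whole log at once: R0/R1 browser settings that point at a host other than Microsoft's own (the EXPECTED_BROWSER_HOSTS allowlist is an assumption for the example), a ProxyServer entry routed through localhost, extra programs on the system.ini Shell= line, a BHO loaded from a .tmp file, O4 Run values with no path to an executable (Andy's point about the [yahoopager] 1 entry), and Run values named after their own executable. The sample log is constructed from the entries quoted in this thread, with a few benign lines added so the heuristics are seen passing as well as flagging. The output is a triage list to verify against HijackThis backups, not a verdict.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: hosts that IE's default start/search settings may
# legitimately point at. Any other host in an R0/R1 line is worth a second look.
EXPECTED_BROWSER_HOSTS = ("microsoft.com", "msn.com")

# Constructed sample modelled on the log in this thread, plus benign entries
# (about:blank, nwiz, NvCplDaemon, the Radio toolbar) that should not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp566D.tmp
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""


def host_of(url):
    """Lowercase hostname of an http(s) URL, or None for about:blank and the like."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def is_expected_host(host):
    return any(host == h or host.endswith("." + h) for h in EXPECTED_BROWSER_HOSTS)


def triage_line(line):
    """Return the reasons one HijackThis line deserves a look; [] means nothing flagged."""
    findings = []
    m = re.match(r"^(R0|R1|F2|O2|O4)\s+-\s+(.*)$", line.strip())
    if not m:
        return findings
    section, body = m.groups()

    if section in ("R0", "R1"):
        key, _, value = body.rpartition(" = ")  # rpartition: the value itself may hold '='
        value = value.strip()
        if "ProxyServer" in key:
            # "http=localhost:1032": a proxy on the machine itself means some local
            # program sits between the browser and the network.
            for entry in value.split(";"):
                proto, _, endpoint = entry.partition("=")
                host = (endpoint or proto).split(":")[0].strip().lower()
                if host in ("localhost", "127.0.0.1"):
                    findings.append(f"proxy routed through local listener: {value}")
        else:
            host = host_of(value)
            if host and not is_expected_host(host):
                findings.append(f"browser setting points to third-party host {host}")
    elif section == "F2" and "Shell=" in body:
        shells = [s.strip() for s in body.split("Shell=", 1)[1].split(",")]
        extras = [s for s in shells if s.lower() != "explorer.exe"]
        if extras:
            findings.append(f"extra program(s) loaded with the shell: {', '.join(extras)}")
    elif section == "O2":
        path = body.rsplit(" - ", 1)[-1].strip()
        if path.lower().endswith(".tmp") or "\\temp\\" in path.lower():
            findings.append(f"BHO loaded from a temporary file: {path}")
    elif section == "O4":
        m4 = re.match(r"^(.*?):\s+\[(.*?)\]\s*(.*)$", body)
        if m4:
            _, name, target = m4.groups()
            first = target.split()[0].strip('"') if target.strip() else ""
            exe_name = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if first.lower().endswith(".tmp"):
                findings.append(f"startup entry runs a .tmp file: {target}")
            elif "\\" not in first and not first.lower().endswith((".exe", ".dll")):
                findings.append(f"startup entry [{name}] has no executable path: '{target.strip()}'")
            if exe_name == name.strip().lower():
                findings.append(f"run value [{name}] is named after its own executable (low confidence, verify the file)")
    return findings


def triage_log(text):
    """Map each flagged log line to its reasons; unflagged lines are omitted."""
    report = {}
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            report[raw.strip()] = reasons
    return report


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Running the script prints seven of the eleven sample lines with the reason each was flagged; the about:blank entry, the two path-bearing Run values and the toolbar pass. Anything flagged should be fixed with HijackThis (so a backup exists) rather than deleted blindly, as Andy notes above.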
 

Aaron

Hey, I'm glad you gave a second opinion. I'm not an
expert at this (I've only removed spyware on my
neighbor's computer, but it was like this) so I'm glad
that Jack has another procedure to try. I keep my
computers really secure so I don't usually get spyware
myself, just tracking cookies lol. I put the ypager.exe
into Google and it said that it was a legit process name
(usually it will say if it is legit but spyware can also
fake it) but they may not have updated the site recently.

What does killbox.exe do? Does it simply delete the files
you tell it to? If so, why use it? I'm just curious cuz I
want to improve my spyware killing skills.

And oh yeah, I did forget turning off (and turning back
on) System Restore to clear it out. Oh well, I guess
no one's perfect lol
 

Aaron

In light of Andy's post and some research on my part, you
should also delete the file "msmsgs.exe" just like you
did "intel32.exe". However, sometimes msmsgs.exe can be
a legit program so if you notice problems with Windows
Messenger after you do this, you may want to try
restoring the file.


-----Original Message-----

Ok, here's what you need to do:


Part one - Removing the files

1. Shut down your computer. Make sure the power turns
OFF, not a warm reset.
2. Turn on the power. Tap F8 till the Windows XP startup
options menu appears. Choose "Safe Mode" be sure to
pick the one that says exactly that and not one
like "Safe mode with network support".
3. When your computer boots, it will be in low-resolution
screen mode so don't worry. Try to log on as "Administrator"
if you can remember the password. If you can't, it's ok,
but you have to log on to an account that has
administrator privileges.
4. A dialogue box will appear with two choices "yes"
and "no" Choose "yes".
5. You should now see your desktop. Choose "Start" and
then "Run"
6. Load "explorer" (clear out everything in the box and
type "explorer" in and press ok)
7. Navigate to the C: drive. It will be under "my
computer". From there, click the "windows" folder and
then the "system32" folder.
8. Find the file "intel32.exe". Highlight it and
press "delete" on the keyboard. Also find "hookdump.exe"
and delete it also. Lastly find hp566d.tmp and delete
it. Although I can't be sure if it is malware, .tmp
files can be deleted at any time so delete it anyhow. (I
recently removed spyware from another computer and a .tmp
file was hijacking the home page)
9. If any files will not allow you to delete them, bring
up task manager (press ctrl-alt-del) and navigate to the
"processes" tab and be sure that the file that you are
trying to delete is not running. (So if intel32.exe will
not be deleted, check the process list for that name) if
it is running, select it and hit "end process" Then try
to delete the file again.


Part two - Removing the registry keys relating to those
files

10. Now that all the files are gone, close "Windows
explorer" and get back to the desktop.
11. Choose "Start" then "run" and this time open "regedit"
12. On the left-hand side of the screen, there is a tree
view with "My computer" at the top. Select it.

At this point you should back up the registry by
following the instructions at the bottom of this
message's text.

13. Click the "edit" menu and then choose "find". Search
for "intel32.exe" and be sure all the check boxes in
the "look at" panel are checked while "match whole string
only" is unchecked.
14. When the program finds any key matching your search,
it will highlight it. Delete any matching keys by
pressing "delete" on the keyboard when they are still
highlighted. Once you delete a key, press F3 and repeat
this step till you get a "Finished searching through the
registry" message.
15. Go back and repeat steps 13 and 14 but search for the
file "hookdump.exe" and upon completion, search
for "hp566d.tmp".
16. Close the registry editor.


Part three - Resetting your browser and other settings

17. While still in safe mode, open Microsoft
AntiSpyware. You should be able to by clicking "start"
then "programs" and then by looking for a "microsoft
AntiSpyware" program group.
18. In the main window, click "Advanced tools". Then
click "browser restore"
19. Click the "check all" thingy near the bottom of the
window and press the "restore" button. Once
MSAntiSpyware confirms it's done, close the window.
20. You should now be at your desktop again. Click the
start menu and shut down your computer.
21. If you have an always-on internet connection, turn
off the modem. If you have dial-up, be sure that when
you boot your computer in the next step, you do NOT allow
it to connect to the internet.
22. Turn your computer back on and let it start up
normally. Log on as your main account with administrator
privileges.
23. Take a moment to see if your computer is behaving
normally once more. Please note that your wallpaper may
be changed and that doesn't mean you still have spyware.
If there are any settings you want to change, do so now.
If you are able to change them permanently, then you are
probably in the clear.
24. Open internet explorer while you are still
disconnected from the internet. Click the "tools" menu
and then "internet options"
25. Click the "delete files" button, check the box in the
window that comes up, and press OK. You also may want to
change your homepage.
26. Click the "security" tab and click the "internet"
icon. Then click "default level". Do this for the other
3 icons as well.
27. Click the "Privacy" icon and set the slider
to "medium High". If you have trouble viewing sites
later on, go change it to "medium" but you shouldn't have
trouble.
28. Click the "ok" button and close Internet explorer.


Part four - Prevent yourself from getting the junk over
again.

29. Open your internet connection. Once you are
connected, immediately go to "www.windowsupdate.com" in
internet explorer even if you usually use another browser
for internet access. Download all Critical updates by
following the instructions. This would be the "express"
install. You may have to restart after doing this, but
if you do, it will tell you so. Also, if Windows Update
tells you to install a service pack, you should know that
doing that is risky, so if you decide to do it, back up
your files first. Any other updates, download no matter
what. :)
30. I saw that you had McAfee's antivirus program on your
computer. Open it now and be SURE THAT ITS VIRUS
SIGNATURES ARE UPDATED. If they are not and you can't
seem to update them for an unknown reason, try
uninstalling and re-installing the program.


Hopefully this helps ya out. You can email me at
(e-mail address removed), but be sure to put a good subject
line in cuz I get so much stupid spam and I may miss the
message. You can also IM me using my AIM sn: ABeakyboy
and my MSN id: (e-mail address removed)






-----Instructions for backing up the registry-----
In the registry editor, choose "file" and then "export"

In the window that comes up, change the "export range"
to "all" if it is not already set to that.

Navigate to the C: drive and type a file name (anything
with just letters will do)

Press "save" and you're done.



-----Original Message-----
Ok, just a follow-up

I see your browser has been hijacked by
www.oneclicksearches.com


These are the three malware entries i found in your log.
I can't be sure that these are the only entries however.



O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp566D.tmp

I can't be sure that this is a bad entry because Google
wouldn't give me anything on it, but I'm pretty sure cuz I
just did my neighbor's computer (it had a ton of spyware
too) and there was a .tmp file hijacking the browser.



O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe

O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

These two are bad ones for sure.



Can I chat with you on instant messaging or get your
email? It may make things easier. I'm going to write up
some instructions on how to get rid of these things just
give me a bit of time.




-----Original Message-----
Well, I'm not entirely a pro at removing spyware, but I
can give it a shot. Ok well, I'm gonna start doing
research on some of this stuff, but I kinda need to know
if you know how to do things like searching for exes,
restarting in safe mode, and editing the registry. That
way I know what I need to explain or not.


Ok *goes to look at log file*



Bill Sanderson

Killbox will allow you to delete or rename files which are otherwise
"busy"--i.e. you can't do anything to them because the spyware is active,
perhaps even in safe mode.


Aaron

oooo cool! I'm going to download that for my tool
collection right now! Thanks.



AndyManchesta

Hi Aaron ,

Just saw your question. It's what Bill says: Killbox is
great for files that just don't want to quit and it's an
easier way to make sure they go first time.

The user who posted the log does have serious problems;
this isn't an easy fix, so that's why I wanted to post some
help.

It looks like they have a trojan running that's opened a
backdoor on the PC; this allows the attacker to control the
PC and perform whatever they wish.

This isn't easy to get around except just to go for it and
deal with any problems as they come up. If it's the trojan I
think it is then it adds itself to different areas of
the registry so that it runs when Windows starts, runs when you
open Notepad etc.. It also injects itself into Internet
Explorer so that it runs when you use that, so there isn't a
simple fix.

Maybe they got the help they need from somewhere else, but
it's not the sort of thing they want to allow to continue
or it's going to get worse, and knowing that a backdoor had
been opened, if they cannot fix it then they need to format
and reinstall Windows.

Trying to fix it is always the first step but you cannot make
any guarantees when you're dealing with something like this.

About the [yahoopager]1 entry, I know the official entry is
genuine but their log doesn't have a path to the file on the
C: drive, which is suspicious, but like I said the user would
know if they have yahoopager starting when they boot so
only they can answer that.

Hopefully they found the fix they need

Andy
 

Aaron

Yeah, I doubt it will be as simple as what both you and I
posted. But hey, that's all that can be done without
actually looking at it or getting a response. Hopefully,
deleting the exes in safe mode will kill the stuff, but
somehow, I doubt it. Anyways, it was fun trying to
figure out how to get rid of the junk. (I like fixing
computers) I'm going to use some of your advice for
future malware killing because some of it seems much
simpler than actually deleting all of it manually. Well
it was nice comparing strategies :) I'd practice this
more often, but there is a strange practice in my
neighborhood. People just live with spyware on their
systems; it's only when it gets so bad that the thing
freezes is when they want help and by then, it's usually
too late to do anything except a fresh XP/whateverOS
install. Oh well, at least mine are fast :D


~Aaron~
 

AndyManc

SmitRem should not be used!!

It causes irreversible damage. I trusted the author and
included it in the fix as he is an MS MVP and has his own
site, but I've tested it on my system and it's screwed it
up. I've written to the author but he has not responded, so
all I can say is do not use it or repost his link anywhere!

Any comments or questions should be sent to the author of
the batch file (e-mail address removed)

or through his site http://www.windowsbbs.com/

Sorry for posting this without testing it myself first, but
there needs to be a bit of trust when you're dealing with
problems, and I believe now his fix tool is dangerous so
wanted to repost.

At present I cannot uninstall Service Pack 2; it's saying
file not found. I cannot do a repair as I have XP on disc
and XP SP2 installed. The bar at the bottom of the
screen, which should be blue, is now gray, the same as it
appears in safe mode. My restore points have all failed and
cannot restore to an earlier date etc.. etc.. etc..

Time for a format and fresh install I think, but I wanted
to let people know about this bat file just so it's not
reposted anywhere. It's not a problem for the user with
AVgold problems and the backdoor trojan as a reinstall is
probably best for them anyway, but even so I'm really
shocked at this file and its author.

Thanks Andy
 

AndyManchesta

I've sorted out my problems and it's not caused by SmitRem,
which is a relief. I thought I'd posted some dangerous
advice so wanted to let people know there was a problem,
at least till I had spoken to the author of the file.

I think I've just taken a few problems and related them to
SmitRem, which is a bit unfair to him. I worked out the
desktop problem was just because it had been changed to a
modified theme, which was fixed easily enough.

I'm not sure why I cannot uninstall SP2 or why all my
restore points have gone corrupt, but it's safe to say this
isn't caused by SmitRem. I've checked the bat file with
Notepad and it has nothing to do with my problems with
System Restore or SP2 as it doesn't affect these areas at
all.

I have been testing on some files recently so it could be
due to a lot of reasons, and I will just flush the restore
and can live with SP2 not uninstalling as that's not
advisable anyway.

It was just something I noticed, and with the restore
points not working and the desktop changing I put all
this on SmitRem, but I'm wrong on that, which I know now
after chatting to the author of the file.

I'm sorry for causing any problems but this is a new fix
for AntivirusGold, Smitfraud etc.. so I wanted to test it
myself.

This file is already very popular on HijackThis sites
and I'm not surprised as the author is very talented; you
can clearly see that from reading the bat file, so I
apologise for inferring that it caused my problems.

Go for SmitRem if you have AV Gold problems as it's safe;
it's just me finding problems that are unrelated to
SmitRem, but that's my own fault for playing with malware ;)

Thanks Andy
 

AndyManc

Thanks Bill

I was just putting 2 and 2 together and getting something
like 32, that's how far I'm off on this. I've made a mistake
by questioning his file and have spent the last hour
chatting to him about this (and apologizing ;)

The fix tool put my desktop into a modified theme so I
tried to run the Windows disc thinking there was a fault
or a file missing, but it said the version installed was
newer than the one on disc, so I tried to uninstall SP2 as
a temp measure as I don't have SP2 on disc, but that says
file not found when it starts uninstalling. Then I tried my
restore but every point I tried is corrupt and will not
restore. It's fine now though; once I realised my desktop
had been put into a modified theme I reposted here to
explain I'd made a mistake, and after chatting to its
author, who is both very genuine and very helpful, I
realise any problems I'm having are unrelated to his fix.

I will try the SFC way as it's strange it's saying file not
found when I try to uninstall SP2. It's not that I need to
uninstall it, but it was just something I noticed so
thought it was connected to the fix tool I tested.

To be honest though Bill, I infected myself with Aurora
yesterday to try out a fix using batch files and the cmd
screen, which went great, but I still needed Ewido to find
the random named files. I got rid of it within 30
mins. I cannot blame anyone or a fix tool for causing my
problems; I just noticed the problems after trying the
fix tool, but again I'm sure it's my own fault for playing
with malware files. I've obviously caused some problems
somewhere, but at least everything is now back to normal.
I've created a new restore point and will try SFC scannow,
but I remember last time I tried this it was asking for
files that were not on my original XP disc, because I've
upgraded to SP2 I assume, but will give it another try.

Thanks Bill, just disregard my original response. I was
worried I'd given the user unsafe advice after testing the
fix tool, but I made a mistake so wish I hadn't posted
that till I'd checked out things a bit more.

Thanks Andy
 

AndyManchesta

After reading a few sites I found that unless this file
has been archived when installing SP2 then it's not
possible to uninstall it:

C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe

So I'm happy that I don't have any problems at all
now, just some corrupt restore points, which is not
anything to worry about.

Thanks for your advice Bill, but I just made a mistake
with this I think, so I'm happy to repost SmitRem now to
anyone who has PSguard, Smitfraud or Antivirus Gold
problems as it seems a great fix tool. I was just worried
because this was the first one where I'd posted a fix tool
I hadn't tested myself, so didn't want to add to their
problems, but I know now the fix I posted was fine after
testing and working through my problems.

Regards

Andy
 
