28 Alarms with positive id. What do I do now?

HELP! i've been using a registered full version tds-3 for over two years now, and haven't had any problems.

i just ran a full system scan which resulted in 28 alarms with positive id on the file names and locations.

below is a copy of the scandump. my questions are, is it safe to delete these files and do i have to delete each file one at a time? can i delete them by right clicking in the tds window or do i need to follow the path and delete them?

any help would be much appreciated. thank you fellow tds-3 users.

-frankie-
--------------------------------------------------------------------------
Scan Control Dumped @ 18:49:59 15-09-04
RegVal Trace: RAT.Imiserv: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Win Server Updt=C:\WINDOWS\wupdt.exe]

Positive identification: TrojanDownloader.Win32.PurityScan.e
File: c:\documents and settings\fgray\application data\snoe.exe

Positive identification: Adware.180Solutions.j
File: c:\documents and settings\fgray\local settings\temp\delb.tmp

Positive identification: TrojanDownloader.Win32.Agent.ab
File: c:\documents and settings\fgray\local settings\temporary internet files\content.ie5\lc8vhtcx\thnall1t[1].exe

Positive identification (in archive): TrojanDownloader.Win32.INService.h
File: awi.exe (In c:\program files\application downloads\key gen zip files\crack[1].cd-adobe_photoshop_cs_keygen_activation.zip)

Positive identification: TrojanDownloader.Win32.INService.h
File: c:\program files\application downloads\key gens\photoshop cs activation keygen\awi.exe

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc5\weatherbug\minibugtransporter.dll

Positive identification (DLL): Adware.ToolBar.SideFind BHO (dll)
File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\sfbho.dll

Positive identification (DLL): Adware.ToolBar.SideFind (dll)
File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\sidefind.dll

Positive identification: TrojanDownloader.Win32.IstBar.fg
File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\update\sidefind.exe

Positive identification (DLL): RAT.Agent.aq1 (dll)
File: c:\windows\1090297506.dll

Positive identification: TrojanDownloader.Win32.Alchemic
File: c:\windows\alchem.exe

Positive identification: Adware.Elitebar.a
File: c:\windows\gx9fzj83m9.exe

Positive identification (DLL): Adware.180Solutions.g (dll)
File: c:\windows\msbbhook.dll

Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.cr (dll)
File: c:\windows\nem219.dll

Positive identification: TrojanDownloader.Win32.Agent.ae
File: c:\windows\polall1t.exe

Positive identification: TrojanDownloader.Win32.Agent.ae
File: c:\windows\polmx3.exe

Positive identification: Adware.BiSpy.f
File: c:\windows\preinstt.exe

Positive identification (DLL): Adware.IMI (dll)
File: c:\windows\systb.dll_tobedeleted

Positive identification (DLL): Adware.BiSpy.c (dll)
File: c:\windows\twaintec.dll

Positive identification (DLL): TrojanSpy.Win32.Briss.g (dll)
File: c:\windows\downloaded program files\bridge.dll

Positive identification (DLL): TrojanDownloader.Win32.IstBar.fa (dll)
File: c:\windows\downloaded program files\istactivex.dll

Positive identification (DLL): TrojanSpy.Win32.Briss.g1 (dll)
File: c:\windows\downloaded program files\jao.dll

Positive identification (embedded in file): TrojanDownloader.Win32.PurityScan.e
File: c:\windows\downloaded program files\mediaticketsinstaller.ocx

Positive identification (DLL): Adware.PurityScan.i Dropper (dll)
File: c:\windows\downloaded program files\mediaticketsinstaller.ocx

Positive identification (DLL): Adware.Toolbar.Elitebar.a (dll)
File: c:\windows\downloaded program files\v2.dll

Positive identification: Trojan.Win32.ShowAds
File: c:\windows\system32\explorer.exe

Positive identification (DLL): TrojanDownloader.Win32.PurityScan.f (dll)
File: c:\windows\system32\pnvsppr.dll

 

Hi GRAYmatter,

Please allow me to ask a question:
Did you download/install a crack...?

 

as a matter of fact, YES i did. although, it was a month or so back.

i take it that's a bad thing, right?

-frankie-

 

Most of those should delete no problems, make sure IE isn't running. Safe Mode mode be needed or use AdAware or Spybot (most of that is adware)

This thread explains how to use AdAware and Spybot, it seems like you need them ! Some browser security would go a long way to stop this happening again too
https://www.wilderssecurity.com/showthread.php?t=15913

 

Hi, GRAYmatter

.

Take Care,
TheQuest

 

thank you for the reply Gavin.

i'm usually pretty good about utilizing both adaware and spybot, but i guess i've been slacking in keeping up with my scans.

thank you for link as well. it confirmed that i was at least using the right apps to keep spyware and trojan free.

-frankie-

 

Hope your exec protection blocked files from executing and preventing more disasters too. Think your HiJackThis log would show lots too.
Only what i don't understand if you had that download several weeks ago why then now for the first time you see all those positive identifications. Guess your scanning the download shoyuld have informed you already. So you see downloads can come with a price and some extras.

 

Hello DiamondCS Support & Moderators,

I am following up as per the directions/suggestions sent o me in this post reply and in the email sent to me from my file submission.

I have run an AdAware 6 Plus scan as well as a SpyBot scan. I am also including below the results of the HijackThis scan log.

I am aware of the forum rules about HijacThis scan log reviews, but I am only following the directions as suggested to me, to both send it for review via email as well as within the original post.

I apologize if I somehow misunderstood what I was directed to do.

Thanks again for your help and I look forward to a response.

Regards,

-Frankie-

--------------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 8:06:33 PM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\zyheet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Application Downloads\HijackThis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11971b80e40961cc9514/netzip/RdxIE601.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O21 - SSODL: System - {A45AB5BB-A284-4488-89FA-2A0FA6BF0E03} - C:\WINDOWS\system32\system32.dll (file missing)

 

Yeah Frankie, you did as asked for.
Unfortunately i am no expert, i do see a few things which i need to google what they are, so i do hope in the meantime others are able to comment.
Few general comments would be:
make sure you move the HJT exe to a folder of it's own, as it will place backups from possible fixes in the same folder.
Where files are missing i guess those could be fixed, but do it all together with possible other suggested fixes if there are.
Are there any files you don't recognise yourself?

Those lines with http://searchmiracle.com/sp.php need fixing
TkBellExe can be considered spyware by Real.
Any idea what this is?
O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe ?

 

Off-topic post by TDSfan, removed.

 

thanks for the reply jooske,

yes, i know...quite a mess this time around. i think i've gotten control of things but i'm still having a hard time trying to fix these below. tried to delete them with HJT, but that didn't work. any suggestions?

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

and as for the file, O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe i can't figure out what this is. it won't delete and it's a locked file when tds-3 scans it. totally puzzled.

i also followed your suggestion as to putting HJT in it's own folder. thanks for the tip. if you should happen to have any further suggestions or possible fixes, all would be greatly appreciated.

thanks and take care...

frankie

 

Hi Frankie,

For a Hijack tutorial have a look here: http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#RDiag

For your information you can copy and paste your log file here:
http://hijackthis.de/index.php?langselect=english

Take care if you see things you dont know about before deleting them.

Gerard

 

Hi Frankie,

Have you tried to run a full system scan with TDS-3 while you are in Safe Mode ?
(please at that moment no AVG resident !).
It could take some time so make yourself a coffee

 

Why are you helping someone who steals software?

 

Hello,

Anyone who knows me, know that I don't like stealing software; there cannot be any doubt about that.

But please consider that there is always a chance that people learn from this.
It isn't the first time that someone learned a lesson the hard way, and thinks to him/her-self "Hmmm, if all this mess on my PC is the price I have to pay, I'd better change things the way I was doing".

If that would happen in this case too, I really would be happy !

So the message to Frankie is : it's up to you, Frankie
Please think about what might have caused this on your machine...

And as a side-note:
What could have caused sooo many people asking for help with HJT-logs?
No, I'm definitely not saying that everyone of them were installing cracks.
But it is one of the reasons, together with visiting porn- and other sites unprotected, and lots of other reasons.


I DO hope that Frankie's PC can be cleaned !!!

Peace

Regards, Jan.

 

Can you find out in the properties anything more about the zyheet.exe, moment of creation or modification, etc? In windows search/find i try to look for more files of the same date the folder it's in or the file was modified which might give a clue. If you don't trust it please submit it.

Going back to an older restore point is no option for you?

You'll have to fix the DPF for that search thing too or it would install itself again after you fixed the R1 lines.


Like said, during the scans AVG really needs to be closed completely:
open the GUI and uncheck all there is, so the systray icon greys out. Then use your scanners, http://housecall.antivirus.com and al the rest.
If you check the zyheet.exe file at www.kaspersky.com/remoteviruschk.html does it beep on it?

 

Thanks a lot Derek for jumping in !!!!!
We needed an HJT expert advice

Warm regards, Jan.

 

Dump your XP restore file - it is full of whatever infected you. Reboot
without a restore file ( you should have a recent "data" backup - if needed ) -
Then run :
1. Full Deep Virus Scan ( update definifition files first)

2. You can try Adware SE Pro, Spybot or Pest Patrol Corporate
( personally I prefer Giant AntispyWare over ALL OF THE ABOVE )

I run Outpost Pro 2.1.303.4009 (313) with TDS3 Pro, Macafee Virusscan Pro , Blackice Server Protection 3.6cns version 3.6.319, Spybot (just
to protect my browser and startups) and Giant Antispyware - all - peacefully coexisting and protecting my happy arse.

Hope this help.

( been on the net before Mosiac was developed - when yahoo was just a .txt file on a university computer server accessed only by telnet. )

DudeX

 

LIFE RULE #2:
Stealing = BAD KARMA ( ALWAYS )

 

Hello fellow TDS forum members & moderators,

Thank you everyone for all your help and guidance in resolving my spyware dilemma. I'm sorry to have not posted sooner, but I've been dealing with a few health issues. (All is good though)

I think I've managed to finally get my computer clean. I also figured out why some of the harmful files were not being removed. Along with AdAware I was also running AdWatch which was set to block all changes in the registry and a few other places. Once I turned the monitoring off, everything seemed to get corrected, including the mysterious zyheet.exe file.

To all moderators, I did submit that file on my second tds full system scan for your review and testing.

As a matter of reference for all others newly reading this post, the information from moderators Jooske, FanJ, dvk01 and Gavin at DiamondCS was extremely helpful if followed carefully. Other contributing posts of great benefit were from forum members Dudex and gerardwil.

For those of you running HijackThis needing your scan logs to be evaluated quickly, the site gerardwil posted was not only easy to use and understand, but made making the decision to delete the harmful files form the needed files a safe choice. http://hijackthis.de/index.php?langselect=english

There's alot of help and much to learn within the posts of this thread. And yes, to all concerned that I downloaded a crack, potentially stealing software, I've learned my lesson.

Thanks again to all who offered help.

Frankie