28 Alarms with positive id. What do I do now?

Discussion in 'Trojan Defence Suite' started by GRAYmatter, Sep 15, 2004.

Thread Status:
Not open for further replies.
  1. GRAYmatter

    GRAYmatter Registered Member

    Joined:
    Sep 15, 2004
    Posts:
    11
    HELP! I've been using a registered full version of TDS-3 for over two years now and haven't had any problems.

    I just ran a full system scan which resulted in 28 alarms with positive ID on the file names and locations.

    Below is a copy of the scan dump. My questions are: is it safe to delete these files, and do I have to delete each file one at a time? Can I delete them by right-clicking in the TDS window, or do I need to follow the path and delete them?

    Any help would be much appreciated. Thank you, fellow TDS-3 users.

    -frankie-
    --------------------------------------------------------------------------
    Scan Control Dumped @ 18:49:59 15-09-04
    RegVal Trace: RAT.Imiserv: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Win Server Updt=C:\WINDOWS\wupdt.exe]

    Positive identification: TrojanDownloader.Win32.PurityScan.e
    File: c:\documents and settings\fgray\application data\snoe.exe

    Positive identification: Adware.180Solutions.j
    File: c:\documents and settings\fgray\local settings\temp\delb.tmp

    Positive identification: TrojanDownloader.Win32.Agent.ab
    File: c:\documents and settings\fgray\local settings\temporary internet files\content.ie5\lc8vhtcx\thnall1t[1].exe

    Positive identification (in archive): TrojanDownloader.Win32.INService.h
    File: awi.exe (In c:\program files\application downloads\key gen zip files\crack[1].cd-adobe_photoshop_cs_keygen_activation.zip)

    Positive identification: TrojanDownloader.Win32.INService.h
    File: c:\program files\application downloads\key gens\photoshop cs activation keygen\awi.exe

    Positive identification (DLL): Adware.MiniBug (dll)
    File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc5\weatherbug\minibugtransporter.dll

    Positive identification (DLL): Adware.ToolBar.SideFind BHO (dll)
    File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\sfbho.dll

    Positive identification (DLL): Adware.ToolBar.SideFind (dll)
    File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\sidefind.dll

    Positive identification: TrojanDownloader.Win32.IstBar.fg
    File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\update\sidefind.exe

    Positive identification (DLL): RAT.Agent.aq1 (dll)
    File: c:\windows\1090297506.dll

    Positive identification: TrojanDownloader.Win32.Alchemic
    File: c:\windows\alchem.exe

    Positive identification: Adware.Elitebar.a
    File: c:\windows\gx9fzj83m9.exe

    Positive identification (DLL): Adware.180Solutions.g (dll)
    File: c:\windows\msbbhook.dll

    Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.cr (dll)
    File: c:\windows\nem219.dll

    Positive identification: TrojanDownloader.Win32.Agent.ae
    File: c:\windows\polall1t.exe

    Positive identification: TrojanDownloader.Win32.Agent.ae
    File: c:\windows\polmx3.exe

    Positive identification: Adware.BiSpy.f
    File: c:\windows\preinstt.exe

    Positive identification (DLL): Adware.IMI (dll)
    File: c:\windows\systb.dll_tobedeleted

    Positive identification (DLL): Adware.BiSpy.c (dll)
    File: c:\windows\twaintec.dll

    Positive identification (DLL): TrojanSpy.Win32.Briss.g (dll)
    File: c:\windows\downloaded program files\bridge.dll

    Positive identification (DLL): TrojanDownloader.Win32.IstBar.fa (dll)
    File: c:\windows\downloaded program files\istactivex.dll

    Positive identification (DLL): TrojanSpy.Win32.Briss.g1 (dll)
    File: c:\windows\downloaded program files\jao.dll

    Positive identification (embedded in file): TrojanDownloader.Win32.PurityScan.e
    File: c:\windows\downloaded program files\mediaticketsinstaller.ocx

    Positive identification (DLL): Adware.PurityScan.i Dropper (dll)
    File: c:\windows\downloaded program files\mediaticketsinstaller.ocx

    Positive identification (DLL): Adware.Toolbar.Elitebar.a (dll)
    File: c:\windows\downloaded program files\v2.dll

    Positive identification: Trojan.Win32.ShowAds
    File: c:\windows\system32\explorer.exe

    Positive identification (DLL): TrojanDownloader.Win32.PurityScan.f (dll)
    File: c:\windows\system32\pnvsppr.dll
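    An added example (not from the thread or from DiamondCS) that parses the TDS-3 scan dump format above and sorts the hits by where they sit on disk, which is what decides how each one is removed: hits under c:\recycler are already in the Recycle Bin, hits under Temp or Temporary Internet Files go with the cache cleanup, and anything under C:\WINDOWS or System32 has to be deleted by path. It also flags a well-known system binary found outside its expected directory; the dump above has one, c:\windows\system32\explorer.exe, while the real shell is C:\WINDOWS\Explorer.EXE (it shows up in the HijackThis process list later in this thread). The EXPECTED_DIR table and the location classes are this example's own assumptions, and SCAN_DUMP is a constructed excerpt of the dump posted above.

```python
import re
from collections import Counter

# Constructed excerpt of the TDS-3 "Scan Control" dump posted above; the five
# entries are copied from the thread so the parser runs on the real format.
SCAN_DUMP = r"""
Positive identification: TrojanDownloader.Win32.PurityScan.e
File: c:\documents and settings\fgray\application data\snoe.exe

Positive identification (in archive): TrojanDownloader.Win32.INService.h
File: awi.exe (In c:\program files\application downloads\key gen zip files\crack[1].cd-adobe_photoshop_cs_keygen_activation.zip)

Positive identification (DLL): Adware.ToolBar.SideFind (dll)
File: c:\recycler\s-1-5-21-527237240-2139871995-682003330-1005\dc7\sidefind.dll

Positive identification: Trojan.Win32.ShowAds
File: c:\windows\system32\explorer.exe

Positive identification (DLL): TrojanDownloader.Win32.PurityScan.f (dll)
File: c:\windows\system32\pnvsppr.dll
"""

ID_RE = re.compile(r"^Positive identification(?: \((?P<kind>[^)]*)\))?: (?P<name>.+)$")
FILE_RE = re.compile(r"^File: (?P<path>.+?)(?: \(In (?P<archive>.+)\))?$")

# Assumption of this example, not from the page: the real Windows shell on XP
# lives in %SystemRoot% (the HJT log in this thread shows C:\WINDOWS\Explorer.EXE
# running), so a same-named binary in any other directory is a look-alike.
EXPECTED_DIR = {"explorer.exe": "c:\\windows"}


def parse_dump(text):
    """Pair each 'Positive identification' line with the 'File:' line that follows it."""
    hits, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ID_RE.match(line)
        if m:
            pending = (m.group("kind") or "file", m.group("name"))
            continue
        m = FILE_RE.match(line)
        if m and pending:
            kind, name = pending
            hits.append({"kind": kind, "name": name,
                         "path": m.group("path"), "archive": m.group("archive")})
            pending = None
    return hits


def location_class(path):
    """Where on disk the hit sits, which decides how it is removed (example's own classes)."""
    p = path.lower()
    if p.startswith("c:\\recycler\\"):
        return "recycle bin"            # already deleted; emptying the bin removes it
    if "\\temporary internet files\\" in p or "\\local settings\\temp\\" in p:
        return "browser/temp cache"     # goes with the temp/cache cleanup steps
    if "\\downloaded program files\\" in p:
        return "ActiveX (Downloaded Program Files)"
    if p.startswith("c:\\windows\\system32\\"):
        return "system32"
    if p.startswith("c:\\windows\\"):
        return "windows dir"
    return "user/other"


def triage(hits):
    """Count hits per location and flag system binaries outside their expected folder."""
    by_location = Counter()
    masquerade = []
    for h in hits:
        on_disk = h["archive"] or h["path"]   # archive members are located by their container
        by_location[location_class(on_disk)] += 1
        if not h["archive"]:
            folder, _, base = on_disk.lower().rpartition("\\")
            expected = EXPECTED_DIR.get(base)
            if expected and folder != expected:
                masquerade.append(h["path"])
    return {"by_location": by_location, "masquerade": masquerade}


if __name__ == "__main__":
    result = triage(parse_dump(SCAN_DUMP))
    for loc, n in sorted(result["by_location"].items()):
        print(f"{n:2d}  {loc}")
    for path in result["masquerade"]:
        print("look-alike system binary:", path)
```

    Run it on the full dump and the recycler and temp entries fall out of the "delete by path" work straight away; the masquerade list is the one to treat with care, because a file called explorer.exe in System32 is not the shell that is running.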
     
  2. FanJ

    FanJ Guest

    Hi GRAYmatter,

    Please allow me to ask a question:
    Did you download/install a crack...?
     
  3. GRAYmatter

    GRAYmatter Registered Member

    Joined:
    Sep 15, 2004
    Posts:
    11
    As a matter of fact, YES I did. Although it was a month or so back.

    I take it that's a bad thing, right?

    -frankie-
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Most of those should delete no problem; make sure IE isn't running. Safe Mode may be needed, or use AdAware or Spybot (most of that is adware).

    This thread explains how to use AdAware and Spybot; it seems like you need them! Some browser security would go a long way to stop this happening again too.
    https://www.wilderssecurity.com/showthread.php?t=15913
     
  5. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, GRAYmatter

    :oops: :eek: :D :D :rolleyes:.

    Take Care,
    TheQuest :cool:
     
  6. GRAYmatter

    GRAYmatter Registered Member

    Joined:
    Sep 15, 2004
    Posts:
    11
    Thank you for the reply, Gavin.

    I'm usually pretty good about utilizing both AdAware and Spybot, but I guess I've been slacking in keeping up with my scans.

    Thank you for the link as well. It confirmed that I was at least using the right apps to keep spyware- and trojan-free.

    -frankie-
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hope your exec protection blocked files from executing and prevented more disasters too. Think your HijackThis log would show lots too.
    The only thing I don't understand is, if you had that download several weeks ago, why you now see all those positive identifications for the first time. Guess scanning the download should have informed you already. So you see, downloads can come with a price and some extras.
     
  8. GRAYmatter

    GRAYmatter Registered Member

    Joined:
    Sep 15, 2004
    Posts:
    11
    Hello DiamondCS Support & Moderators,

    I am following up as per the directions/suggestions sent to me in this post reply and in the email sent to me from my file submission.

    I have run an AdAware 6 Plus scan as well as a SpyBot scan. I am also including below the results of the HijackThis scan log.

    I am aware of the forum rules about HijackThis scan log reviews, but I am only following the directions as suggested to me, to both send it for review via email as well as within the original post.

    I apologize if I somehow misunderstood what I was directed to do.

    Thanks again for your help and I look forward to a response.

    Regards,

    -Frankie-

    --------------------------------------------------------------------------

    Logfile of HijackThis v1.98.2
    Scan saved at 8:06:33 PM, on 9/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\zyheet.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Application Downloads\HijackThis1982.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R3 - Default URLSearchHook is missing
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11971b80e40961cc9514/netzip/RdxIE601.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O21 - SSODL: System - {A45AB5BB-A284-4488-89FA-2A0FA6BF0E03} - C:\WINDOWS\system32\system32.dll (file missing)
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yeah Frankie, you did as asked.
    Unfortunately I am no expert; I do see a few things which I need to google what they are, so I do hope in the meantime others are able to comment.
    A few general comments would be:
    make sure you move the HJT exe to a folder of its own, as it will place backups from possible fixes in the same folder.
    Where files are missing I guess those could be fixed, but do it all together with possible other suggested fixes if there are any.
    Are there any files you don't recognise yourself?

    Those lines with http://searchmiracle.com/sp.php need fixing.
    TkBellExe can be considered spyware by Real.
    Any idea what this is?
    O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe ?
     
    Last edited: Sep 18, 2004
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Off-topic post by TDSfan, removed.
     
  11. GRAYmatter

    GRAYmatter Registered Member

    Joined:
    Sep 15, 2004
    Posts:
    11
    Thanks for the reply, Jooske.

    Yes, I know... quite a mess this time around. I think I've gotten control of things, but I'm still having a hard time trying to fix these below. Tried to delete them with HJT, but that didn't work. Any suggestions?

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

    And as for the file, O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe, I can't figure out what this is. It won't delete and it's a locked file when TDS-3 scans it. Totally puzzled.

    I also followed your suggestion as to putting HJT in its own folder. Thanks for the tip. If you should happen to have any further suggestions or possible fixes, all would be greatly appreciated.

    Thanks and take care...

    frankie
     
  12. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
  13. FanJ

    FanJ Guest

    Hi Frankie,

    Have you tried to run a full system scan with TDS-3 while you are in Safe Mode?
    (please, at that moment, no AVG resident!)
    It could take some time, so make yourself a coffee ;)
     
  14. Why?

    Why? Guest

    Why are you helping someone who steals software?
     
  15. FanJ

    FanJ Guest

    Hello,

    Anyone who knows me knows that I don't like stealing software; there cannot be any doubt about that.

    But please consider that there is always a chance that people learn from this.
    It isn't the first time that someone learned a lesson the hard way and thinks to him/herself, "Hmmm, if all this mess on my PC is the price I have to pay, I'd better change the way I was doing things".

    If that would happen in this case too, I really would be happy ! :)

    So the message to Frankie is : it's up to you, Frankie ;)
    Please think about what might have caused this on your machine...

    And as a side-note:
    What could have caused sooo many people asking for help with HJT-logs?
    No, I'm definitely not saying that every one of them was installing cracks.
    But it is one of the reasons, together with visiting porn and other sites unprotected, and lots of other reasons.


    I DO hope that Frankie's PC can be cleaned !!!

    Peace

    Regards, Jan.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Can you find out in the properties anything more about the zyheet.exe, moment of creation or modification, etc.? In Windows Search/Find I try to look for more files of the same date on which the folder it's in or the file was modified, which might give a clue. If you don't trust it, please submit it.

    Going back to an older restore point is no option for you?

    You'll have to fix the DPF for that search thing too, or it would install itself again after you fixed the R1 lines.


    Like I said, during the scans AVG really needs to be closed completely:
    open the GUI and uncheck all there is, so the systray icon greys out. Then use your scanners, http://housecall.antivirus.com and all the rest.
    If you check the zyheet.exe file at www.kaspersky.com/remoteviruschk.html, does it beep on it?
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    First download CWshredder from http://www.thespykiller.co.uk and put it on the desktop as you will need to run it a bit later on

    Before going any further please copy these files (if they all exist; don't worry if any are missing), zip them and send to submit@diamondcs.com.au with a short note referring to this thread

    C:\WINDOWS\mxTarget.dll
    C:\WINDOWS\system32\system32.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\System32\zyheet.exe

    and as they weren't found by adaware either please also submit them to adaware http://www.lavahelp.net/submit/

    Now once you have sent them off this will hopefully fix your problem

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R3 - Default URLSearchHook is missing
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11971b8...ip/RdxIE601.cab
    O21 - SSODL: System - {A45AB5BB-A284-4488-89FA-2A0FA6BF0E03} - C:\WINDOWS\system32\system32.dll (file missing)

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    now Run CWSHREDDER
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


    then

    Delete these files
    C:\WINDOWS\mxTarget.dll
    C:\WINDOWS\system32\system32.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\System32\zyheet.exe

    then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it (repeat for every user name/account )

    and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well and everything in C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware SE from http://www.lavasoft.de/support/download


    and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml

    and run it before the main adaware scan and follow it's directions

    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R8 13.09.2004 or a higher number/later date
    Then ........
    click the "Scan" button. and select full scan

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop-down menu), then press next and then say yes to the prompt, "do you want to remove all these entries". You can safely ignore any MRU entries though and not delete them

    reboot again

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/

    reboot again

    it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then post a new hijackthis log to check what is left
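    An added example (not from the thread, from HijackThis or from DiamondCS) that applies dvk01's fix list and Jooske's earlier warning about the DPF line to the log itself: it parses the HijackThis entries, finds any host that appears as a search hijack (R1), a Trusted Zone entry (O15) and an ActiveX download (O16) at the same time, which is the combination that lets searchmiracle.com install itself again after only the R1 lines are fixed; flags O4 Run entries whose value name is unrelated to the binary they start when that binary lives under C:\WINDOWS (the [lxitkaxh] / zyheet.exe pair); and lists entries whose file or hook is missing (the O3, O21 and R3 lines). The "unrelated name" rule is a heuristic of this example, not a HijackThis rule, and HJT_LOG is a constructed excerpt of the log posted earlier in the thread.

```python
import re

# Constructed excerpt of the HijackThis 1.98.2 log posted earlier in this
# thread; the lines are copied from it so the checks run on the real format.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lxitkaxh] C:\WINDOWS\System32\zyheet.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11971b80e40961cc9514/netzip/RdxIE601.cab
O21 - SSODL: System - {A45AB5BB-A284-4488-89FA-2A0FA6BF0E03} - C:\WINDOWS\system32\system32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx)", re.I)
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<rest>.*)")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; non-entry lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def hosts_by_section(entries):
    """Hosts named by the search-hijack (R1), Trusted Zone (O15) and ActiveX download (O16) lines."""
    hosts = {"R1": set(), "O15": set(), "O16": set()}
    for sec, body in entries:
        if sec in ("R1", "O16"):
            hosts[sec].update(h.lower() for h in HOST_RE.findall(body))
        elif sec == "O15":
            host = body.split("Trusted Zone:", 1)[-1].strip()
            hosts[sec].add(host.lower().lstrip("*."))
    return hosts


def suspicious_run(entries):
    """O4 Run entries whose value name has nothing to do with the binary it starts
    and whose binary lives under C:\\WINDOWS. Heuristic of this example, not a
    HijackThis rule; entries such as [NeroCheck] -> NeroCheck.exe pass."""
    flagged = []
    for sec, body in entries:
        if sec != "O4" or "Run:" not in body:
            continue
        m = RUN_RE.search(body)
        p = PATH_RE.search(m.group("rest")) if m else None
        if not p:
            continue
        name = re.sub(r"[^a-z0-9]", "", m.group("name").lower())
        stem = p.group(0).rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        related = name in stem or stem in name
        in_sysroot = p.group(0).lower().startswith("c:\\windows\\")
        if in_sysroot and not related:
            flagged.append(f"{sec} - {body}")
    return flagged


def missing_or_orphaned(entries):
    """Entries whose target file is gone or whose hook is missing: an orphaned
    loader (O3/O21) or a default search hook that a hijacker removed (R3)."""
    return [f"{sec} - {body}" for sec, body in entries
            if "(no file)" in body or "(file missing)" in body or body.endswith(" is missing")]


def analyze(text):
    entries = parse_hjt(text)
    hosts = hosts_by_section(entries)
    return {
        # A host in all three sections can put the R1 lines back after they are fixed.
        "reinstall_chain": sorted(hosts["R1"] & hosts["O15"] & hosts["O16"]),
        "suspicious_run": suspicious_run(entries),
        "missing_or_orphaned": missing_or_orphaned(entries),
    }


if __name__ == "__main__":
    for key, items in analyze(HJT_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

    The point of the first check is the one Jooske made above: fixing the four R1 lines on their own is not enough while the O15 and O16 lines for the same host are still there, so all three have to go in the same pass, which is why dvk01's list ticks them together. The Run-entry heuristic is deliberately loose and is a prompt for a human to look at the file, not a verdict.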
     
  18. FanJ

    FanJ Guest

    Thanks a lot Derek for jumping in !!!!! :D
    We needed an HJT expert advice :)

    Warm regards, Jan.
     
  19. ?Dudex

    ?Dudex Guest

    Dump your XP restore file - it is full of whatever infected you. Reboot
    without a restore file ( you should have a recent "data" backup - if needed ) -
    Then run :
    1. Full Deep Virus Scan (update definition files first)

    2. You can try Ad-Aware SE Pro, Spybot or Pest Patrol Corporate
    ( personally I prefer Giant AntispyWare over ALL OF THE ABOVE )

    I run Outpost Pro 2.1.303.4009 (313) with TDS3 Pro, McAfee VirusScan Pro, BlackICE Server Protection 3.6cns version 3.6.319, Spybot (just
    to protect my browser and startups) and Giant AntiSpyware - all peacefully coexisting and protecting my happy arse.

    Hope this helps.

    (Been on the net before Mosaic was developed - when Yahoo was just a .txt file on a university computer server accessed only by telnet.)

    DudeX
     
  20. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    LIFE RULE #2:
    Stealing = BAD KARMA ( ALWAYS )
     
  21. GRAYmatter

    GRAYmatter Registered Member

    Joined:
    Sep 15, 2004
    Posts:
    11
    Hello fellow TDS forum members & moderators,

    Thank you everyone for all your help and guidance in resolving my spyware dilemma. I'm sorry to have not posted sooner, but I've been dealing with a few health issues. (All is good though)

    I think I've managed to finally get my computer clean. I also figured out why some of the harmful files were not being removed. Along with AdAware I was also running AdWatch which was set to block all changes in the registry and a few other places. Once I turned the monitoring off, everything seemed to get corrected, including the mysterious zyheet.exe file.

    To all moderators, I did submit that file on my second tds full system scan for your review and testing.

    As a matter of reference for all others newly reading this post, the information from moderators Jooske, FanJ, dvk01 and Gavin at DiamondCS was extremely helpful if followed carefully. Other contributing posts of great benefit were from forum members Dudex and gerardwil.

    For those of you running HijackThis needing your scan logs to be evaluated quickly, the site gerardwil posted was not only easy to use and understand, but made the decision to separate the harmful files from the needed files a safe choice. http://hijackthis.de/index.php?langselect=english

    There's a lot of help and much to learn within the posts of this thread. And yes, to all concerned that I downloaded a crack, potentially stealing software, I've learned my lesson.

    Thanks again to all who offered help.

    Frankie
     