 Spyware & Browser Hijack removal & links

TSclawhammer
post Oct 1 2003, 10:45 PM

Source: http://www.neowin.net/articles.php?action=more&id=81

Guide to Removing Spyware

This article is more of a preventive measure than a fix; it will harden Internet Explorer's security while retaining the functionality that IE has.

First, in Tools > Internet Options > Advanced, uncheck "Enable Install On Demand (Internet Explorer)", "Enable Install On Demand (Other)" and "Enable Third-Party Browser Extensions (Requires Restart)", then choose Apply and OK. Also ensure your Internet security setting is at least Medium (unless you know what you are doing and have made it custom).

Go to http://www.windowsupdate.com and make sure you have all the latest updates.

Then download Sun's Java JRE from http://java.com/en/index.jsp (the link you want to hit is the "get it now" in the top right). Running Sun's Java protects you because it has fewer exploited vulnerabilities than Microsoft's Java. Lots of spyware uses holes in Microsoft's Java to install itself, so switching to Sun's closes a lot of holes.

>> Download: Sun Java

Then download Spybot Search and Destroy from http://www.safer-networking.org/, run it and make sure to let it download the newest updates. Now go to Spybot's Immunize function and, under "permanent Internet Explorer immunity", choose Immunize; then, under "permanently running bad download blocker for Internet Explorer", select "ask for blocking confirmation" and choose Install.

>> Download: Spybot S&D

Next, download SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html, run it and ensure it's fully updated. Now choose "Select All" and then hit "Protect Against Checked Items". Just for reference, all the items in red are items that Spybot's Immunize doesn't protect you against; that's why you should use both programs.

>> Download: Spyware Blaster

Both Spybot Search and Destroy's Immunize function and SpywareBlaster are one-time settings; these programs no longer have to be running to keep you from getting infected with the stuff they block. What they do is disallow any ActiveX program that was known to them at the time you immunized from even running. With both Spybot and SpywareBlaster it is important that you check for updates every two weeks or so and re-immunize yourself when new updates are released to stay current. Spybot's other Immunize function ("permanently running bad download blocker for Internet Explorer") installs a BHO that will ask you for permission to block other known bad BHOs from installing. BHOs are really not needed and fairly rare, and most people only have the Adobe Acrobat BHO. You could have set this option to always block, but I chose "ask for blocking confirmation" for those people that use something I do not that uses a BHO.

Now download both DSOstop2 and HTAstop2003 from http://www.nsclean.com/freebies.html and run both of those.

>> Download: DSOstop2. HTAstop2003

In addition, there's another great free utility that you can run, but unlike everything above it has to always be open, just like an antivirus: SpywareGuard from JavaCool. You can download it and run it as well to further increase your security against spyware if you choose. It's available here: http://www.wilderssecurity.net/spywareguard.html

>> Download: Spyware Guard

That should beef things up considerably. Having a good antivirus is also helpful because many of them are starting to add spyware to their definitions; for instance, my McAfee 8 caught that spyware trying to install.

I hope this helps you guys, because these settings are pretty solid but at the same time loose enough that you can still have Active Scripting and ActiveX enabled. Granted, you could disable those as well, but at that point you might as well go download an old version of the Mosaic browser, because it isn't worth using IE with everything disabled.
wallaby
post Oct 1 2003, 10:46 PM

Ad-Aware Personal: freeware adware removal tool
Trojan Defense Suite >> discontinued
Pest Patrol
Free Online Spyware Scanner and Cleaner
Bazooka Adware and Spyware Scanner

HijackThis
A general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.
Download: Hijackthis
View: Homepage
View: Tutorial


CWShredder
A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D and Ad-aware tend to forget essential parts of the hijack, so until they update, you can use this to completely remove the hijack. This program is updated to remove the new variants once they come out.

Download: http://www.trendmicro.com/ftp/products/onl.../cwshredder.exe

This post has been edited by sUBs: Sep 1 2005, 12:04 PM
nexus-
post Oct 2 2003, 03:19 AM

You should scan for spyware about once a week. Also use the Immunize function in Spybot Search & Destroy; it's useful.

Pop-ups can be caused by spyware, but more often than not it is just the websites you are surfing offering them.

You can use Opera and ditch the third-party software to disable nagging pop-ups; it has an option to only open requested pop-ups.

Spyware normally consists of dialers, or just trackers that track your internet usage and then offer you advertisements on their page, tailored by checking your usage statistics.

I doubt you'll need a resident scanner; spyware doesn't pop up that often now, does it? And SpywareBlaster doesn't and can't be resident, because it merely makes your PC "immune" to certain types of spyware.

Remember to always update the software definitions, though...
paladin86
post Jul 1 2004, 03:54 AM

Browser Hijacking

Browser hijacking is a common problem for Internet Explorer users.
The browser has certain bugs that allow people to modify the registry so that it will direct you to some other page.
Browser hijacking is a serious matter, but I learned a few tricks on how to fight off hijacking in no time at all.

Note: in most cases (99%), browser hijacking only happens to IE users.

How do you fall prey to a browser hijacking? There are numerous ways. Here are some common ones:

1. By installing software which changes your browser settings. This may happen with commercial software, but is much more common with freeware or adware.
2. By visiting a site which exploits a browser bug to change settings without your permission.
3. By visiting a site which persuades you to allow your settings to be changed, usually by offering freebies. When you accept the offer, your browser settings are changed or software installed. While such sites may tell you of their intentions, usually it's in the fine print or couched in deceptive terms.

And the worst thing is that spyware removers such as Spybot S&D won't help much in repairing your hijacked browser.

Reclaiming a hijacked browser

These instructions involve editing the registry and other advanced techniques. Do not attempt these procedures without making proper backups (read Backing Up and Restoring the Windows Registry to learn how) and don't attempt them at all if you're not familiar with registry editing.

1. If you've been hijacked, you can reclaim your browser with a bit of work.
If your Control Panel's Internet Options have been disabled, get them back by locating the file control.ini (use Start -> Find/Search to locate it). Open control.ini in Notepad and look for the lines:

[don't load]
inetcpl.cpl=yes


Delete the second of these two lines, close and save the file and reboot your computer.


2. Close any open Internet Explorer windows.
a. Click Start -> Run, type regedit and click OK to open the Registry Editor.
b. Navigate to:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
If you find sub-folders called restricted or control panel, delete them.
Check for the same sub-folders in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer and delete them, too, if they exist. Then close Regedit.

3. If your search pages have been redirected, re-establish the defaults:
a. Open the Registry Editor and navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Change the Search Page value to:
http://home.microsoft.com/access/allinone.asp
and, if it exists, change the Search Bar value to:
http://search.msn.com/spbasic.htm
b. Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL and change the default value to:
http://home.microsoft.com/access/autosearch.asp?p=%s
c. Navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search
Change the SearchAssistant value to:
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
and change the CustomizeSearch value to:
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

4. Reset your home page to your chosen page:
a. In Internet Explorer, choose Internet Options from the Tools Menu and, on the General tab, type in your preferred home page.
b. Do a search for any files with the extension HTA. If you find any such files, open each in turn in Notepad and see whether they contain a reference to the site which has hijacked your browser. Delete any HTA files which contain such a reference.
c. Locate the file HOSTS (it has no file extension) and open it in Notepad. Once again, look for any reference to the hijacking site. If you find any references, delete the lines containing those references.

5.
a. Click Start -> Run -> msconfig and check the programs under the Startup tab. If you find an entry which contains regedit.exe /s disable it, and disable other programs you know to be suspicious.
b. Still in msconfig, click the System.Ini tab and click the + beside [boot] to expand the section. Look for a line reading shell=explorer.exe. The line should read exactly that; delete any following commands, but make sure you leave shell=explorer.exe intact.
Note: If you're using Windows NT, 2000 or XP, this information is contained in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
which should contain the value explorer.exe.
c. Click OK to exit from msconfig and reboot your system.

This post has been edited by acedriver: Jul 1 2004, 12:12 PM
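
A text-only checker for the indicators listed in the procedure above, added here as an example and not part of paladin86's post: it parses control.ini for the hidden Internet Options entry, scans a HOSTS file for lines naming the hijacker or pinning a hostname to a foreign address, checks that the system.ini shell= line or Winlogon Shell value contains only explorer.exe, and picks out startup entries that run regedit.exe /s. It reads text you paste in rather than the live registry, so it runs anywhere. The sample inputs, the placeholder domain example-hijacker.test and the 192.0.2.x addresses are constructed for the demonstration, not captures from a real machine.

```python
"""Text-only audit for the browser-hijack indicators described above.

Added example, not code from the original post. It never touches a live
registry: feed it the text of control.ini, the HOSTS file, the system.ini
"shell=" line (Win9x) or the Winlogon "Shell" value (NT/2000/XP), and the
command lines from msconfig's Startup tab. All inputs below are constructed.
"""
import re


def control_ini_hides_inetcpl(control_ini: str) -> bool:
    """True if control.ini has 'inetcpl.cpl=yes' under [don't load],
    which is what makes Internet Options vanish from Control Panel."""
    section = None
    for raw in control_ini.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, val = line.partition("=")
        if (sep and section == "don't load"
                and key.strip().lower() == "inetcpl.cpl"
                and val.strip().lower() == "yes"):
            return True
    return False


def hosts_entries(hosts: str):
    """Parse HOSTS text into (ip, hostname) pairs; '#' comments are dropped."""
    pairs = []
    for raw in hosts.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def suspicious_hosts_lines(hosts: str, hijacker_domains):
    """Flag HOSTS entries that mention a known hijacker domain, plus any
    hostname other than localhost pinned to a non-loopback address (the
    trick used to send search or antivirus sites to the hijacker's server)."""
    flagged = []
    for ip, name in hosts_entries(hosts):
        mentions_hijacker = any(d in name for d in hijacker_domains)
        pinned_elsewhere = (name != "localhost"
                            and not ip.startswith("127.") and ip != "::1")
        if mentions_hijacker or pinned_elsewhere:
            flagged.append((ip, name))
    return flagged


def shell_value_is_clean(value: str) -> bool:
    """The system.ini [boot] 'shell=' line and the NT Winlogon 'Shell' value
    should name explorer.exe and nothing else; trailing commands are a hijack."""
    v = value.strip()
    if "=" in v:                       # accept "shell=..." or the bare value
        v = v.split("=", 1)[1].strip()
    return v.lower() == "explorer.exe"


_SILENT_REGEDIT = re.compile(r"\bregedit(\.exe)?\s+/s\b", re.IGNORECASE)


def startup_entries_to_disable(entries):
    """Startup command lines that silently re-import a .reg file on every boot."""
    return [e for e in entries if _SILENT_REGEDIT.search(e)]


# ---- constructed samples (not real captures) --------------------------------
SAMPLE_CONTROL_INI = "[don't load]\ninetcpl.cpl=yes\n"
SAMPLE_HOSTS = (
    "# constructed HOSTS sample\n"
    "127.0.0.1   localhost\n"
    "192.0.2.10  www.google.com\n"             # search engine pinned to a foreign IP
    "127.0.0.1   ads.example-hijacker.test\n"  # line naming the placeholder hijacker
)
SAMPLE_SHELL_NT = "explorer.exe"
SAMPLE_SHELL_9X = r"shell=explorer.exe C:\WINDOWS\hijack.exe"   # trailing command
SAMPLE_STARTUP = [
    r"C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe",
    r"regedit.exe /s C:\WINDOWS\hj.reg",
]
HIJACKER_DOMAINS = ["example-hijacker.test"]   # placeholder, not a real hijacker


def audit_samples():
    """Run every check over the constructed samples and return the findings."""
    return {
        "control_panel_hidden": control_ini_hides_inetcpl(SAMPLE_CONTROL_INI),
        "hosts_flagged": suspicious_hosts_lines(SAMPLE_HOSTS, HIJACKER_DOMAINS),
        "shell_nt_clean": shell_value_is_clean(SAMPLE_SHELL_NT),
        "shell_9x_clean": shell_value_is_clean(SAMPLE_SHELL_9X),
        "startup_to_disable": startup_entries_to_disable(SAMPLE_STARTUP),
    }


if __name__ == "__main__":
    for key, value in audit_samples().items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed samples trip every check; on a real box, replace the SAMPLE_* constants with the file contents and the msconfig command lines, and treat each flagged line as something to look at before deleting, as the post's backup warning says.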
fariz
post Sep 2 2004, 12:42 PM

List of fake spyware cleaners
benlye
post Sep 4 2004, 05:54 AM

OK guys... There are a lot of pop-ups when you access certain sites which say:
Your Computer is not safe from Adwares or Spyware! Click here to download
Warning - if your computer has been running slower than usual, it maybe infected with adware or spyware.

Don't believe these links; they are most probably adware or spyware themselves. Just ignore these pop-ups and close them.

One example is the attached picture

This post has been edited by benlye: Oct 4 2004, 09:26 AM


benlye
post Sep 11 2004, 09:17 AM

Ever wonder why, every time you clean your PC using Spybot, you always get infected by DSO Exploit?

This is because there is a hole in Internet Explorer. This vulnerability involves editing the Windows registry to alter values contained within Internet Explorer's Internet Zones configuration.

And Microsoft is not doing anything about it.

Attached here is an application to help protect your computer from these attacks.

For more information, please visit DSO Stop by NSClean.


CLICK THE LINK BELOW TO DOWNLOAD
http://www.nsclean.com/dsostop2.exe

This post has been edited by benlye: Sep 25 2004, 12:52 PM
Ice Czar
post Sep 27 2004, 01:43 AM

When all else fails you can install a trial of
Process Guard
It will then intercept each and every process that tries to start
(generally it's installed on a known clean box and you just approve all these processes).
You can then allow, allow once, disallow or disallow once each process.
This is enough to interrupt the most serious infections, not only spyware but truly serious malware infections.

Of course you need a clean or at least functional box to research which process is which
and then manually root them out (from the GUI, Safe Mode and sometimes the command line of the Recovery Console).

A list of potential startup processes > http://www.aros.net/~zaphod/startups.htm#A
Pest Patrol Research Library > http://www.pestpatrol.com/pestinfo/
Googling individual processes is generally preferable, however.
Default Processes in W2K



How to manually unregister dlls (from Pest Patrol)

UnRegister DLLs

You can use the Regsvr32 tool (Regsvr32.exe) to register and unregister object linking and embedding (OLE) controls such as dynamic-link library (DLL) or ActiveX Controls (OCX) files that are self-registerable.

RegSvr32.exe has the following command-line options:

Regsvr32 [/u] [/n] [/i[:cmdline]] dllname

/u - Unregister server
/i - Call DllInstall passing it an optional [cmdline]; when used with /u, calls DLL uninstall
/n - Do not call DllRegisterServer; this option must be used with /i

When you use Regsvr32.exe, it attempts to load the component and call its DLLSelfRegister function. If this attempt is successful, Regsvr32.exe displays a dialog indicating success. If the attempt is unsuccessful, Regsvr32.exe returns an error message, which may include a Win32 error code.

Example: To unregister Winshow's winshow.dll:

1. Click the Start button, and select Run
2. Enter this command line:

regsvr32 /u [systemroot]\winshow.dll

For example, in a Windows XP machine in which your systemroot was at c:\winnt, you would enter:

regsvr32 /u c:\winnt\winshow.dll

----------------------------------------------------------------------------------------------
from the commandline you can also generally use %systemroot%

Good luck; if a reinstall is the alternative,
be not afraid, and ruthlessly cull registry entries.

The worst you can do is bork the registry,
but it's ideal for you to have multiple backups of your registry
from a known good state: dig out the current infection and then replace
%systemroot%\WINNT\system32\config with your backup.

This post has been edited by Ice Czar: Sep 27 2004, 01:55 AM
lex
post Apr 12 2005, 08:33 PM

QUOTE(seecs @ Mar 30 2005, 11:21 PM)
I need help here... my PC is infected by CnsMin and I can't delete/rename the cnshook.dll and cnsmin.dll files in windows\downloaded program files\.

I have tried to clean it but it restores itself in the registry key even before I reboot. I followed the removal instructions from www.spywareguide.com, but that also failed to clean CnsMin.

Did you click on that website http://www.3721.com/ which I gave?

Dirty bugger, that CNS.DLL... it affects only IE (Idiot Exploiter) but not Mozilla, Firefox or Netscape.

I'm one of the several people who have always advocated the use of alternative browsers, but there are many stubborn people around anyway... so let it be!

In the Command Prompt, type the following commands:

CD \WINDOWS\DOWNLO~1
ATTRIB *.* -H -S
DIR /P

This displays all hidden files in your "Downloaded Program Files" folder. You CANNOT see them under Explorer! You will see the files CnsMin.dll, CnsHook.dll, keepMain.dll and keepmain.cab in there. Those are stubborn files to kill. These cannot be deleted under Safe Mode either, because they make use of the RUNDLL32 service, which locks them from deletion (even in Safe Mode with Command Prompt only!).

You have to boot from your WinXP CD to delete these files (use the "Repair" function).

This post has been edited by lex: Apr 12 2005, 09:20 PM
fariz
post Apr 23 2005, 01:54 PM

QUOTE
FYI

Virus spread by sending itself to MSN Messenger contacts.

Message shows up as:
/13/2005 8:03:45 PM Someguy its you!
4/13/2005 8:03:45 PM Someguy XXXXXX.malignancy.us/gallery/pictures.php?email=myemail@email.com

Where:
XXXXXX = Http://www, but you DON'T WANT TO FOLLOW THAT LINK CAUSE THAT'S HOW IT SPREADS...
and
Someguy = the name of the person sending you the link
and
myemail@email.com = your MSN-linked Email address

If you click on the link, it asks to run a file.
If you select RUN
it installs itself.

It instantly starts sending that same message to each of your contacts. Trying to infect them...
http://castlecops.com/postt116415.html
lex
post Apr 23 2005, 11:17 PM

QUOTE(Darkmage12 @ Apr 23 2005, 11:07 PM)
Hey, about that Wengs adware, if it's so stubborn how do you remove it?

How else... please read my previous post... like this one:
QUOTE(lex @ Apr 23 2005, 10:55 PM)
Boot from the WinXP install CD, and in the Recovery Console... delete that file.

FYI

lex
post Apr 30 2005, 11:03 PM

Anyway, I would like to inform all that a NEW VARIANT of this CNS spyware has been found locally! This one is a BIG cause of CONCERN because...

It is TOTALLY INVISIBLE to all anti-spyware, trojan detectors, RootkitRevealer and HijackThis detection!! It does NOT show up as an NT process, totally hidden... Must be using more advanced rootkit techniques. It does not show any signs of infection either (startups look normal)... everything looks normal. It does not install into the folders that I expect CNS would install to.

I did notice CNS.EXE under the Windows system folder. The tip balloon appeared saying it belongs to "Microsoft", and checking its properties also says owner "Microsoft", but what was suspicious is that all TRUE Microsoft files show "Microsoft Corporation", and not "Microsoft"! It cannot be deleted (even under Safe Mode!).

Using WinXP CD boot-up didn't clean it either (it came back!). Looking around yielded that it installed itself as a WDM device driver, in fact! Inside the Windows System32\Drivers folder, there it was... CnsMinKP.sys. Damn! They are getting smarter all the time!

Just beware! This malware stuff is getting more sophisticated all the time...
sUBs
post May 2 2005, 02:42 PM

QUOTE(shinjite @ May 1 2005, 08:01 PM)
I checked my system; it doesn't have the CNS.EXE or the CnsMinkp.sys posted by lex.
Wooh... lucky!

Simplest way to check would be to fire up IE & do a simple keyword search.

If it doesn't automatically redirect you to a Chinese website, you should be okay.

lex
post Jun 6 2005, 03:29 PM

Adware lop.com is pretty old but also pretty nasty, as it causes random Explorer crashes. Quite difficult (and tricky) to kill; it also resides on the desktop whenever the system starts (even in Safe Mode!).
sUBs
post Jun 22 2005, 02:32 PM

QUOTE(jimmylim85 @ Jun 22 2005, 07:51 AM)
I'm stuck with 2 different pop-up ads... very hard to remove as they can self-regenerate even after removal.

One of the ads came from www.chauxn.com.cn and the other from www.myip.com

Please guide me on how to remove them.
Here's what you can do....

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:
  1. Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  2. Close ALL windows except Ad-Aware SE.
  3. Click on the 'world' icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  4. Once the update is finished click on the 'Gear' icon (second from the left at the top of the window) to access the preferences/settings window:
    1. In the 'General' window make sure the following are selected in green:
      1. Under Safety:
        • Automatically save log-file
      2. Automatically quarantine objects prior to removal
      3. Safe Mode (always request confirmation)
    2. Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  5. Click on the 'Scanning' button on the left and select in green:
    1. Under Driver, Folders & Files:
      • Scan Within Archives
    2. Under Select drives & folders to scan:
      • choose all hard drives
    3. Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URLs
      • Scan my Hosts file
  6. Click on the 'Advanced' button on the left and select in green:
    1. Under Shell Integration:
      • Move deleted files to recycle bin
    2. Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    3. Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  7. Click the 'Tweak' button and select in green:
    1. Under 'Scanning Engine':
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    2. Under 'Cleaning Engine':
      • Let Windows remove files in use at next reboot
    3. Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not Select: Include Module list in logfile
  8. Click on 'Proceed' to save the settings.
  9. Click 'Start'
  10. Choose 'Perform Full System Scan'
  11. DESELECT "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.
  12. Click 'Next' and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  13. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  14. Right-click on the list and choose Select All
  15. Click the Next button to finish removing the items that were found
  16. When finished, REBOOT to complete the removal of what Ad-Aware SE found

~~~~~~~~~~~~~~~

Download, Install & Run Spybot S&D. Click on the "Search for Updates" button. Install any updates that are available.

Go to the Mode menu and choose "Advanced Mode". Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, Select all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot.

If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.


~~~~~~~~~~~~~~~

After running the above programs, download HiJackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HiJackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit "Scan" and then click on "Save log".
3. Post the HiJackThis.log file in a new thread. Click here >> http://forum.lowyat.net/index.php?act=Post&CODE=00&f=25 . Do not fix anything in HiJackThis, since the entries may be harmless.
sUBs
post Jul 12 2005, 01:16 PM

QUOTE(benlye @ Jul 12 2005, 10:37 AM)
Here is something interesting. A site which has information on all known spyware and adware..

---------------------
http://www.spywareinfo.com/

SpywareInfo is a member of ASAP

ASAP stands for the Alliance of Security Analysis Professionals.

ASAP started out as a small band of security sites under siege, and is rapidly expanding to include the "Best of the Best" the Internet Security Community has to offer.

ASAP is made up of website and forum owners and administrators, forum and site staff, individuals, companies and various organizations dedicated to providing security related support to computer end users.

ASAP is a joint effort designed to help end users with as seamless a process as possible, using methods such as cross-referrals, multiple product support services, easy information access, and cross referencing/verification.

ASAP's goals are:
To ensure a high standard and quality of security support no matter where you seek help.
To promote the products used to keep your computer clean and safe in an equal and fair manner.
To ensure that end users are not affected by so called "product wars" and unfair marketing tactics which have plagued several industries in recent years.

ASAP ensures that quality support and assistance will be freely available - knock one of the support networks out and another will pick it up immediately. In addition, pooled resources permit the ability to provide support redundancy, thereby adding an additional layer of protection against Internet based threats.

If you see the ASAP logo or banner used by a site, bulletin board, or person, you can be assured that you're getting the best support and assistance possible, as the combined efforts of all ASAP members are involved in helping everyone, and ASAP won't give up until your important investment is safe and clean.

ASAP is a non-profit volunteer network.

Member Sites of ASAP
AmazingTechs
Anti Spyware Offensief
Assiste.com
Atribune.org
BestTechie
BleepingComputer
Bluetack Internet Security Solutions
Calendar of Updates
CARMA
Common Sense Security
CPASecurity
CyberAnswers.org
Freedomlist
Geeks to Go
Gladiator Security
hpHosts
InfoSpyware
Infotex
JSKYs XP Support
Linha Defensiva
Lockergnome
MalwareBytes
MalWare Removal
ManageYourPC
MickeyTheMan
NeoPlanet
NetworkTechSupport
PCdistress
PCHelper
PC Pitstop
PCtorium
Pipex Support
RescueME
Short-Media.com
SpywareAid
SpyWare BeWare!
Spywarefri
SpywareInfo
Spyware Warrior
Subratam.org
Tankweb
Tech Support Forum
Tech Support Guy
TeMerc Internet Countermeasures
That Computer Guy
The Spykiller
TomCoyote
UBCD4Win
Vital Security.org

sUBs
post Jul 21 2005, 11:43 AM

@servonet.

If you want something to be done about your malware problems, you have to furnish us with a HiJackThis log.
If unsure how to do it, here are some instructions...

Download HiJackThis - this program will help us determine if there are any spyware/malware on your computer.
Create a folder at C:\HJT and move HiJackThis.exe there.
Double click on the program to run it.

1. If it gives you an intro screen, just choose [Do a system scan and save a logfile].
2. If you don't get the intro screen, just hit [Scan] and then click on [Save log].
3. Post the HiJackThis.log file here. Do not fix anything in HiJackThis since most of the entries may be harmless

When you have a log, start a new thread by clicking here

I shall help you when I see your new thread.


sUBs
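
Both of sUBs's HijackThis instructions above ask for the log to be posted for review rather than fixed blindly. The following parser and triage pass, written as an added example in Python (not HijackThis's own code and not from this thread), reads that log format into its running-process list and R/O entries and flags the kinds of lines this thread keeps coming back to: a start or search page pointing outside IE's default Microsoft/MSN hosts, a proxy server set, the default URLSearchHook missing, and a BHO loaded from outside Program Files. The sample log is constructed in the v1.99 layout with a placeholder CLSID and host; the trusted-host list and the Program Files heuristic are assumptions for review flagging, not a verdict, which is exactly why the post says not to fix anything from the log on your own.

```python
"""Parser and triage pass for the HijackThis log format requested above.

Added example, not HijackThis's own code and not from this thread. The
sample log is constructed (placeholder CLSID and host), modelled on the
layout HijackThis v1.99 produces. Every "finding" is a review flag, not a
verdict: as the post says, most entries in a real log are harmless.
"""
import re
from dataclasses import dataclass, field

# "R0 - HKCU\...,Start Page = http://..."  /  "O2 - BHO: name - {CLSID} - path"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})"
                    r"\s+-\s+(?P<path>.*)$")

# IE's own default search hosts, as named earlier in this thread (assumption:
# extend this per user; a deliberately chosen home page is not a hijack).
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")


@dataclass
class HjtLog:
    header: list = field(default_factory=list)      # "Logfile of...", "Platform: ..."
    processes: list = field(default_factory=list)   # paths under "Running processes:"
    entries: list = field(default_factory=list)     # (code, body), e.g. ("R1", "...")


def parse_hjt_log(text: str) -> HjtLog:
    """Split a HijackThis log into header lines, running processes and entries."""
    log, section = HjtLog(), "header"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            section = "processes"
            continue
        if not line:
            if section == "processes":      # blank line ends the process list
                section = "entries"
            continue
        if section == "header":
            log.header.append(line)
        elif section == "processes":
            log.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                log.entries.append((m.group("code"), m.group("body")))
    return log


def _host_of(url: str):
    m = re.match(r"https?://([^/\s]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def triage(log: HjtLog, extra_trusted=()):
    """Return (code, reason, detail) tuples that deserve a human look."""
    trusted = TRUSTED_SEARCH_HOSTS + tuple(h.lower() for h in extra_trusted)
    findings = []
    for code, body in log.entries:
        if code in ("R0", "R1") and " = " in body:
            key, _, value = body.partition(" = ")
            host = _host_of(value)
            if key.endswith("ProxyServer"):
                findings.append((code, "proxy server set", value))
            elif host and not any(host == t or host.endswith("." + t) for t in trusted):
                findings.append((code, "page points outside trusted hosts", value))
        elif code == "R3" and "missing" in body:
            findings.append((code, "default URLSearchHook missing", body))
        elif code == "O2":
            bho = BHO_RE.match(body)
            if bho and not bho.group("path").lower().startswith("c:\\program files\\"):
                findings.append((code, "BHO loaded from outside Program Files",
                                 bho.group("path")))
    return findings


# Constructed sample log (placeholder CLSID and host; not a real capture).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:29:09 PM, on 28/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example-search.test/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.0.2.1:3128
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINNT\system32\cnshook.dll
"""


def triage_sample():
    """Parse the constructed log and return its review flags."""
    return triage(parse_hjt_log(SAMPLE_LOG))


if __name__ == "__main__":
    for code, reason, detail in triage_sample():
        print(f"{code:3} {reason}: {detail}")
```

On the constructed log this reports the R0 start page, the R1 proxy, the R3 missing hook and the unnamed BHO in system32, and leaves the Acrobat BHO alone. Passing the user's own home-page domain in extra_trusted drops the R0 flag, which is the kind of context the person reading the log has and the script does not.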
sUBs
post Jul 21 2005, 10:08 PM

QUOTE(gestapo @ Jul 21 2005, 03:49 PM)
A noob question.

When I installed warez, does it mean that I allowed them to enable pop-ups on my PC? Because I notice that my Yahoo pop-up blocker is gone, and Windows AntiSpyware is always giving warnings about warez trying to install some stuff. Help please.
I have a simple way for you to find out on your own.

Download Trend Micro(tm) Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log".
If you wish, you may share the details with other LYF members by pasting the entire contents of that log here.
sUBs
post Jul 24 2005, 08:49 AM

QUOTE(Jayken @ Jul 24 2005, 08:35 AM)
I'm sorry if I post something wrong here, but I really need some help on this problem. Hm... I just formatted my PC; after I got online I found this problem.

What actually happens? Getting spyware?
Download & Run Shoot the Messenger. Disable the Messenger service & that should be the end of your woes.
Jayken
post Jul 24 2005, 08:57 AM

QUOTE(sUBs @ Jul 24 2005, 08:49 AM)
Download & Run Shoot the Messenger. Disable the Messenger service & that should be the end of your woes.
Hmm, can I ask more? What possible reason may cause that Messenger pop-up? A Windows problem, or?
sUBs
post Jul 24 2005, 09:16 AM

QUOTE(Jayken @ Jul 24 2005, 08:57 AM)
Hmm, can I ask more? What possible reason may cause that Messenger pop-up? A Windows problem, or?
Read up on it here > http://www.grc.com/stm/shootthemessenger.htm
Feel free to ask if still in doubt

sUBs
wakl
post Jul 27 2005, 06:19 AM

Wondering why, in my sent and received counts, the sent is more than the received? And I tried to use HijackThis, Spyware Doctor etc. to scan but nothing happened...
sUBs
post Jul 27 2005, 08:09 AM

QUOTE(wakl @ Jul 27 2005, 06:19 AM)
Wondering why, in my sent and received counts, the sent is more than the received? And I tried to use HijackThis, Spyware Doctor etc. to scan but nothing happened...
@wakl
I have already moved your post to a new thread. You know where it is. http://forum.lowyat.net/index.php?showtopic=180575

You already have a thread dedicated to your problem. Please do not post in this sticky.
lanroba
post Jul 29 2005, 01:21 AM

Hi..

A friend of mine also has a PC which is affected with spyware.. please help her.
Her PC is also running very slow (P4 2.8 GHz).

Attached herewith are the HijackThis log and antispyware log for the PC:

1)Hijack this log


Logfile of HijackThis v1.99.1
Scan saved at 1:29:09 PM, on 28/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\Documents and Settings\Izzuddin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.184.94.19:3128
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpywareStopper] C:\Program Files\SpyBlocker Software\SpywareStopper\spywarestopper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [1A2DFECE] C:\WINNT\system32\csl70nfg.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [8BCD3353] C:\WINNT\system32\aaamtmli.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: n8401.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122367453718
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...544/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



2) antispyware log

Started Scanning
Internet Cookies
Found '2o7.net' in 'Internet Explorer Cache'
Found 'doubleclick.net' in 'Internet Explorer Cache'
Found 'atdmt.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Free Hardcore Porn'
Found 'http' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
Found 'Order' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Free Hardcore Porn'
Internet URL Shortcuts
Files and Directories
Found 'GPInstall.exe' in 'C:\WINNT'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Found 'GPInstall.exe' in 'C:\WINNT'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\WINNT\GPInstall.exe' in shortcut areas.
Checking for 'C:\WINNT\GPInstall.exe' in startup areas.
Cleaning 'C:\WINNT\GPInstall.exe'
Finished Cleaning

ty
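
A triage pass over HijackThis-style lines like the ones in lanroba's log, as an added example that is not part of this thread or of HijackThis itself. It parses the section prefixes (R1, O2, O3, O4, O23) and flags the entry shapes helpers in this thread look at first: a Run value named only by 8 hex digits, a Run name padded with trailing whitespace, a batch file in the all-users Startup folder, a configured IE proxy, a service with no vendor string, and stale "(file missing)" entries. The sample lines are copied from the log above; the severity labels and heuristics are this example's own assumptions. It only reports, and leaves removal to the tools the thread recommends.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis v1.99 format. The lines are copied from the
# log posted in this thread; nothing has been added to them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.184.94.19:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [1A2DFECE] C:\WINNT\system32\csl70nfg.exe
O4 - HKCU\..\Run: [8BCD3353] C:\WINNT\system32\aaamtmli.exe
O4 - Global Startup: n8401.bat
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
"""

# "R1 - <body>", "O4 - <body>" ...: section code, then the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O4 Run entries: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

Finding = Tuple[str, str, str]  # (severity, reason, raw line)


def parse(log: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into entries of {section, body, raw}."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"section": m["section"], "body": m["body"], "raw": raw.strip()})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Finding]:
    """Flag entries worth a second look. Heuristics are this example's assumptions."""
    findings: List[Finding] = []
    for e in entries:
        sec, body, raw = e["section"], e["body"], e["raw"]
        if "(file missing)" in body:
            findings.append(("low", "points at a file that no longer exists; stale entry", raw))
            continue
        if sec == "R1" and "ProxyServer" in body:
            findings.append(("medium", "IE proxy is set; confirm the owner configured this address", raw))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                name = m["name"]
                if HEX_NAME_RE.match(name):
                    findings.append(("high", "Run value named only by 8 hex digits; no vendor names values this way", raw))
                elif name != name.strip():
                    findings.append(("high", "Run value name padded with whitespace to look like a known component", raw))
            elif body.startswith("Global Startup:") and body.lower().endswith(".bat"):
                findings.append(("medium", "batch file in the all-users Startup folder", raw))
        elif sec == "O23" and " - - " in body:
            findings.append(("low", "service with no vendor string; verify the binary's publisher", raw))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per severity, for a quick summary line."""
    counts: Dict[str, int] = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(parse(SAMPLE_LOG))
    for sev, why, raw in results:
        print(f"[{sev:6}] {why}\n         {raw}")
    print(severity_counts(results))
```

Run against a full log, the same flags land on the entries a helper would ask about first; everything it marks still needs a human to confirm before anything is removed.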
sUBs
post Jul 29 2005, 12:16 PM

RIP
Group Icon
VIP
3,941 posts

Joined: Jan 2005
sUBs ...coughing blood..

lanroba - click here < Post new topic > to start a new thread & post that log there.
sUBs
post Jul 31 2005, 02:09 PM

RIP
Group Icon
VIP
3,941 posts

Joined: Jan 2005
QUOTE(lanroba @ Jul 31 2005, 01:42 PM)
how? click PM?
*
Hee..hee

Quite simple. Just go to this page > http://forum.lowyat.net/index.php?showforum=25
Locate & click the < Post new topic > button. It's situated near the top & to the right hand side.

I'm not trying to make life difficult for you. This is to help you become more familiar with the forum's features so that you can be more of a regular member at LYF.


sUBs
sUBs
post Aug 5 2005, 03:25 AM

RIP
Group Icon
VIP
3,941 posts

Joined: Jan 2005
Uninstall List - Add/Remove Programs

180 Solutions
180SAInstaller Class
180 Search Assistant
2020Search
404Search
411Ferret Toolbar
7FaSSt Search
The ABI Network- A Division of Direct Revenue (online uninstallation)
Active Alert
Ad Service
Advanced Search
AdvSearch
AdwareAlert
Alexa Toolbar
AM Server
ATP
autoSearch
B3d Projector
Bargain Buddy / Bulls Eye Network / CashBack / NaviSearch
BookedSpace
Browser Enhancer
BrowserAid
BrowserPal
Bulls Eye Network / CashBack / NaviSearch / Bargain Buddy
Cash Toolbar
CashBack / NaviSearch / Bargain Buddy / Bulls Eye Network
Chinese keywords
ClickTheButton
ClockSync
CommonName
Context Display
Cosmi
Cpr
CxtPls
DailyToolbar
Date Manager
DealHelper
DelFin Media Viewer / PgTools / PGate / DisplayUtility / DMVLite
Desktop Toolbar [WhenUSearch]
Download Receiver
DownloadWare
E2Give Browser Add On
Easy Search Bar
Ebates_MoeMoneyMaker
Elite SideBar
Elite ToolBar
eXact Search Bar
ezSearchBar
F1
FlashTrack Uninstall
flt
FreeScratchAndWin
FT Remove
FTApp
Fun Web Products Easy Installer
eXact Search Bar
eZula TopText
Gator eWallet
Go
GogoTools
Hotbar
Huntbar
Httper
Hyperlinker
IconForge
IE Helper
IE Menu Extension toolbar
IE Toolbar
IEDriver
IMZ
InetDoor
Internet 404 (internet connection is needed for removal)
Internet Optimizer
Internet Washer Pro
IPInsight
ISTBar
ISTSvc
iWon Plus
KeenValue
KeywordPlugin
Live 0n line Portal
LookSmart Search
L.O P. Uninsta11
Lycos Search
Lycos Sidesearch
masterbarHallmedia.net
MaxSpeed
mc
Media Access
Media Motor
MidADdle
MoreResults
Movie Viewer 2.1
MS AUpdate
MS Updates
mscman
MSIETS
MWSearch
My Way Speedbar
My Web Search
NavExcel Search Toolbar
Nav Helper
NaviSearch / Bargain Buddy / Bulls Eye Network / CashBack
Neo Technology Search Engine
Netpal Games
NewtonKnows
Oemji Toolbar
Onflow
Orbit
PeopleOnPage
PowerSearch Toolbar
PowerStrip
Precision Time
Preview AdService
POP
PuritySCAN
qidion - toolbar
Quick Browse ??
QuickSearch Toolbar
RapidBlaster
RelatedLinks
Rich Editor
RON Display
RSyncMon
RVP
SafeGuard
Save / WhenU Search / WeatherCast / ClockSync
Security IGuard
Search 2020
Search Assistant
Search Assistant Utility
Search Fast
Search Maid
Search Relevancy
Search Toolbar (internet connection is needed for removal)
Searchit - toolbar
SearchSquire
Select Cashback
ShopAtHomeSelect Agent
Shopping Community
Side Find
Side Search
SideStep
Slotchbar
Software Update Manager
supaseek - Toolbar
SuperBar IE Plugin
Surf SideKick 3
Surfairy
SysAI
TBPS
Tools for Internet Explorer (internet connection is needed for removal)
Toolbar - My toolbar
TopText
TSA
TV Media
Twaintech
UCmore
Ultimate Browser Enhancer
URL Display
VBRunDLL
Veevo
Virtual Maid
VVSN
WareOut
WAST
Web Offer
Web_Rebates
WebHancer
Web Toolbar
Web Tools by Hotbar
whazit tools
WhenU Search / Save / WeatherCast / ClockSync
WhileYouSurf
WinSrv Reg
wincomp
Windows SyncroAd
wintrim
WebSearch Toolbar (internet connection is needed for removal)
WebSearch Tools
Windows AdTools
Windows AFA Internet Enhancement
WinTools
Win-Tools Easy Installer (internet connection is needed for removal)
WSEM Update
XDiver
Your Site Bar
YuupSearch Toolbar
Zango
Zipclix
ZZ

lucifah
post Aug 24 2005, 12:02 AM

St. Fu
Group Icon
Staff
7,948 posts

Joined: Jan 2005
From: Soviet Sarawak


sUBs:

I had one silly n00bie question here, about eZula TopText. Removed it using Search & Destroy, even restarted the PC (as directed by S&D). The adware/spyware seems to be gone, but the directory in c:\program files still exists and cannot be deleted.

1. does this mean i am still infected? (thorough search + scan and no ezula running tasks in the services)

2. any way to remove the annoying files that end w/ *.tmp? I tried many software but still cannot remove the annoying directory.

thanx

edit: problems 1 and 2 solved. My trusty BitDefender deleted the *.tmp files, letting me delete the annoying directory. However, a new problem arises:

In the add/remove dialogue, the TOPTEXT, MYSEARCH and SEARCH ASSISTANT still exist.

1. does this mean I am still INFECTED?

2. can i just delete it from the registry entries manually?

3. any way to remove it w/o using registry edit?

edit : PROBLEM SOLVED. multiple software used to deal all this.

Sheesh... just ONE wrong click, and I spent 2 hours cleaning each and every parasite... how did this happen? My 8 months w/o spyware record has been busted.

This post has been edited by lucifah: Aug 24 2005, 12:57 AM
sUBs
post Aug 24 2005, 12:29 AM

RIP
Group Icon
VIP
3,941 posts

Joined: Jan 2005
You should have uninstalled the programs with Add/Remove programs before allowing the antivirus to forcibly remove them. It may leave several orphaned entries in your Registry.

Try this first..

Download Trend Micro(tm) Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

It's quite good at removing such entries.

If that doesn't work, run HijackThis
Go to Config > Misc Tools - Open Uninstall Manager
Select the program & click "Delete this entry"
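
To see what the "orphaned entries" sUBs mentions look like, here is an added Python example that is not from this thread, Trend Micro or HijackThis. It takes the DisplayName/UninstallString pairs Windows keeps under the standard Uninstall registry keys and reports entries whose uninstaller no longer exists on disk. The sample entries are constructed, using program names from the uninstall list posted above with placeholder paths and a placeholder product GUID; `read_uninstall_entries` reads the live keys only on Windows and returns an empty list elsewhere. The script only reports and does not write to the registry; deleting the entries is left to the tools described above.

```python
import ntpath
import re
from typing import Callable, Dict, List, Optional

Entry = Dict[str, str]

# Constructed sample of Uninstall-key entries in the shape Windows stores them
# (DisplayName / UninstallString). The names come from the uninstall list posted
# in this thread; the paths and the product GUID are placeholders.
SAMPLE_ENTRIES: List[Entry] = [
    {"DisplayName": "eZula TopText",
     "UninstallString": r"C:\Program Files\eZula\uninstall.exe /S"},
    {"DisplayName": "Search Assistant",
     "UninstallString": r'"C:\Program Files\Search Assistant\SAUninst.exe" /remove'},
    {"DisplayName": "180 Solutions",
     "UninstallString": r"C:\WINNT\180sa_uninst.exe"},
    {"DisplayName": "Example MSI package",
     "UninstallString": r"MsiExec.exe /X{00000000-0000-0000-0000-000000000000}"},
    {"DisplayName": "Entry with no uninstaller",
     "UninstallString": ""},
]

# The only uninstaller that still exists on the constructed disk.
PRESENT_FILES = {r"c:\program files\search assistant\sauninst.exe"}


def sample_exists(path: str) -> bool:
    """Stand-in for os.path.exists so the example runs on any OS."""
    return path.lower() in PRESENT_FILES


def uninstaller_path(cmd: str) -> Optional[str]:
    """Extract the executable from an UninstallString.

    Handles a quoted path followed by arguments, and an unquoted path that may
    contain spaces followed by switches such as /S. Returns None when empty.
    """
    cmd = cmd.strip()
    if not cmd:
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def classify(entry: Entry, file_exists: Callable[[str], bool]) -> str:
    """Return 'ok', 'orphan', 'no-uninstaller' or 'msi' for one entry."""
    path = uninstaller_path(entry.get("UninstallString", ""))
    if path is None:
        return "no-uninstaller"
    if ntpath.basename(path).lower() == "msiexec.exe":
        # Windows Installer products are tracked by product code, not by a file,
        # so a file-existence check says nothing about them; skipped here.
        return "msi"
    return "ok" if file_exists(path) else "orphan"


def find_orphans(entries: List[Entry], file_exists: Callable[[str], bool]) -> List[str]:
    """Names of entries whose uninstaller is gone or was never recorded."""
    return [e["DisplayName"] for e in entries
            if classify(e, file_exists) in ("orphan", "no-uninstaller")]


def read_uninstall_entries() -> List[Entry]:
    """Read live entries from the standard Uninstall keys; [] off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    sub = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    entries: List[Entry] = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, sub) as key:
                for i in range(winreg.QueryInfoKey(key)[0]):
                    with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sk:
                        entry: Entry = {}
                        for name in ("DisplayName", "UninstallString"):
                            try:
                                entry[name] = str(winreg.QueryValueEx(sk, name)[0])
                            except OSError:
                                entry[name] = ""
                        if entry["DisplayName"]:
                            entries.append(entry)
        except OSError:
            continue
    return entries


if __name__ == "__main__":
    import os
    live = read_uninstall_entries()
    if live:
        print("orphaned:", find_orphans(live, os.path.exists))
    else:
        print("orphaned (sample):", find_orphans(SAMPLE_ENTRIES, sample_exists))
```

On 64-bit Windows, 32-bit programs register under the WOW6432Node copy of the same Uninstall path, which this example does not read; an entry listed there would be missed.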

lucifah
post Aug 24 2005, 01:02 AM

St. Fu
Group Icon
Staff
7,948 posts

Joined: Jan 2005
From: Soviet Sarawak


sUBs: problems all solved. thanx to your guides and tips.

time taken to be infected: less than 1 minute
time to clean: 2+ hours


here are the list of softwares that i've used:

1. BitDefender (the main s/w that alerted me 2 hours ago and stopped system wide infection)
2. Spybot Search & Destroy (sUBs recommendation)
3. Spyware Blaster (again, thanx to sUBs)
4. AdAware (long time forgotten s/ware tucked inside my hard drive)
5. RegCleaner (the registered version by the great Juno) - this is used to delete all the annoying add/remove lists


identified spyware:

1. 180solutions
2. search assistant
3. my search
4. ezula toptext


This post has been edited by lucifah: Aug 24 2005, 01:03 AM
lex
post Aug 30 2005, 04:28 PM

Old Am I?
Group Icon
VIP
18,182 posts

Joined: Jan 2005
From: Dagobah
LOP is a sneaky adware/spyware which I came across often before. It can infect both IE and Netscape/Mozilla as well; however, the only way it can enter your system is still through IE (aka Idiot Exploiter). Once it infects the system, your browser, desktop, Explorer and search functions are hijacked. It also creates/modifies registry entries so that it can be used with Mozilla or Netscape. On some machines, especially those running the older Windows ME operating system, it randomly crashes the system, usually causing Explorer crashes and illegal operations.

Anyway, DO NOT trust the uninstaller tool from the creators of LOP themselves. It's better to get a 3rd-party utility to clean out that pesky LOP.
fariz
post Jan 16 2006, 10:12 AM

Tan Sri F
Group Icon
VIP
16,825 posts

Joined: Jan 2003
From: Siberia
CWShredder or HijackThis closes immediately after opening?

There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.

If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well as Spybot S&D, Ad-aware and several anti-spyware forums).
AsenDURE
post Jun 20 2007, 01:48 PM

I'm sorry. I don't believe in this nonsense!!
Group Icon
VIP
2,496 posts

Joined: Jan 2003
From: LowYatDotNet Status:Agast
QUOTE
TechNet On-Demand Webcast: Advanced Malware Cleaning
Learn from Mark how to use the Sysinternals tools to identify malware infestations, from standard spyware to kernel-mode rootkits, and clean them off your systems.


http://www.microsoft.com/emea/itsshowtime/...spx?videoid=359

He teaches you the functions of Process Explorer & Autoruns specifically to find and remove malware.

here are the slides

Attached file: Sysinternal__s_Mark_Russinovich___Advanced_Malware_Cleaning.zip (889.87k)


This post has been edited by AsenDURE: Jun 20 2007, 01:48 PM
