
Big Warning Sign And Self-launching Ie


  • This topic is locked
10 replies to this topic

#1 rd-man

Posted 10 May 2008 - 03:43 AM

I have recently been hijacked by something that has taken over my desktop wallpaper with a warning sign about spyware and now launches IE every so often offering me sys-removal tools and such. I initially ran Spybot Search and Destroy and Lavasoft programs to no avail. Then, I ran the ComboFix program and the desktop appears to be back to normal and IE hasn't launched itself in a little while, so perhaps it's fixed. However, as you suggest, I am posting my log for you to look at and hopefully help me complete whatever I need to do to get rid of this thing! Thanks very much in advance for your help.

ComboFix 08-05-09.1 - Douglas Wright 2008-05-10 2:31:52.1 - NTFSx86

Running from: C:\Documents and Settings\Douglas Wright\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Douglas Wright\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mywallpaper.bmp
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\zyshbnmarcz.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SZKG5
-------\Service_szkg5


((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
.

2008-05-10 01:52 . 2008-05-10 01:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-09 19:05 . 2008-05-10 02:45 496 --a------ C:\WINDOWS\system32\drivers\kgpcpy.cfg
2008-05-09 19:03 . 2008-05-09 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-05-09 19:00 . 2008-05-09 19:00 <DIR> d-------- C:\Program Files\STOPzilla!
2008-05-09 19:00 . 2008-05-09 19:00 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-05-09 19:00 . 2008-05-10 02:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-09 17:50 . 2008-05-09 17:50 <DIR> d-------- C:\Documents and Settings\Douglas Wright\DoctorWeb
2008-05-09 16:35 . 2008-05-09 16:48 4,508 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-09 15:37 . 2008-05-09 15:37 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-09 12:31 . 2008-05-09 12:29 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-09 12:31 . 2008-05-09 12:31 2,552 --a------ C:\WINDOWS\unins000.dat
2008-05-09 09:28 . 2008-05-09 09:28 84,032 --a------ C:\WINDOWS\sysyeabdgfp.exe
2008-05-09 09:28 . 2008-05-09 09:28 1,409 --a------ C:\WINDOWS\zysauqdhnyc.exe
2008-05-09 09:28 . 2008-05-09 09:28 1,272 --a------ C:\WINDOWS\zysrhupbxtf.exe
2008-05-08 17:58 . 2008-05-08 17:58 389,120 -ra------ C:\WINDOWS\system32\SZComp5.dll
2008-05-08 17:58 . 2008-05-08 17:58 258,048 -ra------ C:\WINDOWS\system32\SZBase5.dll
2008-05-07 18:47 . 2008-05-07 18:47 34,432 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2008-05-06 14:53 . 2008-05-06 14:53 364,544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2008-05-06 14:53 . 2008-05-06 14:53 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2008-05-06 14:52 . 2008-05-06 14:52 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2008-05-06 14:52 . 2008-05-06 14:52 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-05-06 14:52 . 2008-05-06 14:52 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2008-05-06 14:51 . 2008-05-06 14:51 196,608 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2008-05-06 14:50 . 2008-05-06 14:50 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2008-05-06 14:50 . 2008-05-06 14:50 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2008-05-06 14:47 . 2008-05-06 14:47 708,608 -ra------ C:\WINDOWS\system32\IS3Base5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 07:46 352 ----a-w C:\WINDOWS\system32\drivers\kgpfr2.cfg
2008-05-10 07:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-10 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-10 07:27 --------- d-----w C:\Documents and Settings\Douglas Wright\Application Data\Skype
2008-05-10 06:47 --------- d-----w C:\Program Files\My Downloads
2008-05-10 06:31 --------- d-----w C:\Documents and Settings\Douglas Wright\Application Data\OpenOffice.org2
2008-05-10 06:16 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-10 05:02 --------- d-----w C:\Documents and Settings\Douglas Wright\Application Data\skypePM
2008-05-09 18:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-09 17:33 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 13:59 --------- d-----w C:\Documents and Settings\Douglas Wright\Application Data\AdobeUM
2008-03-26 05:25 --------- d-----w C:\Program Files\Lavasoft
2008-03-26 05:25 --------- d-----w C:\Documents and Settings\Douglas Wright\Application Data\Lavasoft
2008-03-26 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-26 05:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-16 19:56 --------- d-----w C:\Documents and Settings\Douglas Wright\Application Data\Creative
2008-03-16 19:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-16 19:50 --------- d-----w C:\Program Files\SightSpeed
2008-03-16 19:47 --------- d-----w C:\Program Files\ArcSoft
2008-03-16 19:43 --------- d-----w C:\Program Files\Creative
2008-03-11 01:06 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-07 19:03 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-03-07 19:03 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-03-01 13:06 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-01 13:06 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-01 13:06 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-01 13:06 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-01 13:06 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-01 13:06 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-01-30 06:45 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-04-27 03:24 184,119 ----a-w C:\Program Files\NSSetup-Full.exe
2005-04-27 02:36 178,341 ----a-w C:\Program Files\NSSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.exe" [2004-08-04 15:41 526224]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-01-17 19:10 21686568]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 20:31 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 20:27 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-02-07 08:43 606208]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 14:03 135168]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2002-04-26 12:53 12288]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 20:58 81920]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 23:00 864256]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 21:05 116328]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 00:00 771440]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"PD0870 STISvc"="P0870Pin.dll" [2005-05-04 12:00 36864 C:\WINDOWS\system32\P0870Pin.dll]

C:\Documents and Settings\Douglas Wright\Start Menu\Programs\Startup\
IC Task Manager.lnk - C:\Program Files\Aladdin Systems\Internet Cleanup\onictask.exe [2005-04-29 15:31:59 61440]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 17:45:48 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-04-22 14:49:13 24576]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 15:27:34 471040]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-09-03 08:45:28 176128]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-02-07 02:27:47 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=


*Newly Created Service* - COMHOST
*Newly Created Service* - SZKG5
.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 20:24:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-24 03:56:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Douglas Wright.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 02:40:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\SoftwareDistribution\Download\ea3863a5336a3a84f11ecb9a77ebd04d\update\update.exe
.
**************************************************************************
.
Completion time: 2008-05-10 3:10:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-10 08:09:59

Pre-Run: 13,965,307,904 bytes free
Post-Run: 17,220,071,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

201 --- E O F --- 2008-04-10 13:22:16
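The following script is an added example, not a tool from this thread or from ComboFix. It reads lines in the same format as the "Files Created" and "Reg Loading Points" sections of the log above (a handful of those lines are copied into the script as sample input) and flags the two things a responder looks at first: executables with random-looking names dropped straight into C:\WINDOWS, grouped by creation minute so that files written by one dropper show up together, and registry flags that leave the host exposed. The entropy threshold, the minimum name length and the list of executable extensions are assumptions chosen for the example.

```python
r"""Triage of a ComboFix log (added example; not a tool from this thread).

Two things a responder checks first in a log like the one above:
  * executables dropped directly into C:\WINDOWS (not a subfolder) with
    random-looking names; several created in the same minute almost always
    came from one dropper and should be removed together;
  * registry settings that leave the host exposed, e.g. the Windows Firewall
    switched off.
SAMPLE_LOG below is copied from the 'Files Created' and 'Reg Loading Points'
sections of the posted log.
"""
import re
from collections import Counter, defaultdict
from math import log2

SAMPLE_LOG = r'''
2008-05-10 01:52 . 2008-05-10 01:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-09 12:31 . 2008-05-09 12:29 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-09 09:28 . 2008-05-09 09:28 84,032 --a------ C:\WINDOWS\sysyeabdgfp.exe
2008-05-09 09:28 . 2008-05-09 09:28 1,409 --a------ C:\WINDOWS\zysauqdhnyc.exe
2008-05-09 09:28 . 2008-05-09 09:28 1,272 --a------ C:\WINDOWS\zysrhupbxtf.exe
2008-05-07 18:47 . 2008-05-07 18:47 34,432 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''

# ComboFix 'Files Created' line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) \S+ (?P<path>.+)$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif"}  # assumption
WINDIR = r"c:\windows"  # compared case-insensitively with the parent folder


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def looks_random(stem: str) -> bool:
    """Weak heuristic for generated names such as 'zysauqdhnyc': letters only,
    at least 8 long, high character entropy (thresholds are assumptions).
    Numbered or short names like 'unins000' or 'hkcmd' are not flagged."""
    return stem.isalpha() and len(stem) >= 8 and shannon_entropy(stem.lower()) >= 3.0


def parse_created_files(log_text: str):
    """Yield (created, path) for each non-directory 'Files Created' line."""
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            yield m.group("created"), m.group("path")


def suspicious_windir_executables(log_text: str) -> list:
    """(created, path) pairs, sorted, for executables sitting directly under
    the Windows directory whose base name looks machine-generated."""
    hits = []
    for created, path in parse_created_files(log_text):
        parent, _, name = path.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if parent.lower() == WINDIR and ("." + ext.lower()) in EXEC_EXT and looks_random(stem):
            hits.append((created, path))
    return sorted(hits)


def dropper_clusters(log_text: str, min_size: int = 2) -> dict:
    """Group the suspicious files by creation minute; a cluster of min_size or
    more is a strong sign of one dropper, so treat its members as one unit."""
    by_minute = defaultdict(list)
    for created, path in suspicious_windir_executables(log_text):
        by_minute[created].append(path)
    return {t: paths for t, paths in by_minute.items() if len(paths) >= min_size}


# (value-line prefix, meaning); a match is reported under the preceding [key]
UNPROTECTED_FLAGS = (
    ('"EnableFirewall"= 0', "Windows Firewall is switched off for this profile"),
    ('"DisableMonitoring"=dword:00000001',
     "Security Center is not monitoring this product (normal when a third-party "
     "suite registers itself; confirm that suite is actually running)"),
)


def security_center_findings(log_text: str) -> list:
    """Scan REGEDIT4-style lines for the flags above; returns
    (registry key, value line, explanation) tuples in log order."""
    findings, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            for prefix, why in UNPROTECTED_FLAGS:
                if line.startswith(prefix):
                    findings.append((key, line, why))
    return findings


if __name__ == "__main__":
    for created, path in suspicious_windir_executables(SAMPLE_LOG):
        print(f"{created}  {path}")
    for key, line, why in security_center_findings(SAMPLE_LOG):
        print(f"{key}\n  {line}  <- {why}")
```

On the sample above the script reports the three same-minute files that the helper later asks to be deleted by hand, and skips unins000.exe and SZKG.sys. The DisableMonitoring flag needs the caveat in the code: a third-party suite (Norton here) sets it itself so that Security Center does not double-report, so it is only interesting together with evidence that the suite is not running; EnableFirewall=0 is interesting on its own if no other firewall is active.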


#2 miekiemoes (Malware Response Team)

Posted 10 May 2008 - 08:33 AM

Hi,

There are still some leftovers present, so navigate to and delete the following files:

C:\WINDOWS\sysyeabdgfp.exe
C:\WINDOWS\zysauqdhnyc.exe
C:\WINDOWS\zysrhupbxtf.exe

Then go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 rd-man (Topic Starter)

Posted 10 May 2008 - 11:31 AM

Hi,

Thanks very much for your help. I have done as you've suggested and things seem to be getting back to normal. However, my CPU seems to be running non-stop now. At the risk of over-analyzing what's going on here, I will tell you some of the other things I tried, as suggested by other sites that I unfortunately came upon before finding this one.

-Downloaded, installed and ran Spybot 1.5.2. From that point on, any time I ran some other spyware software, Spybot would ask if I wanted to "Allow these changes to" whatever key, delete certain things, add certain things, etc. I assumed, perhaps wrongly, that I should allow these things to change.
-Downloaded, installed and ran Stopzilla 5.0 (this one actually cost me money and ticked me off!)
-Ran Lavasoft 7.0.2.7
-Ran iclean 3.0
-Uninstalled IE 7.0
-Ran Norton scan

Most of the spyware cleaners found and deleted some things, but certainly not everything. Plus, things that were deleted came back, obviously. Nothing but your directives got the wallpaper back to normal and stopped IE from self-launching. Are any of the above spyware/virus programs in conflict with one another? To my knowledge, Stopzilla, Norton, and Spybot all seem to be running behind the scenes even though I've disabled Stopzilla for now. As I have typed this, the CPU light has finally gone off, so perhaps it's fixed?? I wish I'd found this site first! Anyway, thanks very much for your continued help. I look forward to your reply.

#4 miekiemoes (Malware Response Team)

Posted 10 May 2008 - 11:42 AM

Stopzilla is indeed a resource hog and, to be honest, I don't really recommend Stopzilla anyway, because I've seen it being pushed by malware, which means malware causes popups to be displayed asking you to install Stopzilla. This doesn't make sense and that's why it makes Stopzilla a questionable application.

On the other side, you have Norton installed. This one is also known to be a huge resource hog and to cause high CPU spikes.
Also read this: What Really Slows Windows Down

-Uninstalled IE 7.0

Please reinstall it, because it's more secure than IE6.

-Downloaded, installed and ran Spybot 1.5.2. From that point on, any time I ran some other spyware software, Spybot would ask if I wanted to "Allow these changes to" whatever key, delete certain things, add certain things, etc. I assumed, perhaps wrongly, that I should allow these things to change.

This is your Spybot TeaTimer causing this. This is an extra utility in Spybot that monitors the registry for changes. This means it alerts you to every change, including legitimate ones. If you block the legitimate ones, you may have problems with applications that want to run.
That's why the TeaTimer option is still for advanced users who know exactly which keys to allow or ignore. So, if you made some changes on your system, installed programs, uninstalled programs, updated programs, then make sure you let Spybot TeaTimer allow the changes.
If you're not sure, then I suggest you disable TeaTimer, because I've seen too many issues with it; for example, when people wanted to update a program, it never finished its update because of TeaTimer.

#5 rd-man (Topic Starter)

Posted 10 May 2008 - 04:01 PM

Is there a way to find out if I have, indeed, already screwed something up with TeaTimer? Is there a way to diagnose things that might have been altered that should not have been, and vice versa? It seems like I allowed most things, but perhaps not everything. Does TeaTimer store these changes in some kind of log? Also, do you suggest uninstalling the Stopzilla software? It did strike me as a rip-off due to the fact that it would find all these things to remove and then charge you before doing so. It probably put them there in the first place. Do I sound cynical? Thanks for your help.

#6 miekiemoes (Malware Response Team)

Posted 11 May 2008 - 01:22 AM

Hi,

For TeaTimer:
Download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.
This will "flush" the TeaTimer cache, so all previous "block" or "allow" decisions will be flushed. This is useful in case you told TeaTimer to block a certain program that should have been allowed.

And as I said, I do not really recommend Stopzilla, not only because it's being pushed by malware, but also because it slows the system down, and it may give a lot of false positives. It isn't that great in detection and removal either.

Also,

Please read my Prevention page, with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!

#7 rd-man (Topic Starter)

Posted 11 May 2008 - 02:19 AM

Hi,

Thanks again for your reply. I clicked on your link titled "ResetTeaTimer.bat" and the following window popped up:

@echo off
:: Edited 9:48 AM 9/21/2007
:: s!ri thanks for sharing your script
:: Please do not mirror this batch
if [%OS%]==[Windows_NT] set path=%windir%;%SystemRoot%\system32

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

:NT
Echo.
Echo SpyBot and Tea Timer must be closed!! & pause
Echo.
CScript /?>nul 2>&1 && echo/Check OK>log1.txt || echo/Windows Script Host access is disabled on this machine. >log2.txt
if exist log1.txt goto continue

echo Post this in the forum please.>>log2.txt & start notepad log2.txt & exit

:continue
if exist log1.txt del log1.txt

echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath ^& "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" ^& TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath ^& "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" ^& TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat


(@echo off
del /q %CommonAppData%\spybot~1\Snapshots\*.*
del /q %CommonAppData%\spybot~1\Snapshots2\*.*
del /q %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe
del /q %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe
del /q %CommonAppData%\spybot~1\excludes\ProcWhite.sbe
del /q %CommonAppData%\spybot~1\excludes\ProcBlack.sbe
del /q %CommonAppData%\spybot~1\excludes\UpdateDL.sbe
del /q %CommonAppData%\spybot~1\logs\resident.log
)>NUL 2>&1
Echo.
Echo Finished & pause & exit

:win
Echo.
Echo SpyBot and Tea Timer must be closed!!
pause
echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat




deltree /y %AppData%\spybot~1\snapshots\*.*
deltree /y %AppData%\spybot~1\Snapshots2\*.*
del %AppData%\spybot~1\logs\resident.log
del %AppData%\spybot~1\excludes\ProcBlack.sbe
del %AppData%\spybot~1\excludes\ProcWhite.sbe
del %AppData%\spybot~1\excludes\RegKeyWhite.sbe
del %AppData%\spybot~1\excludes\RegKeyBlack.sbe
del %AppData%\spybot~1\excludes\UpdateDL.sbe
cls
Echo.
Echo Finished
exit



:winme
Echo.
Echo SpyBot and Tea Timer must be closed!!
pause
echo.Option Explicit>GetPaths.vbs
echo.>>GetPaths.vbs
echo Dim Shell>>GetPaths.vbs
echo Dim KeyPath>>GetPaths.vbs
echo Dim ObjFileSystem>>GetPaths.vbs
echo Dim ObjOutputFile>>GetPaths.vbs
echo Dim ObjRegExp>>GetPaths.vbs
echo Dim File>>GetPaths.vbs
echo Dim TmpVar>>GetPaths.vbs
echo Dim Var>>GetPaths.vbs
echo Dim Accent>>GetPaths.vbs

echo.>>GetPaths.vbs
echo KeyPath = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo File = "SetPaths.bat">>GetPaths.vbs
echo.>>GetPaths.vbs
echo Set Shell = WScript.CreateObject("WScript.Shell")>>GetPaths.vbs
echo Set ObjFileSystem = CreateObject("Scripting.fileSystemObject")>>GetPaths.vbs
echo Set ObjOutputFile = ObjFileSystem.CreateTextFile(File, TRUE)>>GetPaths.vbs
echo Set ObjRegExp = New RegExp>>GetPaths.vbs
echo.>>GetPaths.vbs

echo Function ShortFileName(Path)>>GetPaths.vbs
echo Dim f>>GetPaths.vbs
echo Set f = ObjFileSystem.GetFolder(Path)>>GetPaths.vbs
echo ShortFileName = f.ShortPath>>GetPaths.vbs
echo End Function>>GetPaths.vbs

echo Function Accents(Str)>>GetPaths.vbs
echo ObjRegExp.Pattern = "[^a-zA-Z_0-9\\: ]">>GetPaths.vbs
echo ObjRegExp.IgnoreCase = True>>GetPaths.vbs
echo ObjRegExp.Global = True>>GetPaths.vbs
echo Accents = ObjRegExp.Replace(Str, "?")>>GetPaths.vbs
echo End Function>>GetPaths.vbs
echo.>>GetPaths.vbs

echo TmpVar = Shell.RegRead (KeyPath & "AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set AppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo KeyPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\">>GetPaths.vbs
echo TmpVar = Shell.RegRead (KeyPath & "Common AppData")>>GetPaths.vbs
echo TmpVar = ShortFileName(TmpVar)>>GetPaths.vbs
echo Var = "Set CommonAppData=" & TmpVar>>GetPaths.vbs
echo ObjOutputFile.WriteLine(Var)>>GetPaths.vbs
echo ObjOutputFile.Close>>GetPaths.vbs
echo Set objFileSystem = Nothing>>GetPaths.vbs
echo Set Shell = Nothing>>GetPaths.vbs
echo Set ObjRegExp = nothing>>GetPaths.vbs
echo.>>GetPaths.vbs


cscript //I //nologo GetPaths.vbs
del GetPaths.vbs
Call SetPaths.bat
del SetPaths.bat


del /y %CommonAppData%\spybot~1\snapshots\*.*
del /y %CommonAppData%\spybot~1\snapshots2\*.*
del %CommonAppData%\spybot~1\excludes\UpdateDL.sbe
del %CommonAppData%\spybot~1\excludes\RegKeyWhite.sbe
del %CommonAppData%\spybot~1\excludes\RegKeyblack.sbe
del %CommonAppData%\spybot~1\excludes\ProcWhite.sbe
del %CommonAppData%\spybot~1\excludes\ProcBlack.sbe
del %CommonAppData%\spybot~1\logs\resident.log
cls
Echo.
Echo Finished
exit

:last
echo Press any key to exit,..
pause
exit

Nothing to download showed up. Please advise. Thanks very much. P.S. My machine is officially running like molasses.

#8 miekiemoes (Malware Response Team)

Posted 11 May 2008 - 02:26 AM

Hi,

Did you read this?

Download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)



#9 rd-man (Topic Starter)

Posted 12 May 2008 - 10:22 PM

Thanks very much for all your help. Everything seems to be back to normal. I downloaded the TeaTimer fix correctly and uninstalled the Stopzilla program, and things suddenly got much faster. I am contemplating uninstalling the Norton anti-virus/anti-spyware/firewall and going with one of the ones you listed on your prevention page. I'm assuming they work just as well (hopefully better...), and perhaps don't hog up as much CPU energy. Would I need to then download one of each of the virus scanner, spyware scanner, and firewall? Once again, I very much appreciate your help through this little experience. I will strive to be more careful in the future.

#10 miekiemoes (Malware Response Team)

Posted 13 May 2008 - 12:19 AM

Hi,

You already have Ad-Aware as your spyware scanner.

A good antivirus/firewall combination is Avira Antivirus together with the Comodo Firewall.
Both are free.

However, for Avira there's also a premium version, which is not free, but this one has more options and scans for spyware/adware as well.

#11 miekiemoes (Malware Response Team)

Posted 20 May 2008 - 01:05 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



