Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spylocked Got Me


  • Please log in to reply
7 replies to this topic

#1 TexasAngel67

TexasAngel67

    Bleeping Helper


  • Members
  • 1,551 posts
  • OFFLINE
  •  
  • Location:Fort Worth
  • Local time:08:34 AM

Posted 06 April 2007 - 08:05 PM

I don't even know who was on the computer last but the Spylocked infection is on my system. I tried SmitFraudFix but that doesn't work on Win98 or WinME. So what is the fix for this horrible infection that primarily attacks Win2000 and WinXP? Please help with instructions. Thanks.

BC AdBot (Login to Remove)

 


#2 chapo

chapo

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 06 April 2007 - 08:38 PM

Did you try smithfraudfix in safe mode, also try rougescanfix it is a similar program.

#3 chapo

chapo

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 06 April 2007 - 08:41 PM

Also this may explain things go to this link to learn more about that false program http://www.bleepingcomputer.com/forums/t/85376/how-to-remove-spylocked-and-spywarelocked-removal-instructions/

#4 TexasAngel67

TexasAngel67

    Bleeping Helper

  • Topic Starter

  • Members
  • 1,551 posts
  • OFFLINE
  •  
  • Location:Fort Worth
  • Local time:08:34 AM

Posted 06 April 2007 - 08:54 PM

Thanks. I already know about the false program and, yes, I did try SmitFraudFix in Safe Mode but it doesn't matter what mode I use it in because it doesn't work with WinME.

EDIT:

FWIW, the HijackThis entry for Spylocked is showing like this:

O21 - SSODL: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\SYSTEM\qzviz.dll

Edited by TexasAngel67, 06 April 2007 - 08:58 PM.


#5 Master5270

Master5270

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where am I?
  • Local time:07:34 AM

Posted 06 April 2007 - 09:45 PM

Reboot in Normal Mode.

THan
* Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Under Browsing History, click "Delete".
* Click "Delete Files", "Delete cookies" and "Delete history"
* Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu..
* Click the Clear now button below.. A new window will popup what to clear.
* Select all and click the Clear button again.
* Click OK to close the Options window

* Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

If that does not clear up matters than please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

After you have run the cleanmanager, prior to go over the steps for HiJacktThis please post back how this computer is running now

#6 Master5270

Master5270

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where am I?
  • Local time:07:34 AM

Posted 06 April 2007 - 09:47 PM

Sorry for the double post :thumbsup:

Please read this first before my other one...
Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Udates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in
SAFE MODE




#7 TexasAngel67

TexasAngel67

    Bleeping Helper

  • Topic Starter

  • Members
  • 1,551 posts
  • OFFLINE
  •  
  • Location:Fort Worth
  • Local time:08:34 AM

Posted 06 April 2007 - 11:13 PM

OMG! How humiliating! Here are the results of the scan...

SUPERAntiSpyware Scan Log
Generated 04/06/2007 at 11:02 PM

Application Version : 3.6.1000

Core Rules Database Version : 3215
Trace Rules Database Version: 1225

Scan type : Complete Scan
Total Scan Time : 00:44:36

Memory items scanned : 176
Memory threats detected : 1
Registry items scanned : 3116
Registry threats detected : 34
File items scanned : 29682
File threats detected : 309

Trojan.Smitfraud Variant
C:\WINDOWS\SYSTEM\QZVIZ.DLL
C:\WINDOWS\SYSTEM\QZVIZ.DLL
HKLM\Software\Classes\CLSID\{bd0fc212-0a36-4232-83cc-2063fb9282e0}
HKCR\CLSID\{BD0FC212-0A36-4232-83CC-2063FB9282E0}
HKCR\CLSID\{BD0FC212-0A36-4232-83CC-2063FB9282E0}\InProcServer32
HKCR\CLSID\{BD0FC212-0A36-4232-83CC-2063FB9282E0}\InProcServer32#ThreadingModel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#curdler

Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https

(EDITED TO DELETE NASTY ADWARE)

Trojan.Media-Codec
HKCR\VideoAXObject.Chl
HKCR\VideoAXObject.Chl\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayVersion
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\UNINST.EXE

Malware.SpyLocked
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#UninstallString
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#uZsxugktAfPz
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#tiuwqdVtBIWb
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#Yexclxc
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#emJg
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#pmcmUx
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#zryBhpqWglcA
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\InprocServer32

Trojan.WinLog/System
C:\WINDOWS\SYSTEM\WINLOG.EXE

Trojan.DollarRevenue
C:\WINDOWS\SYSTEM\DR.EXE
C:\DR.EXE

Trojan.ZenoSearch
C:\WINDOWS\SYSTEM\LWINKRAG.EXE
C:\WINDOWS\SYSTEM\QJDSREGO.EXE
C:\BACKUPS\BACKUP-20060408-122855-412-ZENO.LNK

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM\W004B21B.DLL
C:\AC2_0003.EXE

Trojan.Unknown Origin
C:\WINDOWS\TEMPF.TXT

Trojan.Downloader-Gen/Win
C:\WINDOWS\0250.EXE

Trojan.NewDotNet
C:\WINDOWS\NDNUNINSTALL7_22.EXE
C:\BACKUPS\BACKUP-20060408-122854-241.DLL
C:\NNSCAA638.EXE

Adware.SysMon
C:\VISFX500.EXE

*********************************************************

You said to then scan in Safe Mode. Did you mean to rescan using this program the same way but in Safe Mode? Just wanted to be sure. I will follow the remaining directions as you've stated afterwards. Thanks for your help. I'm truly grateful.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

EDIT:
Nevermind, Master, the system is totally clean now. THANK YOU SO VERY MUCH! It's all entirely gone!

Edited by TexasAngel67, 06 April 2007 - 11:29 PM.


#8 Master5270

Master5270

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where am I?
  • Local time:07:34 AM

Posted 08 April 2007 - 12:02 AM

Your Welcome for the help :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users