Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spylocked


  • This topic is locked This topic is locked
76 replies to this topic

#1 spunkyplyr7

spunkyplyr7

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 22 May 2007 - 09:07 PM

This weekend we received a popup saying that I needed to update some video codec thing (the kids have all kinds of stuff on the computer that I don't quite get) so I installed it...then I got a yellow shield with a flashing exclamation point and alerts that looked like microsoft alerts stating that I was infected with spylocked and had to "click here" to get rid of it. I clicked and the next thing I know all these crazy popups started happening saying that I had been infected with a WIN32 trojan and all kinds of problems. I thought this was a little extreme since I have the mcafee anti-virus/firewall suite. Anyway....I did a little research and found out that I had probably been infected with something called spylocked. I spent a lot of time last night trying everything I could think of to get rid of it and get the popups to stop and then found this site. (Spyhunter just wants you to purchase their software to get rid of it and so does just about everyone else...including that panda antivirus link that is on your directions on how to clean up your computer before posting the hijack this log help message.) I tried to do all the steps in order and got frustrated because nothing was finding anything. So I restored (thinking like a crazy woman) that this would solve my problem...it was late what can I say...anyhow...when I restored to last Friday the yellow icon and the popups disappeared...but I was back to a different problem I was having prior to the spylock thing. So I undid the restore. The spylocked icons and popups didn't come back. I also uninstalled realplayer while I was cleaning up the hard drive. After restarting numerous times I went back to your main site and tried to click on the ad-aware se link and my internet connection completely shut down. I started everything back up and tried it again only to have everything blink off again. There are some things that when I try to click on the links to them it just won't let me - it just blinks off. When I go to the taskmanager screen it's not even running anymore. I'm not sure what I did...but hopefully you can help. Listed below is my hijack this log...will you please take a look and tell me if it's ok or if I just messed things up more...do you know what the file C:\WINDOWS\system32\ezSP_Px.exe is? Thanks for your time and patience!

Logfile of HijackThis v1.99.1
Scan saved at 6:45:37 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176173946281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...06bc5dfc78ec69e
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: pushow9.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 PM

Posted 22 May 2007 - 09:37 PM

Hello spunkyplyr7,

do you know what the file C:\WINDOWS\system32\ezSP_Px.exe is?

Yes, ezsp_px.exe is a process which belongs to Easy Systems utilities.


You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\SYSTEM32\pushow9.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to couple of hours to reply.
You can copy/paste the results of scan results here.

********************

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by SifuMike, 22 May 2007 - 09:56 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 spunkyplyr7

spunkyplyr7
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 22 May 2007 - 10:03 PM

Hi SifuMike!

Thank you soooo much for your help. I'm already having issues though...I hate being stupid/ignorant. When I tried to click on the smitfraudfix.exe I was able to save it to my desktop; however, when I try to run it there is an error message that comes up and shuts me down. The error message states "Windows cannot find 'C:\WINDOWS\System32\cmd.exe2'. Make sure you typed the name correctly then try again. To search for a file, click the start button, then click search."
What does this mean?

I'm going to try and do the next thing you told me about showing the hidden files...

Hello spunkyplyr7,

do you know what the file C:\WINDOWS\system32\ezSP_Px.exe is?

Yes, ezsp_px.exe is a process which belongs to Easy Systems utilities.


You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\SYSTEM32\pushow9.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to couple of hours to reply.
You can copy/paste the results of scan results here.

********************

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 PM

Posted 22 May 2007 - 10:11 PM

You dont need to quote my entire post, as I can refer to it by scrolling up. :thumbsup:


To see the hidden files
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

then run virus total and post the log it produces.


Are you sure you allowed SmitfruadFix to run?
Read the note I have attached at the bottom. Some of the antivirus programs will try to prevent it from running, as they think it is malware.

Edited by SifuMike, 22 May 2007 - 10:13 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 spunkyplyr7

spunkyplyr7
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 22 May 2007 - 10:13 PM

There is no C:\WINDOWS\SYSTEM32\pushow9.dll - what do I do next?


Hi SifuMike!

Thank you soooo much for your help. I'm already having issues though...I hate being stupid/ignorant. When I tried to click on the smitfraudfix.exe I was able to save it to my desktop; however, when I try to run it there is an error message that comes up and shuts me down. The error message states "Windows cannot find 'C:\WINDOWS\System32\cmd.exe2'. Make sure you typed the name correctly then try again. To search for a file, click the start button, then click search."
What does this mean?

I'm going to try and do the next thing you told me about showing the hidden files...

Hello spunkyplyr7,

do you know what the file C:\WINDOWS\system32\ezSP_Px.exe is?

Yes, ezsp_px.exe is a process which belongs to Easy Systems utilities.


You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\SYSTEM32\pushow9.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to couple of hours to reply.
You can copy/paste the results of scan results here.

********************

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 PM

Posted 22 May 2007 - 10:16 PM

Please dont quote the entire post. :thumbsup: I uses up too much space and is unnecessary.

Did you set you files to see hidden and protected files?
If so then do a file search for it.

Edited by SifuMike, 22 May 2007 - 10:22 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 spunkyplyr7

spunkyplyr7
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 22 May 2007 - 10:29 PM

Dear SifuMike,

I don't know what I'm doing wrong...but there doesn't appear to be a pushow9.dll. I do know that the file exists or at least existed at one point because I remember seeing it and trying to find out information about it. I don't know what to do next. Should I disable my mcafee in order to run the mitfraud.exe? There wasn't anything attached at the bottom of your last message unless you were talking about the process.exe information.

There is no C:\WINDOWS\SYSTEM32\pushow9.dll - what do I do next?


Hi SifuMike!

Thank you soooo much for your help. I'm already having issues though...I hate being stupid/ignorant. When I tried to click on the smitfraudfix.exe I was able to save it to my desktop; however, when I try to run it there is an error message that comes up and shuts me down. The error message states "Windows cannot find 'C:\WINDOWS\System32\cmd.exe2'. Make sure you typed the name correctly then try again. To search for a file, click the start button, then click search."
What does this mean?

I'm going to try and do the next thing you told me about showing the hidden files...

Hello spunkyplyr7,

do you know what the file C:\WINDOWS\system32\ezSP_Px.exe is?

Yes, ezsp_px.exe is a process which belongs to Easy Systems utilities.


You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\SYSTEM32\pushow9.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to couple of hours to reply.
You can copy/paste the results of scan results here.

********************

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



Dear SifuMike,

I don't know what I'm doing wrong...but there doesn't appear to be a pushow9.dll. I do know that the file exists or at least existed at one point because I remember seeing it and trying to find out information about it. I don't know what to do next. Should I disable my mcafee in order to run the mitfraud.exe? There wasn't anything attached at the bottom of your last message unless you were talking about the process.exe information.

There is no C:\WINDOWS\SYSTEM32\pushow9.dll - what do I do next?


Hi SifuMike!

Thank you soooo much for your help. I'm already having issues though...I hate being stupid/ignorant. When I tried to click on the smitfraudfix.exe I was able to save it to my desktop; however, when I try to run it there is an error message that comes up and shuts me down. The error message states "Windows cannot find 'C:\WINDOWS\System32\cmd.exe2'. Make sure you typed the name correctly then try again. To search for a file, click the start button, then click search."
What does this mean?

I'm going to try and do the next thing you told me about showing the hidden files...

Hello spunkyplyr7,

do you know what the file C:\WINDOWS\system32\ezSP_Px.exe is?

Yes, ezsp_px.exe is a process which belongs to Easy Systems utilities.


You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\SYSTEM32\pushow9.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to couple of hours to reply.
You can copy/paste the results of scan results here.

********************

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#8 spunkyplyr7

spunkyplyr7
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 22 May 2007 - 10:31 PM

Dear SifuMike,

I'm sorry - didn't realize I was sending all to you - just thought you'd get the last thing I said.

Spunkyplyr7

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 PM

Posted 22 May 2007 - 10:43 PM

Hi spunkyplyr7,

Should I disable my mcafee in order to run the mitfraud.exe?



Yes, disable McAfee antivirus, but only while you run SmitfraudFix with the 1 option.
When SmitfraudFix finishes, then enable it.

Then post the SmitfruadFix log.

Edited by SifuMike, 22 May 2007 - 10:50 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 spunkyplyr7

spunkyplyr7
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 22 May 2007 - 10:56 PM

It won't let me do anything. I disabled my whole mcafee suite - antivirus, web protection, firewall - everything. Then I tried to download and run it, run it from the link. It keeps coming back with that message about not finding c:\WINDOWS\system32\cmd.exe2

Any ideas?

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 PM

Posted 22 May 2007 - 11:04 PM

Hi spunkyplyr7,

It keeps coming back with that message about not finding c:\WINDOWS\system32\cmd.exe2


Are you sure you have the file name correct? It does not look like any file I have seen before. :thumbsup:
Are you sure it is not c:\WINDOWS\system32\cmd.exe? (no 2 on the end of the exe)?

When does it appear?

***********************


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Edited by SifuMike, 22 May 2007 - 11:13 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 spunkyplyr7

spunkyplyr7
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 22 May 2007 - 11:20 PM

I clicked on that file and saved combofix.exe to my desktop. When I double click on it - nothing happens. No window opens up asking me what I want to do - it's just like when I tried to download ad-aware se...I click and it does nothing. I'm ready to bang my head on my keyboard. I went to internet explorer options and found and unchecked the enable script debugging thinking that might do something - but it didn't do anything. :thumbsup:

I wasn't sure if you were still there - or called it a night. I didn't realize how late it was.

#13 spunkyplyr7

spunkyplyr7
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 22 May 2007 - 11:22 PM

About your question....
Are you sure you have the file name correct? It does not look like any file I have seen before.
Are you sure it is not c:\WINDOWS\system32\cmd.exe? (no 2 on the end of the exe)?

Yep I'm sure there's a 2 at the end of .exe - this isn't a good thing is it?

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:24 PM

Posted 22 May 2007 - 11:25 PM

Hi spunkyplyr7,

Sounds like you have major problems if you cannot even run ComboFix or Ad-aware. :thumbsup:
If we cant run the malware removal tools then you are out of luck.

Lets try this:

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...06bc5dfc78ec69e
O20 - AppInit_DLLs: pushow9.dll




*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.
Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)


C:\WINDOWS\ALCXMNTR.EXE <==file


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot to the Normal Mode , post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 spunkyplyr7

spunkyplyr7
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 22 May 2007 - 11:38 PM

Here I go...wish me luck. :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users