
Spyware and Adware has b*tchsmacked my laptop


This topic is locked
6 replies to this topic

#1 Coydog

New Member · 3 posts

Posted 12 November 2005 - 12:59 AM

Hi, my name is Dan, and I'm ready to chuck my laptop out the window because of recurring spyware. So far I've tried using PC Guard, WinAntiSpyware, WorldAntispyware, and last but not least XoftSpy, to the tune of about $110.00 in registration fees. I also have Symantec AntiVirus installed on my computer. I'm pretty sure my problem centers around this "oneclicksearch.com" bug that never seems to delete. Also Symantec and some of the anti-spyware programs have tried to delete a se.dll file that's located in my c:\documents and settings\local settings\temp folder with no luck. I tried to go to the file directly and just can it, but it says that it is write protected or being used by another program. I shut any open windows just in case but it still wouldn't let me do anything with it. I downloaded the newest HijackThis from your page and saved a log. Any help you could give me might save my sanity at this point.

Logfile of HijackThis v1.99.1
Scan saved at 1:33:53 AM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Generic\USB Card Reader Driver v2.2e\FlashIcon.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Documents and Settings\CoyDog\My Documents\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {11B1993D-D61B-46D3-8030-76CCD659016C} - C:\WINDOWS\system32\kead.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.2e\FlashIcon.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FNI.WAS5_0001_CP] "C:\Documents and Settings\CoyDog\Desktop\WinAntiSpyware2005Install.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130969172343
O18 - Filter: text/html - {96545D87-C212-4100-AB6C-242829EB7CA7} - C:\WINDOWS\system32\kead.dll
O18 - Filter: text/plain - {96545D87-C212-4100-AB6C-242829EB7CA7} - C:\WINDOWS\system32\kead.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe



#2 LDTate

Forum God · Root Admin · 57,180 posts

Posted 14 November 2005 - 08:36 PM

Hello Coydog, welcome to the forum. Sorry about the delay in responding :( If you still need help, scan again with HijackThis, and "copy/paste" a new log file into this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Coydog

New Member · 3 posts

Posted 14 November 2005 - 10:12 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:11:05 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Generic\USB Card Reader Driver v2.2e\FlashIcon.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Netscape\NETSCA~1\netscape.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Common Files\AOL\1126102289\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1126102289\ee\AOLServiceHost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\CoyDog\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {11B1993D-D61B-46D3-8030-76CCD659016C} - C:\WINDOWS\system32\kead.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.2e\FlashIcon.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FNI.WAS5_0001_CP] "C:\Documents and Settings\CoyDog\Desktop\WinAntiSpyware2005Install.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130969172343
O18 - Filter: text/html - {96545D87-C212-4100-AB6C-242829EB7CA7} - C:\WINDOWS\system32\kead.dll
O18 - Filter: text/plain - {96545D87-C212-4100-AB6C-242829EB7CA7} - C:\WINDOWS\system32\kead.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Thanks for trying to help me out with this

Dan

#4 LDTate

Forum God · Root Admin · 57,180 posts

Posted 15 November 2005 - 06:46 AM

Download CWShredder

If you are using anything other than Windows XP you may need a zip program.
Please download the evaluation version of WinZip.


Download SpSeHjfix.zip to the desktop. Then right click on the desktop and select New > Folder, name it spfix, and unzip SpSeHjfix.zip into the new folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say "system clean" and not go on to the next stage.

Once it is finished, run CWShredder - Hit The FIX button!

Reboot and post a new HJT log and the log that was created by 'SpSeHjfix'.

Warning Note: On a few occasions it has been reported that after using SpSeHjfix you cannot open Internet Explorer. To fix this, go into Control Panel > Internet Options > Programs and press "Reset Web Settings"; then you can set your home page to what you want on the General tab.



#5 Coydog

New Member · 3 posts

Posted 15 November 2005 - 07:15 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:56:24 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Generic\USB Card Reader Driver v2.2e\FlashIcon.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1126102289\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1126102289\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1126102289\ee\AOLServiceHost.exe
C:\Documents and Settings\CoyDog\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\Generic\USB Card Reader Driver v2.2e\FlashIcon.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FNI.WAS5_0001_CP] "C:\Documents and Settings\CoyDog\Desktop\WinAntiSpyware2005Install.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130969172343
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
(11/15/05 7:39:40 PM) SPSeHjFix started v1.1.2
(11/15/05 7:39:40 PM) OS: WinXP Service Pack 2 (5.1.2600)
(11/15/05 7:39:40 PM) Language: english
(11/15/05 7:39:40 PM) Win-Path: C:\WINDOWS
(11/15/05 7:39:40 PM) System-Path: C:\WINDOWS\system32
(11/15/05 7:39:40 PM) Temp-Path: C:\DOCUME~1\CoyDog\LOCALS~1\Temp\
(11/15/05 7:39:44 PM) Disinfection started
(11/15/05 7:39:44 PM) Bad-Dll(IEP): c:\docume~1\coydog\locals~1\temp\se.dll
(11/15/05 7:39:44 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\system32\kead.dll
(11/15/05 7:39:44 PM) Searchassistant Uninstaller - Keys Deleted
(11/15/05 7:39:44 PM) UBF: 7 - UBB: 0 - UBR: 10
(11/15/05 7:39:44 PM) FilterKey: HKCR\text/html (deleted)
(11/15/05 7:39:44 PM) FilterKey: HKCR\CLSID\{96545D87-C212-4100-AB6C-242829EB7CA7} (deleted)
(11/15/05 7:39:44 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(11/15/05 7:39:44 PM) FilterKey: HKCR\text/plain (deleted)
(11/15/05 7:39:44 PM) FilterKey: HKCR\CLSID\{96545D87-C212-4100-AB6C-242829EB7CA7} (error while deleting)
(11/15/05 7:39:44 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(11/15/05 7:39:44 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11B1993D-D61B-46D3-8030-76CCD659016C} (deleted)
(11/15/05 7:39:44 PM) BHO-Key: HKCR\CLSID\{11B1993D-D61B-46D3-8030-76CCD659016C} (deleted)
(11/15/05 7:39:44 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(11/15/05 7:39:44 PM) UBF: 5 - UBB: 0 - UBR: 9
(11/15/05 7:39:44 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\coydog\locals~1\temp\se.dll/space.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\coydog\locals~1\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(11/15/05 7:39:44 PM) Stealth-String not found
(11/15/05 7:39:44 PM) File added to delete: c:\windows\system32\kead.dll
(11/15/05 7:39:44 PM) File added to delete: c:\docume~1\coydog\locals~1\temp\se.dll
(11/15/05 7:39:44 PM) Reboot


(11/15/05 7:41:03 PM) SPSeHjFix started v1.1.2
(11/15/05 7:41:03 PM) OS: WinXP Service Pack 2 (5.1.2600)
(11/15/05 7:41:03 PM) Language: english
(11/15/05 7:41:03 PM) Win-Path: C:\WINDOWS
(11/15/05 7:41:03 PM) System-Path: C:\WINDOWS\system32
(11/15/05 7:41:03 PM) Temp-Path: C:\DOCUME~1\CoyDog\LOCALS~1\Temp\


(11/15/05 7:50:11 PM) SPSeHjFix started v1.1.2
(11/15/05 7:50:11 PM) OS: WinXP Service Pack 2 (5.1.2600)
(11/15/05 7:50:11 PM) Language: english
(11/15/05 7:50:11 PM) Win-Path: C:\WINDOWS
(11/15/05 7:50:11 PM) System-Path: C:\WINDOWS\system32
(11/15/05 7:50:11 PM) Temp-Path: C:\DOCUME~1\CoyDog\LOCALS~1\Temp\
(11/15/05 7:50:20 PM) Disinfection started
(11/15/05 7:50:20 PM) Bad-Dll(IEP): c:\docume~1\coydog\locals~1\temp\se.dll
(11/15/05 7:50:20 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\system32\kead.dll
(11/15/05 7:50:20 PM) Searchassistant Uninstaller - Keys Deleted
(11/15/05 7:50:20 PM) UBF: 5 - UBB: 0 - UBR: 11
(11/15/05 7:50:20 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(11/15/05 7:50:20 PM) UBF: 5 - UBB: 0 - UBR: 10
(11/15/05 7:50:20 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\coydog\locals~1\temp\se.dll/space.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\coydog\locals~1\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(11/15/05 7:50:20 PM) Stealth-String not found
(11/15/05 7:50:20 PM) File added to delete: c:\windows\system32\kead.dll
(11/15/05 7:50:20 PM) File added to delete: c:\docume~1\coydog\locals~1\temp\se.dll
(11/15/05 7:50:20 PM) Reboot


(11/15/05 7:51:18 PM) SPSeHjFix started v1.1.2
(11/15/05 7:51:18 PM) OS: WinXP Service Pack 2 (5.1.2600)
(11/15/05 7:51:18 PM) Language: english
(11/15/05 7:51:18 PM) Win-Path: C:\WINDOWS
(11/15/05 7:51:18 PM) System-Path: C:\WINDOWS\system32
(11/15/05 7:51:18 PM) Temp-Path: C:\DOCUME~1\CoyDog\LOCALS~1\Temp\
(11/15/05 7:51:57 PM) Disinfection started
(11/15/05 7:51:57 PM) Bad-Dll(IEP): (not found)
(11/15/05 7:51:57 PM) Bad-Dll(IEP) in BHO: (not found)
(11/15/05 7:51:57 PM) UBF: 5 - UBB: 0 - UBR: 10
(11/15/05 7:51:57 PM) UBF: 5 - UBB: 0 - UBR: 10
(11/15/05 7:51:57 PM) Bad IE-pages: (none)
(11/15/05 7:51:57 PM) Stealth-String not found
(11/15/05 7:51:57 PM) Not infected->END

Wow, that's a ton of text! Well, cross-fingers, I'm pretty sure I ran those two programs correctly, and I think they got rid of that dll file. And, yup, IE is working just fine!!! Oh man, thank you so much, is there anything else I should do (run a spyware program or such)? If not, thanks again for the help with my first, and hopefully last, virus.....

#6 LDTate

Forum God · Root Admin · 57,180 posts

Posted 15 November 2005 - 07:22 PM

I suggest you do this:


Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

WorldAntiSpy is a "rogue" spyware remover, installed as part of this scam.

Use Add/Remove Programs and remove, if listed:
WorldAntiSpy



Run HijackThis. Hit "None of the above", then click "Do a system scan only". Put a check in the box on the left side of these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O4 - HKLM\..\Run: [FNI.WAS5_0001_CP] "C:\Documents and Settings\CoyDog\Desktop\WinAntiSpyware2005Install.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe


Close ALL windows and browsers except HijackThis and click "Fix checked"



Restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.


Delete these folders if listed:
C:\Program Files\WorldAntiSpy

Open C:\Windows\Prefetch\ and delete ALL files in this folder.

Do this also if these Temp folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


Next navigate to the C:\Documents and Settings\(EVERY LISTED PROFILE USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

Edited by LDTate, 15 November 2005 - 07:23 PM.
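As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage that applies the rules LDTate used on the logs above: R0/R1 pages served out of a Temp-folder DLL, O18 MIME filters, the unnamed O2 BHO sharing that filter DLL, the O4 rundll32 re-installer, and the rogue anti-spyware autostarts named in this post. The sample log is a subset of lines copied from the logs in this thread; the rogue-product list and the rule wording are mine.

```python
import re
from dataclasses import dataclass

# Subset of the HijackThis log lines posted in this thread (constructed sample input).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {11B1993D-D61B-46D3-8030-76CCD659016C} - C:\WINDOWS\system32\kead.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [FNI.WAS5_0001_CP] "C:\Documents and Settings\CoyDog\Desktop\WinAntiSpyware2005Install.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\CoyDog\LOCALS~1\Temp\se.dll,DllInstall
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O18 - Filter: text/html - {96545D87-C212-4100-AB6C-242829EB7CA7} - C:\WINDOWS\system32\kead.dll
O18 - Filter: text/plain - {96545D87-C212-4100-AB6C-242829EB7CA7} - C:\WINDOWS\system32\kead.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# A user's Temp folder, in 8.3 or long form (case-insensitive).
TEMP_RE = re.compile(r"\\(locals~1|local settings)\\temp\\", re.I)
# Rogue anti-spyware products named in this thread; a real list would be far longer.
ROGUE_PRODUCTS = ("worldantispy", "winantispyware")
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O18"
    reason: str    # why the entry is suspicious
    entry: str     # the log line's body, i.e. what goes on the "Fix checked" list


def parse_entries(log_text):
    """Return (section, body) pairs for every well-formed HijackThis line."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def last_path(body):
    """The trailing ' - path' component of an O2/O18 entry, lower-cased."""
    return body.rsplit(" - ", 1)[-1].strip().lower()


def triage(log_text):
    """Flag the entry patterns that made up this thread's infection."""
    entries = parse_entries(log_text)
    findings = []
    # Pass 1: DLLs registered as MIME filters. A BHO backed by one of them is
    # part of the same hijack, which is how kead.dll showed up twice above.
    filter_dlls = {last_path(b) for s, b in entries
                   if s == "O18" and b.lower().startswith("filter:")}
    # Pass 2: rule checks per entry.
    for sec, body in entries:
        low = body.lower()
        if sec in ("R0", "R1") and "res://" in low and TEMP_RE.search(low):
            findings.append(Finding(sec, "IE search/start page served out of a DLL in a Temp folder", body))
        elif sec == "O18" and low.startswith("filter:") and ("text/html" in low or "text/plain" in low):
            findings.append(Finding(sec, "MIME filter lets a DLL rewrite every HTML/text page IE loads", body))
        elif sec == "O2" and "(no name)" in low and last_path(body) in filter_dlls:
            findings.append(Finding(sec, "unnamed BHO backed by the same DLL as the MIME filter", body))
        elif sec == "O4" and "rundll32" in low and TEMP_RE.search(low):
            findings.append(Finding(sec, "Run key re-installs a Temp DLL via rundll32 at every logon", body))
        elif sec == "O4" and any(name in low for name in ROGUE_PRODUCTS):
            findings.append(Finding(sec, "autostart for a rogue anti-spyware product", body))
    return findings


def count_by_section(findings):
    """Number of flagged entries per HijackThis section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Legitimate entries (the Symantec service, vptray, about:blank pages on their own) pass through unflagged, which is the point: the log is mostly noise and the hijack is four or five lines that reference each other.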



#7 LDTate

Forum God · Root Admin · 57,180 posts

Posted 27 November 2005 - 08:59 AM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
