oK problem!?



#1 efect^

Posted 29 May 2004 - 10:06 PM

I'm usually not a computer newbie.. I rarely have ever gotten spyware/virus.. but this is making me very mad.. I have scanned my computer with Search and Destroy.. Spyware Sweeper.. and I have purchased BPS spyware remover.. I can find these programs .. I find their location, delete with Shredder in SD ... I don't get any pop ups or anything after I remove them.. then I'll get one and then the programs are back.. neither of my programs can detect the main file which is installing all the others again... it seems to be twain.dll twain media etc .. at first it had Tv media and some crap but all gone.. only traces I can find are twain.dll..

I always get cfwaz.exe in my process menu.. and sometimes found in system32.. I safe shred, gone .. then both of them come back.. I'm going insane people

I had freaking pop ups... how can I find this main file... I think it has to do with something tabi3 .. tabi tabi32.dll ... they are not found under last working run setup or whatever (the backup) there is a bunch of them..

please I need help! :angry:

if more information is needed on what I find I can post

#2 Kevin_b_er

Posted 29 May 2004 - 10:35 PM

I'm very, very sorry you got scammed into BPS spyware remover, those scumbags took the Spybot Search and Destroy detection database and claimed it as their own, then started selling it! SpyBot: S&D is free.

As of today, the best solution to spyware is the free community of websites and forums of which spywareinfo.com is a part, as well as 2 well-known programs, Ad-Aware and Spybot: Search and Destroy. It's not some scam company claiming $30-$50 will get rid of your spyware problems.

If you'd care to download HijackThis and make a log for here (you can reply to this topic with it), we'd be glad to assist you in finding the causes and eliminating them. And we do it for free. (Though if you'd care to donate to the site, that'd be great too, but let's look at your log first)

Here's a link to get hijackthis:
http://www.tomcoyote.com/hjt/


Why BPS Spyware Removal is scamware:
http://www.spywarein...feb-2003/13.php
http://www.lavasofts...t=ST&f=1&t=3912
http://www.wildersse...read.php?t=7221
http://www.safer-net...tail=2003-02-12

#3 efect^

Posted 30 May 2004 - 12:10 AM

Logfile of HijackThis v1.97.7
Scan saved at 10:11:06 PM, on 5/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scotts Box\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [uhkknbqygxmqp] C:\WINDOWS\System32\cfzwaz.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKLM\..\RunOnce: [9xa64b0.exe] C:\WINDOWS\System32\9xa64b0.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8039.7467592593
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab



there

#4 efect^

Posted 30 May 2004 - 12:29 AM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-
O4 - HKLM\..\Run: [uhkknbqygxmqp] C:\WINDOWS\System32\cfzwaz.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -

I can tell all of those are spyware.. so is it safe to just delete

#5 efect^

Posted 30 May 2004 - 02:31 AM

ok, I have found out it, whatever it is, installs another .exe file when I delete a new one... they come with random names under system32 folder.. I need to find what's creating them.. because this is what is causing the pop ups.. when I don't have one in system32 I don't get any.. but 15 minutes later it generates another

#6 efect^

Posted 30 May 2004 - 02:48 AM

http://www.uploader....ges/img_grr.JPG


someone else seems to have the same problem .. I did what they said to do .. and it did nothing

#7 WinHelp2002

Posted 30 May 2004 - 09:06 AM

Hi,
Important! Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate and delete the following:

C:\WINDOWS\system32\regsvrac32.dll
C:\WINDOWS\System32\cfzwaz.exe
C:\WINDOWS\alchem.exe
C:\WINDOWS\System32\9xa64b0.exe

While still in Safe Mode:
Close all open windows, rescan with HijackThis and "Fix checked" the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\system32\regsvrac32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [uhkknbqygxmqp] C:\WINDOWS\System32\cfzwaz.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\RunOnce: [9xa64b0.exe] C:\WINDOWS\System32\9xa64b0.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Restart normally and then ...

Disabling System Restore
http://vil.nai.com/v...eSysRestore.htm

How To: Scan for unwanted programs
http://vil.nai.com/v...valInstructions

After the above post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
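
A triage pass over the kind of HijackThis log posted in this thread, as an added example that is not part of any poster's reply: it groups entries by section code and lists orphaned O2/O3 entries plus O4 autoruns whose executable sits directly in C:\WINDOWS or System32. The path rule and the function names are assumptions made for illustration; the result narrows what to review and does not decide what is malware.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the log posted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [uhkknbqygxmqp] C:\WINDOWS\System32\cfzwaz.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [9xa64b0.exe] C:\WINDOWS\System32\9xa64b0.exe
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 body: <hive>\..\<Run key>: [value name] command line
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Assumed triage rule: an .exe directly in C:\WINDOWS or System32, no subfolder.
IN_WINDIR = re.compile(r'^"?C:\\WINDOWS\\(System32\\)?[^\\ ]+\.exe', re.I)


def parse_log(text):
    """Group HijackThis entries by their section code (R0, O2, O4, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def triage(text):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    sections = parse_log(text)
    findings = []
    for code in ("O2", "O3"):  # BHOs and toolbars whose file is gone
        for body in sections[code]:
            if body.endswith(("(file missing)", "(no file)")):
                findings.append((code, "orphaned", body))
    for body in sections["O4"]:  # Run / RunOnce autostart values
        m = AUTORUN.match(body)
        if m and IN_WINDIR.match(m.group(4)):
            findings.append(("O4", "autorun-in-windir", m.group(3)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
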