
Spyware Help!


vman


Hi mikki,

 

First of all, it is better to update to XP SP3.

 

Fix the following.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp

 

Fix the following and install the latest Java 1.6.0_17. Download and run JavaRa to clean the clutter of old java software.

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

 

 

Check if the following is shown in your next start up, and delete if it is there.

O4 - HKLM\..\Run: [CheckPoint Cleanup] C:\DOCUME~1\Administrator.YOUR-4F1261A8E5.001\Local Settings\Temp\cpes_clean_launcher.exe C:\DOCUME~1\Administrator.YOUR-4F1261A8E5.001\Local Settings\Temp\cpes_clean.exe

 

The following are said to be safe by users, but sharing files with P2P links is not safe at all. I would fix them if I were you.

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

 

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

 

I would also use an Anti Virus program instead of Spyware Doctor.

 

BTW, your HijackThis software is old, either use v2.02 or Beta 2.03 of HijackThis, which are available on the web.

 

 

Cheers.


Hi mikki, welcome to Iobit forum!

 

Please follow Enoskype's suggestions. Your system is pretty lean :-P.

 

Consider replacing or augmenting the spyware doctor with Superantispyware... it has a higher detection rate and is easy to use. You can find it here: http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html

 

There are many, many choices for antivirus, as Enoskype suggests; you should be running at least one. Avira, Avast, and AVG are just a few good ones that are free. Each has advantages and drawbacks. AVG can be pretty "heavy" on your system (while scanning especially). Until you evaluate the options out there, I would install and run Avira in the meantime for protection right now. You can find it here: http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html

 

Hope you are having a happy holiday season!!


@Enoskype can you help read my logs? Though I can read some of it, I think it's pretty clean, but Combofix detected and quarantined some nasty stuff. I'll post the full Combofix logs later.

 

Combofix Deletion

 

c:\windows\system32\w32apiw.dll (0 bytes, thus cannot be uploaded to Virustotal)

c:\windows\system32\win32.dll (uploaded to Virustotal and detected 0/41 result)

 

And win32.dll basically is this virus? http://www.avast.com/eng/win32mtx.html

Can anyone clarify on w32apiw.dll? I googled but found not much info.

 

-------------------------------------------

 

Scan saved at 12:44:15 AM, on 12/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\RunOnce: [Ad-Watch Live!] //~c:\program files\lavasoft\ad-aware\ad-aware.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

--

End of file - 3739 bytes


This seems to be fairly lean as far as I know usefullll.

 

I would fix the following.

 

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)

 

 

Although c:\windows\system32\win32.dll is an MS file, it is not a native XP file.

If you have not created it with C++, it must have come with an installed program, I think.

 

The filename W32APIW.DLL was seen on 06.17.2009, and it is considered unsafe.

Threat name: Win32.X

Filename: c:\windows\system32\w32apiw.dll

Filesize: Unknown. Last seen 06.17.2009

Status: Known to be unsafe.

.

This file can perform the following behavior:

- Usually created by an unsafe process.

- Registered as a Dynamic Link Library File.

- Usually has a random filename and refers to many versions of a dynamic link library.

- Can be injected/attached to the legitimate Windows process such as explorer.exe or other.

 

Also, please use the following to see if it catches anything concerning that file.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

 

Cheers.
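The checks the helpers in this thread applied by eye (entries marked "(no file)" or "(file missing)", autoruns launched from a Temp folder, services with an unknown owner) can be scripted. This is an added example, not part of the original posts or of HijackThis; the `triage` function and its three rules are illustrative assumptions, and the sample lines are copied from the logs posted in this thread.

```python
import re

# Sample entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [CheckPoint Cleanup] C:\DOCUME~1\Administrator.YOUR-4F1261A8E5.001\Local Settings\Temp\cpes_clean_launcher.exe C:\DOCUME~1\Administrator.YOUR-4F1261A8E5.001\Local Settings\Temp\cpes_clean.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A log entry starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# HijackThis appends one of these markers when the referenced file is absent.
MISSING = re.compile(r"\((?:no file|file missing)\)\s*$", re.I)
# Illustrative rule (assumption): any path component named Temp or Tmp.
TEMP_DIR = re.compile(r"\\(?:Temp|Tmp)\\", re.I)


def triage(log_text):
    """Return (section, reasons, entry) for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list, or blank line
        section, body = m.groups()
        reasons = []
        if MISSING.search(body):
            reasons.append("target file missing")
        if section == "O4" and TEMP_DIR.search(body):
            reasons.append("autorun from Temp directory")
        if section == "O23" and " - Unknown owner - " in body:
            reasons.append("service with unknown owner")
        if reasons:
            findings.append((section, reasons, body))
    return findings


if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE_LOG):
        print(f"[{section}] {', '.join(reasons)}: {body[:70]}")
```

A hit only marks an entry for a closer look; the orphaned Java Quick Starter service above, for instance, is leftover clutter from an old Java install.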


How about reformatting? So is WIN32.DLL considered safe? And also...

 

So what kind of infection is W32APIW.DLL? I mean, a keylogger or something?

Note: W32APIW.DLL is 0 bytes, thus cannot be uploaded to Virustotal.

 


I went for a second scan with Combofix and only W32APIW.DLL was found and not WIN32.DLL? :-(

 

 

ComboFix 09-12-24.02 - Owner 12/27/2009 23:33:11.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1661 [GMT 8:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1368 [VPS 091227-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\w32apiw.dll


  • 2 months later...
If you're infected with malware, and need help cleaning it, proceed with the following steps:

 

Hijack this:

http://dw.com.com/redir?edId=3&siteId=4&oId=3000-8022_4-10227353&ontId=8022_4&spi=e3cba69fdc32b4649a3d11b576fb9945&lop=link&tag=tdw_dltext&ltype=dl_dlnow&pid=10781312&mfgId=6283336&merId=6283336&pguid=8dN3XgoPjAIAADksgz0AAAAL&destUrl=http%3A%2F%2Fwww.download.com%2F3001-8022_4-10227353.html%3Fspi%3De3cba69fdc32b4649a3d11b576fb9945

 

 

Upon installation, scan and save log file, and post it up on this forum.

 

Wait for further instructions.

 

 

 

 

 

 

 

*By accepting help from the users on this forum, you accept full responsibility for damages*

 

 

 

 

Hello vman

 

 

How to remove cpes_clean_launcher.exe and cpes_clean.exe from your computer.

 

First, use Windows Explorer’s Search Function to find all locations of cpes_clean_launcher.exe and cpes_clean.exe.

 

Second, use Windows Explorer to delete cpes_clean_launcher.exe and cpes_clean.exe from all locations found and displayed in the Search Results.

 

Third, turn Off the AC Power to the computer for one minute, then turn On the AC Power to the computer and wait for the computer to reboot.

 

Fourth, confirm that the problem has been removed from the computer and things should function correctly.

 

From King

 

This is what I did to remove that problem from my computer.


Archived

This topic is now archived and is closed to further replies.

