In many of the infected computers I've dealt with, programs like "Video Access ActiveX Object" show up in the Control Panel and are the initial infection that starts the whole issue. When scanned with an up-to-date virus scanner, most of these programs are detected as trojans such as Troj.Zlob.AN, which was part of the original SpyAxe trojan attack a couple of years ago. In the case of Spylocked, I found two programs in the Add/Remove Programs Control Panel that appeared after the infection: one called "Video Access ActiveX Object 2.07" and the other called "Windows Safety Alert", both shown below. Soon after these programs were installed, the system tray popups started, and then Spylocked downloaded itself and began "scanning" the system.

The HijackThis log below shows the state of the machine. The problem entries are the SpywareLocked 3.3 process and its Run entry, the BHO pointing at the Video Access ActiveX Object's isadd.dll, and the suspicious HKLM Run entry with a random hexadecimal name and no path. You'll notice this system allowed Spylocked to load even though it had the latest version of AVG Antivirus and Symantec AntiVirus running at the time, along with Spybot Search and Destroy. I don't recommend running two antivirus programs simultaneously because they will often conflict; in this case neither alerted the user to the presence of this attack.
Logfile of HijackThis v1.99.1
Scan saved at 4:06:24 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareLocked 3.3\Spy-Locked.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\michelle\Application Data\U3\0000060420057146\LaunchPad.exe
C:\Documents and Settings\michelle\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uci.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [66676A6C666B6969] D7D8DBDDD7DCDA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SpywareLocked 3.3] "C:\Program Files\SpywareLocked 3.3\Spy-Locked.exe" /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: forms.orefonline.com
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - https://forms.orefonline.com/OLF/Runtime/FormLoader_OREF.CAB
O16 - DPF: {CE837F87-F828-492E-91A6-9A24E529DBC2} (WinMedia.Updater) - http://microsoft.viewlicense.com/License/Distro/WinMedia_Updater.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

SmitFraudFix Results v2.164
Scan done at 17:09:17.23, Wed 04/04/2007
Run from C:\Documents and Settings\michelle\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{bd0fc212-0a36-4232-83cc-2063fb9282e0}"="curdler"

[HKEY_CLASSES_ROOT\CLSID\{bd0fc212-0a36-4232-83cc-2063fb9282e0}\InProcServer32]
@="C:\WINDOWS\system32\qzviz.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{bd0fc212-0a36-4232-83cc-2063fb9282e0}\InProcServer32]
@="C:\WINDOWS\system32\qzviz.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\qzviz.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{14743A96-E156-4031-B896-11D3D66D93F6}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{14743A96-E156-4031-B896-11D3D66D93F6}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{14743A96-E156-4031-B896-11D3D66D93F6}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Step by Step Procedure for Removing Spylocked

Before attempting this removal procedure, download the removal tools used in the steps below (SmitRem, SmitFraudFix, Malwarebytes Anti-Malware, CCleaner, HijackThis and KillBox) to your desktop and install them.
Removal Procedure

1) Download the programs above to your desktop, then extract and install them.

2) Open SmitFraudFix and choose option 4 to check for updates and download any that are available, then quit the program.

3) Restart your computer in Safe Mode.

4) Open the SmitRem folder and double-click RunThis.bat to start the SmitRem removal procedure. Besides removing the particular files it looks for, the tool also runs the Disk Cleanup tool to remove temporary files on the hard drive that may contain problem files.

5) After SmitRem has finished, open SmitFraudFix, choose search (option 1) and then clean (option 2), and run a full system scan to remove anything it finds.

6) Double-click Malwarebytes Anti-Malware, install it, update it, and run it to remove miscellaneous rogue application files. If you prefer, you can purchase Malwarebytes Anti-Malware, which provides a realtime monitor that will alert you if you attempt to download a rogue program.

7) While still in Safe Mode, run CCleaner. Analyze and clean the files it finds, then click the Issues button on the left side of the screen and scan and fix any registry issues CCleaner discovers. Run both the registry scanner and the file analyzer until nothing else is found.

8) Run HijackThis and remove any leftover issues. If you are not sure whether a line in HijackThis is a problem, reboot in Normal mode and use the Online HijackThis Scanner to see if the file is a threat: copy and paste your HijackThis log into the scanner and let it analyze it for you. Although it's not perfect, it will give you an idea whether your system is clean or still needs some work. Do not delete anything with HijackThis unless you are absolutely sure what the file is and what it does. Another useful resource is Process Library, for checking whether a file is a threat. For items in the HijackThis log that will not delete normally, like the one below, use KillBox to browse to the location of the file and delete it, or delete it on reboot. Items that are impossible to remove without KillBox usually show up in the O20 section of HijackThis, because a Winlogon Notify DLL is loaded into winlogon.exe at logon and stays locked for as long as Windows is running:

O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll

9) Reboot the computer in Normal mode.

10) Open the Add/Remove Programs Control Panel and uninstall any leftover programs like "Windows Security Alert" or "Video Access ActiveX Object".

11) Scan your computer with an online virus scanner like Housecall, BitDefender, or eTrust, or download and install an antivirus program and run a complete scan. See the Online Virus Checkers page for a list of online scanners; some, however, will only scan and not remove what they find.

You may also want to run a thorough scan for adware/spyware using Ad-aware SE, Spybot Search and Destroy, or Windows Defender as well, to make sure your system is absolutely clean of other malware. See the Essential Tools to Use in Removing Spyware, Adware, Trojans, and Viruses page for other tools.

Congratulations! Your computer should be free of Spylocked. Please be careful when prompted to download any more "Video ActiveX" components to watch a particular video. If in doubt, don't install it.
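Step 8 leaves the reader to judge each HijackThis line by hand. As an added example (not code from this article, from PCHell, or from HijackThis itself), here is a small Python triage script that parses a log of this vintage and points out the three patterns the log above makes visible: a registered BHO or toolbar whose file is gone ("(file missing)" / "(no file)"), a Run entry with a bare file name or a random-looking hex value name, and entries naming the components this article ties to Spylocked. The heuristics, the function names and the ARTICLE_INDICATORS list are my own; the sample input is a constructed excerpt copied from the log above. The output is a list of candidates to verify, not a delete list, exactly as the warning in step 8 requires.

```python
"""Triage helper for a HijackThis v1.99 log (added example, not the article's code)."""
import re

# Constructed sample input: entries copied from the HijackThis log shown on this page.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [66676A6C666B6969] D7D8DBDDD7DCDA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareLocked 3.3] "C:\Program Files\SpywareLocked 3.3\Spy-Locked.exe" /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis finding is "Rn - body" or "On - body".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# O4 bodies look like:  HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
# A Run value name made only of hex digits (the log above has 66676A6C666B6969).
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8,}$")
# Components this article itself associates with the Spylocked infection (my list).
ARTICLE_INDICATORS = ("spy-locked", "spywarelocked", "video access activex object", "isadd.dll")


def parse_entries(log_text):
    """Return [(section, body)] for every 'Rn - ...' or 'On - ...' line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def executable_of(command):
    """First token of a Run command line: the quoted path, or the first whitespace-delimited word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text):
    """Return [(section, body, [reasons])] for the entries that deserve a second look."""
    flagged = []
    for section, body in parse_entries(log_text):
        reasons = []
        # A BHO/toolbar registration whose DLL is gone still gets loaded by IE at startup.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            reasons.append("registered component whose file is gone; the registration still loads")
        if section == "O4":
            m = RUN_RE.match(body)
            if m:
                name, exe = m.group(1), executable_of(m.group(2))
                # Legitimate Run entries almost always carry a full path.
                if "\\" not in exe and ":" not in exe:
                    reasons.append("Run entry with a bare file name and no directory")
                if HEX_NAME_RE.match(name):
                    reasons.append("Run value name is a random-looking hex string")
        lowered = body.lower()
        if any(ind in lowered for ind in ARTICLE_INDICATORS):
            reasons.append("names a component this article ties to the Spylocked infection")
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section} - {body}")
        for reason in reasons:
            print(f"    -> {reason}")
```

Run it against a full log saved from HijackThis by reading the file into `triage()`. Entries such as Symantec's ccApp, Spybot's SDHelper.dll and the NavLogon Winlogon Notify DLL pass through unflagged; the two orphaned toolbars, the missing isadd.dll BHO, the hex-named Run entry and the SpywareLocked 3.3 entry come out, each with the reason it was picked, which is what you want to check against Process Library or the online log analyzer before deleting anything.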