Suspected Serious Spyware On My PC

Hi Folks!

I'm new here so please bear with me if I slip up on something.

First of all I would like to say that I am extremely impressed with the professional set-up of this website and the quick manner in which a new member can get involved.

My problem: I suspect that my PC is infected with all types of Spyware because of the following:

1. For months now it has reacted strangely. I find it difficult to access websites (it takes a long time to respond to clicks; I use Firefox). And then it acts erratically. My PC is extremely slow, just about impossible to work with.

2. I invested in SpyZooka in July (I know, bad investment) and it could not detect any infections.

3. I also downloaded NoAdware.net and it detected 47 infections after a scan, some critical (keyloggers).

4. XoftSpy detected 6 infections.

I have downloaded the latest version of HijackThis and have copied the log below for your info.

I will appreciate it if one of your experts could analyze this and advise me.

I use Windows 98SE.

Looking forward to your great assistance.

Many thanks.

Gerry

--------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 02:37:05, on 07/12/16

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE

C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\SPYZOOKA\SPYZOOKA.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\XSINET\DIALER.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F1 - win.ini: run=hpfsched

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKCU\..\Run: [spyZooka] C:\PROGRAM FILES\SPYZOOKA\SpyZookaLdr.exe

O4 - HKCU\..\Run: [NBJ] "C:\PROGRAM FILES\AHEAD\NERO BACKITUP\NBJ.EXE"

O4 - HKUS\.DEFAULT\..\Run: [spyZooka] C:\PROGRAM FILES\SPYZOOKA\SpyZookaLdr.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [Asmw Soft Popups Burner] (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [NBJ] "C:\PROGRAM FILES\AHEAD\NERO BACKITUP\NBJ.EXE" (User 'Default user')

O4 - .DEFAULT Startup: Reboot.exe (User 'Default user')

O4 - Startup: Reboot.exe

O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT

O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE

O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE

O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://webolr1.microgaming.com/360/webolr/OCX/FlashAX.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

--

End of file - 5156 bytes

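As an added illustration (not part of Gerry's post or of the helper's reply), here is a small Python script that parses the O2, O4 and O16 lines of a HijackThis log and flags the entries a helper would look at first: Run values with no command, autostart commands given as a bare filename, Startup-folder items, unnamed BHOs and downloaded ActiveX controls from hosts outside a trusted list. The excerpt it runs on is copied from the log above; the trusted-host list and the flagging rules are my assumptions, not anything HijackThis itself does.

```python
"""Triage the O2/O4/O16 lines of a HijackThis log (added example, not HijackThis code)."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Excerpt copied from the HijackThis log posted above (a subset, not the full log).
HJT_EXCERPT = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKCU\..\Run: [spyZooka] C:\PROGRAM FILES\SPYZOOKA\SpyZookaLdr.exe
O4 - HKUS\.DEFAULT\..\Run: [Asmw Soft Popups Burner] (User 'Default user')
O4 - .DEFAULT Startup: Reboot.exe (User 'Default user')
O4 - Startup: Reboot.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

# Assumption: hosts whose downloaded ActiveX controls (O16 lines) we accept without comment.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "acs.pandasoftware.com",
                     "download.zonelabs.com", "www3.ca.com"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<key>.+?\\Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)"
                       r"(?:\s*\(User '(?P<user>[^']*)'\))?$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<folder>.*Startup): (?P<cmd>.*?)(?:\s*\(User '(?P<user>[^']*)'\))?$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")


def flag(section: str, subject: str, reason: str) -> Dict[str, str]:
    return {"section": section, "subject": subject, "reason": reason}


def is_bare_name(cmd: str) -> bool:
    """True when the executable carries no directory, so Windows locates it by search order."""
    cmd = cmd.strip()
    if not cmd:
        return False
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return "\\" not in exe and ":" not in exe


def triage(log: str) -> List[Dict[str, str]]:
    """Return the entries a helper should look at, in log order."""
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RUN_RE.match(line)
        if m:
            name, cmd = m["name"], m["cmd"]
            if not cmd:
                findings.append(flag("O4", name, "Run value has no command: an uninstall leftover or a "
                                                  "blanked entry; delete it"))
            elif is_bare_name(cmd):
                findings.append(flag("O4", name, f"'{cmd}' has no path, so Windows finds it by searching "
                                                  "directories; confirm which file actually loads"))
            continue
        m = O4_STARTUP_RE.match(line)
        if m:
            findings.append(flag("O4", m["cmd"], f"Startup-folder item in '{m['folder']}' runs at every "
                                                   "logon; identify the file before keeping it"))
            continue
        m = O2_RE.match(line)
        if m and m["name"] == "(no name)":
            findings.append(flag("O2", m["clsid"], f"unnamed BHO; judge it by its file, {m['path']}"))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlsplit(m["url"]).hostname or ""
            if host in TRUSTED_DPF_HOSTS:
                continue
            note = " (URL truncated by the forum; read the full value from the registry)" if "..." in m["url"] else ""
            findings.append(flag("O16", m["name"], f"downloaded ActiveX control from untrusted host "
                                                    f"{host}; remove unless that site is wanted{note}"))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_EXCERPT):
        print(f"[{f['section']}] {f['subject']}: {f['reason']}")
```

Run as a script it prints six flags for the excerpt: the unnamed BHO (which the path shows to be Spybot's SDHelper.dll), the bare-name `SysTray.Exe`, the empty `Asmw Soft Popups Burner` value, the two `Reboot.exe` Startup-folder items, and the microgaming.com download helper. Everything else in the excerpt has a full path or comes from a listed host and is left alone.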

Hi Gerry, welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.

Before we start cleaning, I would like to see an uninstall list:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)

-Ryan


Hello Ryan

Thanks for taking the time to assist me.

As requested I have copied the Uninstall list below for your info.

Thanks, Ryan.

Gerry

----------------------------------------------------------------------------------------------------------

Ad-Aware SE Personal

Adobe Acrobat - Reader 6.0.2 Update

Adobe Acrobat and Reader 6.0.3 Update

Adobe Acrobat and Reader 6.0.4 Update

Adobe Acrobat and Reader 6.0.5 Update

Adobe Download Manager 1.2 (Remove Only)

Adobe Flash Player Plugin

Adobe Reader 6.0.1

Asmw PC-Optimizer Pro

AVG Free Edition

BackRex Outlook Express Backup Demo

Chinese (Simplified) Language Support

Chinese (Simplified) Menus and Dialogs for Internet Explorer 6

Chinese (Traditional) Language Support

Chinese (Traditional) Menus and Dialogs for Internet Explorer 6

ColorPage-Vivid Pro II

Convert Image

Copernic Agent Basic

EasyCleaner

Foxit Reader

FreshDiagnose

FreshUI

HijackThis 2.0.2

HP DeskJet 710C Series (Remove only)

HP Photosmart Essential

HP Software Update

Internet Explorer Q903235

Internet Explorer Q916281

IrfanView (remove only)

Microsoft .NET Framework (English) v1.0.3705

Microsoft Data Access Components KB870669

Microsoft Internet Explorer 6 SP1 and Internet Tools

Microsoft Office 97, Professional Edition

Microsoft Outlook Express 6

Microsoft VGX Q833989

Microsoft Windows Critical Update Notification

Mozilla Firefox (2.0.0.11)

Nero Suite

NoAdware v5.0

Outlook Express Q837009

Panda ActiveScan

PCI Audio Driver

Piggs Peak Casino

Registry Mechanic

RegRepair 2000 (C:\Program Files\Easy Desk Utilities\RegRepair 2000\)

Spybot - Search & Destroy 1.4

Startup Delayer v2.3 (build 130)

Sterling House Casino

SUPERAntiSpyware Free Edition

TextBridge Classic 2.0

The Unzip Wizard

USB Flash Disk 98 Driver

Windows 98 KB891711 Update

Windows 98 KB896358 Update

Windows 98 KB908519 Update

Windows 98 KB918547 Update

Windows 98 Q823559 Update

Windows 98 Q840315 Update

Windows 98 Q888113 Update

Windows 98 Q890175 Update

Windows Media Player 7.1

WinPatrol

WinZip

Wise Disk Cleaner 2.6

Wise Registry Cleaner 2.8.5

XSInet Dialler

Yahoo! Toolbar

Zip backup to CD 3

ZoneAlarm


Please uninstall NoAdware v5.0.

Download CWShredder Here to its own folder.

Update CWShredder

  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about. Reboot your computer into normal Windows.

After that, please update and scan with SUPERAntiSpyware. Please post the results of the scan along with a new HijackThis log.

-Ryan


Hi Ryan

I have done the following:

1. I could not gain direct access to the CWShredder.net website (did not respond) but downloaded the program from Filehippo.

2. Once downloaded I tried to update but this too did not respond.

3. I then had to scan without an update. This could not find any CoolWebSearch infections on my system.

4. A scan with SUPERAntiSpyware also could not detect anything.

5. Please note that I could not start up in Safe Mode. The PC simply ignored my attempts to open it and started up normally. I usually use Safe Mode for Scandisk and Defrag without problems but this time without luck (tried quite a few times). How can I fix that?

Ryan, please advise further.

Thanks.

Gerry


Please do an online scan with Kaspersky WebScanner

You will need to use Internet Explorer to do this

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Please post the report from the Kaspersky scan.

-Ryan


Ryan

I am having no luck with the Kaspersky Online Scanner with Explorer. I can access the website but when I click on 'Kaspersky Online Scanner' the hourglass comes up with the cursor but then disappears after a while and it just hangs. No Firefox browser is open at the time, only Explorer.

When I try the scan on Firefox I have no problems but because I have to use Explorer for this I did not proceed.

Please advise me further, or suggest an alternative Online Scanner that I could use on Firefox.

My PC is getting worse by the day. On some days I can not access websites and just give up.

Thanks, Ryan!

Gerry


Try this scanner:

Please go HERE to run Panda's ActiveScan. You will need to use Internet Explorer to run it.

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open. Click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report.

-Ryan


Hi Ryan

Once again I have been unable to do a scan with Panda, same problem as with Kaspersky. I have accessed the websites with Internet Explorer but the scans simply would not respond. (I have not opened a Firefox browser.) What do you think the reason for this could be?

I have, as an alternative, done a Full System Scan with a-squared. I realise that this is probably not the real McCoy but it is the only working alternative that I could think of. However, no serious infections were found and I have deleted all, except one which refused to be deleted (medium threat). I have copied the scan log below for your info.

I think my problems could be the cause of something else and I will submit a new post for further assistance.

Thanks for your help, Ryan

------------------------------------------------------------------------------------------------------

a-squared Free - Version 3.0

Last update: 07/12/25 05:47:57 AM

Scan settings:

Objects: Memory, Traces, Cookies, C:\, D:\

Scan archives: On

Heuristics: On

ADS Scan: Off

Scan start: 07/12/26 07:20:20 AM

c:\casino detected: Trace.Directory.CarnivalCasino

Value: HKEY_CURRENT_USER\Software\SearchHTML --> UrlSupport detected: Trace.Registry.AdwareFilter

Value: HKEY_LOCAL_MACHINE\SOFTWARE\AdwareFilter --> POST_INST_1_CHOICE detected: Trace.Registry.AdwareFilter

c:\program files\softwaredoctor\errordoctor detected: Trace.Directory.ErrorDoctor

Value: HKEY_CURRENT_USER\Software\Casino DelRio --> options_dealervoices detected: Trace.Registry.Casino Del Rio

Value: HKEY_CURRENT_USER\Software\Casino DelRio --> options_music detected: Trace.Registry.Casino Del Rio

Value: HKEY_CURRENT_USER\Software\Casino DelRio --> options_sounds detected: Trace.Registry.Casino Del Rio

Value: HKEY_CURRENT_USER\Software\Casino DelRio --> options_xlslots detected: Trace.Registry.Casino Del Rio

Value: HKEY_CURRENT_USER\Software\Casino DelRio --> options-fullscreen detected: Trace.Registry.Casino Del Rio

Value: HKEY_CURRENT_USER\Software\Casino DelRio --> options-volume detected: Trace.Registry.Casino Del Rio

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Casino DelRio --> advertisercode detected: Trace.Registry.Casino Del Rio

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Casino DelRio --> banner detected: Trace.Registry.Casino Del Rio

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Casino DelRio --> creferer detected: Trace.Registry.Casino Del Rio

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Casino DelRio --> profile detected: Trace.Registry.Casino Del Rio

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Casino DelRio --> referer detected: Trace.Registry.Casino Del Rio

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Casino DelRio --> safemode detected: Trace.Registry.Casino Del Rio

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Casino DelRio --> uninstall_lang detected: Trace.Registry.Casino Del Rio

Value: HKEY_CURRENT_USER\Software\MicroGaming\Thumper\Detect --> BD detected: Trace.Registry.Phoenician Casino

Value: HKEY_CURRENT_USER\Software\MicroGaming\Thumper\Detect --> DXVerN detected: Trace.Registry.Phoenician Casino

Value: HKEY_CURRENT_USER\Software\MicroGaming\Thumper\Detect --> FlashVerN detected: Trace.Registry.Phoenician Casino

Value: HKEY_CURRENT_USER\Software\MicroGaming\Thumper\Detect --> IEVerN detected: Trace.Registry.Phoenician Casino

Value: HKEY_CURRENT_USER\Software\MicroGaming\Thumper\Detect --> ScreenX detected: Trace.Registry.Phoenician Casino

Value: HKEY_CURRENT_USER\Software\MicroGaming\Thumper\Detect --> ScreenY detected: Trace.Registry.Phoenician Casino

Value: HKEY_CURRENT_USER\Software\CasinonetInstaller --> INSTALLER_GUID detected: Trace.Registry.CasinoOnNet

Value: HKEY_CURRENT_USER\Software\CasinonetInstaller --> URL_CASINO_2 detected: Trace.Registry.CasinoOnNet

Value: HKEY_CURRENT_USER\Software\casinoonnet\casino\init --> serial detected: Trace.Registry.CasinoOnNet

Value: HKEY_CURRENT_USER\Software\casinoonnet\casino\init --> test_data detected: Trace.Registry.CasinoOnNet

Value: HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL --> Upd_Flag detected: Trace.Registry.CasinoOnNet

Value: HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL --> Upg_Date detected: Trace.Registry.CasinoOnNet

C:\WINDOWS\Cookies\anyuser@statcounter[1].txt detected: Trace.TrackingCookie

C:\WINDOWS\TEMP\is-0TN84.tmp\askBarSetup.exe detected: Riskware.AdTool.Win32.MyWebSearch.bn

C:\WINDOWS\Sterling House Casino setup.exe detected: Adware.Win32.Casino.w

Scanned

Files: 122255

Traces: 153132

Cookies: 15

Processes: 18

Found

Files: 2

Traces: 29

Cookies: 1

Processes: 0

Registry keys: 0

Scan end: 07/12/26 04:32:27 PM

Scan time: 9:12:07

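As an added illustration (not part of Gerry's post and not a-squared's own code), the script below reads detection lines of the form shown in the a-squared log above and separates the real file detections from the registry, directory and cookie traces, since only a detected file can actually run. The excerpt is copied from the log above; the ranking of detection kinds and the family grouping are my assumptions about how to read such a log, not a-squared's own categories.

```python
"""Split an a-squared scan log into leftover traces and real file detections (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Excerpt copied from the a-squared log posted above (a subset, not the full log).
A2_EXCERPT = r"""
c:\casino detected: Trace.Directory.CarnivalCasino
Value: HKEY_CURRENT_USER\Software\SearchHTML --> UrlSupport detected: Trace.Registry.AdwareFilter
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Casino DelRio --> safemode detected: Trace.Registry.Casino Del Rio
Value: HKEY_CURRENT_USER\Software\MicroGaming\Thumper\Detect --> BD detected: Trace.Registry.Phoenician Casino
C:\WINDOWS\Cookies\anyuser@statcounter[1].txt detected: Trace.TrackingCookie
C:\WINDOWS\TEMP\is-0TN84.tmp\askBarSetup.exe detected: Riskware.AdTool.Win32.MyWebSearch.bn
C:\WINDOWS\Sterling House Casino setup.exe detected: Adware.Win32.Casino.w
"""

# Either "Value: <key> --> <value> detected: <name>" or "<path> detected: <name>".
DETECT_RE = re.compile(
    r"^(?:Value: (?P<key>.+?) --> (?P<value>\S+)|(?P<path>.+?)) detected: (?P<name>.+)$")

# Ranking used here (an assumption, not a-squared's own): only a detected file can run;
# registry values, directories and cookies are residue that cannot execute on their own.
KINDS = (("Trace.Registry.", "registry residue"),
         ("Trace.Directory.", "leftover directory"),
         ("Trace.TrackingCookie", "tracking cookie"))


def classify(name: str) -> str:
    for prefix, kind in KINDS:
        if name.startswith(prefix):
            return kind
    return "file"


def parse(log: str) -> List[Tuple[str, str, str]]:
    """Return (location, detection name, kind) per detection line; headers and totals are skipped."""
    out: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = DETECT_RE.match(line.strip())
        if not m:
            continue
        loc = f"{m['key']} -> {m['value']}" if m["key"] else m["path"]
        out.append((loc, m["name"], classify(m["name"])))
    return out


def summarize(log: str) -> Dict[str, List[str]]:
    """Group detection locations by kind so the files stand apart from the traces."""
    groups: Dict[str, List[str]] = {}
    for loc, _name, kind in parse(log):
        groups.setdefault(kind, []).append(loc)
    return groups


def families(log: str) -> Counter:
    """Count detections per family: the last dotted part of a Trace name, else the full name."""
    counts: Counter = Counter()
    for _loc, name, kind in parse(log):
        counts[name.split(".", 2)[-1] if kind != "file" else name] += 1
    return counts


if __name__ == "__main__":
    for kind, locs in summarize(A2_EXCERPT).items():
        print(f"{kind} ({len(locs)}):")
        for loc in locs:
            print("   ", loc)
    print(families(A2_EXCERPT))
```

Applied to the full log above this gives the same split as the Found totals at its end: two files (the askBarSetup.exe installer in TEMP and the Sterling House Casino setup) against 29 traces and one cookie, with Processes: 0, so nothing the scanner detected was running at the time.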
