Spyware Warrior

[ryosuke_gunma]

I use AD-Aware & Spybot and it didn't found a spyware, but i used Spyware Doctor and it founds 6 spywares and it cannot remove!! Any help?

Here's the report :
"Spyware Doctor Activity Report
Generated on 3/22/2005 6:57:13 PM
Spyware Doctor Homepage PCTools Homepage Technical Support
Scans (basic information only):
Scan Results:
scan start: 3/22/2005 6:57:37 PM
scan stop: 3/22/2005 7:05:08 PM
scanned items: 106148
found items: 6
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner

Infection Name Location Risk
Bikinidesk C:\_RESTORE\TEMP\A0060719.0 High
Dyfuca/Internet Optimizer C:\_RESTORE\TEMP\A0060730.CPY High
DelfinProject C:\_RESTORE\TEMP\A0060833.CPY Elevated
ISTbar/XXXToolbar C:\_RESTORE\TEMP\A0060836.CPY Medium
DelfinProject C:\_RESTORE\TEMP\A0060838.CPY Elevated
ISTbar/XXXToolbar C:\_RESTORE\TEMP\A0060878.CPY Medium


Other Sections:

Copyright (C) 2003-2004 PCTools Pty Ltd Legal Notice"

And here's my Hijack Log :

Logfile of HijackThis v1.99.1
Scan saved at 7:20:34 PM, on 3/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\MAILFRONTIER\MANTISPM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\xbken7ch.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\xbken7ch.slt\prefs.js)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\PROGRAM FILES\SPYCATCHER\SCACTIVEBLOCK.DLL (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll

Thanks!
_________________
Best MOTORing fans

[Blinn]

hi ryosuke_gunma, I'm taking a look at your log, be back in a minute.

[QuietFusion]

Looks like your restore points are infected. First though, we can remove one item in your Hijackthis log. Run Hijackthis and place a check next to the following.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

and click fix.

Also reset your restore points, this will remove the infected restore points.

Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot.

Turn System Restore Back On.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK


Once complete re-run SpywareDoctor and let me know the results.
_________________
You want security? Disable Javascript and ActiveX!!

[Blinn]

haha man you're fast Quietfusion

[ryosuke_gunma]

How do i reset my restore points? (Sorry, i'm a newbie )
_________________
Best MOTORing fans

[QuietFusion]

Rest your Restore Points, follow these instructions.

Also reset your restore points, this will remove the infected restore points.

Turn off System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot.

Turn System Restore Back On.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK

_________________
You want security? Disable Javascript and ActiveX!!

[ryosuke_gunma]

[QuietFusion]

The System Restore Tab, is on the second line.

You should see on the First line > General > Computer Name > Hardware > Advanced

Now look above that line and you'll see > System Restore > Automatic Updates > Remote

Click the System Restore Tab on the second line.
_________________
You want security? Disable Javascript and ActiveX!!

[ryosuke_gunma]

[QuietFusion]

I should have looked at your OS

Click Start > Settings > Control Panel. > Double-click the System icon. > On the Performance tab click File System > Click the Troubleshooting tab, and then check Disable System Restore > Click OK. Click Yes, when you are prompted to restart Windows

To enable Windows Me System Restore
Click Start > Settings > Control Panel.
Double-click System. > On the Performance tab click File System. >
On the Troubleshooting tab, uncheck Disable System Restore. >
Click OK. > Click Yes, when you are prompted to restart Windows.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam

Here's a link that details ME restore points.
_________________
You want security? Disable Javascript and ActiveX!!

[ryosuke_gunma]

I've decide to format my computer, so the spyware is remove.

Thanks anyway for your help! I really appreciate this forum !
_________________
Best MOTORing fans