Bujar Posted May 18, 2006

I'm having big problems: a lot of critical messages are appearing while I'm working on the PC, telling me I have spyware, viruses... Every time I try to go to google.com I can't, because another site is there; even when I type the address in the address bar, I get the same website again (www.safetyuptodate.com), which is telling me that I should download anti-spyware..... I scanned the PC with Ad-Aware, with AVG Anti-Virus, Anti Tracks, CCleaner, but nothing is solving the problem. I still have those messages showing up all the time (it seems they come from the taskbar sometimes), still can't visit websites, please help me!!!
hazelnut (Moderator) Posted May 18, 2006

Hello Bujar,

Please post a HijackThis log in the forum after you read these instructions. Someone will help you as soon as possible.

http://forum.ccleaner.com/index.php?showtopic=3505

Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com
Bujar (Author) Posted May 19, 2006

Thanks for your help. I'll try these when I go home (because it's on my home PC that I had those problems).
Eldmannen Posted May 19, 2006

Sounds like you've got spyware on your computer that wants you to download rogue anti-spyware software. Don't visit the website that the spyware tells you to go to.

Use CWShredder, Ewido, HijackThis.
Bujar (Author) Posted May 23, 2006

After I have done all those scans, here's my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:35.PD, on 23-05-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atmclk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\IM Names\IM-svr.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Sami\LOCALS~1\Temp\Rar$EX00.875\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE...sSUF9ADMervFCs=
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iMprocess] C:\Program Files\IM Names\IM-svr.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm185YYYU
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
AndyManchesta Posted May 23, 2006

Hi Bujar,

I've not checked the log in any detail yet but will do after seeing the logs from the programs below. I can see signs of the Smitfraud infection, so let's get that fixed first, then we can clean up anything that remains.

Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download, install, and update the free version of Ewido Anti-Malware:
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
From the main Ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes, the status bar at the bottom will display "Update successful".
Exit Ewido. DO NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

After SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
Click on Scanner.
Click on Complete System Scan and the scan will begin.
If Ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop.
Close Ewido.

Then please restart the PC so it returns to Normal Mode.

Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.

Note: Running option #2 will remove your Desktop background, as some of the trojans related to this infection change the wallpaper and set restrictions to prevent you changing it back. When you reboot to Normal mode, right-click the desktop and choose Properties, then go to the Desktop tab and select the wallpaper you want to use from there.

Let us know if you have any questions or problems.

Regards
Andy
CTskifreak Posted May 24, 2006

Can I take a guess and say he is infected with SpyAxe, or some variation thereof??? I had two different uncles infected, but other people took care of it before I could.

AJ
AndyManchesta Posted May 24, 2006

Hi AJ

You're spot on. The system is infected with the same trojans that promote SpyAxe. This one is related to SpyFalcon, but there really isn't much difference.

These are the signs in the log:

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)

The hp****.tmp is a random-named file, but the CLSID "{f79fd28e-36ee-4989-aa61-9dd8e30a82fa}" shows it to be a variant of Trojan Zlob.

C:\WINDOWS\System32\atmclk.exe

This file is a SpyFalcon component. As you can see in the log, there isn't a startup entry for this file, but it's in the Running Processes; it will load via the SharedTaskScheduler registry key, usually with a file named appmagr.dll, as shown below.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
{64ba30a2-811a-4597-b0af-d551128be340}= AppManager

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
@= C:\WINDOWS\system32\appmagr.dll

This way it's running all the time on the system, as it's loaded with explorer.exe, so explorer.exe will need stopping to remove it, which S!Ri's tool will do without problems. Usually the first step is to get a logfile from SmitfraudFix to confirm there is an infection, but I've skipped that as it's clear what is on the system from the above entries.

Andy
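The two signs Andy reads out of the log above (a process in "Running processes" with no matching O4 startup entry, which points at a loader such as the SharedTaskScheduler key, and a BHO whose CLSID is known-bad or whose path is a random-named .tmp in System32) can be checked mechanically. The script below is an added example written for this page; it is not part of the thread, of HijackThis or of SmitfraudFix. The SYSTEM_PROCESSES set (binaries the OS starts without a Run key), the RANDOM_TMP_RE shape and the trimmed sample log are the author's assumptions and constructions; the two CLSIDs in KNOWN_BAD_CLSIDS are the ones quoted in the post, and the placeholder CLSID of all zeros in the sample is made up to exercise the .tmp check.

```python
"""Cross-check a HijackThis log for the indicators discussed in the thread.

Added example, not part of the forum thread or of HijackThis/SmitfraudFix.
Assumed: SYSTEM_PROCESSES (no Run key expected) and the hp****.tmp shape.
"""
import re

# CLSIDs quoted in the thread as Zlob / SpyFalcon components (lowercase).
KNOWN_BAD_CLSIDS = {
    "{f79fd28e-36ee-4989-aa61-9dd8e30a82fa}",  # O2 BHO pointing at hp1BF8.tmp
    "{64ba30a2-811a-4597-b0af-d551128be340}",  # SharedTaskScheduler "AppManager"
}

# Assumption: processes the OS/session starts itself, so no O4 entry is expected.
SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe",
}

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# Assumed shape of the random temp name the post calls "hp****.tmp".
RANDOM_TMP_RE = re.compile(r"\\system32\\[a-z]{2}[0-9a-f]{4}\.tmp\b", re.I)
EXE_RE = re.compile(r"[\w~.-]+\.exe", re.I)


def parse_log(text):
    """Return (running_processes, [(section, body), ...]) from HijackThis text."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
            continue
        in_procs = False  # first non-path line ends the process list
        m = re.match(r"^([RO]\d+) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def startup_executables(entries):
    """Lower-case basenames of every .exe an O4 (Run/Startup) or O23 (service)
    entry references: the places a running process is expected to come from."""
    names = set()
    for section, body in entries:
        if section in ("O4", "O23"):
            names.update(exe.lower() for exe in EXE_RE.findall(body))
    return names


def flag_indicators(text):
    """Return (indicator, detail) tuples: processes with no startup entry,
    entries carrying a known-bad CLSID, and O2 BHOs at a random .tmp path."""
    processes, entries = parse_log(text)
    expected = startup_executables(entries)
    findings = []
    for path in processes:
        base = path.rsplit("\\", 1)[-1].lower()
        if base not in SYSTEM_PROCESSES and base not in expected:
            findings.append(("process_without_startup_entry", path))
    for section, body in entries:
        clsid = CLSID_RE.search(body)
        if clsid and clsid.group(0).lower() in KNOWN_BAD_CLSIDS:
            findings.append(("known_bad_clsid", f"{section} - {body}"))
        elif section == "O2" and RANDOM_TMP_RE.search(body):
            findings.append(("random_tmp_bho", f"{section} - {body}"))
    return findings


# Constructed sample: a trimmed copy of the first log in the thread, plus one
# made-up O2 line (all-zero CLSID, hp2C41.tmp) to exercise the .tmp check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atmclk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\hp2C41.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
"""

if __name__ == "__main__":
    for indicator, detail in flag_indicators(SAMPLE_LOG):
        print(f"{indicator}: {detail}")
```

On the sample the only process flagged is atmclk.exe, exactly the one Andy singles out; everything else in the list is either an OS process or is accounted for by an O4 Run key or an O23 service. A process that shows up here is the cue to look at loaders HijackThis 1.99 does not list, SharedTaskScheduler being the one this infection uses.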
Bujar (Author) Posted May 24, 2006

Before I scanned the PC with HijackThis, I had scanned it with Ewido Anti-Malware, then with SmitfraudFix, almost in the same way as you are saying, and here's my scan report from SmitfraudFix:

SmitFraudFix v2.45
Scan done at 18:29:51,60, 22-05-2006
Run from C:\Documents and Settings\Sami\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\Sami\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

Also, after I did all those scans (with Ewido Anti-Malware and SmitfraudFix, and the last one with HijackThis), I don't seem to have those pop-ups showing on the desktop telling me I'm infected and I should download anti-spyware..., so I don't know, it could be that those scans have cleaned my machine.
AndyManchesta Posted May 24, 2006

Hi Bujar

If you saved the report from Ewido, can you post it back on here, as there should have been more files deleted than what's showing. Ewido might have already removed them, so it would help to see the log, but it's fine if you didn't save it.

Can you run option 1 on SmitfraudFix so we can check that they have gone and check one of the registry keys, then run an online virus scanner to see if there are more problems, and finally post a new HijackThis log.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Run Kaspersky WebScanner
Please go HERE and click Kaspersky Online Scanner.
Read and Accept the Agreement.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
If you see a Windows dialog asking if you want to install this software, click the Install button.
The program will launch and then begin downloading the latest definition files. When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, then close the Kaspersky On-line Scanner window.

Please post the text file back from SmitfraudFix and from Kaspersky's scanner, then post a new HijackThis log so we can finish the cleanup.

Thanks
Andy
Bujar (Author) Posted May 29, 2006

Sorry for the late reply, I haven't been in front of a PC for a long time. Anyway, here are my scan reports:

SmitFraudFix v2.45
Scan done at 15:18:18,67, 26-05-2006
Run from C:\Documents and Settings\Sami\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sami\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sami\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://images.ratemybody.com/mainPics/b/be/BerrySexay_thumb.jpg"
"SubscribedURL"="http://images.ratemybody.com/mainPics/b/be/BerrySexay_thumb.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://images.ratemybody.com/mainPics/b/be/BerrySexay.jpg"
"SubscribedURL"="http://images.ratemybody.com/mainPics/b/be/BerrySexay.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\System32\sbnudh.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\System32\sbnudh.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

KASPERSKY ON-LINE SCANNER REPORT
Friday, May 26, 2006 4:59:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 26/05/2006
Kaspersky Anti-Virus database records: 196482

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects: 40655
Number of viruses found: 23
Number of infected objects: 83
Number of suspicious objects: 0
Duration of the scan process: 00:41:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Sami\Local Settings\Temporary Internet Files\Content.IE5\WPUFC5QV\hbtools[1].exe/data0019/HbTools.mlp Infected: not-a-virus:AdWare.Win32.HotBar.bq skipped
C:\Documents and Settings\Sami\Local Settings\Temporary Internet Files\Content.IE5\WPUFC5QV\hbtools[1].exe/data0019 Infected: not-a-virus:AdWare.Win32.HotBar.bq skipped
C:\Documents and Settings\Sami\Local Settings\Temporary Internet Files\Content.IE5\WPUFC5QV\hbtools[1].exe NSIS: infected - 2 skipped
C:\Program Files\2search\get.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\Program Files\2search\main.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\Program Files\2search\uninstall.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\Program Files\IM Names\1.exe/data.rar/main.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\Program Files\IM Names\1.exe/data.rar/uninstall.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\Program Files\IM Names\1.exe/data.rar/get.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\Program Files\IM Names\1.exe/data.rar/2search.dll Infected: not-a-virus:AdWare.Win32.2Search.f skipped
C:\Program Files\IM Names\1.exe/data.rar Infected: not-a-virus:AdWare.Win32.2Search.f skipped
C:\Program Files\IM Names\1.exe RarSFX: infected - 5 skipped
C:\Program Files\IM Names\IM-svr.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped
C:\Program Files\IM Names\IMNames.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped
C:\Program Files\IM Names\main.exe Infected: not-a-virus:AdWare.Win32.2Search.g skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL Infected: not-a-virus:AdWare.Win32.MySearch.g skipped
C:\Program Files\MySearch\bar\1.bin\S4PLUGIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.al skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.al skipped
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Infected: not-a-virus:AdWare.Win32.IWon.a skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad skipped
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.q skipped
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ai skipped
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll Infected: not-a-virus:AdWare.Win32.Comet.c skipped
C:\Program Files\Starware\bin\Starware.dll Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP49\A0032282.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/IM-svr.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/IMNames.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/main.exe Infected: not-a-virus:AdWare.Win32.2Search.g skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar/main.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar/uninstall.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar/get.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar/2search.dll Infected: not-a-virus:AdWare.Win32.2Search.f skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar Infected: not-a-virus:AdWare.Win32.2Search.f skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe Infected: not-a-virus:AdWare.Win32.2Search.f skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar Infected: not-a-virus:AdWare.Win32.2Search.f skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe RarSFX: infected - 10 skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP68\A0041939.dll Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP68\A0041940.dll Infected: not-a-virus:AdWare.Win32.2Search.f skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044028.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044029.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044030.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar/main.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar/uninstall.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar/get.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar/2search.dll Infected: not-a-virus:AdWare.Win32.2Search.f skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar Infected: not-a-virus:AdWare.Win32.2Search.f skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044033.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044034.exe Infected: not-a-virus:AdWare.Win32.2Search.g skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044035.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP77\A0047159.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
C:\WINDOWS\system32\f3PSSavr.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
D:\Buci\Programe\Warwsi\New WinZip File.zip/WarezP2P_DLC.exe/stream/data0038 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Buci\Programe\Warwsi\New WinZip File.zip/WarezP2P_DLC.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Buci\Programe\Warwsi\New WinZip File.zip/WarezP2P_DLC.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Buci\Programe\Warwsi\New WinZip File.zip ZIP: infected - 3 skipped
D:\Buci\Programe\Warwsi\WarezP2P.exe/stream/data0040 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Buci\Programe\Warwsi\WarezP2P.exe/stream/data0041 Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
D:\Buci\Programe\Warwsi\WarezP2P.exe/stream Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
D:\Buci\Programe\Warwsi\WarezP2P.exe NSIS: infected - 3 skipped
D:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044039.exe/stream/data0040 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044039.exe/stream/data0041 Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
D:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044039.exe/stream Infected: not-a-virus:AdWare.Win32.Lop.ai skipped
D:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044039.exe NSIS: infected - 3 skipped

Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 4:23:38.MD, on 29-05-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\IM Names\IM-svr.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Sami\LOCALS~1\Temp\Rar$EX00.922\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...jk1x83abx9kn1dQ
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE...sSUF9ADMervFCs=
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iMprocess] C:\Program Files\IM Names\IM-svr.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm185YYYU
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
AndyManchesta Posted May 29, 2006

Hi Bujar, welcome back.

You have more junk now than you did in the first log, so let's start this fix again. Please do not change the order of these fixes or take any shortcuts...

If I ask you to remove something that you wish to keep then please let me know. I'm going to suggest removing anything that is Adware or bundled with Adware, but if you have read and accepted the agreements when installing those programs then I fully respect it's your choice what you have running on your system... If you have any questions or problems please let me know.

First of all you may want to print out this post or copy and paste it to Notepad and save it to your desktop so you have a hard copy of these instructions, as a lot of the steps below will be performed in Safe Mode (please do not skip the Safe Mode steps).

You have HijackThis running from your Temporary folder so this needs moving before we start. HijackThis creates backups if anything is fixed, so it's important that it's not left in the Temporary folder as you will lose the backups if you clear the temp files (which we will be doing as part of this fix). Please go to the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs) and remove HijackThis and then download it again from HERE. Do not run the program from the download link but save it to your C:\ drive first, then it's in a permanent folder.

Download CCleaner if you do not already have it from Here. Install and then close CCleaner as we will be using it again a bit later.

Next go to the Add/Remove screen and remove these:

Uninstall MySearch, MyWebSearch, MyWay SearchBar / Search Assistant if you did not knowingly install that yourself. If you have read and agreed to the licence agreement and you want it to stay on your system then it's ok to ignore. More info on MySearch can be found Here and Here.

Next remove Starware. More info on Starware can be found Here.

Also remove 2Search and IM Names if they are listed on the Add/Remove screen. More info on them can be found Here and Here.

Next, please delete the SmitFraudFix folder, as the infection is constantly updating and there is a newer version of SmitFraudFix available. Please then download the latest version of SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.

Please also download, install, and update the free version of Ewido Anti-Malware:
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main Ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes, the status bar at the bottom will display "Update successful".
Exit Ewido. DO NOT run a scan yet.

Next, reboot your computer into Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

AFTER SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
Click on Scanner
Click on Complete System Scan and the scan will begin.
If Ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido

Run HijackThis and choose Do A System Scan, then place a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ht*p://as.starware.com/dp/search?x=wKX1ILE...jk1x83abx9kn1dQ
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://as.starware.com/dp/search?x=wKX1ILE...sSUF9ADMervFCs=
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [iMprocess] C:\Program Files\IM Names\IM-svr.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ht*p://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

Close all open browser and other windows except for HijackThis and press the Fix Checked button.

Optional Fixes

If you choose to remove MySearch/MyWebSearch please fix these entries using HijackThis if they remain in the log:

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - ht*p://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm185YYYU

Next delete these files:

D:\Buci\Programe\Warwsi\New WinZip File.zip/WarezP2P_DLC.exe
D:\Buci\Programe\Warwsi\WarezP2P.exe

Then delete these folders:

C:\Program Files\2search
C:\Program Files\IM Names
C:\Program Files\Screensavers.com
C:\Program Files\Starware

Optional: if you remove MySearch also remove these folders:

C:\Program Files\MySearch
C:\Program Files\MyWebSearch

Run CCleaner. If you wish to keep your cookies then uncheck the cookies cleaning option on the menu to the left. Press the Run Cleaner button and when it's finished removing Temp files close CCleaner. Then please restart your PC into Normal Windows mode.

Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.

Regards
Andy

Warning: running option #2 (SmitFraudFix) on a non-infected computer will remove your Desktop background.
Bujar Posted June 7, 2006

Here are my reports:

SmitFraudFix v2.45

Scan done at 14:06:57,21, 07-06-2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 2:02:12.MD, on 07-06-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
AndyManchesta Posted June 7, 2006

Hi Bujar

Most of the log appears to be missing compared to your first log:

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

There is no malware showing in the new log but it doesn't look complete, so run Panda ActiveScan to make sure there are no remaining problems.

Run Panda ActiveScan from Here.
Once you are on the Panda site click the Scan your PC button
- A new window will open... click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

Please post back the Panda scan log and a new HijackThis log.

Thanks
Andy
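As an added illustration (not code from this thread, from HijackThis or from the fix tools it mentions), here is a small Python parser for HijackThis entry lines that flags the kinds of items Andy picked out in his May 29 post (search settings pointing at a third-party host, entries whose file is missing, the Starware/MySearch/IM Names names, an unnamed O16 download, the O17 DNS servers to confirm with the ISP) and lists which entries vanished between two logs, the comparison Andy makes above. The adware marker list and the list of expected search hosts are assumptions of this example, and the sample logs are constructed from lines quoted in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# A HijackThis entry line: section code (R0, R1, O2, O4, O16 ...), " - ", then the detail.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<detail>.+)$")
# Host of the first URL in an entry; also accepts the defanged "ht*p://" form used above.
URL_HOST_RE = re.compile(r"h(?:ttps?|t\*p)://([^/\s]+)", re.IGNORECASE)

# Adware names the helper singled out in this thread (Starware, MySearch/MyWebSearch,
# IM Names). This is an assumption of the example, not a HijackThis built-in list.
ADWARE_MARKERS = ("starware", "mywebsearch", "mywebs~1", "mysearch", "im names", "im-svr")
# Search-provider hosts accepted as expected defaults: also an assumption of this example.
EXPECTED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "google.com")


@dataclass(frozen=True)
class Entry:
    section: str
    detail: str

    def host(self) -> Optional[str]:
        m = URL_HOST_RE.search(self.detail)
        return m.group(1).lower() if m else None


def parse_log(text: str) -> list[Entry]:
    """Keep only the R*/F*/N*/O* entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["detail"]))
    return entries


def triage(entry: Entry) -> Optional[str]:
    """Why an entry deserves a second look, or None. Mirrors the helper's choices above."""
    low = entry.detail.lower()
    if entry.section in ("R0", "R1"):
        host = entry.host()
        if host and not host.endswith(EXPECTED_SEARCH_HOSTS):
            return f"search setting points at {host}"
    if "(file missing)" in low or "(no file)" in low:
        return "orphaned entry, its file is gone"
    if any(marker in low for marker in ADWARE_MARKERS):
        return "matches an adware name from this thread"
    if entry.section == "O16" and not re.search(r"\}\s*\(", entry.detail):
        return "unnamed ActiveX download (DPF), verify the source"
    if entry.section == "O17":
        return "custom DNS servers, confirm they belong to your ISP"
    return None


def report(text: str) -> list[tuple[str, str]]:
    """(section, reason) for every flagged entry, in log order."""
    return [(e.section, r) for e in parse_log(text) if (r := triage(e))]


def removed_entries(before: str, after: str) -> list[Entry]:
    """Entries present in the earlier log but absent from the later one."""
    after_set = set(parse_log(after))
    return [e for e in parse_log(before) if e not in after_set]


# Constructed sample built from lines of the May 29 log in this thread.
BEFORE_LOG = r"""Running processes:
C:\Program Files\IM Names\IM-svr.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...jk1x83abx9kn1dQ
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [iMprocess] C:\Program Files\IM Names\IM-svr.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4
"""
# Constructed "after" log: the entries the helper asked to fix are gone.
AFTER_LOG = r"""O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4
"""

if __name__ == "__main__":
    for section, reason in report(BEFORE_LOG):
        print(f"{section}: {reason}")
    print("entries gone from the later log:", len(removed_entries(BEFORE_LOG, AFTER_LOG)))
```

The O17 and unnamed O16 lines are reported for confirmation only; as in the thread, the DNS servers here were left in place once they were known to be the ISP's.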
Bujar Posted June 9, 2006

Panda:

Incident Status Location
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.com.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sami\Cookies\sami@atdmt[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sami\desctops\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sami\My Documents\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sami\My Documents\SmitfraudFix.zip[smitfraudFix/Process.exe]
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\unzipped\SmitfraudFix\SmitfraudFix\Process.exe

Logfile of HijackThis v1.99.1
Scan saved at 4:20:04.MD, on 09-06-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijacthis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
AndyManchesta Posted June 9, 2006

Hi Bujar

That's looking fine. Run CCleaner to remove the cookies.

It's detected SmitfraudFix as a Potentially unwanted tool, but that is just because it's using a utility called Process.exe which is very common in fix tools, as it allows them to stop system processes before cleaning the malware. As the tool isn't required now it can be removed from your PC. Delete these folders:

C:\Documents and Settings\Sami\desctops\SmitfraudFix
C:\Documents and Settings\Sami\My Documents\SmitfraudFix
C:\Documents and Settings\Sami\My Documents\SmitfraudFix.zip
C:\unzipped\SmitfraudFix

Panda scan is also showing there is a component of WinAntiVirus 2006 on your system. WinSoftware, which makes WinAntiVirus, is a rogue company who may have close links to infections like Trojan Vundo, so I wouldn't trust their products to provide adequate protection. It's on Spyware Warrior's Rogue list here: http://spywarewarrior.com/rogue_anti-spyware.htm

If it is on your system I'd suggest it be removed using the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs). Then delete this file:

C:\Program Files\Common Files\Companion Wizard\WapCHK.dll

I have included a few recommended steps below to help prevent future malware infections.

Please navigate to http://windowsupdate.microsoft.com and upgrade your system to Service Pack 2. Download all the critical updates for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. This may require you to reboot and revisit Windows Updates again to get the remaining updates. Please follow the prompts on the Windows Updates site and keep re-visiting until there are no more updates available. Your current version is outdated. I cannot stress enough how important this is.

Keep Ewido on the system. It shows it's a 14-day trial, but it works fine after that has expired as an "On-Demand" scanner and remover which you can manually update and use anytime.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware
A tutorial on using Ad-Aware to remove spyware from your computer may be found Here

Spybot Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found Here
Please also enable Spybot's Immunize feature.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found Here

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups or messenger programs.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, as a lot of free software can bundle other software, including spyware.

Please make sure to run your Antivirus software regularly, and to keep it up-to-date.

More information on how to prevent malware and to explain how you got infected can be found Here (By Tony Klein) and Here.

By following these steps it will lower the chances of getting any more malware issues, but let us know if you have any questions or problems anytime.

All The Best
Andy
Bujar Posted June 10, 2006

I'm glad my machine is finally cleaned. And I thank you so much for your great assistance. I will follow all the steps you mentioned, so I can prevent my machine from getting infected. Again, thanks very much. Wish you all the best.

Bujar
AndyManchesta Posted June 10, 2006

No problem Bujar, glad I could help.

Happy Surfing