Jump to content
CCleaner Community Forums

Help Please!?


Bujar

Recommended Posts

I'm having big problems,a lot of critical messages are apearing will i'm working on the pc,tellin me i have spy were,viruses ,everytime i try to go on google.com ,i can't do that cause another site is there ,even when i type the adress on the adress bar ,i get the same website again(www.safetyuptodate.com),which is telling me that i should download anti-spywere.....

I scaned the PC with Ad-Aware,with AVG Anti virus,Anti Tracks, CCleaner,but nothing is solving the problem..i still have those messages showing up all the time(it seems they come from Taskbar sometimes),still can't visit websites,please help me!!!

:(:(

Link to post
Share on other sites

Sounds like you got spyware on your computer that wants you to download a rouge anti-spyware software. Dont visit the website that the spyware tells you to goto.

 

Use CWShredderer, ewido, HijackThis.

Link to post
Share on other sites

After i have done all those scanings ,here's my Hijack This Logfile:

 

Logfile of HijackThis v1.99.1

Scan saved at 8:27:35.PD, on 23-05-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\atmclk.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\VIA\RAID\raid_tool.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\Program Files\IM Names\IM-svr.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\Sami\LOCALS~1\Temp\Rar$EX00.875\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE...sSUF9ADMervFCs=

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [iMprocess] C:\Program Files\IM Names\IM-svr.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm185YYYU

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Link to post
Share on other sites

Hi Bujar,

 

Ive not checked the log in any detail yet but will do after seeing the logs from the below programs, I can see signs of the Smitfraud infection so lets get that fixed first then we can clean up anything that remains :)

 

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

 

 

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

 

 

Please download, install, and update the free version of Ewido Anti-Malware:

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  3. After the update finishes, the status bar at the bottom will display "Update successful"
  4. Exit Ewido. DO NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

 

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

 

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

 

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

 

After SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)

  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • If ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido

Then please restart the PC so it returns to Normal Mode. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.

 

Note * Running option #2 will remove your Desktop background as some of the trojans related to this infection change the wallpaper and set restrictions to prevent you changing it back, When you reboot to Normal mode right click the desktop and choose Properties then goto the Desktop tab and select the wallpaper you want to use from there.

 

Let us know if you have any questions or problems,

 

Regards

 

Andy

Link to post
Share on other sites

Can I take a guess and say he is infected with SpyAxe, or some variation there of??? I had two different uncles infected, but other people took care of it before I could.

 

AJ

Link to post
Share on other sites

Hi AJ

 

Your spot on :)

 

The system is infected with the same trojans that promote SpyAxe, This one is related to SpyFalcon but there really isnt much difference.

 

These are the signs in the log:

 

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)

The hp****.tmp is a random named file but the CLSID "{f79fd28e-36ee-4989-aa61-9dd8e30a82fa}" shows it to be a variant of Trojan Zlob

 

 

C:\WINDOWS\System32\atmclk.exe

This file is a SpyFalcon component, as you can see in the log there isnt a start up entry for this file but its in the Running Processes, it will load via the SharedTaskScheduler registry key usually with a file named appmagr.dll as shown below.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\

SharedTaskScheduler]

{64ba30a2-811a-4597-b0af-d551128be340}= AppManager

 

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\

{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]

@= C:\WINDOWS\system32\appmagr.dll

 

This way its running all the time on the system as its loaded with explorer.exe so explorer.exe will need stopping to remove it which S!Ri's tool will do without problems, Usually the first step is to get a logfile from Smitfraudfix to confirm there is an infection but Ive skipped that as its clear what is on the system by the above entries.

 

Andy

Link to post
Share on other sites

Before i scaned the pc with hijack this ,i have scaned it with Ewido Anti-Malware than with SmitfraudFix,almost in the same way as you are saying,and heres my scan repoprt of SmitfraudFix:

 

SmitFraudFix v2.45

 

Scan done at 18:29:51,60, 22-05-2006

Run from C:\Documents and Settings\Sami\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600]

 

???????????????????????? Killing process

 

 

???????????????????????? Deleting infected files

 

C:\WINDOWS\system32\ot.ico Deleted

C:\WINDOWS\system32\stdole3.tlb Deleted

C:\WINDOWS\system32\ts.ico Deleted

C:\WINDOWS\system32\1024\ Deleted

C:\DOCUME~1\Sami\FAVORI~1\Antivirus Test Online.url Deleted

 

???????????????????????? Deleting Temp Files

 

 

???????????????????????? Registry Cleaning

 

Registry Cleaning done.

 

???????????????????????? End

 

Also after i did all those scanings (with Ewido Anti-Malware and SmitfraudFix and last one with HijackThis),i don't seem to have those pop-ups showing on the desktop telling me i'm infected,i should download antispyware...,so i don't know ,it could be that those scanings have cleaned my machine.

Link to post
Share on other sites

Hi Bujar

 

If you saved the report from Ewido can you post it back on here as there should of been more files deleted than whats showing, Ewido might of already removed them so it would help to see the log but its fine if you didnt save it.

 

Can you to run option 1 on Smitfraud Fix so we can check that they have gone and check one of the Registry Keys then run a Online Virus scanner to see if there is more problems and finally post a new Hijack This log.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply

 

Run Kaspersky WebScanner

  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

Please post the text file back from SmitFraudFix and from Kaspersky's scanner then post a New Hijack This log so we can finish the cleanup

 

Thanks

 

Andy

Link to post
Share on other sites

Sorry for the late reply ,i haven't been in front of PC for a long time.Anyway here are my scan reports:

 

SmitFraudFix v2.45

Scan done at 15:18:18,67, 26-05-2006

Run from C:\Documents and Settings\Sami\My Documents\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600]

 

???????????????????????? C:\

 

 

???????????????????????? C:\WINDOWS

 

 

???????????????????????? C:\WINDOWS\system

 

 

???????????????????????? C:\WINDOWS\Web

 

 

???????????????????????? C:\WINDOWS\system32

 

C:\WINDOWS\system32\dcomcfg.exe FOUND !

C:\WINDOWS\system32\ot.ico FOUND !

C:\WINDOWS\system32\ts.ico FOUND !

C:\WINDOWS\system32\1024\ FOUND !

 

???????????????????????? C:\Documents and Settings\Sami\Application Data

 

 

???????????????????????? Start Menu

 

 

???????????????????????? C:\DOCUME~1\Sami\FAVORI~1

 

 

???????????????????????? Desktop

 

 

???????????????????????? C:\Program Files

 

 

???????????????????????? Corrupted keys

 

 

???????????????????????? Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="http://images.ratemybody.com/mainPics/b/be/BerrySexay_thumb.jpg"'>http://images.ratemybody.com/mainPics/b/be/BerrySexay_thumb.jpg"

"SubscribedURL"="http://images.ratemybody.com/mainPics/b/be/BerrySexay_thumb.jpg"

"FriendlyName"=""

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

"Source"="http://images.ratemybody.com/mainPics/b/be/BerrySexay.jpg"'>http://images.ratemybody.com/mainPics/b/be/BerrySexay.jpg"

"SubscribedURL"="http://images.ratemybody.com/mainPics/b/be/BerrySexay.jpg"

"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

???????????????????????? Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

 

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]

@="C:\WINDOWS\System32\sbnudh.dll"

 

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]

@="C:\WINDOWS\System32\sbnudh.dll"

 

 

???????????????????????? Scanning wininet.dll infection

 

 

???????????????????????? End

 

 

 

KASPERSKY ON-LINE SCANNER REPORT

Friday, May 26, 2006 4:59:41 PM

Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)

Kaspersky On-line Scanner version: 5.0.78.0

Kaspersky Anti-Virus database last update: 26/05/2006

Kaspersky Anti-Virus database records: 196482

Scan Settings

Scan using the following antivirus database extended

Scan Archives true

Scan Mail Bases true

Scan Target My Computer

A:\

C:\

D:\

E:\

Scan Statistics

Total number of scanned objects 40655

Number of viruses found 23

Number of infected objects 83

Number of suspicious objects 0

Duration of the scan process 00:41:43

 

Infected Object Name Virus Name Last Action

C:\Documents and Settings\Sami\Local Settings\Temporary Internet Files\Content.IE5\WPUFC5QV\hbtools[1].exe/data0019/HbTools.mlp Infected: not-a-virus:AdWare.Win32.HotBar.bq skipped

C:\Documents and Settings\Sami\Local Settings\Temporary Internet Files\Content.IE5\WPUFC5QV\hbtools[1].exe/data0019 Infected: not-a-virus:AdWare.Win32.HotBar.bq skipped

C:\Documents and Settings\Sami\Local Settings\Temporary Internet Files\Content.IE5\WPUFC5QV\hbtools[1].exe NSIS: infected - 2 skipped

C:\Program Files\2search\get.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\Program Files\2search\main.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\Program Files\2search\uninstall.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\Program Files\IM Names\1.exe/data.rar/main.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\Program Files\IM Names\1.exe/data.rar/uninstall.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\Program Files\IM Names\1.exe/data.rar/get.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\Program Files\IM Names\1.exe/data.rar/2search.dll Infected: not-a-virus:AdWare.Win32.2Search.f skipped

C:\Program Files\IM Names\1.exe/data.rar Infected: not-a-virus:AdWare.Win32.2Search.f skipped

C:\Program Files\IM Names\1.exe RarSFX: infected - 5 skipped

C:\Program Files\IM Names\IM-svr.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped

C:\Program Files\IM Names\IMNames.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped

C:\Program Files\IM Names\main.exe Infected: not-a-virus:AdWare.Win32.2Search.g skipped

C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped

C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL Infected: not-a-virus:AdWare.Win32.MySearch.g skipped

C:\Program Files\MySearch\bar\1.bin\S4PLUGIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.al skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.al skipped

C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f skipped

C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Infected: not-a-virus:AdWare.Win32.IWon.a skipped

C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped

C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad skipped

C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped

C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.q skipped

C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped

C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ai skipped

C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll Infected: not-a-virus:AdWare.Win32.Comet.c skipped

C:\Program Files\Starware\bin\Starware.dll Infected: not-a-virus:AdWare.Win32.Comet.ay skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP49\A0032282.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/IM-svr.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/IMNames.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/main.exe Infected: not-a-virus:AdWare.Win32.2Search.g skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar/main.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar/uninstall.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar/get.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar/2search.dll Infected: not-a-virus:AdWare.Win32.2Search.f skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe/data.rar Infected: not-a-virus:AdWare.Win32.2Search.f skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar/1.exe Infected: not-a-virus:AdWare.Win32.2Search.f skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe/data.rar Infected: not-a-virus:AdWare.Win32.2Search.f skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP67\A0041916.exe RarSFX: infected - 10 skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP68\A0041939.dll Infected: not-a-virus:AdWare.Win32.Comet.ay skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP68\A0041940.dll Infected: not-a-virus:AdWare.Win32.2Search.f skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044028.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044029.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044030.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar/main.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar/uninstall.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar/get.exe Infected: not-a-virus:AdWare.Win32.2Search.c skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar/2search.dll Infected: not-a-virus:AdWare.Win32.2Search.f skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe/data.rar Infected: not-a-virus:AdWare.Win32.2Search.f skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044032.exe RarSFX: infected - 5 skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044033.exe Infected: not-a-virus:AdWare.Win32.2Search.h skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044034.exe Infected: not-a-virus:AdWare.Win32.2Search.g skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044035.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af skipped

C:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP77\A0047159.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped

C:\WINDOWS\system32\f3PSSavr.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

D:\Buci\Programe\Warwsi\New WinZip File.zip/WarezP2P_DLC.exe/stream/data0038 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

D:\Buci\Programe\Warwsi\New WinZip File.zip/WarezP2P_DLC.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

D:\Buci\Programe\Warwsi\New WinZip File.zip/WarezP2P_DLC.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

D:\Buci\Programe\Warwsi\New WinZip File.zip ZIP: infected - 3 skipped

D:\Buci\Programe\Warwsi\WarezP2P.exe/stream/data0040 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

D:\Buci\Programe\Warwsi\WarezP2P.exe/stream/data0041 Infected: not-a-virus:AdWare.Win32.Lop.ai skipped

D:\Buci\Programe\Warwsi\WarezP2P.exe/stream Infected: not-a-virus:AdWare.Win32.Lop.ai skipped

D:\Buci\Programe\Warwsi\WarezP2P.exe NSIS: infected - 3 skipped

D:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044039.exe/stream/data0040 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

D:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044039.exe/stream/data0041 Infected: not-a-virus:AdWare.Win32.Lop.ai skipped

D:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044039.exe/stream Infected: not-a-virus:AdWare.Win32.Lop.ai skipped

D:\System Volume Information\_restore{00A29188-831D-40E3-A72E-E0B9401D21AA}\RP76\A0044039.exe NSIS: infected - 3 skipped

Scan process completed.

 

Logfile of HijackThis v1.99.1

Scan saved at 4:23:38.MD, on 29-05-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\VIA\RAID\raid_tool.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\Program Files\IM Names\IM-svr.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\Sami\LOCALS~1\Temp\Rar$EX00.922\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...jk1x83abx9kn1dQ

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILE...sSUF9ADMervFCs=

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [iMprocess] C:\Program Files\IM Names\IM-svr.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm185YYYU

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Link to post
Share on other sites

Hi Bujar,

 

Welcome Back, You have more junk now than you did in the first log so let's start this fix again :) , Please do not change the order of these fixes or take any shortcuts... If I ask you to remove something that you wish to keep then please let me know, Im going to suggest removing anything that is Adware or bundled with Adware but if you have read and accepted the agreements when installing those programs then I fully respect its your choice what you have running on your system... If you have any questions of problems please let me know.

 

First of all you may want to print out this post or copy and paste it to notepad and save it to your desktop so you have a hard copy of these instructions as alot of the steps below will be performed in Safe mode (Please do not skip the safe mode steps)

 

You have Hijack This running from your Temporary folder so this needs moving before we start, Hijack This creates backups if anything is fixed so its important that its not left in the Temporary folder as you will lose the backups if you clear the temp files (which we will be doing as part of this fix)

 

Please goto the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs) and remove Hijack This and then download it again from HERE, do not run the program from the download link but save it to your C:\drive first then its in a permanent folder

 

Download Ccleaner if you do not already have it from Here, Install and then close Ccleaner as we will be using again abit later.

 

Next Goto the Add/Remove screen and remove these:

 

Uninstall MySearch, MyWebSearch, MyWay SearchBar / Search Assistant if you did not knowingly install that yourself, If you have read and agreed to the licence agreement and you want it to stay on your system then its ok to ignore. More info on MySearch can be found Here and Here

 

Next Remove Starware , More info on Starware can be found Here

 

Also Remove 2Search and IM Names if they are listed on the Add/Remove screen. More info on them can be found Here and Here

 

 

Next Please delete the SmitFraudFix folder as the infection is constantly updating and there is a newer version of SmitFraudFix available.

 

 

Please then download the latest version of SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

 

Please also download, install, and update the free version of Ewido Anti-Malware:

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful"
  5. Exit Ewido. DO NOT run a scan yet.

Next, reboot your computer into Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

 

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

 

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

 

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

 

AFTER SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)

  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • If ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido

Run Hijack This and choose Do A System Scan then place a check next to these entries

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ht*p://as.starware.com/dp/search?x=wKX1ILE...jk1x83abx9kn1dQ

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://as.starware.com/dp/search?x=wKX1ILE...sSUF9ADMervFCs=

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)

O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll

O4 - HKLM\..\Run: [iMprocess] C:\Program Files\IM Names\IM-svr.EXE

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ht*p://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

Close all open browser and other windows except for Hijack This and press the Fix Checked button

 

Optional Fixes

 

If you choose To Remove MySearch/MyWebSearch please fix these entries using Hijack This if they remain in the log :

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O8 - Extra context menu item: &Search - ht*p://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm185YYYU

 

Next Delete these Files

 

D:\Buci\Programe\Warwsi\New WinZip File.zip/WarezP2P_DLC.exe

D:\Buci\Programe\Warwsi\WarezP2P.exe

 

Then delete these Folders:

 

C:\Program Files\2search

C:\Program Files\IM Names

C:\Program Files\Screensavers.com

C:\Program Files\Starware

 

Optional

 

If you remove MySearch also remove these folders:

 

C:\Program Files\MySearch

C:\Program Files\MyWebSearch

 

Run Ccleaner, if you wish to keep your cookies then uncheck the cookies cleaning option on the menu to the left, Press the Run Cleaner button and when its finished removing Temp files close Ccleaner,

 

Then please restart your PC into Normal Windows mode.

 

Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.

 

Regards

 

Andy

 

Warning : running option #2 (SmitFraudFix) on a non infected computer will remove your Desktop background.

Link to post
Share on other sites
  • 2 weeks later...

Here are my reports:

 

SmitFraudFix v2.45

 

Scan done at 14:06:57,21, 07-06-2006

Run from C:\unzipped\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600]

 

???????????????????????? Killing process

 

 

???????????????????????? Deleting infected files

 

 

???????????????????????? Deleting Temp Files

 

 

???????????????????????? Registry Cleaning

 

Registry Cleaning done.

 

???????????????????????? End

 

 

Logfile of HijackThis v1.99.1

Scan saved at 2:02:12.MD, on 07-06-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\PROGRA~1\WinZip\winzip32.exe

C:\unzipped\hijackthis\HijackThis.exe

 

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Link to post
Share on other sites

Hi Bujar

 

Most of the log appears to be missing compared to your first log:

 

 

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONEO4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKeyO4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.htmlO8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.htmlO8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.htmlO8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.htmlO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cabO16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cabO16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

 

 

 

There is no malware showing in the new log but it doesnt look complete, run Panda Activescan to make sure there is no remaining problems.

 

Run Panda Activescan from Here.

 

Once you are on the Panda site click the Scan your PC button

- A new window will open...click the Check Now button

- Enter your Country

- Enter your State/Province

- Enter your e-mail address and click send

- Select either Home User or Company

- Click the big Scan Now button

- If it wants to install an ActiveX component allow it

- It will start downloading the files it requires for the scan

(Note: It may take a couple of minutes)

- When the download is complete, click on Local Disks to start the scan

- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

 

Please post back the Pandascan log and a New Hijack This log

 

Thanks

 

Andy

Link to post
Share on other sites

Panda:

 

 

Incident Status Location

 

Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[data.coremetrics.com/]

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.com.com/]

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.microsofteup.112.2o7.net/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.hotlog.ru/]

Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Sami\Application Data\Mozilla\Firefox\Profiles\wwsvb58v.default\cookies.txt[.spylog.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sami\Cookies\sami@atdmt[2].txt

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sami\desctops\SmitfraudFix\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sami\My Documents\SmitfraudFix\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sami\My Documents\SmitfraudFix.zip[smitfraudFix/Process.exe]

Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\Companion Wizard\WapCHK.dll

Potentially unwanted tool:Application/Processor Not disinfected C:\unzipped\SmitfraudFix\SmitfraudFix\Process.exe

 

 

Logfile of HijackThis v1.99.1

Scan saved at 4:20:04.MD, on 09-06-2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Hijacthis\HijackThis.exe

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7E6B2A2F-3046-4633-8CDB-B449261EFD4D}: NameServer = 82.114.64.3,82.114.64.4

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Link to post
Share on other sites

Hi Bujar

 

Thats looking fine :)

 

Run Ccleaner to remove the cookies, Its detected SmitfraudFix as a Potentially unwanted tool but that is just because its using a utility called Process.exe which is very common in fixtools as it allows them to stop system processes before cleaning the malware but as the tool isnt required now it can be removed from your PC.

 

Delete these folders :

 

C:\Documents and Settings\Sami\desctops\SmitfraudFix

C:\Documents and Settings\Sami\My Documents\SmitfraudFix

C:\Documents and Settings\Sami\My Documents\SmitfraudFix.zip

C:\unzipped\SmitfraudFix

 

 

Pandascan is also showing there is a component of WinAntiVirus 2006 on your system, WinSoftware which make WinAntiVirus is a rogue company who may have close links to infections like Trojan Vundo so I wouldnt trust their products to provide adequate protection. Its on Spyware Warrior's Rogue list here:

 

http://spywarewarrior.com/rogue_anti-spyware.htm

 

If it is on your system Id suggest it being removed using the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs)

 

Then delete this file:

 

C:\Program Files\Common Files\Companion Wizard\WapCHK.dll

 

 

I have included afew recommended steps below to help prevent future malware infections.

 

Please navigate to http://windowsupdate.microsoft.com and upgrade your system to Service Pack 2. Download all the critical updates for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. This may require you to Reboot and revisit Windows Updates again to get the remaining updates. Please follow the prompts on the Windows Updates site and keep re-visiting untill there is no more updates available.

Your current version is outdated. I cannot stress enough how important this is.

 

Keep Ewido on the system as shows its a 14 day trial but it works fine after that has expired as a "On-Demand" scanner and remover which you can manually update and use anytime.

 

In order to protect yourself against spyware, you should consider installing and running the following free programs:

 

Ad-Aware

A tutorial on using Ad-Aware to remove spyware from your computer may be found Here

 

Spybot Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found Here Please also enable Spybots Immunize feature.

 

SpywareBlaster

A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found Here

 

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

 

* Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups or messenger programs.

* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.

* Download free software only from sites you know and trust as alot of free software can bundle other software, including spyware.

 

Please make sure to run your Antivirus software regularly, and to keep it up-to-date.

 

More information on how to prevent malware and to explain how you got infected can be found Here (By Tony Klein) and Here

 

 

By following these steps it will lower the chances of getting any more malware issues but let us know if you have any questions or problems anytime.

 

All The Best

 

Andy

Link to post
Share on other sites

I'm glad my machine is finnaly cleaned.And i thank you so much for your great assistance.

I will follow all the steps you mentioned,so i can prevent my machine from getting infected.

 

Again,thanks very much.

 

Whish you all the best.

 

:D:D

 

Bujar

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...