Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

please read my hijack this log file

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

please read my hijack this log file

Unread postby shoot1966 » August 27th, 2006, 4:24 pm

here is my hijack this log file please advise me if there is anything wrong.

Logfile of HijackThis v1.99.1
Scan saved at 21:21:08, on 27/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Media-Codec\isamonitor.exe
C:\Program Files\Media-Codec\pmsngr.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Media-Codec\pmmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Media-Codec\isamini.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2\Disk_Monitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\twain_32\A4CIS\WATCH.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {44528C38-0A0D-3DF4-6247-070E9315D582} - C:\WINDOWS\system32\ezigfvn.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Protection Bar - {860c2f6b-ca82-4282-9187-beccbb66f0af} - C:\Program Files\Media-Codec\iesplugin.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Jiljwi] C:\Program Files\Ygiq\Oabd.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2\Disk_Monitor.exe
O4 - HKLM\..\Run: [nwrdlpc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nwrdlpc.dll,fcqusod
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS\WATCH.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h ... xdm185YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5167167621
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: hubbsi - {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - C:\WINDOWS\system32\vwlummc.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Many thanks in advance
shoot1966
Active Member
 
Posts: 5
Joined: August 27th, 2006, 4:17 pm
Advertisement
Register to Remove

Unread postby Navigator » August 27th, 2006, 6:06 pm

Hello Welcome to Malware Removal. You actually have a few infections in that log...

1. Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

2. Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

3. Post back with the Smitfraud log and the HJT uninstall list and we can get started...
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby shoot1966 » August 28th, 2006, 3:14 pm

SmitFraudFix v2.81

Scan done at 20:10:51.09, 28/08/2006
Run from C:\Documents and Settings\steve\Desktop\Smitfraud
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\vwlummc.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\steve\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\steve\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Media-Codec\ FOUND !
C:\Program Files\SpyHeal\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"hubbsi"="{7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885}"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Uninstall list>>>>

A4 CIS Scanner v1.22
Ad-Aware SE Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.5
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
BitTorrent 3.2.1
broadband medic
Cypress USB Mass Storage Driver Installation
Generic USB Card Reader Driver v2.2
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Internet Connection Control
Internet Explorer Security Plugin 2006
Internet Security Add-On
iPhoto Plus 4
Macromedia Shockwave Player
Media-Codec 4.0
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft PowerPoint Viewer 97
Napster
Nero Suite
Nokia Multimedia Player
ntl Netguard Security
Photo Manager
PL-2303 USB-to-Serial
Power Scan
Public Messenger ver 2.03
Roxio Burn Engine
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Surf Accuracy
TextBridge Classic
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
USB Storage Adapter FX (SM1)
WIDCOMM Bluetooth Software
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
Yahoo! Toolbar
shoot1966
Active Member
 
Posts: 5
Joined: August 27th, 2006, 4:17 pm

Unread postby Navigator » August 28th, 2006, 6:07 pm

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Post the contents of C:\rapport.txt and a NEW HJT log and then we can continue....
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby shoot1966 » August 29th, 2006, 1:09 pm

here are my HJT log and my rapport.

SmitFraudFix v2.81

Scan done at 17:54:21.96, 29/08/2006
Run from C:\Documents and Settings\steve\Desktop\Smitfraud
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"hubbsi"="{7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\vwlummc.dll -> Hoax.Win32.Renos.gen.bHoax.Win32.Renos.gen.c
C:\WINDOWS\system32\vwlummc.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\Media-Codec\ Deleted
C:\Program Files\SpyHeal\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 17:56:57, on 29/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {44528C38-0A0D-3DF4-6247-070E9315D582} - C:\WINDOWS\system32\ezigfvn.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Protection Bar - {860c2f6b-ca82-4282-9187-beccbb66f0af} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Jiljwi] C:\Program Files\Ygiq\Oabd.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2\Disk_Monitor.exe
O4 - HKLM\..\Run: [nwrdlpc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nwrdlpc.dll,fcqusod
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS\WATCH.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h ... xdm185YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5167167621
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
shoot1966
Active Member
 
Posts: 5
Joined: August 27th, 2006, 4:17 pm

Unread postby Navigator » August 29th, 2006, 10:58 pm

Hello shoot1966...let's keep cleaning!

1. Next, download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Save it to your desktop.

3. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.

4. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
O2 - BHO: (no name) - {44528C38-0A0D-3DF4-6247-070E9315D582} - C:\WINDOWS\system32\ezigfvn.dll
O3 - Toolbar: Protection Bar - {860c2f6b-ca82-4282-9187-beccbb66f0af} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [Jiljwi] C:\Program Files\Ygiq\Oabd.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [nwrdlpc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nwrdlpc.dll,fcqusod
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe


Now close all windows other than HiJackThis, then click Fix Checked.

5. Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ezigfvn.dll
    C:\Program Files\Ygiq\Oabd.exe
    C:\WINDOWS\iccontrol.exe
    C:\WINDOWS\system32\nwrdlpc.dll

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

6. When your computer reboots, reboot your computer into SafeMode. You can do this by continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. Log into your usual account.

7. Please remove these entries from Add/Remove Programs in the Control Panel (if present). Click start>>control panel>>add/remove programs:

Surf Accuracy
Power Scan


8. Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

9. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  • Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode.

10. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


11. Post the results of the ewido report scan, the Panda ActiveScan report and a new HJT log for me to review....
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby shoot1966 » August 31st, 2006, 12:12 pm

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:03:08 30/08/2006

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.IntCodec : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On -> Adware.IntCodec : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.IntCodec : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\SurfAccuracy -> Adware.SurfAccuracy : Cleaned with backup (quarantined).
C:\Program Files\SurfAccuracy\SAcc.cfg -> Adware.SurfAccuracy : Cleaned with backup (quarantined).


::Report end

Incident Status Location

Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\program files\common files\WinSoftware
Potentially unwanted tool:application/funweb Not disinfected c:\program files\FunWebProducts
Potentially unwanted tool:application/errorguard Not disinfected hkey_classes_root\clsid\{205FF73B-CA67-11D5-99DD-444553540006}
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\steve\Desktop\Smitfraud\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\steve\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Program Files\Common Files\WinSoftware\PrCheck.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\HijackThis\backups\backup-20060830-201118-360.inf
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Logfile of HijackThis v1.99.1
Scan saved at 17:07:14, on 31/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2\Disk_Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\twain_32\A4CIS\WATCH.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card Reader Driver v2.2\Disk_Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS\WATCH.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h ... xdm185YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5167167621
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

there we go. cheers
shoot1966
Active Member
 
Posts: 5
Joined: August 27th, 2006, 4:17 pm

Unread postby Navigator » August 31st, 2006, 2:33 pm

Hello shooter1966...there are some entries that did not appear to be 'fixed' with HJT, we'll need to do those again, and let's get rid of the MyWebSearch entries too:

1. Please do this:
  • Copy the contents of the Quote Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{205FF73B-CA67-11D5-99DD-444553540006}]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Then double-click on the fix.reg file, and when it prompts to merge say yes.

2. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll (file missing)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.h ... xdm185YYGB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab


Now close all windows other than HiJackThis, then click Fix Checked.

Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

3. Please delete these folders using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete


C:\Program Files\MyWebSearch
c:\program files\common files\WinSoftware
c:\program files\FunWebProducts


Please delete these files using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:


c:\windows\system32\f3PSSavr.scr


4. Reboot into Windows normally and post another HJT log for me to review. Also, let me know how your computer is running and if you are having any issues...
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby shoot1966 » September 1st, 2006, 4:01 pm

Logfile of HijackThis v1.99.1
Scan saved at 20:57:27, on 01/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter

Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Generic\USB Card Reader Driver v2.2\Disk_Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\twain_32\A4CIS\WATCH.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670}

- C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} -

C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} -

C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88}

- C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Motive SmartBridge]

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe

bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program

Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl

Netguard\RPS.exe"
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\USB Card

Reader Driver v2.2\Disk_Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS\WATCH.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program

Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program

Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program

Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -

res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -

res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -

res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)

-

http://update.microsoft.com/microsoftup ... x86/client

/muweb_site.cab?1125167167621
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. -

C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development

a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. -

C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

heres a new HJT log, the computer is running better and the pop ups i was getting have now stopped. many thanks for your help and is there any thing else that needs doing?
Steve
shoot1966
Active Member
 
Posts: 5
Joined: August 27th, 2006, 4:17 pm

Unread postby Navigator » September 1st, 2006, 9:47 pm

Good job shoot1966....!

You are welcome!

Your HJT appears clean and I'm glad your system is running well with out problems! Please do the resetting system restore instructions below and consider the other things to try and keep your system clean and secure! Let me know if you have any other issues....

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • THIS IS IMPORTANT! - If you are using Windows XP then you should reset system restore to make sure there are no infected files found in a restore point and that you have a clean restore point should you need one!

    Now let's reset your restore points.

    Click Start Menu >> All Programs >> Accessories >> System Tools >> SystemRestore

    Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'.

    Next go to Start Menu >> Run, then type:

    cleanmgr


    click OK, when Disk Cleanup opens go to the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy- Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. ATF is a new, freeware, temporary file cleaner for Windows, IE, Firefox and Opera with a simple, easy-to-use interface. The main screen allows the user to either clean all temporary files, or select files for cleaning. The program also knows if Firefox and or Opera is being used, and gives the option of cleaning the temporary files associated with those applications.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein. These are excellent reads too: I'm not pulling your leg and Malware: Preventing the Infection



Remember...be careful out there!
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby agrarianmonk » September 15th, 2006, 1:56 pm

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 37 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware