Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

please examine hijackthis log/ popups

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

please examine hijackthis log/ popups

Unread postby heat123 » July 1st, 2008, 11:22 am

I got quite a few popups on my computer. Here is my hjt log below. This is not the same computer as my other post.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:05 AM, on 7/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: LevelOne Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn ... taller.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8485445937
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6063 bytes
heat123
Regular Member
 
Posts: 26
Joined: June 26th, 2008, 10:41 am
Advertisement
Register to Remove

Re: please examine hijackthis log/ popups

Unread postby peku006 » July 3rd, 2008, 2:31 am

Welcome to the MWR forums. My name is peku006. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean looking HijackThis is not always a sign your system is clean.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: please examine hijackthis log/ popups

Unread postby heat123 » July 3rd, 2008, 8:22 am

Thank you for looking at my hjt log. I will be waiting for a reply on what to do. Thanks again.
heat123
Regular Member
 
Posts: 26
Joined: June 26th, 2008, 10:41 am

Re: please examine hijackthis log/ popups

Unread postby peku006 » July 4th, 2008, 2:30 am

Hi heat123

Can you tell me what the popups are advertising?

1- Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

2 - Download and Run DSS
Please download Deckard's System Scanner (DSS) and save to your Desktop.

DSS will do the following:

  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
  • main.txt <- this one will be maximized
  • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet especially if your asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


3 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log
2. Deckard's System Scanner main.txt and extra.txt

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: please examine hijackthis log/ popups

Unread postby heat123 » July 4th, 2008, 8:22 am

Only main.txt displays also checked in c drive etc. Anyway here is the main.txt and mbam log. Followed directions on the deckard system scanner twice and still did not work.




Malwarebytes' Anti-Malware 1.19
Database version: 920
Windows 5.1.2600 Service Pack 3

8:04:28 AM 7/4/2008
mbam-log-7-4-2008 (08-04-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 77385
Time elapsed: 31 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Deckard's System Scanner v20071014.68
Run by troy on 2008-07-04 08:14:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as troy.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:58 AM, on 7/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\troy\Local Settings\Temporary Internet Files\Content.IE5\3MTHPE8Q\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\troy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: LevelOne Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn ... taller.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8485445937
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6125 bytes

-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-03 19:51:41 0 dr-h---c- C:\Documents and Settings\troy\Recent
2008-07-02 19:57:02 0 d------c- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 08:58:10 0 d------c- C:\Program Files\Yamicsoft
2008-06-25 19:39:38 0 d------c- C:\Documents and Settings\troy\Application Data\Pointstone
2008-06-25 19:38:12 0 d------c- C:\Program Files\Pointstone
2008-06-25 19:38:11 0 d------c- C:\Program Files\Common Files\Pointstone
2008-06-23 08:23:40 0 d--h---c- C:\$AVG8.VAULT$
2008-06-21 12:53:05 0 d------c- C:\Documents and Settings\troy\Application Data\Malwarebytes
2008-06-21 12:52:52 0 d------c- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 09:13:21 0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-20 10:27:54 0 d------c- C:\Documents and Settings\troy\.housecall6.6
2008-06-19 17:55:09 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 08:28:00 0 d------c- C:\Program Files\Trend Micro
2008-06-15 18:43:23 0 d------c- C:\WINDOWS\PC Check-up
2008-06-04 21:14:05 0 d------c- C:\WINDOWS\system32\drivers\Avg
2008-06-04 21:13:41 0 d------c- C:\Program Files\AVG
2008-06-04 21:13:39 0 d------c- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-04 18:14:32 0 d------c- C:\Documents and Settings\All Users\Application Data\McAfee


-- Find3M Report ---------------------------------------------------------------

2008-07-02 21:48:16 0 d------c- C:\Program Files\Viewpoint
2008-07-01 15:00:39 0 d------c- C:\Documents and Settings\troy\Application Data\Macromedia
2008-07-01 13:20:33 0 d------c- C:\Program Files\Incomplete
2008-06-27 16:28:15 0 d------c- C:\Program Files\SUPERAntiSpyware
2008-06-27 14:13:12 0 d------c- C:\Program Files\Java
2008-06-25 19:39:38 0 d------c- C:\Documents and Settings\troy\Application Data\iolo
2008-06-23 08:21:14 0 d------c- C:\Documents and Settings\troy\Application Data\GlarySoft
2008-06-21 08:50:29 0 d------c- C:\Documents and Settings\troy\Application Data\Adobe
2008-06-21 08:46:51 0 d------c- C:\Program Files\QuickTime
2008-06-21 08:46:51 0 d------c- C:\Program Files\Modem Helper
2008-06-21 08:46:50 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-06-21 08:46:49 0 d------c- C:\Documents and Settings\troy\Application Data\ErrorSmart
2008-06-21 08:46:49 0 d------c- C:\Documents and Settings\troy\Application Data\Apple Computer
2008-06-20 07:39:14 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 07:39:08 0 d------c- C:\Program Files\Lavasoft
2008-06-19 08:15:13 0 d------c- C:\Documents and Settings\troy\Application Data\Uniblue
2008-06-15 17:14:03 0 d------c- C:\Documents and Settings\troy\Application Data\Smart PC Solutions
2008-06-13 12:10:31 0 d------c- C:\Program Files\Common Files
2008-06-07 16:45:32 0 d------c- C:\Program Files\Glary Utilities
2008-05-26 21:33:50 0 d------c- C:\Program Files\Messenger
2008-05-26 21:32:40 0 d------c- C:\Program Files\Movie Maker
2008-05-21 20:07:25 0 d------c- C:\Program Files\Microsoft Silverlight
2008-05-10 18:00:14 0 d------c- C:\Program Files\Abexo
2008-05-10 07:01:17 206 --a----c- C:\WINDOWS\system32\cbcaefb_z.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 07:12 PM]

C:\Documents and Settings\troy\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
LevelOne Wireless Utility.lnk - C:\Program Files\LevelOne\Common\RaUI.exe [8/27/2007 3:57:05 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCAutoLiveUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystemTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
? 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemGuardAlerter]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-04 08:17:53 ------------
heat123
Regular Member
 
Posts: 26
Joined: June 26th, 2008, 10:41 am

Re: please examine hijackthis log/ popups

Unread postby peku006 » July 5th, 2008, 6:58 am

Hi heat123
Only main.txt displays also checked in c drive


It´s because your dss.exe currently located at
C:\Documents and Settings\troy\Local Settings\Temporary Internet Files\Content.IE5\3MTHPE8Q\dss[1].exe

Please move dss.exe to your desktop

1 - Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

2 - Check files for Viruses.

C:\WINDOWS\system32\cbcaefb_z.dll

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.

3 - Clean temp files

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.

    Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    if you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    if you use Opera:
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

4 - Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

5 - uninstall list

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

6 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

7 - Status Check
Please reply with

1. the Jotti/Virustotal results
2. the the Kaspersky online scanner report
3. the uninstall list
4. a fresh HijackThis log
Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: please examine hijackthis log/ popups

Unread postby heat123 » July 5th, 2008, 10:47 am

The popups are wanting me to buy certain things. Removed bad hijackthis entries. Only main.txt displays dss.exe is on desktop. Used ATF cleaner. Kasperky link did not work said can't display this webpage. Tried google link and said same thing. Here is the scan results for the file. Virustotal found nothing. Jotti scan results below.

File: cbcaefb_z.dll
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b14734c2b2e071356f9d0dee37e7cdbd
Packers detected: -

Scanner results
Scan taken on 05 Jul 2008 14:38:50 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Here is the uninstall list below.


Adobe Flash Player ActiveX
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Bonjour
Broadcom Management Programs
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
DA920EN
Defraggler (remove only)
Dell Media Experience
Dell Solution Center
Dell Support
Dell Support 5.0.0 (766)
DellSupport
Digital Line Detect
DS21Patch
Get Connected CD
getPlus(R)_ocx
Glary Utilities 2.5.2
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
HyperLoad
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
iTunes
Java(TM) 6 Update 6
LevelOne WNC-0301USB Wireless Adapter
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Modem Helper
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NetWaiting
PropLogic
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Sonic DLA
Sonic RecordNow!
SUPERAntiSpyware Free Edition
Windows Media Format Runtime
Windows Presentation Foundation
WinPcap 3.0
WordPerfect Office 11


Here is a hijackthis log below.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:05 AM, on 7/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: LevelOne Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8485445937
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5869 bytes


Hope you are doing well. Thanks for all your help so far.
heat123
Regular Member
 
Posts: 26
Joined: June 26th, 2008, 10:41 am

Re: please examine hijackthis log/ popups

Unread postby peku006 » July 6th, 2008, 2:43 am

Hi heat123
Only main.txt displays

Don´t worry about that extra.txt we don't need that..
Kasperky link did not work said can't display this webpage

When I was trying it worked.
we can try another scanner.......

PANDA ONLINE SCAN
Place a shortcut to Panda ActiveScan on your desktop.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log.
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: please examine hijackthis log/ popups

Unread postby heat123 » July 6th, 2008, 10:33 am

Could not find folder but it showed the results on the website and here they are. I have some infections. Thanks for all your help so far. Hijackthis log is after the results from Panda.


At a glance

Common name: SaveNow
Technical name: Adware/SaveNow
Threat level: Low
Type: Spyware
Subtype: Adware
Effects: It provides information about the weather forecast and displays advertising pop-up windows.

Affected platforms: Windows 2003/XP/2000/NT/ME/98/95

First detected on: Sept. 11, 2003
Detection updated on: May 31, 2008
Statistics Yes
Proactive protection: Yes, using TruPrevent Technologies
Brief Description
SaveNow is a spyware program, which is usually included in applications that can be downloaded from the Internet.

SaveNow provides information about the weather forecast and displays advertising pop-up windows.

Visible Symptoms
SaveNow is easy to recognize, as it displays advertising pop-up windows.

Tech details

Effects
SaveNow carries out the following actions:

It provides information about the weather forecast.
It displays advertising pop-up windows.
Infection strategy
SaveNow creates the following files in the subfolder SAVE, which is in the Program files directory:

SAVE.EXE, SAVE.HTML, README.TXT and SAVEUNINST.EXE.


SaveNow creates the following entries in the Windows Registry:

HKEY_LOCAL_MACHINE\ Software\ WhenUSave
HKEY_CLASSES_ROOT\ WUSN.1
Means of transmission
Spyware programs are usually included in free applications downloaded from the Internet. These programs are installed on the affected computer, sometimes without user consent, without warning users that these programs will collect user details.

SaveNow is usually included in third-party software, such as BearShare and other peer-to-peer (P2P) file sharing programs, RadLight Video Player, etc. It can also reach the computer by accessing certain web pages, which ask for confirmation to install an ActiveX control.

Further Details
SaveNow is written in the programming language Visual C++ v6.0 and it is 281,088 bytes in size.


Solution

Is my computer infected by SaveNow?
Panda Software offers various solutions to safeguard your computer from spyware, as well as from other threats like viruses, hackers or phishing.

Visit our online store to purchase the Panda solution that best suit your needs.
Download a trial version of our products so you can evaluate them before your purchase.
Check the computer with Panda ActiveScan, Panda Software's free, online scanner, which will quickly detect any possible threats.
How to remove SaveNow?
In order to repair any damage that SaveNow may have caused in your computer, run our free utility Panda QuickRemover. In order to do this, follow these instructions:

If you have a computer network, you should disconnect the network cable from all the servers and workstations in order to prevent them from being infected again during the disinfection process.
Carry out the following disinfection steps in each computer in your network.

1. Download the free utility Panda QuickRemover by clicking on the icon below:



Save the file in any folder you want in your computer.

2. Run Panda QuickRemover by double-clicking on the file and follow the instructions.

Even if Panda QuickRemover indicates that it hasn't detected any active viruses, click on Continue in order to perform a full scan.

3. Restart your computer.

4. Carry out a full scan of your computer using your Panda solution.
Additional notes:

After deleting this malware by following the specified steps, if your computer runs Windows Millenium, click here to find out how to eliminate it from the _Restore folder.
After deleting this malware by following the specified steps, if your computer runs Windows XP, click here to find out how to eliminate it from the _Restore folder.
How can I protect my computer from SaveNow?
In order to keep your computer protected, bear the following tips in mind:

Install a good antivirus in your computer. Click here to get the Panda antivirus solution that best suits your needs.
Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
Keep your permanent antivirus protection enabled at all times.
For more detailed information about how to protect your computer against viruses and other threats, click here.



At a glance

Common name: MyWay
Technical name: Application/MyWay
Threat level: Low
Alias: MyBar, My Search Bar, Speedbar,
Type: Potentially Unwanted Program (PUP)
Effects: It is an Internet Explorer toolbar that returns results provided by certain search engines.

Affected platforms: Windows 2003/XP/2000/NT/ME/98/95

First detected on: Sept. 11, 2003
Detection updated on: Nov. 4, 2007
Statistics Yes
Proactive protection: Yes, using TruPrevent Technologies
Brief Description
MyWay belongs to the category of Potentially Unwanted Programs, also known as PUPs. It is an Internet Explorer search toolbar that returns results provided by the following search engines:

Ask Jeeves
LookSmart
MySearch
Yahoo!

Tech details

MyWay is a PUP (Potentially Unwanted Program) that adds the following search toolbar to Internet Explorer:



which only returns results provided by the following search engines:

Ask Jeeves
LookSmart
MySearch
Yahoo!
Further Details

MyWay is written in the programming language Visual C++ v6. This PUP is 221,184 bytes in size.


Solution

How to remove MyWay?
Panda Software informs the user of the presence of PUPs in order to ensure that users are aware and agree to the installation and behavior of these programs. These are essential conditions to ensures that they decide whether to leave this software on their computers or not.

The evaluation criteria adopted are based on the characteristics specified in the risk model evaluation proposed by the Anti-Spyware Coalition, organization of which Panda Software is a member.



It is very important to carefully assess the information available about MyWay, in order to determine how this program reached your computer, if you want to keep it and its implication.

If you decide to delete it, uninstall it through the Add or Remove Programs option in the Control Panel.

Finally, in order to delete any posible trace of MyWay from your computer, carry out a full analysis using Panda Antivirus or Panda ActiveScan, and follow its instructions.



Additional notes:

If you have deleted this PUP by following the specified steps and your computer runs Windows Millenium, click here to find out how to eliminate it from the _Restore folder.
If you have deleted this PUP by following the specified steps and your computer runs Windows XP, click here to find out how to eliminate it from the _Restore folder.
How can I protect my computer from MyWay?
In order to keep your computer protected, bear the following tips in mind:

Install a good antivirus in your computer. Click here to get the Panda antivirus solution that best suits your needs.
Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
Keep your permanent antivirus protection enabled at all times.
For more detailed information about how to protect your computer against viruses and other threats, click here.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:04 AM, on 7/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: LevelOne Wireless Utility.lnk = C:\Program Files\LevelOne\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8485445937
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6039 bytes
heat123
Regular Member
 
Posts: 26
Joined: June 26th, 2008, 10:41 am

Re: please examine hijackthis log/ popups

Unread postby peku006 » July 7th, 2008, 1:25 am

Hi heat123
I'm not seeing anything malicious in your logs,you computer is clean
everything is all right except this:
Total Physical Memory 254 MiB (512 MiB recommended). You need to increase the memory.

Time for some housekeeping

remove tools
    Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.


    Please download OTMoveIt and save it to desktop.
    • Double click OTMoveIt.exe to launch the programme.
    • Click on the CleanUp! button.
    • OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • When finished exit out of OTMoveIt
    • The tool will delete itself once it finishes, if not delete it by yourself.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster 4.0
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Note:"Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com


Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Happy safe surfing!
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: please examine hijackthis log/ popups

Unread postby heat123 » July 7th, 2008, 7:12 am

The long list of things before the hijack this in my last reply were detected by the Panda scan but does not remove them because you have to pay for it. Should I do anything about that.
heat123
Regular Member
 
Posts: 26
Joined: June 26th, 2008, 10:41 am

Re: please examine hijackthis log/ popups

Unread postby peku006 » July 8th, 2008, 12:47 am

Hi heat123

please do the following...

After that, everything is alright

1 - Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: please examine hijackthis log/ popups

Unread postby heat123 » July 11th, 2008, 8:09 am

thanks for all your help. removed bad hijackthis entries.
heat123
Regular Member
 
Posts: 26
Joined: June 26th, 2008, 10:41 am

Re: please examine hijackthis log/ popups

Unread postby askey127 » July 12th, 2008, 6:55 am

heat123, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware