Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Winfixer french version need help!!!

Post by mibi » October 15th, 2005, 6:37 am

I think I have a nasty version of winfix because I find no similar files on all the posts I have gone through.
Thanks for the help, here's my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:34:46 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\anvshell.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Labtec\LABTEC~1\Keyboard.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe
C:\PROGRA~1\ICQLite\ICQLite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [KeyBoard] C:\PROGRA~1\Labtec\LABTEC~1\Keyboard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRA~1\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
mibi
Active Member
 
Posts: 6
Joined: October 15th, 2005, 6:30 am

Post by Kimberly » October 17th, 2005, 12:19 am

Hello mibi and welcome,

If you feel more comfortable writing in French, please let me know. For now I'll post in English. :)

I can't see anything related to Winfixer in your HijackThis log, which is clean. Which program alerted you about Winfixer? If you did a scan with Ewido, can you post the log if you saved it, please?

We will check your PC and see if we can find something. I would like to see a list of the installed programs; follow the steps below to do this.

Run HijackThis, click on Open the Misc Tools Section, click on Open Uninstall Manager. Click on Save List and save uninstall_list.txt to your Desktop. Open this file in Notepad and copy/paste the content in your reply.
Click Back (the one located at the right side of the Save List button).
______________________________

Let's see if we find something by performing 2 scans. :)

Run Panda's ActiveScan and perform a full system scan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the big Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan. This will take a couple of minutes.
  • Click on Local Disks to start the scan
Post the Panda scan results in your next reply.
______________________________

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
______________________________

I'm expecting :
  1. uninstall_list.txt
  2. Results of the Panda Scan
  3. Results of the Kaspersky Scan
You may need several replies to post the logs, otherwise they might get cut off.

Btw, do you still have Spyware Sweeper installed? (I see an orphan entry in your HijackThis log.)

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by mibi » October 17th, 2005, 5:48 am

Hi Kimberly,
I'm not sure if my reply went through so here it is again.
I'm an ex-New Yorker living in Paris so English is my preferred language.
To be more exact, I get a pop-up while using Mozilla that is in French that, when closed, sends me to a Winfixer pop-up. Spybot says there is a Winfixer tracking cookie.

Here's what you asked for:

HJT uninstall list

-(/'|'\)- DivX Codec 3.11a Codec -(/'|'\)-
3ivx D4 4.5.1 (remove only)
ABC (remove only)
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe After Effects 6.5
Adobe Photoshop CS
Adobe Reader 6.0.1 - Français
Antares Tube v1.0
ASIO4ALL v2
ASUS Digital VCR
ASUS Display Drivers
Azureus
BitLord 1.1
BitTornado 0.3.7
BLM 2.5.1
Bome's Mouse Keyboard 2.0beta6
Cakewalk VST Adapter 4
CleanUp!
Cossacks - European Wars
Crazy Taxi
DAEMON Tools
Digidesign ASIO Driver
Direct Show Ogg Vorbis Filter (remove only)
DivX Player
DreamStation DXi2
DVD-lab PRO 1.00
eMule
ewido security suite
ffdshow (remove only)
Free - Kit de connexion
GiPo@MoveOnBoot 1.9.5
GLOBEtrotter FLEXid Drivers
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Huffyuv AVI lossless video codec (Remove Only)
Hyperprism 2.5.0
ICQ Toolbar
IK Multimedia Amplitube DX/VST/RTAS v2.0
IrfanView (remove only)
iTunes
Java 2 Runtime Environment, SE v1.4.2_06
Labtec Keyboard-Desktop Software
Live 4.1.1
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
MainConcept MPEG Encoder
Maya 6.0
Maya 6.0 Documentation Server
Maya Shader Library for Maya
Microsoft Data Access Components KB870669
Microsoft Office Excel Viewer 2003
Microsoft Reader
MIDI Yoke
Morgan Stream Switcher
Mozilla Firefox (1.0)
MUSK Codec Pack v5
Nero Suite
Norton AntiVirus 2003 Professional Edition
Norton WMI Update
NVIDIA Drivers
NVIDIA WDM Drivers
NvMixer
On2 VP3 Video for Windows Codec
Picasa 2
PowerDirector Pro
PowerDVD
QuickTime
ReaderWorks Standard
RealPlayer
REALVIZ Stitcher 4.0
Reason 3.0
RegistryFix v3.0
Rramm Drrumm 1.0
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Sentinel System Driver
SONAR 4 Producer Edition
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
Starsky&Hutch
Steinberg Cubase SX v2.2.0.33
Steinberg WaveLab 5.01a
Sygate Personal Firewall
Syncrosoft's License Control
Tablet
The Cleaner
TrojanHunter 4.2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
VideoLAN VLC media player 0.8.0
VobSub v2.23 (Remove Only)
VOCALOID Editor V1.0.5.12
VOCALOID Expression DB (Lola)
VOCALOID Expression DB (Standard)
VOCALOID SKIN (Zero-G LOLA)
VOCALOID Voice DB (Lola)
VOCALOID VSTi V1.0.5.12
VP6 VFW Codec
Wavemachine Labs Drumagog Pro DX Plugin v3.02
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
X-NetStat Professional 5.12
XviD Decoder 1.0-Beta3
XviD MPEG-4 Codec
XviD MPEG-4 Video Codec
XVid;-)
Yahoo! Toolbar


Panda scan:

Incident | Status | Location
Spyware:spyware/clearsearch | No disinfected | C:\WINDOWS\system32\IETie.dll

Kaspersky scan:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 17, 2005 11:39:08
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/10/2005
Kaspersky Anti-Virus database records: 154531
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 95224
Number of viruses found: 14
Number of infected objects: 127
Number of suspicious objects: 0
Duration of the scan process: 3248 sec

Infected Object Name - Virus Name
C:\Documents and Settings\michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-528f6e04-405bb36d.zip/Beyond.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-528f6e04-405bb36d.zip/BlackBox.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-528f6e04-405bb36d.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\michael\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-528f6e04-405bb36d.zip Infected: Trojan.Java.ClassLoader.ai
C:\Program Files\MUSK Codec Pack v5\5.1\5.1.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\Program Files\MUSK Codec Pack v5\5.1\5.1.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\Program Files\MUSK Codec Pack v5\5.1\5.1.exe Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\Program Files\Norton AntiVirus\Quarantine\091B666B/[From hostmaster@gcmci005.cdm.cm-cic.fr][Date Fri, 06 May 2005 16:53:22 UTC]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\091B666B Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\096D0011/[From steph.gre38@free.fr][Date Fri, 06 May 2005 17:08:09 GMT]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\096D0011 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\09817BFB/[From register@netcourrier.com][Date Fri, 06 May 2005 17:48:59 GMT]/account_info-text.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\09817BFB Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\098E23ED/[From 4222EE07.FBD8CAFA@st.com][Date Fri, 06 May 2005 19:09:24 GMT]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\098E23ED Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\099477E6/[From info@hotmail.com][Date Fri, 06 May 2005 19:35:14 GMT]/account_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\099477E6 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\099B4BDE/[From hostmaster@neuf.fr][Date Fri, 06 May 2005 21:25:34 GMT]/mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\099B4BDE Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\099E75DB/[From info@libertysurf.fr][Date Fri, 06 May 2005 22:13:45 UTC]/account_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\099E75DB Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\09A549D4/[From hostmaster@yahoo.fr][Date Fri, 06 May 2005 23:40:26 UTC]/account_info-text.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\09A549D4 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\09A873D0/[From 3Dvpeillot@lmde.com][Date Sat, 07 May 2005 00:05:15 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\09A873D0 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0DAB448A/[From service@club-internet.fr][Date Sat, 07 May 2005 03:14:18 UTC]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0DAB448A Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0DD91057/[From service@netcourrier.com][Date Sat, 07 May 2005 03:34:11 GMT]/account_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0DD91057 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0DDC3A54/[From webmaster@hotmail.com][Date Sat, 07 May 2005 04:07:19 UTC]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0DDC3A54 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\0F676BFD Infected: Email-Worm.Win32.NetSky.y
C:\Program Files\Norton AntiVirus\Quarantine\10936CF6 Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Norton AntiVirus\Quarantine\11DB3DCF.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\1A090E8D.class Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\1A090E8D.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\1A090E8D.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\1A090E8D.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\1A090E8D.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\1A090E8D.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\1A0F6286.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\1A16367F.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\1A293269.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\1C6B352A/[From o.delphine@wanadoo.fr][Date Sat, 07 May 2005 01:46:00 GMT]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\1C6B352A Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\316A2CD9 Infected: Trojan-Downloader.Java.OpenStream.t
C:\Program Files\Norton AntiVirus\Quarantine\378B7B07/[From 3Danne_marie_br@yahoo.fr][Date Sat, 07 May 2005 06:25:10 GMT]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\378B7B07 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\379578FC/[From Admin@iut2.upmf-grenoble.fr][Date Sat, 07 May 2005 05:20:50 UTC]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\379578FC Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\379822F9/[From rafg@yahoo.com][Date Sat, 07 May 2005 07:28:28 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\379822F9 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\379B4CF5/[From webmaster@tele2.fr][Date Sat, 07 May 2005 08:18:08 UTC]/account_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\379B4CF5 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37A220EE/[From webmaster@yahoo.fr][Date Sat, 07 May 2005 10:54:20 GMT]/account_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37A220EE Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37A54AEA/[From marco.lambert@m6net.fr][Date Sat, 07 May 2005 11:57:21 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37A54AEA Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37AB1EE3/[From 3Dsebastien.martinet@bnpparibas.com][Date Sat, 07 May 2005 13:34:14 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37AB1EE3 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37AF48E0/[From m.menduni@iv2.bluestreak.com][Date Sat, 07 May 2005 13:57:14 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37AF48E0 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37B272DC/[From Admin@laposte.net][Date Sat, 07 May 2005 15:08:33 GMT]/account_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37B272DC Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37B51CD8/[From hostmaster@nero.com][Date Sat, 07 May 2005 15:38:35 UTC]/mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\37B51CD8 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\40753EA5/[From info@airfrance.fr][Date Sat, 07 May 2005 16:56:57 GMT]/account_info-text.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\40753EA5 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\407F3C9A/[From register@aol.com][Date Sat, 07 May 2005 18:02:22 GMT]/mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\407F3C9A Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\45836D4E Infected: Email-Worm.Win32.NetSky.y
C:\Program Files\Norton AntiVirus\Quarantine\45901540 Infected: Email-Worm.Win32.NetSky.y
C:\Program Files\Norton AntiVirus\Quarantine\4F0A7804.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\5A4D4DD5 Infected: Email-Worm.Win32.NetSky.y
C:\Program Files\Norton AntiVirus\Quarantine\65BD3823 Infected: Email-Worm.Win32.NetSky.y
C:\Program Files\Norton AntiVirus\Quarantine\65C34FE3/[From hostmaster@club-internet.fr][Date Thu, 05 May 2005 19:09:15 GMT]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\65C34FE3 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\65D45E0A Infected: Email-Worm.Win32.NetSky.y
C:\Program Files\Norton AntiVirus\Quarantine\66181386/[From register@clausetezier.com][Date Thu, 05 May 2005 19:18:03 UTC]/mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66181386 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\664F5D48/[From webmaster@neuf.fr][Date Thu, 05 May 2005 20:19:20 GMT]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\664F5D48 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66692D2C/[From fabrice.celli@roche.com][Date Thu, 05 May 2005 21:32:48 GMT]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66692D2C Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66902501/[From register@yahoo.com][Date Thu, 05 May 2005 22:14:27 UTC]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66902501 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66A176EF/[From service@hotmail.com][Date Thu, 05 May 2005 23:33:53 UTC]/mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66A176EF Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66A74AE7/[From service@aol.com][Date Fri, 06 May 2005 01:05:19 UTC]/account_info-text.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66A74AE7 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66AB74E4/[From service@mail.pf][Date Fri, 06 May 2005 02:09:21 GMT]/account_info-text.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66AB74E4 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66AE1EE0/[From 3Dc.bret@laposte.net][Date Fri, 06 May 2005 03:10:51 GMT]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66AE1EE0 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66B148DD/[From service@wanadoo.fr][Date Fri, 06 May 2005 04:01:53 GMT]/account_info-text.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66B148DD Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66B81CD5/[From service@laposte.net][Date Fri, 06 May 2005 05:38:34 GMT]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66B81CD5 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66BE70CE/[From register@imap.free.fr][Date Fri, 06 May 2005 06:19:12 UTC]/account_info-text.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66BE70CE Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66C11ACB/[From lebreton@numericable.com][Date Fri, 06 May 2005 06:32:24 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66C11ACB Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66C544C7/[From 3Dcampillo@chez.com][Date Fri, 06 May 2005 07:44:43 UTC]/our_secret.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66C544C7 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66C86EC3/[From webmaster@yahoo.com][Date Fri, 06 May 2005 08:58:04 UTC]/account_info-text.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\66C86EC3 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\67036283/[From info@laposte.net][Date Fri, 06 May 2005 09:37:41 UTC]/account_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\67036283 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\671A086A/[From hostmaster@chemie.uni-erlangen.de][Date Fri, 06 May 2005 11:02:27 UTC]/error-mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\671A086A Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\67205C62/[From service@wanadoo.fr][Date Fri, 06 May 2005 12:08:50 UTC]/mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\67205C62 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\6761241B/[From info@wanadoo.fr][Date Fri, 06 May 2005 13:33:22 GMT]/mail_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\6761241B Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\67687813/[From hostmaster@hotmail.com][Date Fri, 06 May 2005 13:51:40 GMT]/account_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\67687813 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\676B2210/[From hostmaster@freesbee.fr][Date Fri, 06 May 2005 15:44:53 GMT]/account_info.zip Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\676B2210 Infected: Email-Worm.Win32.Sober.p
C:\Program Files\Norton AntiVirus\Quarantine\6AB139B2.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\6AB139B2.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\6AB139B2.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\6AB139B2.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\6AB139B2.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\720F384E Infected: Email-Worm.Win32.NetSky.y
C:\Program Files\Norton AntiVirus\Quarantine\77631AB4.class Infected: Trojan-Downloader.Java.OpenStream.t
C:\System Volume Information\_restore{F6418E60-3A9D-4C0C-86C5-CBBD0542EB5C}\RP407\A0164634.dll Infected: not-a-virus:AdWare.Win32.WinAD.b
C:\System Volume Information\_restore{F6418E60-3A9D-4C0C-86C5-CBBD0542EB5C}\RP407\A0164635.exe Infected: not-a-virus:AdWare.Win32.WinAD

Scan process completed.


thanks again
mibi

Unread postby Kimberly » October 17th, 2005, 11:58 am

Hi mibi,

np, we'll move on in English then. :)

Your system is rather clean, a few details to fix (more a general cleanup), the scans didn't reveal the presence of any file related to winfixer... so maybe after the things below, it will have disappeared.

Please reset System Restore to remove eventual backups of the spyware and trojans.

Turn off System Restore
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  4. Click Yes when you receive the prompt to turn off System Restore.
Reboot your computer.

Turn System Restore back on
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
A new restore point will be created automatically.
______________________________

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

MUSK Codec Pack v5

During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\MUSK Codec Pack v5

Using Windows Explorer, Search and Delete these Files if listed:

C:\WINDOWS\system32\IETie.dll

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.
______________________________

Open Norton Antivirus, go to the Quarantine section and empty the quarantined files.
______________________________

Keep all browsers closed, Click on Start, Control Panel
Double click on the java plug-in icon (there may be more than one)
Click on cache tab
click the "clear" or "clear cache" button
Click ok if prompted.
If there are other java plug-in icons...do the same to them all. That should clean out the infected files.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this: (I know you use Firefox, but please perform it)
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Use CleanUp to clean up everything related to Firefox (cookies, offline pages, internet cache ....), but don't let it clean your temp files (it borks XP themes from time to time).
______________________________

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green
  • Under Safety
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Under Definitions
    • Prompt to update outdated definitions - set to 7 days
Click on the Scanning Button on the left and select in green
  • Under Driver, Folders & Files
    • Scan Within Archives
  • Under Select drives & folders to scan
    • choose all hard drives
  • Under Memory & Registry
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
Click on the Advanced Button on the left and select in green
  • Under Shell Integration
    • Move deleted files to Recycle Bin
  • Under Logfile Detail Level
    • Include additional object information
    • DESELECT - Include negligible objects information (make it show a red X)
    • Include environment information
  • Under Alternate Data Streams
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak Button and select in green
  • Under the Scanning Engine (Click on the + sign to expand)
    • DESELECT Unload recognized processes & modules during scan (make it show a red X)
    • Scan registry for all users instead of current user only
  • Under the Cleaning Engine (Click on the + sign to expand)
    • Always try to unload modules before deletion
    • During Removal, unload Explorer and IE if necessary
    • Let Windows remove files in use at next reboot
  • Under the Log Files (Click on the + sign to expand)
    • Include basic Ad-aware SE settings in logfile
    • Include additional Ad-aware SE settings in logfile
    • Include reference summary in log file
    • Include alternate data stream details in log file
Click on Proceed to save the settings and close the program.
______________________________

Update Spybot - S&D before using it

Click on the Search for Updates button. If there are available updates, they will be listed. Click on the Download Updates button and Spybot - S&D will download the updates and install them. Close the program.
______________________________

Launch and update Ewido
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Run Ad-Aware and Click on the Scan Now Button
  • Choose Perform Full System Scan
  • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.

Reboot to complete the removal of what Ad-Aware SE found.
______________________________

Run Spybot - S&D

Click the button Check for Problems
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
Make sure that there is a check mark beside all of the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows.

Let it fix the cookies if found.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido.
______________________________

Post the Ewido log and let me know if you still have problems. Run a Kaspersky scan to see if everything got cleaned up.

About this entry : O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
Normally it belongs to Spyware Sweeper from Webroot. It does not show up in your uninstall list, so I presume you did remove the program ?

Kim
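
Added example, not part of the original posts: a short Python triage of scan-log lines in the format posted above. It groups each detection by where the file sits (antivirus quarantine, System Restore snapshot, or elsewhere) and maps the first two groups to the cleanup steps given in the reply above. The function names are made up for this sketch, and the last sample line is constructed; the other sample lines are copied from the log in this thread.

```python
import re

# First five lines are copied from the scan log in this thread.
# The last line is CONSTRUCTED to show a finding outside quarantine/restore.
SAMPLE_LOG = r"""
C:\Program Files\Norton AntiVirus\Quarantine\6AB139B2.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\6AB139B2.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\720F384E Infected: Email-Worm.Win32.NetSky.y
C:\System Volume Information\_restore{F6418E60-3A9D-4C0C-86C5-CBBD0542EB5C}\RP407\A0164634.dll Infected: not-a-virus:AdWare.Win32.WinAD.b
C:\System Volume Information\_restore{F6418E60-3A9D-4C0C-86C5-CBBD0542EB5C}\RP407\A0164635.exe Infected: not-a-virus:AdWare.Win32.WinAD
C:\WINDOWS\system32\example_constructed.dll Infected: not-a-virus:AdWare.Win32.Constructed.a
"""

# Locations where a detected file is stored but not loaded by anything,
# paired with the cleanup step from the reply above.
INERT_LOCATIONS = [
    ("quarantine",
     re.compile(r"\\Norton AntiVirus\\Quarantine\\", re.I),
     "empty the antivirus quarantine"),
    ("system_restore",
     re.compile(r"\\System Volume Information\\_restore\{", re.I),
     "turn System Restore off and on again to drop old restore points"),
]
LIVE_ACTION = "file is on the live system: remove it and check what loads it"


def parse_line(line):
    """Split '<object> Infected: <name>' into container file, member, name.

    Windows paths use backslashes, so a forward slash in the object marks
    the start of a member inside an archive or mail container.
    """
    line = line.strip()
    if " Infected: " not in line:
        return None
    obj, name = line.rsplit(" Infected: ", 1)
    container, _, member = obj.partition("/")
    return container, (member or None), name.strip()


def classify(container):
    """Return the location label for a container path."""
    for label, pattern, _ in INERT_LOCATIONS:
        if pattern.search(container):
            return label
    return "live"


def triage(log_text):
    """Group detections as {location: {container_path: {detection names}}}.

    Members of one archive collapse onto their container, so a zip with
    four flagged classes counts as one file to deal with.
    """
    result = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        container, _member, name = parsed
        files = result.setdefault(classify(container), {})
        files.setdefault(container, set()).add(name)
    return result


def next_steps(result):
    """Return [(location, file_count, action)] in a fixed review order."""
    steps = [(label, len(result[label]), action)
             for label, _, action in INERT_LOCATIONS if label in result]
    if "live" in result:
        steps.append(("live", len(result["live"]), LIVE_ACTION))
    return steps


if __name__ == "__main__":
    for label, count, action in next_steps(triage(SAMPLE_LOG)):
        print(f"{label}: {count} file(s) -> {action}")
```
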

Unread postby mibi » October 17th, 2005, 2:58 pm

Hi kim,
The only thing strange was I didn't find C:\Program Files\MUSK Codec Pack v5, but I remember it being there. I let a musician watch my house for the summer and he downloaded all kinds of stuff. Also I did remove Spy Sweeper because winfixer got me so paranoid. Here is the last ewido report. This winfixer window pops up around every ten minutes of surfing and so far nothing.
So thanks so much!
Here's the report

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:47:21 PM, 10/17/2005
+ Report-Checksum: 9E23F895

+ Scan result:

:mozilla.11:C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\egvy5fpm.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.12:C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\egvy5fpm.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.17:C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\egvy5fpm.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup


::Report End

I'll touch base again later because I have to run out. Just to confirm all's clear
thanks michael

Unread postby Kimberly » October 17th, 2005, 5:18 pm

Hi michael,

It looks like we may have nailed the popup then, that's cool. :)

If Add/Remove did work correctly for MUSK Codec Pack v5, it is normal that you don't have to delete the folder yourself. But sometimes uninstallers are so badly written that you have to remove lots of things manually. :(
______________________________

Since you did remove Spyware Sweeper, let's fix this orphan entry with HijackThis:

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Close ALL windows and browsers except HijackThis and click Fix Checked

If you have trouble removing it, lemme know and we'll put together a small regfix. :)
______________________________

Hide your system files again.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading uncheck Show hidden files and folders.
  6. Check the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Click OK.
______________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

Make your Internet Explorer more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click Ok
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
Additional information is available in the following KB article:
Resources for using Internet Explorer 6

Download and install the following free programs
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial can be found here
    • MVPS Hosts File
      You can download the MVPS Hosts File here
      Furthermore the website contains useful tips and links to other resources and utilities.
    • Bluetack's Hosts File and Hosts Manager
      Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue applications etc...
      Download Bluetack's Hosts file here
      Download Bluetack's Hosts Manager here
Install Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

Happy surf and don't hesitate to post back if something is popping up again in the next hours / days. :)

Kim

Unread postby mibi » October 18th, 2005, 4:55 am

Hello Kimberly,
I just wanted to say everything's running fine now. Knock on wood. I find it hard to put up with this kind of nonsense. How is it legal a company like winfixer can do stuff like this? False advertising is one of the many infractions, at least I didn't download the program by clicking "no" like the others. Hey, I see a French flag by your name, are you French or just live here? Your English is flawless
well thanks for all your help
you will be rewarded with lots of good karma i'm sure
mibi

Unread postby Kimberly » October 18th, 2005, 11:03 am

Hello michael,

Great to hear that everything runs smoothly now. :)

The U.S. Federal Trade Commission has already performed some actions against similar companies, but you see some new ones popping up almost every day. :( The battle only begins like they say ...

Yes I'm from France and let's say that English is essential when you play around with computers. :) I hope you enjoy Paris, it has to be a big difference compared to New-York.

Kim

Unread postby mibi » October 19th, 2005, 2:56 pm

Well Kim,
I've been living in Paris for the last 5 years and I find it the best place in the world. It's strange that the French have a snob reputation in America because I have never seen a more polite people in all my life. Nothing goes by without a please, thank you or excuse me. Have a nice day is also quite common. I'm guessing you have spent time in some English speaking country because every fluent French person I've met seems to have done that or they have a parent who is a native anglophone. I've personally never heard them say "the battle only begins" but I miss lots of things when I get tired and the nights grow long...
"have fun and don't get any on ya" as they say, and really thanks,
michael

Unread postby Kimberly » October 19th, 2005, 5:21 pm

I've been moving around a lot in Europe and I always liked languages... guess that explains a lot.

Glad to see that we were able to assist you in solving your PC trouble michael, happy surf and ... yeah apply that lovely saying ... "have fun and don't get any on ya" :)

Kim

Unread postby mibi » October 20th, 2005, 11:55 am

still no pop ups how wonderful
mibi

Unread postby NonSuch » October 27th, 2005, 5:14 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.