spyware strike

spyware strike

Post by scared » January 24th, 2006, 4:32 pm

Hi

I have been infected with this new malware. I am not a computer expert, so I read the threads here but would prefer to use the help of an expert to help me through this.

here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 10:19:48 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\012Net\012Net-Cable dialer\fts.exe
C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~2\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3860500938
O16 - DPF: {6F0C8A3E-8B0D-11D2-801B-00105AA78F4A} (CobAgent Class) - http://ecare2.netopia.com/modusys/agent ... bAgent.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46371F4A-80FC-410B-81BF-D226D5689A43}: NameServer = 84.95.14.250 212.116.161.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{46371F4A-80FC-410B-81BF-D226D5689A43}: NameServer = 84.95.14.250 212.116.161.37
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~2\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe

HELP ME PLEASE!

Post by AndyAtHull » January 24th, 2006, 4:37 pm

Hi scared,

I will be happy to help you. I will review your log and get back to you as soon as possible, as I have to get a teacher to double-check my fix.
Any problems or questions, please reply to this thread only.

Andy :)

all good now

Post by scared » January 24th, 2006, 6:21 pm

hey
I followed instructions that were given to someone in the forum regarding the spyware and it seemed to work.

I didn't save all the logs, but here is the one from ewido:
-------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:03:21 AM, 1/25/2006
+ Report-Checksum: 5F4326EC

+ Scan result:

HKU\S-1-5-21-2025429265-484763869-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2025429265-484763869-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2025429265-484763869-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2025429265-484763869-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@data2.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\123[1].wmftzhqbykl -> Exploit.MS05-053-WMF : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\F3CJPEG.DLLmtwxwryx -> Spyware.FunWeb : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\F3HISTSW.DLLirohstqi -> Spyware.MyWebSearch : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\f3pssavr.scrpgdlosik -> Spyware.MyWebSearch : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\F3PSSAVR.SCRvnwydkff -> Spyware.MyWebSearch : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\F3RESTUB.DLLwolmshrq -> Spyware.MyWebSearch : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\F3SCHMON.EXEqmacjxby -> Spyware.MyWebSearch : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\F3WPHOOK.DLLkshrbnkx -> Spyware.Wesbar : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\M3OUTLCN.DLLxowhelzu -> Spyware.MyWebSearch : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\mwsoemon.exeuvdbenvo -> Spyware.Wesbar : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\riched20.dlluxgcocbm -> Spyware.MyWebSearch : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\SmileyCentralFWBInitialSetup1.0.0.15[1].cabzpmbvopz/f3Setup1.exe -> Spyware.FunWeb : Cleaned with backup


::Report End



IS THIS GOOD OR WHAT? HOPE THIS IS THE END OF IT. THANKS FOR HELPING ME FIGHT THE VIRUS!

Post by AndyAtHull » January 24th, 2006, 6:27 pm

Hi scared,

Firstly, these logs, the Ewido and HijackThis logs you posted above: are these the latest logs? As in, taken after you followed someone else's instructions?

If so, you are still infected with SpywareStrike. Then please wait until my answer has been reviewed for me to post. And delete smitrem that you may have downloaded before.

Because every set of instructions regarding malware is for that computer only. It may contain slightly different options that you may not need to do.

Please clarify on this.

Andy :)

Post by scared » January 24th, 2006, 7:06 pm

hi

Yes, I posted the latest log entries. I thought it was all gone (the spyware), but now my computer is soooooo slow, I am scared again. I will remove smitrem, but I did do all that was written in someone else's instructions. So now I had Ad-Aware and ewido clear all that was found, but somehow my computer is slower than ever.

thanks, waiting for your instructions~

Post by AndyAtHull » January 24th, 2006, 7:09 pm

Hi scared and welcome to the forum,

You have a bit going on in your log, but let us start with SpywareStrike first. Delete anything you had before to help you with this apart from Ewido. Keep that.

Please follow the instructions from this blog of Nick's.

http://malwareremoval.com/plog/index.ph ... 8&blogId=3

1. Then return here with a fresh HJT taken after a reboot of the computer.
2. An Ewido log
3. And the Smitrem log.

Note - If the logs are long, please post the logs separately, as important info may get cut off.

Andy :)

Post by scared » January 24th, 2006, 9:04 pm

Hi andy

Ok, all is done. I think the worst is behind me now. I have the reports except the one from HijackThis, since it seems I have to reinstall the program, so how do I do that?
here goes:
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:43:02 AM, 1/25/2006
+ Report-Checksum: BEB01EBC

+ Scan result:

C:\Documents and Settings\Michal\Cookies\michal@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Michal\Cookies\michal@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\ld5D7.tmplsowukul -> Downloader.Zlob.dd : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\ld862D.tmpzwkibldc -> Downloader.Zlob.fb : Cleaned with backup
C:\WinAntiVirus Pro 2006\Quarantine\mssearchnet.exepwpeznwr -> Downloader.Zlob.fa : Cleaned with backup


::Report End





and the other report:

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 01/25/2006
The current time is: 1:35:33.66

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)



Is this all? the computer seems to be better now. Do I need to keep all these programs on or can I remove them now?

thanks!

Post by scared » January 24th, 2006, 9:09 pm

ok, hjt report:

Logfile of HijackThis v1.99.1
Scan saved at 3:07:18 AM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\012Net\012Net-Cable dialer\fts.exe
C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~2\PANICW~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Michal\Desktop\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~2\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3860500938
O16 - DPF: {6F0C8A3E-8B0D-11D2-801B-00105AA78F4A} (CobAgent Class) - http://ecare2.netopia.com/modusys/agent ... bAgent.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46371F4A-80FC-410B-81BF-D226D5689A43}: NameServer = 84.95.14.250 212.116.161.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{46371F4A-80FC-410B-81BF-D226D5689A43}: NameServer = 84.95.14.250 212.116.161.38
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~2\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe

Is all OK now?

Post by AndyAtHull » January 24th, 2006, 9:10 pm

Thanks scared for the logs. I will research these and report back with a fix ASAP, because you are not clean yet.

Andy :)

Post by scared » January 25th, 2006, 5:40 am

Hi Andy

still waiting on those results regarding my reports...
thanks

Post by AndyAtHull » January 25th, 2006, 6:41 am

Hi scared,

Because I am an undergrad here at MRU all my answers have to get checked by teachers here. This will delay my reply sometimes. I hope you understand.

I have a question. What is your DNS server? What Internet Service Provider do you use? Please tell me what all of this should be, as you may have a DNS hijack.

----------

Spywarestrike seems to be gone. Great :D . Now let us tidy it up a bit.

You have WinAntiVirus Pro 2006 installed. WinAntiVirus is a rogue application. See Spyware Warrior's Rogue/Suspect Anti-Spyware Products list:

aggressive advertising (1, 2, 3, 4); false positives work as goad to purchase; inappropriate collection of Personally Identifiable Information; same company as WinAntiSpy 2005, WinAntiSpyware 2005, & WinFixer [A: 5-21-05 / U: 9-4-05]


For this reason I strongly suggest you uninstall WinAntiVirus Pro 2006 via Start>Control Panel>Add/Remove. Please carry this out before you continue.

----------

You may want to print out these instructions or save them as a text file with Notepad to your desktop, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Or your internet connection may fail and you will need to run the LSP fix. Read these instructions carefully and feel free to ask if you're unsure about something.

----------

Please download ATF Cleaner by Atribune©

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox and/or Opera browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

----------

Please download LSPFix from here http://cexx.org/LSPFix.exe .

If you cannot connect to the Internet after fixing a few entries in HijackThis (below), please run the LSP-Fix program, and click on the finish button. Reboot and you should be able to get back on.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  1. Check the I know what I'm doing box.
  2. In the Keep box you should see one or more instances of mailscan.dll.
  3. Select every instance of mailscan.dll and move each one to the Remove box by clicking the >> button.
  4. When you are done click Finish>>.
----------

Get a copy of winsockxpfix.exe. Save it to your desktop. But do not use.

http://www.snapfiles.com/get/winsockxpfix.html

----------

Open up HijackThis and click on Do a system scan only. Put a check mark next to the following, if present:

O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe


With no other windows or browsers open other than HijackThis, click on Fix.

----------

Reveal Hidden Files

  1. Click Start.
  2. Open My Computer.
  3. Select the Tools menu.
  4. Click Folder Options.
  5. Select the View tab.
  6. Select Show hidden files and folders in the Hidden files and folders section.
  7. Uncheck Hide protected operating system files (recommended) option.
  8. Uncheck the Hide file extensions for known file types option.
  9. Click Yes.
  10. Click OK.


----------

Then, using Windows Explorer, search for and DELETE the following file(s)/folder(s) in RED, IF STILL PRESENT:

Programs...

C:\Program Files\WinAntiVirus Pro 2006

If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the filename is in there, click End Process, then retry delete.

(Note the name and location of any file you cannot delete.)

----------

If your internet connection does not work use the LSPfix. Please run the LSP-Fix program, and click on the finish button. Reboot and you should be able to get back on.

or if this fails use the following:

Open up winsockxpfix.exe. You just run it and
things should work OK after it reboots your system.

----------

Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Post Panda scan results in your next reply

----------

In your next reply I would like:

A fresh HijackThis log.
Information on your DNS Server/ISP.
And anything Panda ActiveScan finds.

Note - Please delete the smitrem file.

Andy :D

Post by scared » January 25th, 2006, 9:14 am

Hi andy

I totally understand that you need time to check things out. Now, a few things:
How do I check what my DNS and internet suppliers are?
My main disappointment is that I paid to have antivirus installed( little do I know about computers) and this would mean I am throwing away my money! Is all this really necessary?

I will be gone for a few hours. I will check your answer and act accordingly to remove any more menaces.

Thanks

Post by AndyAtHull » January 25th, 2006, 10:29 am

Hi scared,

Please advise your ISP's data for the DNS servers. You may have been provided this when they connected you, or you should be able to obtain this from their support phone/email contact. It looks like they may have been hijacked, but without knowing what they should be we cannot change them.

You have AVG, which is good. But regarding WinAntiVirus Pro 2006. The 2005 version was a rogue program. This program is bundled with many things including WinFixer. Because of this I highly recommend you uninstall this. The exact problems of the 2006 version are not known yet. We cannot insist it has moved on from having these bundles without being 100% sure.

Andy :D

Post by scared » January 25th, 2006, 2:19 pm

Hi andy,
Ok, here is the technician report from my net provider:
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.27.96.1
DHCP Server . . . . . . . . . . . : 213.57.35.2
DNS Servers . . . . . . . . . . . : 192.168.101.102
                                    192.168.101.101
Lease Obtained. . . . . . . . . . : Wednesday, January 25, 2006 3:42:20 AM
Lease Expires . . . . . . . . . . : Friday, January 27, 2006 9:33:06 AM

PPP adapter 012 L2TP:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 84.95.82.91
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 84.95.82.91
DNS Servers . . . . . . . . . . . : 212.117.129.5
                                    212.116.161.39
NetBIOS over Tcpip. . . . . . . . : Disabled

DOES THIS HELP? CAN I GET MY MONEY BACK FROM ANTI VIRUS IF I WILL NOT BE USING IT?
LET ME KNOW WHAT TO DO NEXT, I HAVE NOT YET STARTED WHAT YOU SUGGESTED IN THE LAST REPLY.
THANKS

Post by AndyAtHull » January 25th, 2006, 8:37 pm

Hi Scared,

We know you have an Albanian flag in your author part. There is some confusion going on with this DNS. If you do not mind me asking, in which country are you located? This will give us valuable information. If you feel you do not want to post it directly in here, please PM me only your location; anything else we need to discuss in this thread.

Edit - Do not continue with anything until then.

Andy :)
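The check Andy is doing by hand across the last few posts, comparing the O17 NameServer entries in the HijackThis log with the DNS servers the ISP actually assigns, together with the O10/O15/O23 entries in his earlier fix list, can be scripted. The Python below is an added example for this page; it is not a MalwareRemoval.com tool and was not posted in the thread. Its sample log lines and `ipconfig /all` fragment are constructed (made-up product names, RFC 5737 documentation addresses) rather than taken from scared's logs, and the parsing follows the HijackThis line layout and the ipconfig continuation-line layout visible in the posts above.

```python
"""Triage a HijackThis-style log against an `ipconfig /all` dump.

Added example for this thread, not a MalwareRemoval.com tool. Everything in
SAMPLE_HJT and SAMPLE_IPCONFIG is constructed: the product names are made up
and the addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import Counter

# "O17 - <body>" / "R0 - <body>": section tag, then the entry text.
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample in the same shape as a HijackThis v1.99 log.
SAMPLE_HJT = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
O4 - HKLM\\..\\Run: [RogueAV] "C:\\Program Files\\RogueAV\\RogueAV.exe"
O10 - Unknown file in Winsock LSP: c:\\program files\\rogueav\\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\\program files\\rogueav\\mailscan.dll
O15 - Trusted Zone: http://*.rogue-billing.example
O15 - Trusted Zone: http://*.rogueav.example
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{GUID}: NameServer = 192.0.2.10 198.51.100.7
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{GUID}: NameServer = 192.0.2.10 198.51.100.7
O23 - Service: Firewall service (FWSvc) - RogueSoft, Ltd. - C:\\Program Files\\RogueAV\\FWSvc.exe
"""

# Constructed `ipconfig /all` fragment: the DNS list starts on the labelled
# line and continues on lines that hold nothing but an address.
SAMPLE_IPCONFIG = """\
PPP adapter ISP L2TP:

   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   DNS Servers . . . . . . . . . . . : 198.51.100.7

                                       198.51.100.8

   NetBIOS over Tcpip. . . . . . . . : Disabled
"""


def parse_hjt(text):
    """Group HijackThis log lines by section tag (R0, O4, O10, ...)."""
    sections = {}
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            sections.setdefault(m.group("sec"), []).append(m.group("body"))
    return sections


def dns_from_ipconfig(text):
    """Return the DNS servers listed in an `ipconfig /all` dump, in order."""
    servers, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "DNS Servers" in line:
            servers += IPV4.findall(line)
            collecting = True
        elif collecting and not line:
            continue                      # blank lines inside the list
        elif collecting and IPV4.fullmatch(line):
            servers.append(line)          # continuation line: address only
        else:
            collecting = False
    return servers


def entries_mentioning(sections, needle):
    """Every log entry, in any section, whose text contains `needle` (for
    example a product folder name), so none of a product's hooks is missed."""
    needle = needle.lower()
    return [f"{sec} - {body}" for sec, bodies in sections.items()
            for body in bodies if needle in body.lower()]


def triage(hjt_text, ipconfig_text):
    """Flag what a helper checks by hand: wildcard Trusted Zone sites, LSP
    DLLs (with the number of LSP slots each occupies, since HijackThis prints
    one O10 line per slot), and O17 NameServer addresses the ISP did not
    hand out."""
    secs = parse_hjt(hjt_text)
    expected = set(dns_from_ipconfig(ipconfig_text))

    trusted = [b.split("Trusted Zone:", 1)[1].strip()
               for b in secs.get("O15", []) if "Trusted Zone:" in b]

    lsp = Counter(b.split("LSP:", 1)[1].strip().lower()
                  for b in secs.get("O10", []) if "LSP:" in b)

    configured = []
    for b in secs.get("O17", []):
        if "NameServer" in b:
            configured += IPV4.findall(b.split("NameServer", 1)[1])

    return {
        "trusted_zones": trusted,
        "lsp_dlls": dict(lsp),
        "expected_dns": sorted(expected),
        "unexpected_nameservers": sorted(set(configured) - expected),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT, SAMPLE_IPCONFIG).items():
        print(f"{key}: {value}")
    for hit in entries_mentioning(parse_hjt(SAMPLE_HJT), "rogueav"):
        print("rogueav:", hit)
```

A value in `unexpected_nameservers` is a lead, not a verdict: a connection set up by the ISP's own dialer software may legitimately carry addresses that differ from those on another adapter, which is why Andy asks for the ISP's figures before changing anything. `entries_mentioning` is there to collect every O4, O10, O15 and O23 line tied to one product folder, so a fix list covers all of a rogue program's hooks (Run key, LSP slots, trusted-zone domains, service) and not only the one that is visible in the running-processes list.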
