Need help with virus/spyware

Malabanana · 03-31-2007, 04:47 AM

Right im in a bit of trouble here, im not much of a computer expert and ive got some issues concerning virus/spyware. Im getting popups constantly and i recently ran a scan which told me i had several viruses. So heres the log, hope you can help! Cheers.

Logfile of HijackThis v1.99.1
Scan saved at 12:39:30, on 31-03-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Video Access ActiveX Object\isamntr.exe
C:\Programmer\Video Access ActiveX Object\pmsnrr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmer\Video Access ActiveX Object\isamini.exe
C:\Programmer\Video Access ActiveX Object\pmmnt.exe
C:\WINDOWS\system32\WinSys.exe
C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe
C:\programmer\zango\zango.exe
C:\Programmer\SurfAccuracy\SAcc.exe
C:\WINDOWS\ojdovky.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Xfire\xfire.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\DOCUME~1\Pedersen\LOKALE~1\Temp\Rar$EX00.047\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Programmer\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E2DF7B5E7841293BCE - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Programmer\Video Access ActiveX Object\isadd.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Programmer\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Programmer\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\ojdovky.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Programmer\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157456067048
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Malabanana · 03-31-2007, 09:03 AM

Im desperate, help please

Sempurna · 04-01-2007, 08:03 PM

Hi Malabanana,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s we do first.

First of all, you didn't unzip/extract HijackThis. I strongly advise you to unzip/extract HijackThis because HijackThis will not be able to make backups when it is run from the zip folder.

How to unzip HijackThis:

Right-click on the HijackThis zip folder and choose "Extract All".
An extraction wizard window will now open. Click "Next".
In the "Files will be extracted to this directory:" field, type C:\HijackThis. Then click "Next".
Click "Finish" to show your unzipped/extracted HijackThis folder. Run HijackThis.exe from here, or add a shortcut to your desktop.

NEXT:

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

1. Please download SmitfraudFix (by S!Ri):

NOTE: In the event you already have SmitfraudFix, this is a new version that I need you to download.

Extract the content (a folder named SmitfraudFix) to your desktop.
Please do NOT run a scan with SmitfraudFix yet!

NOTE : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

2. Please download CCleaner and save it to your desktop:

Run the CCleaner installer.
During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
Please do NOT run a scan with CCleaner yet!

3. Please download and install SUPERAntiSpyware:

Load SUPERAntiSpyware and click the Check for Updates button.
Once the update has finished, exit SUPERAntiSpyware.
Please do NOT run a scan with SUPERAntiSpyware yet!

4. Please reboot your computer into Safe Mode by doing the following:

Reboot your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Instead of Windows loading as normal, a menu should appear.
Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".

5. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd:

Select Option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process (if a reboot is required, please boot BACK into Safe Mode). A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

WARNING: Running Option #2 on a non-infected computer will remove your desktop background.

6. AFTER SmitfraudFix finishes (and after a reboot if required), please run CCleaner. (If a reboot is required, please boot BACK into Safe Mode)

Click the Windows tab.
Select the following:
- Check everything under the Internet Explorer section.
- Check everything under the Windows Explorer section.
- Check everything under the System section.
- Check ONLY Old Prefetch data under the Advanced section.
Then, click the Applications tab:
- UNCHECK everything there.
Next, click the Options button, then click the Advanced button:
- UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

7. Then please run a scan with SUPERAntiSpyware:

IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.

Open SUPERAntiSpyware and click the Scan your Computer button.
Check Perform Complete Scan and then click Next.
SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
Make sure that they all have a check next to them, and then click Next.
Click Finish and you will be taken back to the main interface.
It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
I'll need a log afterwards of what has been found.
To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
Please post the results of the SUPERAntiSpyware log in your next reply.

NEXT:

Go to the Start menu, and click on Control Panel. Choose Add/Remove Programs and remove any of the following that are listed:

Lycos SideSearch
MyGlobalSearch
MySearch
MyWay
MyWay Search
MyWay Search Assistant
MyWay Speed Bar
MyWebSearch
MyWebSearch Bar
Search Assistant – MySearch
Search Assistant – MyWebSearch
SideSearch
SurfAccuracy
Zango
Zango Search Assistant

NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Programmer\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E2DF7B5E7841293BCE - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Programmer\Video Access ActiveX Object\isadd.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Programmer\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Programmer\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\ojdovky.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.

NEXT:

Please download OTMoveIt by OldTimer:

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\ojdovky.exe
C:\WINDOWS\system32\WinSys.exe
C:\Programmer\Video Access ActiveX Object
C:\programmer\zango
C:\Programmer\SurfAccuracy
C:\Programmer\MyGlobalSearch
Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
Click the red MoveIt! button.
Copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.

NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:

The log from the SmitfraudFix scan located at C:\rapport.txt.
The log from the SUPERAntiSpyware scan.
The results report from OTMoveIt.
A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.

03-31-2007, 04:47 AM	#1 (permalink)
Malabanana Registered User Join Date: Mar 2007 Posts: 2 OS: Windows XP	Need help with virus/spyware Right im in a bit of trouble here, im not much of a computer expert and ive got some issues concerning virus/spyware. Im getting popups constantly and i recently ran a scan which told me i had several viruses. So heres the log, hope you can help! Cheers. Logfile of HijackThis v1.99.1 Scan saved at 12:39:30, on 31-03-2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Programmer\Video Access ActiveX Object\isamntr.exe C:\Programmer\Video Access ActiveX Object\pmsnrr.exe C:\WINDOWS\RTHDCPL.EXE C:\Programmer\Video Access ActiveX Object\isamini.exe C:\Programmer\Video Access ActiveX Object\pmmnt.exe C:\WINDOWS\system32\WinSys.exe C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe C:\programmer\zango\zango.exe C:\Programmer\SurfAccuracy\SAcc.exe C:\WINDOWS\ojdovky.exe C:\Programmer\MSN Messenger\MsnMsgr.Exe C:\Programmer\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmer\Xfire\xfire.exe C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe C:\Programmer\Alwil Software\Avast4\ashServ.exe C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe C:\Programmer\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\svchost.exe C:\Programmer\Internet Explorer\iexplore.exe C:\DOCUME~1\Pedersen\LOKALE~1\Temp\Rar$EX00.047\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Programmer\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E2DF7B5E7841293BCE - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Programmer\Video Access ActiveX Object\isadd.dll O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Programmer\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [SurfAccuracy] C:\Programmer\SurfAccuracy\SAcc.exe O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\ojdovky.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: Xfire.lnk = C:\Programmer\Xfire\xfire.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157456067048 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

03-31-2007, 09:03 AM	#2 (permalink)
Malabanana Registered User Join Date: Mar 2007 Posts: 2 OS: Windows XP	Re: Need help with virus/spyware Im desperate, help please

04-01-2007, 08:03 PM	#3 (permalink)
Sempurna Analyst, Security Team; Assistant Rangemaster, TSF Academy Join Date: Sep 2006 Posts: 1,302 OS: Windows XP SP2	Re: Need help with virus/spyware Hi Malabanana, Welcome to Tech Support Forum! I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help. OK, here’s we do first. First of all, you didn't unzip/extract HijackThis. I strongly advise you to unzip/extract HijackThis because HijackThis will not be able to make backups when it is run from the zip folder. How to unzip HijackThis: Right-click on the HijackThis zip folder and choose "Extract All". An extraction wizard window will now open. Click "Next". In the "Files will be extracted to this directory:" field, type C:\HijackThis. Then click "Next". Click "Finish" to show your unzipped/extracted HijackThis folder. Run HijackThis.exe from here, or add a shortcut to your desktop. NEXT: BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions. 1. Please download SmitfraudFix (by S!Ri): NOTE: In the event you already have SmitfraudFix, this is a new version that I need you to download. Extract the content (a folder named SmitfraudFix) to your desktop. Please do NOT run a scan with SmitfraudFix yet! NOTE : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm 2. Please download CCleaner and save it to your desktop: Run the CCleaner installer. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar". Please do NOT run a scan with CCleaner yet! 3. Please download and install SUPERAntiSpyware: Load SUPERAntiSpyware and click the Check for Updates button. Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan with SUPERAntiSpyware yet! 4. Please reboot your computer into Safe Mode by doing the following: Reboot your computer. After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Instead of Windows loading as normal, a menu should appear. Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter". 5. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd: Select Option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process (if a reboot is required, please boot BACK into Safe Mode). A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. WARNING: Running Option #2 on a non-infected computer will remove your desktop background. 6. AFTER SmitfraudFix finishes (and after a reboot if required), please run CCleaner. (If a reboot is required, please boot BACK into Safe Mode) Click the Windows tab. Select the following: Check everything under the Internet Explorer section. Check everything under the Windows Explorer section. Check everything under the System section. Check ONLY Old Prefetch data under the Advanced section. Then, click the Applications tab: UNCHECK everything there. Next, click the Options button, then click the Advanced button: UNCHECK : "Only delete files in Windows Temp folders older than 48 hours". Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit. CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system. 7. Then please run a scan with SUPERAntiSpyware: IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process. Open SUPERAntiSpyware and click the Scan your Computer button. Check Perform Complete Scan and then click Next. SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found. Make sure that they all have a check next to them, and then click Next. Click Finish and you will be taken back to the main interface. It could be possible that it will ask you to reboot your computer in order to delete some files after reboot. I'll need a log afterwards of what has been found. To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear. Please post the results of the SUPERAntiSpyware log in your next reply. NEXT: Go to the Start menu, and click on Control Panel. Choose Add/Remove Programs and remove any of the following that are listed: Lycos SideSearch MyGlobalSearch MySearch MyWay MyWay Search MyWay Search Assistant MyWay Speed Bar MyWebSearch MyWebSearch Bar Search Assistant – MySearch Search Assistant – MyWebSearch SideSearch SurfAccuracy Zango Zango Search Assistant NEXT: Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present): O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Programmer\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E2DF7B5E7841293BCE - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\programmer\zango\zangohook.dll O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Programmer\Video Access ActiveX Object\isadd.dll O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Programmer\MyGlobalSearch\bar\1.bin\MGSBAR.DLL O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe O4 - HKLM\..\Run: [SurfAccuracy] C:\Programmer\SurfAccuracy\SAcc.exe O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\ojdovky.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked". Then please exit HijackThis. NEXT: Please download OTMoveIt by OldTimer: Save it to your desktop. Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): C:\WINDOWS\ojdovky.exe C:\WINDOWS\system32\WinSys.exe C:\Programmer\Video Access ActiveX Object C:\programmer\zango C:\Programmer\SurfAccuracy C:\Programmer\MyGlobalSearch Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste. Click the red MoveIt! button. Copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply. Close OTMoveIt. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see. NEXT: Please REBOOT your computer normally into Windows and post these logs in your next reply: The log from the SmitfraudFix scan located at C:\rapport.txt. The log from the SUPERAntiSpyware scan. The results report from OTMoveIt. A new HijackThis log. How are things running now? Please let me know of any problems that still persist. __________________ Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support. Donation link for Tech Support Forum Last edited by Sempurna : 04-01-2007 at 08:06 PM.