2nd computer, trojans? malware?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs already - Ad-aware, Spybot and Microsoft AntiSpyware. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

First, download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Please download Ewido Security Suite (do NOT run it yet!)

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen
• You will need to update ewido to the latest definition files.
• On the left hand side of the main screen click update
• Click on Start
• The update will start and a progress bar will show the updates being installed
• After the updates are installed, exit Ewido

Please download dsrfix.zip from Atribune and save it to your desktop.

• Double-Click on dsrfix.zip and extract it to your desktop.
• This will create a new folder on your desktop named dsrfix.
• Do Not open that folder yet.

Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {00000000-0000-4D52-B11F-3D6A08268744} - C:\Program Files\ProSiteFinder\ProSiteFinder.dll (file missing)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINNT\tct101.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll
O2 - BHO: (no name) - {F5669A41-7B0C-2390-D24B-66093072CBD2} - C:\WINNT\cdmweb\wfolqgvlii.dll
O4 - HKLM\..\Run: [Fezeuyhm] C:\Program Files\Svyfyhy\Wbpzt.exe
O4 - HKLM\..\Run: [:C=e] C:\WINNT\exe82.exe
O4 - HKLM\..\Run: [nbbeped] c:\winnt\system32\gmewpre.exe r
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com


Close all browsers and open windows except HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.

• Double-Click on dsrfix.bat
• A window will pop up briefly then close, this is normal.

Now reboot your system.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

If Cleanup! asks if you want to reboot, click NO

Open Ewido

• Click on scanner
• Click Complete System Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop
• Exit Ewido

Please repost with the ewido log and the HJT log.

Followed all of your instructions, everything worked without problems. Hopefully that got everything. Thanks for all your help.

Here's the ewido scan log and the HJT scan log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:14:57 PM, 9/7/2005
+ Report-Checksum: F14B7F82

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\YourSiteBar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyvariable_search -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyvariable_search2 -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyvariable_search3 -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyvariable_search4 -> Spyware.ISTBar : Error during cleaning
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder1\prositefinder1.dll -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder1\prositefinder1.exe -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{0AE2BF94-ACD8-4B26-B603-1D126FA27512}\{7390E4A7-D960-4025-B479-410396AF15A9}.tmp/{7390E4A7-D960-4025-B479-410396AF15A9}.tmp -> Spyware.180Solutions : Error during cleaning
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{0AE2BF94-ACD8-4B26-B603-1D126FA27512}\{A4502B8A-C86D-4C27-BCCB-45FC37C06B69}.tmp/{A4502B8A-C86D-4C27-BCCB-45FC37C06B69}.tmp -> Spyware.180Solutions : Error during cleaning
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{0AE2BF94-ACD8-4B26-B603-1D126FA27512}\{FC145839-DAC7-4441-AB54-C4E8CB9446DE}.tmp/{FC145839-DAC7-4441-AB54-C4E8CB9446DE}.tmp -> Spyware.180Solutions : Error during cleaning
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{0AE2BF94-ACD8-4B26-B603-1D126FA27512}\{1AAD0ACF-5D1F-4262-B723-3F80A8ACE342}.tmp/{1AAD0ACF-5D1F-4262-B723-3F80A8ACE342}.tmp -> Spyware.SurfSide : Error during cleaning
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{0AE2BF94-ACD8-4B26-B603-1D126FA27512}\{4732ABB0-FEA9-44E9-8BD8-12207911AC3C}.tmp/{4732ABB0-FEA9-44E9-8BD8-12207911AC3C}.tmp -> Spyware.180Solutions : Error during cleaning
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{0AE2BF94-ACD8-4B26-B603-1D126FA27512}\{93CC94AE-0694-4942-AE44-E0E56C0F6955}.tmp/{93CC94AE-0694-4942-AE44-E0E56C0F6955}.tmp -> Spyware.180Solutions : Cleaned with backup
C:\WINNT\system32\soun.pif -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\soff.pif -> Backdoor.Rbot.xe : Cleaned with backup
C:\WINNT\system32\mousebm.exe -> Backdoor.IRCBot.es : Cleaned with backup
C:\WINNT\system32\mousecrm.exe -> Backdoor.Agent.mo : Cleaned with backup
C:\WINNT\system32\psecure.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\MsgPlusUp.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\thin-114-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\svcproc.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\cdmweb\wfolqgvlii.exe -> Spyware.SmartPops : Cleaned with backup
C:\WINNT\tyjplieugfj.exe -> Adware.BetterInternet : Cleaned with backup
C:\clearlogs.exe -> Spyware.WinAD : Cleaned with backup
C:\ftplog.exe -> TrojanDownloader.Small.aqt : Cleaned with backup
C:\clogs.exe -> Spyware.WinAD : Cleaned with backup
C:\flog.exe -> TrojanDownloader.Small.aqt : Cleaned with backup
C:\HJT\backups\backup-20050907-164955-746.dll -> TrojanDownloader.Dyfuca.eg : Cleaned with backup
C:\HJT\backups\backup-20050907-165003-552.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\HJT\backups\backup-20050907-165003-546.dll -> Spyware.SmartPops : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 5:20:09 PM, on 9/7/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\HJT\HijackThis1991.exe

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\System32\mousebm.exe (file missing)
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINNT\System32\mousecrm.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Reset hidden/system files and folders

Windows XP
===============

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Windows 2000
===============

• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Select the Advanced settings box option.
• Select the Hidden files Folders.
• Deselect the Show all files option.
• Click Yes to confirm.
• Click OK.

Windows ME
===============

• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Windows 95/98/98SE
===============

• Open My Computer.
• Select the View
• Select the Folder Options option.
• Select the View tab. option.
• Select the Advance Advanced settings box option.
• Select the Hidden files folder.
• Deselect the Show all files option
• Click Apply to confirm.
• Click OK.

Create a new System Restore point

Windows XP
===============

• Click Start >> Run - type SYSDM.CPL & press Enter
• Select the System Restore Tab
• Tick on the checkbox - "Turn off System Restore on all drives"
• Click Apply
• Then untick the same checkbox & click OK
• This deletes ALL restore points that had the infection and creates a clean one

Windows ME
===============

• Click the Start tab.
• Select the Settings option.
• Select the Control Panel option.
• Double Click the System icon Performance tab option.
• Select File System
• Select the Troubleshooting tab
• Check the Disable System Restore box
• Click Apply to confirm.
• Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option

• Uncheck the Disable System Restore box

For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.

• Click the Start button.
• Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
• Choose Create a restore point, and then click Next.
• In the Restore point description box, type a name for your restore point, and then click Next.
  Click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• Tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system.


Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
• WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Sygate Personal Firewall
• Kerio Personal Firewall
• OutPost Firewall

In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:

• Grisoft AVG Anti-Virus System
• Alwil Avast 4 Home Edition
• Softwin BitDefender Free Edition Version 7

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.