
Registered
Discussion Starter #1
I have a problem that I cannot fix, and I have tried all night.

This is what is on my Computer background where the wallpaper is supposed to be.


Security warning
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

* System can not function in normal mode.
* Please check you security settings.
* Scan your PC with any avaliable antivirus / spyware remover program to fix the problem


I have tried using this guide: http://elamb.blogharbor.com/hacked/removesmithfraud.htm
And the KillBox will not work in Safe Mode.

I have even tried Ad-Aware SE but it didn't get it. What do I do?
 

TSF Security Team, Emeritus
Download HiJackThis - this program will help us determine if there are any spyware/malware on your computer.
  1. Double-click on the file you just downloaded.
  2. Click on the "Unzip" button to install the newer version.
  3. It will by default install to the directory - C:\Program Files\HiJackThis\
  4. If it gives you an intro screen, just choose - Do a system scan and save a logfile.
  5. If you don't get the intro screen, just hit [Scan] and then click on Save log.
  6. Post the HiJackThis.log file here.
 

Registered
Discussion Starter #3
Never mind... Ad-Aware did get it after all. The power got shut off accidentally and when the computer came back on, the virus was gone. Thanks so much anyway!

 

TSF Security Team, Emeritus
Ad-Aware doesn't clean up Smitfraud that well. It's still advisable to have someone look over your system.
 

Registered
Alright, here are the results. It's attached.

Logfile of HijackThis v1.99.1
Scan saved at 2:07:24 PM, on 9/13/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\javamv32.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\intel32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\apihp.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\WINNT\explorer.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\josae.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {2D9FDF6B-13F5-C7FB-E2AA-4D8861DF6B08} - C:\WINNT\syshp32.dll
O2 - BHO: Class - {572760E2-7150-F484-DCA0-04D28714CE86} - C:\WINNT\ntyv.dll
O2 - BHO: (no name) - {5F9D5323-A6A1-4C15-98C1-8366DEEE23D1} - C:\WINNT\System32\cagp.dll (file missing)
O2 - BHO: Class - {7CDD4BF9-EE42-184B-3016-A983AC5B23E6} - C:\WINNT\system32\d3yf.dll
O2 - BHO: Class - {A7380079-8A6D-347A-3F04-C52ED9B00648} - C:\WINNT\appxw.dll
O2 - BHO: Class - {BD59560E-9F0F-4B54-A367-C899D2013264} - C:\WINNT\system32\winml.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ecoblopu] C:\WINNT\System32\gvizis.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [javamv32.exe] C:\WINNT\system32\javamv32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\System32\intel32.exe
O4 - HKLM\..\Run: [icasServ] C:\WINNT\System32\icasServ.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunOnce: [apihp.exe] C:\WINNT\system32\apihp.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSYYYYYYYYUS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple.com/TSWeb/msrdp.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_5us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{58BD22A2-B7CB-4FBB-834D-1EFEC143DE64}: NameServer = 205.188.146.145
O21 - SSODL: systemp - {A9598516-4742-4B1E-98DD-CB6331820371} - systemp.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\System32\dcom_9.dll
O21 - SSODL: soDmXpNinKoA - {27261606-8D8C-BCAC-06EE-1CEC5D290DD5} - C:\WINNT\System32\ueazl.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\msud32.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 

TSF Security Team, Emeritus
You have to thank me for asking you to post the log. You are badly infected!!!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

+++++++++++ +++++++++++ +++++++++++ +++++++++++ +++++++++++ +++++++++++ +++++++++++

Go to http://WindowsUpdate. & install all available Critical Updates. Patch your system with the most current security fixes and plug all known vulnerabilities. Update your system to Windows 2000 Service Pack 4

+++++++++++ +++++++++++ +++++++++++ +++++++++++ +++++++++++ +++++++++++ +++++++++++


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

smitRem.exe - extract it to its own folder.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

CleanUp!.exe - Install

About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.

CWShredder.exe
  1. Open CWShredder and click - I AGREE
  2. Click - Check For Update
  3. Close CWShredder after updating
HSFix.zip

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out
Select all the filenames below & then right-click & select Copy
    C:\WINNT\System32\intel32.exe
    C:\WINNT\system32\javamv32.exe
    C:\WINNT\system32\apihp.exe
    C:\WINNT\system32\josae.dll
    C:\WINNT\syshp32.dll
    C:\WINNT\ntyv.dll
    C:\WINNT\System32\cagp.dll
    C:\WINNT\system32\d3yf.dll
    C:\WINNT\appxw.dll
    C:\WINNT\system32\winml.dll
    C:\WINNT\System32\gvizis.exe
    C:\WINNT\system32\javamv32.exe
    C:\WINNT\system32\gxlib.exe
    C:\WINNT\System32\icasServ.exe
    C:\WINNT\system32\apihp.exe
    C:\WINNT\System32\systemp.dll
    C:\WINNT\System32\dcom_9.dll
    C:\WINNT\System32\ueazl.dll
    C:\WINNT\system32\msud32.exe
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run the Killbox, download and run missingfilesetup.exe. Then try Killbox again.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


From Control Panel->Add/Remove Programs, uninstall the following programs, if present:
    My Websearch
    Aquatic Water World Screen Savers
    ViewPoint

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.

Double-click on ro.REG & answer YES when prompted to merge into the Registry


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
  1. Checkmark/tick - "Ignore Safe System Info Streams"
  2. Click the "Scan" button
  3. When it has finished scanning, checkmark/tick all that it found
  4. Click the "remove selected" button


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\josae.dll/sp.html#28129

(FIX ALL R0 & R1 ENTRIES THAT LOOK SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\josae.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2D9FDF6B-13F5-C7FB-E2AA-4D8861DF6B08} - C:\WINNT\syshp32.dll
O2 - BHO: Class - {572760E2-7150-F484-DCA0-04D28714CE86} - C:\WINNT\ntyv.dll
O2 - BHO: (no name) - {5F9D5323-A6A1-4C15-98C1-8366DEEE23D1} - C:\WINNT\System32\cagp.dll (file missing)
O2 - BHO: Class - {7CDD4BF9-EE42-184B-3016-A983AC5B23E6} - C:\WINNT\system32\d3yf.dll
O2 - BHO: Class - {A7380079-8A6D-347A-3F04-C52ED9B00648} - C:\WINNT\appxw.dll
O2 - BHO: Class - {BD59560E-9F0F-4B54-A367-C899D2013264} - C:\WINNT\system32\winml.dll
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ecoblopu] C:\WINNT\System32\gvizis.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [javamv32.exe] C:\WINNT\system32\javamv32.exe
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [icasServ] C:\WINNT\System32\icasServ.exe
O4 - HKLM\..\RunOnce: [apihp.exe] C:\WINNT\system32\apihp.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSYYYYYYYYUS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O21 - SSODL: systemp - {A9598516-4742-4B1E-98DD-CB6331820371} - systemp.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\System32\dcom_9.dll
O21 - SSODL: soDmXpNinKoA - {27261606-8D8C-BCAC-06EE-1CEC5D290DD5} - C:\WINNT\System32\ueazl.dll



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
    C:\Program Files\MYWEBSEARCH
    C:\Program Files\AQUATI~1\
    C:\Program Files\Viewpoint\

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Open Ad-aware and close ALL other windows.

1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
  • In the General window make sure the following are selected in green:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    • Prompt to update outdated definitions - set the number of days = 7

  • Click on the Scanning button on the left and select in green:
    • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URLs
    • Scan my Hosts file

  • Click on the Advanced button on the left and select in green:
    • Move deleted files to recycle bin
    • Include additional object information
    • DeSelect - include negligible objects information
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT

  • Click the Tweak button:
    • Under Scanning Engine:
      • Unload recognized processes during scanning
      • Ignore spanned files when scanning cab archives
      • Scan registry for all users instead of current user only
    • Under Cleaning Engine:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Include computer & username in logfile
      • Please DeSelect: Include Module list in logfile
2. Click on Proceed to save the settings.
3. Click Start
4. Choose - Perform Full System Scan
5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
8. Right-click on the list and choose Select All
9. Click Next to finish removing the items that were found


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next go to Control Panel click Display>Desktop>Customize Desktop>Website>Uncheck "Security Info" if present.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now... this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


In your next post, please include fresh copies of:
  • HiJackThis log
  • Online scan
  • Smitfiles.txt
  • Ewido's log
  • About Buster's Log
Let us know if any problems persist.
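The fix above is built by reading the HijackThis log line by line and deciding which entries are hostile: IE search settings redirected into a local res:// DLL page, BHOs with no descriptive name, SSODL entries and a service with a garbled name whose binary is missing. The small Python script below is an added example (not part of this thread or of HijackThis) that encodes exactly those review rules so the reasoning is visible and repeatable. The sample log lines are a subset copied from the log posted in this thread; the regexes and the `Finding` type are the example's own. The O21 rule is deliberately "review", not "delete": legitimate ShellServiceObjectDelayLoad entries exist, so a human still decides, as sUBs did here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the HijackThis log posted in this thread (sample input for the demo).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\josae.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\josae.dll/sp.html#28129
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {2D9FDF6B-13F5-C7FB-E2AA-4D8861DF6B08} - C:\WINNT\syshp32.dll
O2 - BHO: (no name) - {5F9D5323-A6A1-4C15-98C1-8366DEEE23D1} - C:\WINNT\System32\cagp.dll (file missing)
O21 - SSODL: systemp - {A9598516-4742-4B1E-98DD-CB6331820371} - systemp.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\System32\dcom_9.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\msud32.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
"""

# Line shapes as they appear in HijackThis 1.99 logs (regexes are this example's own).
RE_R = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O21 = re.compile(r"^O21 - SSODL: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<display>.*) \((?P<short>.*?)\) - (?P<owner>.*?) - (?P<path>.*)$")
RE_RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
FILE_MISSING = " (file missing)"


@dataclass
class Finding:
    line: str
    reason: str
    path: Optional[str]  # file implicated by the entry, if it names one


def clean_path(raw: str) -> str:
    """Strip HijackThis' '(file missing)' annotation so the bare path remains."""
    raw = raw.strip()
    return raw[: -len(FILE_MISSING)] if raw.endswith(FILE_MISSING) else raw


def triage_line(line: str) -> Optional[Finding]:
    """Apply the review rules sUBs used on this log to one entry."""
    line = line.rstrip()
    m = RE_R.match(line)
    if m:
        value = m.group("value")
        res = RE_RES_DLL.match(value)
        # Search/start page pointed at an HTML resource inside a local DLL: the Smitfraud hijack.
        if res and "/sp.htm" in value.lower():
            return Finding(line, "IE search setting redirected into a local res:// DLL page", res.group("dll"))
        return None
    m = RE_O2.match(line)
    if m:
        # Legitimate BHOs carry a descriptive name; these carry a placeholder.
        if m.group("desc") in ("Class", "(no name)"):
            return Finding(line, "BHO with no descriptive name", clean_path(m.group("path")))
        return None
    m = RE_O21.match(line)
    if m:
        return Finding(line, "ShellServiceObjectDelayLoad entry (runs at every logon; review)", clean_path(m.group("path")))
    m = RE_O23.match(line)
    if m:
        garbled = not m.group("short").isascii()
        orphan = m.group("owner") == "Unknown owner" and m.group("path").endswith(FILE_MISSING)
        if garbled or orphan:
            return Finding(line, "service with garbled name or unknown owner and missing binary", clean_path(m.group("path")))
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def implicated_files(findings: List[Finding]) -> List[str]:
    """Unique file paths named by flagged entries: the basis of a KillBox-style list."""
    seen: List[str] = []
    for f in findings:
        if f.path and f.path not in seen:
            seen.append(f.path)
    return seen


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.reason}]\n    {f.line}")
    print("\nFiles to review:")
    for p in implicated_files(results):
        print("    " + p)
```

Run against the full log, the file list this produces is the same set of DLLs and EXEs that appears in the KillBox paste list above, which is the point: the removal list is a mechanical consequence of the log review, not guesswork.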
 

Registered
Discussion Starter #7
OK, I have one problem. I'm on dial-up and this is taking forever... I have only been able to install the first service pack, and the second will take over 1,000 minutes, and I am not able to get online long enough to do it. Is there anything else I can do? Help please.
 

TSF Security Team, Emeritus
LOL... You don't have to download the service packs progressively (SP1 -> SP2 -> SP3 -> SP4).
Service Pack 4 (SP4) contains all the other service packs. Sorry for not realising that you're on dial-up. It'll take you ages to download any Service Pack.

If you want, you can order a CD from Microsoft but they'll charge you $9.95 for it. Personally, I'd rather get a friend with a fast connection to download it on your behalf & then transfer it to your PC.

Let's skip the Windows Update & proceed with the fix. You can update later when you're clean.
 