System Alert Virus/spyware Trouble

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

System Alert Virus/spyware Trouble, Can't get rid of it....

Options

Omega Knight View Member Profile	Dec 27 2006, 11:45 AM Post #1
Member Group: Members Posts: 34 Joined: 7-September 06 Member No.: 84,132	I have run several antivirus scans, adaware SE, smitfraud, and hijack this a couple times. End result is my computer is almost completely clean, with the exception of an apparent spyware calling itself system alert, claiming that my system is viral and I should install anti-vermins to fix it. that is the extent of my knowledge at this point. please help. Also, this is the only log file I was told to post here, please let me know if there are others you need Logfile of HijackThis v1.99.1 Scan saved at 11:38:18 AM, on 12/27/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE D:\Charter\backweb\3528733\Program\SERVIC~1.EXE C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\ewido anti-spyware 4.0\guard.exe D:\Charter\Anti-Virus\fsgk32st.exe D:\Charter\backweb\3528733\program\fsbwsys.exe D:\Charter\Anti-Virus\FSGK32.EXE D:\Charter\Common\FSMA32.EXE C:\WINDOWS\system32\nvsvc32.exe D:\Charter\Common\FSMB32.EXE D:\Charter\Anti-Virus\fssm32.exe D:\Charter\Common\FCH32.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe D:\Charter\FSPC\fshttps\fshttps.exe D:\Charter\Common\FAMEH32.EXE C:\WINDOWS\System32\alg.exe D:\Charter\Anti-Virus\fsqh.exe D:\Charter\Anti-Virus\fsrw.exe D:\Charter\FSPC\fspc.exe D:\Charter\FWES\Program\fsdfwd.exe D:\Charter\Anti-Virus\fsav32.exe C:\WINDOWS\Explorer.EXE D:\Charter\FSGUI\ispnews.exe D:\Charter\Common\FSM32.EXE D:\Creative\SBAudigy\Surround Mixer\CTSysVol.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe D:\Creative\mediasource\Detector\CTDetect.exe D:\Charter\ANTI-S~1\fsaw.exe C:\Program Files\MSN Messenger\msnmsgr.exe D:\Charter\FSGUI\fsguidll.exe C:\Program Files\Logitech\Video\FxSvr2.exe D:\Charter\backweb\3528733\Program\fspex.exe D:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\OpenOffice.org 2.0\program\soffice.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe D:\Ventrilo\Ventrilo.exe D:\Program Files\EQWatcher Advanced\EQWA.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing) O4 - HKLM\..\Run: [News Service] "D:\Charter\FSGUI\ispnews.exe" O4 - HKLM\..\Run: [F-Secure TNB] "D:\Charter\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [F-Secure Startup Wizard] "D:\Charter\FSGUI\FSSW.EXE" /reboot O4 - HKLM\..\Run: [F-Secure Manager] "D:\Charter\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [CTSysVol] D:\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [Creative Detector] D:\Creative\mediasource\Detector\CTDetect.exe /R O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Global Startup: Charter High-Speed Security Suite.lnk = D:\Charter\backweb\3528733\Program\fspex.exe O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Block this popup - D:\Charter\Anti-Spyware\blockpopups.htm O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000 O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Charter\FSPC\fspcmsie.dll O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Charter\FSPC\fspcmsie.dll O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Charter\FSPC\fspcmsie.dll O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Charter\Anti-Spyware\ieshield.dll O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Charter\Anti-Spyware\ieshield.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156884357637 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156884336137 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - C:\WINDOWS\system32\cthkpcv.dll O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - D:\Charter\backweb\3528733\Program\SERVIC~1.EXE O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Charter\Anti-Virus\fsgk32st.exe O23 - Service: FSBWSYS - F-Secure Corp. - D:\Charter\backweb\3528733\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Charter\FWES\Program\fsdfwd.exe O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - D:\Charter\FSPC\fshttps\fshttps.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Charter\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

amateur View Member Profile	Dec 27 2006, 12:56 PM Post #2
Malware Fighter Group: HJT Team Posts: 2,730 Joined: 19-November 05 From: Rhode Island Member No.: 41,169	Hello and welcome to BC Please download SmitfraudFix (by S!Ri) to your Desktop. (Delete the previous version you may have already downloaded) Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, double-click on SmitfraudFix.exe Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a fresh HijackThis log. The report can also be found at the root of the system drive, usually at C:\rapport.txt This post has been edited by amateur: Dec 27 2006, 12:57 PM -------------------- Amateur ASAP

Omega Knight View Member Profile	Dec 28 2006, 09:36 AM Post #3
Member Group: Members Posts: 34 Joined: 7-September 06 Member No.: 84,132	ok here's my updated logs. The system alert issue appears to be gone from my tray as of this restart... hope it's all gone. SmitFraudFix v2.131 Scan done at 9:27:28.56, Thu 12/28/2006 Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae" [HKEY_CLASSES_ROOT\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32] @="C:\WINDOWS\system32\cthkpcv.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32] @="C:\WINDOWS\system32\cthkpcv.dll" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINDOWS\system32\cthkpcv.dll -> Hoax.Win32.Renos.gen.i C:\WINDOWS\system32\cthkpcv.dll -> Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End Logfile of HijackThis v1.99.1 Scan saved at 9:33:01 AM, on 12/28/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE D:\Charter\Common\FSM32.EXE D:\Creative\SBAudigy\Surround Mixer\CTSysVol.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\WINDOWS\system32\RUNDLL32.EXE D:\Creative\mediasource\Detector\CTDetect.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Logitech\Video\FxSvr2.exe D:\Program Files\WinZip\WZQKPICK.EXE D:\Charter\backweb\3528733\Program\SERVIC~1.EXE C:\Program Files\OpenOffice.org 2.0\program\soffice.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\ewido anti-spyware 4.0\guard.exe D:\Charter\Anti-Virus\fsgk32st.exe D:\Charter\Anti-Virus\FSGK32.EXE D:\Charter\backweb\3528733\program\fsbwsys.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN D:\Charter\Common\FSMA32.EXE C:\WINDOWS\system32\nvsvc32.exe D:\Charter\Common\FSMB32.EXE D:\Charter\backweb\3528733\Program\fspex.exe D:\Charter\Anti-Virus\fssm32.exe C:\WINDOWS\System32\svchost.exe D:\Charter\Common\FCH32.EXE D:\Charter\Anti-Virus\fsqh.exe D:\Charter\Common\FAMEH32.EXE D:\Charter\FSPC\fspc.exe D:\Charter\Anti-Virus\fsrw.exe D:\Charter\FWES\Program\fsdfwd.exe C:\WINDOWS\system32\wuauclt.exe D:\Charter\Anti-Virus\fsav32.exe D:\Charter\ANTI-S~1\fsaw.exe D:\Charter\FSGUI\fsguidll.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing) O4 - HKLM\..\Run: [News Service] "D:\Charter\FSGUI\ispnews.exe" O4 - HKLM\..\Run: [F-Secure TNB] "D:\Charter\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [F-Secure Startup Wizard] "D:\Charter\FSGUI\FSSW.EXE" /reboot O4 - HKLM\..\Run: [F-Secure Manager] "D:\Charter\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [CTSysVol] D:\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [Creative Detector] D:\Creative\mediasource\Detector\CTDetect.exe /R O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Global Startup: Charter High-Speed Security Suite.lnk = D:\Charter\backweb\3528733\Program\fspex.exe O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Block this popup - D:\Charter\Anti-Spyware\blockpopups.htm O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000 O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Charter\FSPC\fspcmsie.dll O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Charter\FSPC\fspcmsie.dll O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Charter\FSPC\fspcmsie.dll O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Charter\Anti-Spyware\ieshield.dll O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Charter\Anti-Spyware\ieshield.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156884357637 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156884336137 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - D:\Charter\backweb\3528733\Program\SERVIC~1.EXE O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Charter\Anti-Virus\fsgk32st.exe O23 - Service: FSBWSYS - F-Secure Corp. - D:\Charter\backweb\3528733\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Charter\FWES\Program\fsdfwd.exe O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - D:\Charter\FSPC\fshttps\fshttps.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Charter\Common\FSMA32.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

amateur View Member Profile	Dec 28 2006, 10:16 AM Post #4
Malware Fighter Group: HJT Team Posts: 2,730 Joined: 19-November 05 From: Rhode Island Member No.: 41,169	Hello, So far so good. The major part is gone. Let's do some clean up now. Before we start, you need to place HijackThis.exe into a folder of its own for it to function properly. Right click on an empty space on your desktop. Choose New>Folder. Name the New Folder HJT. Now drag and drop HijackThis.exe into the new folder on your desktop. It may be a good idea to print these out so that you can have access to them later when you're in safe mode. ============================ There is evidence of Ewido 4.0 in your log. If you haven't already uninstalled/removed it, please do it now. Go to Start>Control Panel>Add/Remove Programs and remove it. Then, using Windows Explorer (right click on Start, click on Explore) navigate to its folder and delete it. C:\Program Files\ewido anti-spyware 4.0 While you're in Add/Remove Programs check for MyWebSearch too, and remove it if found, and delete its folder, too: C:\Program Files\MyWebSearch and remove its folder, the same way. ============================ Next, Please download Ccleaner and save it to your desktop. Tutorial for CCleaner During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it Do not use it yet. ============================ Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder. http://www.ewido.net/en/download/ Install AVG Anti-Spyware by double clicking the installer. Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked. On the main screen under Your Computer's security. Click on Change state next to Resident shield. It should now change to inactive. Click on Change state next to Automatic updates. It should now change to inactive. Next to Last Update, click on Update now. (You will need an active internet connection to perform this) Wait until you see the Update succesfull message. Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes. If you are having problems with the updater, you can use this link to manually update ewido. AVG Anti-Spyware manual updates. Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. ============================ Reboot your computer in Safe Mode using the F8 method below. a. If the computer is running, shut down Windows, and then turn off the power. b. Wait 30 seconds, and then turn the computer on. c. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. d. Ensure that the Safe Mode option is selected. e. Press Enter. The computer then begins to start in Safe mode. ============================ Scan with HijackThis and put a checkmark against the following entries, if found: R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing) O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000 ewido anti-spyware 4.0 guard O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe Close all other browsers/windows, except HijackThis and click on fix checked. Exit HijackThis. ============================ From Safe Mode run Ccleaner Click on Options, Select Advanced Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours" Make sure the Cleaner block on the left is selected. Do not use the "Issues" block . It's meant for professionals. Choose the Windows tab. Check everything EXCEPT Advanced part of the Menu. Click on "Analyze". This process could take a while. If you don't want to loose your login passwords to certain sites, click on Options Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle. Choose Run Cleaner. When CCleaner shows how much has been removed, cleaning is finished. Click Exit. If you have more than one users, run Ccleaner for every user ============================ Still in Safe Mode, Please start AVG Anti-Spyware and run a full scan. Click on Scanner on the toolbar. Click on the Settings tab. Under How to act? Click on Recommended Action and choose Quarantine from the popup menu. Under How to scan? All checkboxes should be ticked. Under Possibly unwanted software: All checkboxes should be ticked. Under Reports: Select Automatically generate report after every scan and uncheck Only if threats were found. Under What to scan? Select Scan every file. Click on the Scan tab. Click on Complete System Scan to start the scan process. Let the program scan the machine. When the scan has finished, follow the instructions below. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button. Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2) At the bottom of the window click on the Apply all Actions button. (3) When done, click the Save Scan Report button. (4) Click the Save Report as button. Save the report to your Desktop. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes. Reboot in Normal Mode. ============================== Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java: Download the latest version of Java Runtime Environment (JRE) 6.0. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "*Accept* License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6.0 windows-i586-p.exe to install the newest version. ============================= Perform an online scan with Internet Explorer with Panda ActiveScan Click on located at the bottom of the page. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on then click * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan ============================= Post back the results from AVG Anti Spyware, Panda Online Scan and a fresh HijackThis log please. Let me know how the computer is running now. -------------------- Amateur ASAP

amateur View Member Profile	Jan 4 2007, 02:50 PM Post #5
Malware Fighter Group: HJT Team Posts: 2,730 Joined: 19-November 05 From: Rhode Island Member No.: 41,169	Hello, are you still with us? -------------------- Amateur ASAP

Omega Knight View Member Profile	Jan 5 2007, 05:44 PM Post #6
Member Group: Members Posts: 34 Joined: 7-September 06 Member No.: 84,132	sorry, lost the internet over a week ago. just got it back today.

amateur View Member Profile	Jan 7 2007, 09:35 PM Post #7
Malware Fighter Group: HJT Team Posts: 2,730 Joined: 19-November 05 From: Rhode Island Member No.: 41,169	I guess you're still having problems with the internet. -------------------- Amateur ASAP

Omega Knight View Member Profile	Jan 12 2007, 02:48 PM Post #8
Member Group: Members Posts: 34 Joined: 7-September 06 Member No.: 84,132	yeah, every now and then I loose it. ISP is doing maintanence in the area I think.

Omega Knight View Member Profile	Jan 12 2007, 02:50 PM Post #9
Member Group: Members Posts: 34 Joined: 7-September 06 Member No.: 84,132	I have started doing the steps you listed above. RL is making it a real pain to get any consistant work done, or time on the puter. I cannot seem to put hijackthis into the folder I created... is there an option somewhere that will allow me to do so, or do I need to uninstall/reinstall it?

amateur View Member Profile	Jan 12 2007, 06:52 PM Post #10
Malware Fighter Group: HJT Team Posts: 2,730 Joined: 19-November 05 From: Rhode Island Member No.: 41,169	Hi, QUOTE I cannot seem to put hijackthis into the folder I created... is there an option somewhere that will allow me to do so, or do I need to uninstall/reinstall it? You can click on HERE to download a self extractable version of hijackthis. Double click on hijackthis.exe to extract hijackthis to folder c:\hijackthis. It will extract it to that folder and open the folder for you. It will also create a shortcut on your desktop to hijackthis. P.S. Delete the present HijackThis from your desktop before you download this one. This post has been edited by amateur: Jan 14 2007, 03:54 PM -------------------- Amateur ASAP

amateur View Member Profile	Jan 22 2007, 04:16 PM Post #11
Malware Fighter Group: HJT Team Posts: 2,730 Joined: 19-November 05 From: Rhode Island Member No.: 41,169	Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread.and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic. -------------------- Amateur ASAP

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List \| Virus Removal Guides
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides Archive