
W32myzor Virus And Malware Wipe


8 replies to this topic

#1 margyukling


Posted 13 August 2006 - 06:32 PM

Your step by step guide is very helpful, thanks. Followed steps to above link "Do you have popups/Malware start here". Did adware, spybot, housecall, firewall. Problem installing Windows service pack 3: not enough memory. Will clean out computer. When I open Internet Explorer, get message saying infected with w32myzor.fk@yfvirus and also ad for Malware Wipe comes up to buy it. There is uninstall icon but not sure what will happen if I try to clean it. Also get a message in bottom right saying critical system error in red "your computer is infected". Also get pop up about sex ads. Should I be concerned as I do banking on the net?
Thanking you in advance
Miriam

Logfile of HijackThis v1.99.1
Scan saved at 9:20:27 , on 14/08/2006
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Malware-Wipe\Malware-Wipe.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Malware-Wipe\Malware-Wipe.exe
c:\program files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;www.sia.net.au;sia.net.au;ftp.sia.net.au;203.63.47.242;203.63.47.243;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Malware-Wipe] C:\Program Files\Malware-Wipe\Malware-Wipe.exe /h
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Shortcut to Felix2.lnk = C:\My Documents\Miriam's folder\FELIX2.EXE
O4 - Global Startup: Shortcut to Internet Explorer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1155471047825
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/ins...ckerutility.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E581F2C0-9293-11D0-B132-00A0249C49D7} (Net-It jDoc PrintGraphics) - file://D:\bms\jdocprtm.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\System32\viruxz.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe



Also got the following report from BitDefender. Please see below thanks

BitDefender Online Scanner - Real Time Virus Report
Generated at: Sun, Aug 13, 2006 - 04:47:58

Scan Info
Scanned Files: 187016
Infected Files: 4

Virus Detected
Trojan.Downloader.Zlob.TJ: 1
Trojan.Dropper.VB: 1
Trojan.Fakealert.CX: 2
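As an added example (not part of this thread, and not code from HijackThis or SmitfraudFix), a small Python triage script that parses HijackThis entries in the format of the log above and flags the components this thread identifies as the infection (the IntCodec BHO and toolbar, the rogue Malware-Wipe autorun, the viruxz.dll SSODL entry), plus two generic checks: O21 SSODL entries and "(file missing)" references. The sample lines are copied from the log above; the watch-list is built only from this thread and is an assumption, not a general signature set.

```python
import re

# Sample lines, copied from the HijackThis log quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [Malware-Wipe] C:\Program Files\Malware-Wipe\Malware-Wipe.exe /h
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\System32\viruxz.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

# Watch-list assumed from this thread only: the fake codec, the rogue product, the SSODL DLL.
WATCHLIST = ("intcodec", "malware-wipe", "viruxz.dll")

ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# First Windows path ending in a loadable/executable extension; lazy so "/h" args are dropped.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cmd))', re.IGNORECASE)


def parse_line(line):
    """Return (section, body, path) for one HijackThis entry, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    p = PATH_RE.search(body)
    return section, body, (p.group(1) if p else None)


def triage(log_text):
    """Flag entries worth a closer look; returns a list of (section, path, reasons)."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, body, path = parsed
        reasons = []
        lowered = (path or body).lower()
        if any(ioc in lowered for ioc in WATCHLIST):
            reasons.append("matches a component named in this thread")
        if section == "O21":
            reasons.append("SSODL entry: loaded by Explorer at logon, rarely legitimate")
        if "(file missing)" in body:
            reasons.append("dangling reference left by a removed or broken component")
        if reasons:
            findings.append((section, path, reasons))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the four suspicious entries; the Spybot, ZoneAlarm and vsmon lines pass untouched.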



#2 MFDnSC


Posted 13 August 2006 - 07:13 PM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 margyukling


Posted 24 August 2006 - 08:31 PM

I am over the moon that you have answered me, thanks. I tried to download SmitfraudFix but then it says select program to open it. I don't know which one to choose?

#4 margyukling


Posted 24 August 2006 - 08:53 PM

I realised that I didn't try to open it without saving to my desktop. Then I got into safe mode but it asks me which program to open it with; I chose Internet Explorer but nothing happens. What do I do now?

I will give you a donation but wanting to know how to donate safely on the net?

I will buy a firewall after all this. What would you recommend? I am trialling ZoneAlarm.

#5 MFDnSC


Posted 25 August 2006 - 08:39 AM

It's a zip file - get the evaluation copy

http://www.winzip.com/downwzeval.htm

No need to buy Zone Alarm, the free version is fine - it's what I use

You do need an AV - it's free also

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/

#6 margyukling


Posted 26 August 2006 - 06:20 PM

Hi
Thanks for your reply. I am in real trouble now as I can't double click your link from Google to send you a message. I am sending this from my friend's computer.

I downloaded WinZip so I could open SmitfraudFix v2.81, then I double clicked smitfraudfix.cmd. It said that my process.exe file is missing and that I need to unzip all archive in a folder. So I saw a file with the word process in SmitfraudFix and clicked on extract.

When I went back to using the net I typed in 'hotmail' through Google and got in, but when I typed in 'bleeping computer' through Google the screen goes to error and that I have to open 'system doctor' to fix my computer and then they want me to buy it.

I clicked on pop up ok in Hotmail in the hope that maybe that is stopping your website from coming up on the screen but it didn't work. Before when I clicked on the Bleeping Computer link I got the pop up icon. It seems that it will only let me open some websites. Could the ZoneAlarm firewall be stopping me from getting through?

Thank you again. It is an amazingly laborious process to fix a computer.

Thanks again.

#7 MFDnSC


Posted 26 August 2006 - 06:33 PM

You did not extract all the files to the same folder - you should run it from a folder that has 7 or 8 files in it

What does Google have to do with any of this?

#8 margyukling


Posted 27 August 2006 - 06:48 AM

Thank you so much!! My problem is solved. I didn't know how to extract from WinZip when a friend said that she used the wizard on her Windows XP computer. Found the wizard icon and away I went.
I will definitely make a donation.
Thanks again

#9 margyukling


Posted 23 September 2006 - 11:10 PM

Hi
I finally got around to trying to give a donation for relieving me of my nightmare of a virus a few weeks ago. I am in Australia and your system doesn't seem to like it if I don't come from America. Please let me know what I can do to make a donation, thanks.
