help me against adware, trojan...(RESOLVED)

  1. #1
    matias15015 is offline Newbie


    First of all, I don't know too much about these things....
    I got a virus (iworm_attack), but I think that I had removed it from my PC with Spy Sweeper.
    Adware and trojans keep appearing no matter which anti-spyware I use (Ad-Aware SE, Spy Sweeper, ewido anti-spyware and NOD32 antivirus). Maybe I am using them badly. I already made one scan with HijackThis and here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:35:03 a.m., on 05/07/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Archivos de programa\Eset\nod32kui.exe
    D:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
    D:\Archivos de programa\Shareaza\Shareaza.exe
    D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    D:\Archivos de programa\Executive Software\DiskeeperLite\DKService.exe
    D:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    D:\Archivos de programa\Eset\nod32krn.exe
    D:\WINDOWS\system32\slserv.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
    D:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
    D:\Archivos de programa\WinRAR\WinRAR.exe
    D:\DOCUME~1\Matias\CONFIG~1\Temp\Rar$EX00.687\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - D:\WINDOWS\System32\hp104.tmp
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nod32kui] D:\Archivos de programa\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "D:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ink Monitor] D:\Archivos de programa\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpySweeper] "D:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [Shareaza] "D:\Archivos de programa\Shareaza\Shareaza.exe" -tray
    O4 - Global Startup: Microsoft Office.lnk = D:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://kq.bar.need2find.com/KQ/menusearch.html?p=KQ
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    Please help me.
    Sorry for my English, I'm from Argentina....


  2. #2
    VopThis is offline Senior Member (Canada)
    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply (if unsure of your results).
    DO NOT RUN ANY OTHER OPTIONS UNTIL REQUESTED TO.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm





    If infected files were listed above, please proceed as follows:

    STEP # 2 - Cleaning

    Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.



    Download and install Ewido anti-spyware 4.0 (uninstall any previous version first).
    • Click the Download BUTTON. On the next page click the Download now BUTTON.
    • Save and then install (Run) from the save location.
    • Open/Run ewido anti-spyware
    • Wait a few moments and Ewido should auto-update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:
      • Click on the Update now LINK at the top of the window
      • Click on the Start update button
      • Wait for the update to download and install
    • This is very important to get the LATEST updates
    • Click on the Status ICON
      • Under "Your computers Security", click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
    • Click on the Scanner ICON at the top of the window
    • Click on the Settings tab then select Recommended Actions and choose Quarantine
    • When updating has finished, close Ewido.

    We will be using this tool in a later step.




    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________

    Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
    ______________________________

    Clean out your Temporary Internet files. Proceed like this:
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start, click Control Panel, and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


    ______________________________

    Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan:
    • Click on the default Status ICON and select the Scan now LINK.

      OR

    • Click on the Scanner ICON. Select the Scan TAB.

      • Select Complete System Scan. Ewido will now begin to scan your system.


    • If Ewido finds anything, it will list them in the Preview WINDOW. Select Apply all actions (and the items found will be quarantined – and recoverable, if any items are needed back).
    • When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
    • Copy and paste the EWIDO scan results into your next post.
    • Close Ewido.


    ______________________________

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #3 - Delete Trusted zone by typing 3 and press Enter
    Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


    ______________________________
    Reboot in Normal Mode.

    Please post (preferably not file attachments, please):
    1. c:\rapport.txt
    2. Ewido log
    3. A new HijackThis log

  • #3
    matias15015 is offline Newbie
    Here is what you asked me for

    SMITFRAUDFIX
    1.search


    SmitFraudFix v2.69

    Scan done at 1344.54, 11/07/2006
    Run from D:\Documents and Settings\Matias\Escritorio\SmitfraudFix
    OS: Microsoft Windows XP [Versión 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» D:\


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32

    D:\WINDOWS\system32\dcomcfg.exe FOUND !
    D:\WINDOWS\system32\hp???.tmp FOUND !
    D:\WINDOWS\system32\hp????.tmp FOUND !
    D:\WINDOWS\system32\ld???.tmp FOUND !
    D:\WINDOWS\system32\ld????.tmp FOUND !
    D:\WINDOWS\system32\ot.ico FOUND !
    D:\WINDOWS\system32\simpole.tlb FOUND !
    D:\WINDOWS\system32\stdole3.tlb FOUND !
    D:\WINDOWS\system32\ts.ico FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Matias\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\Matias\FAVORI~1

    D:\DOCUME~1\Matias\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» D:\Archivos de programa


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Mi página de inicio actual"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    2.clean

    SmitFraudFix v2.69

    Scan done at 14:18:11.37, 11/07/2006
    Run from D:\Documents and Settings\Matias\Escritorio\SmitfraudFix
    OS: Microsoft Windows XP [Versión 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    EWIDO

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 05:09:47 p.m. 11/07/2006

    + Scan result:



    E:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010453.exe -> Adware.Altnet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010449.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010450.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010445.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010446.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010447.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010448.exe/Save.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010448.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010448.exe/Weather\Uninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010448.exe/Weather\Weather.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010442.exe/zc.exe -> Adware.WinAD : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010442.exe/gc.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{07AB79E4-2F68-4398-BD76-249569C05EDB}\RP62\A0010443.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
    :mozilla.38:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
    :mozilla.49:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
    :mozilla.46:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    :mozilla.47:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
    :mozilla.40:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    :mozilla.50:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    :mozilla.51:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    :mozilla.52:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    :mozilla.37:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    :mozilla.22:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
    :mozilla.23:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
    :mozilla.31:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    :mozilla.32:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    :mozilla.33:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


    ::Report end

    HJT LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 05:27:39 p.m., on 11/07/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Archivos de programa\Eset\nod32kui.exe
    D:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
    D:\Archivos de programa\Shareaza\Shareaza.exe
    D:\Archivos de programa\Google\Google Talk\googletalk.exe
    D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    D:\Archivos de programa\Executive Software\DiskeeperLite\DKService.exe
    D:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
    D:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    D:\Archivos de programa\Eset\nod32krn.exe
    D:\WINDOWS\system32\slserv.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\ARCHIV~1\MOZILL~1\FIREFOX.EXE
    D:\Archivos de programa\WinRAR\WinRAR.exe
    D:\DOCUME~1\Matias\CONFIG~1\Temp\Rar$EX00.703\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nod32kui] D:\Archivos de programa\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "D:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ink Monitor] D:\Archivos de programa\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpySweeper] "D:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [Shareaza] "D:\Archivos de programa\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [googletalk] "D:\Archivos de programa\Google\Google Talk\googletalk.exe" /autostart
    O4 - Global Startup: Microsoft Office.lnk = D:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://kq.bar.need2find.com/KQ/menusearch.html?p=KQ
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Archivos de programa\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Firewall service (FWSvc) - Unknown owner - D:\Archivos de programa\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - D:\Archivos de programa\Eset\nod32krn.exe
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe

    THANKS FOR YOUR TIME....

    Once I did what you told me, I ran Spy Sweeper and I found 4 adware.
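
An added example (not part of the thread and not HijackThis code): a small Python parser that compares the HijackThis log from post #1 with the one posted after cleaning in post #3, listing what was removed, what is still present, and which items merit a manual look. The sample lines are copied from those two logs and shortened to a few items each; the review heuristics and function names are assumptions of this example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")

# Item lines in a HijackThis log start with a section code such as R0, F2, O4 or O23.
# Header lines and the "Running processes" paths do not match and are skipped.
ITEM_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.+)$")

# A few lines copied from the first log (post #1).
BEFORE = r'''
Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - D:\WINDOWS\System32\hp104.tmp
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O8 - Extra context menu item: &Search - http://kq.bar.need2find.com/KQ/menusearch.html?p=KQ
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O18 - Filter: text/html - (no CLSID) - (no file)
'''

# A few lines copied from the log posted after the SmitfraudFix/Ewido run (post #3).
AFTER = r'''
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [googletalk] "D:\Archivos de programa\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Search - http://kq.bar.need2find.com/KQ/menusearch.html?p=KQ
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Firewall service (FWSvc) - Unknown owner - D:\Archivos de programa\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
'''


def parse_items(log_text):
    """Return the set of (code, text) items found in a HijackThis log."""
    items = set()
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.add(Entry(m.group(1), m.group(2).strip()))
    return items


def diff_logs(before, after):
    """Compare two logs. 'added' means 'not seen in the earlier log', which is
    not the same as 'newly installed': the first log in this thread shows no
    O23 (services) lines at all, so every service in the second log is 'added'."""
    b, a = parse_items(before), parse_items(after)
    return {
        "removed": sorted(b - a),
        "added": sorted(a - b),
        "unchanged": sorted(a & b),
    }


def review_flags(entry):
    """Reasons to look at an entry by hand (heuristics assumed for this example)."""
    reasons = []
    if "(file missing)" in entry.text or "(no file)" in entry.text:
        reasons.append("target file missing")
    if entry.code == "O2" and "(no name)" in entry.text:
        reasons.append("unnamed BHO")
    if entry.code in ("O2", "O4", "O20", "O23") and re.search(r"\.tmp\b", entry.text, re.I):
        reasons.append("autostart module with .tmp extension")
    if entry.code == "O8" and re.search(r" - https?://", entry.text):
        reasons.append("context menu item loads a remote URL")
    return reasons


def needs_review(log_text):
    """Return [(entry, reasons)] for every item with at least one flag."""
    flagged = []
    for entry in sorted(parse_items(log_text)):
        reasons = review_flags(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for kind in ("removed", "added"):
        for e in result[kind]:
            print(f"{kind:8} {e.code:4} {e.text}")
    for e, reasons in needs_review(AFTER):
        print(f"review   {e.code:4} {e.text}  [{'; '.join(reasons)}]")
```

A flag is a prompt to check the entry, not a verdict: a "(file missing)" line is often just a leftover registry reference to a program that is no longer installed.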

  • #4
    Neal is offline Dedicated Member
    HI,



    To clean your temp folder, recycle bin, etc., please download this free tool:

    CCleaner

    Don't install any Toolbars, or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
    It will put a shortcut on your Desktop.
    Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.

    Then Reboot (Exit)



    Open Hijackthis.

    Click the "Open the Misc Tools" section Button.

    Click the "Open Uninstall Manager" Button.

    Click the "Save list..." Button.

    Save it to your desktop. Copy and paste the contents into your reply.


    Plus a new hijackthis log please. Thanks.

  • #5
    matias15015 is offline Newbie
    Hi, Neal

    here is the list:

    Actualización para Windows XP (KB898461)
    Ad-Aware SE Personal
    Adobe Reader 6.0.1 - Español
    AnyDVD
    AutoCAD 2004
    Autodesk Express Viewer
    BadCopy Pro
    CCleaner (remove only)
    CD Catalog Expert V8.00 build 020601
    Chessmaster 9000
    CloneDVD2
    Digital Camera
    Diskeeper Lite
    ewido anti-spyware 4.0
    GNU Octave 2.1.50
    Google Talk (remove only)
    HijackThis 1.99.1
    Icatch(IV) Camera Driver
    Ink Monitor
    Microsoft Age of Empires II
    Microsoft Office XP Professional con FrontPage
    Mozilla Firefox (1.0.7)
    MSN Messenger 7.5
    Nero 6 Ultra Edition
    NOD32 Antivirus System
    Panda ActiveScan
    PhoTags Express
    PowerDVD
    ProSavageDDR and Utilities
    Realtek AC'97 Audio
    RegSupreme 1.2
    Revisión de Windows XP - KB842773
    S3Display
    S3Gamma2
    S3Info2
    S3Overlay
    SafeCast Shared Components
    Shareaza versión 2.2.1.0
    Smart Link 56K Voice Modem
    Software de impresora EPSON
    Spy Sweeper
    ubi.com
    Winamp (remove only)
    Windows Installer 3.1 (KB893803)
    WinRAR archiver



    and here is HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:31 a.m., on 13/07/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Archivos de programa\Eset\nod32kui.exe
    D:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
    D:\WINDOWS\SOUNDMAN.EXE
    D:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe
    D:\Archivos de programa\Shareaza\Shareaza.exe
    D:\Archivos de programa\Google\Google Talk\googletalk.exe
    D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    D:\Archivos de programa\Executive Software\DiskeeperLite\DKService.exe
    D:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
    D:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    D:\Archivos de programa\Eset\nod32krn.exe
    D:\WINDOWS\system32\slserv.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe
    D:\Archivos de programa\Mozilla Firefox\firefox.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Archivos de programa\WinRAR\WinRAR.exe
    D:\WINDOWS\System32\notepad.exe
    D:\DOCUME~1\Matias\CONFIG~1\Temp\Rar$EX17.422\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nod32kui] D:\Archivos de programa\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "D:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ink Monitor] D:\Archivos de programa\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpySweeper] "D:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [Shareaza] "D:\Archivos de programa\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [googletalk] "D:\Archivos de programa\Google\Google Talk\googletalk.exe" /autostart
    O4 - Global Startup: Microsoft Office.lnk = D:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://kq.bar.need2find.com/KQ/menusearch.html?p=KQ
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Archivos de programa\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Firewall service (FWSvc) - Unknown owner - D:\Archivos de programa\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - D:\Archivos de programa\Eset\nod32krn.exe
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Archivos de programa\Webroot\Spy Sweeper\WRSSSDK.exe


    Thanks...

  • #6
    Neal is offline Dedicated Member
    HI and thanks,


    Run HijackThis, click on the scan button and put a check next to this:


    O8 - Extra context menu item: &Search - http://kq.bar.need2find.com/KQ/menusearch.html?p=KQ


    Nothing open but hijackthis and click on fix checked.


    Reboot


    How is your computer behaving now?

  • #7
    matias15015 is offline Newbie
    It's really changed, thanks man...

    I ran Spy Sweeper and found nothing

    I ran SmitfraudFix and found zero

    I ran Ad-Aware SE and no critical objects were found

    I ran ewido and just found this:
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 12:13:07 a.m. 14/07/2006

    + Scan result:



    :mozilla.6:\Documents and Settings\Matias\Datos de programa\Mozilla\Firefox\Profiles\51gvjvw3.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).


    ::Report end


    see you.

  • #8
    Neal is offline Dedicated Member
    You're good to go,



    If you are no longer having any trouble, here are some preventative measures for you.

    Here are some preventive measures you can take to keep your computer from getting infected again. Also keep all these and Ad-Aware SE and Spybot S&D updated.

    http://www.d-a-l.com/help/showthread.php?t=32403

    Flush your restore points in ME and XP, by turning System Restore off and then back on.
    This will create a fresh restore point.


    Explained Here:
    Windows XP: http://vil.nai.com/vil/SystemHelpDoc...ysRestore.aspx

    Explained Here
    Microsoft ME:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam


    RegProtect

    This small registry protection tool will save you hours of heartache by notifying you when some program good or bad is trying to access your registry.

    You have the option of allowing(good) items or blocking(bad)items.


    http://www.diamondcs.com.au/index.php?page=regprot


    To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
    http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

    http://www.microsoft.com/windows/ie/default.asp


    2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free antivirus programs that are decent, including AVG and Avast!.
    AVG: http://free.grisoft.com/doc/1

    Avast: http://www.avast.com/eng/avast_4_home.html


    3. In addition to using Ad-Aware, consider using another free malware scanning/removal program:
    Windows Defender

    http://www.microsoft.com/athome/secu...e/default.mspx


    4. Consider using a free firewall if you are not already using one. Some good free ones are:
    Kerio
    http://www.sunbelt-software.com/Kerio.cfm

    OutPost Personal Firewall:
    Outpost



    5. Consider using an alternate free browser for general web surfing but you must use IE for windows update.
    Mozilla Firefox: www.mozilla.org/products/firefox/


    6. Consider increasing your browser security by using these programs:
    SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
    SpywareBlaster will increase browser protection by blocking Thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:

    http://www.javacoolsoftware.com/spywareblaster.html


    If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/


    IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
    https://netfiles.uiuc.edu/ehowes/www/resource.htm


    Block access to Untrustworthy Sites

    You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the: MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.



    *Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's Free
