0

Hello I need help with cleaning IE. FOREVER please. Then I will use FireFox :-))

This is my HijackThis log..

Logfile of HijackThis v1.99.1
Scan saved at 21:47:01, on 4. 8. 2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\oaDial\OADSRV.EXE
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\Winamp\Winampa.exe
D:\WINDOWS\mHotkey.exe
D:\PROGRA~1\QUICKT~1\qttask.exe
D:\Program Files\WinAlarm\WinAlarm.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
D:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
D:\Program Files\ICQLite\ICQLite.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Mr.Q\Anti Spy\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://trytofind.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - D:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - D:\Program Files\MySearch\bar\3.bin\S4BAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - D:\Program Files\NewDotNet\newdotnet4_85.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69A96DAA-F6E6-4B76-B1E1-0DEF1DEBBC82} - D:\WINDOWS\System32\dskrfuoui.dll (file missing)
O2 - BHO: Name - {914E4C31-FD08-4091-AAAA-6471A6F09101} - D:\WINDOWS\System32\msxdq.dll (file missing)
O2 - BHO: Name - {BBAEB581-98E3-4AD7-BF0B-DF417ABDCCE5} - D:\WINDOWS\System32\msxdq.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CXMon] "D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinAlarm] D:\Program Files\WinAlarm\WinAlarm.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [qwty] sftex.exe autorun
O4 - HKLM\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SphereXP] D:\Program Files\SphereXP\SphereXP.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B43BD7-CD03-4602-B572-E86A634D31BA}: NameServer = 69.50.188.180 195.225.176.37
O20 - Winlogon Notify: WB - D:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OADSRV - SODATSW spol. s r.o. - D:\Program Files\oaDial\OADSRV.EXE
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe

2
Contributors
3
Replies
4
Views
12 Years
Discussion Span
Last Post by swatkat
0

Hi,
Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido.

Download CleanUp! and install it, do not run it now.

Download CWShredder. Download SpSeHjfix to the Desktop and then right click a blank part of Desktop & select new folder, call it spfix unzip the file into that folder.


Disconnect from the net and Close ALL OPEN PROGRAMS.

Run SpSeHjfix112 and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.
If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder, and click "Fix" button.

Now, run CleanUp!, click the "Options" button. Here move the "Quick Setup" slider to "Thorough CleanUp!" and click "OK" to warning message.
Next, uncheck the option "Delete Favorite places". Exit from Options and in the main window, click "CleanUp!" to start cleaning. After cleaning, click "Close" and choose "Yes" to restart the PC.


When the system restarts, keep tapping the F8 Key. From the menu that will be displayed, out of which choose Safe Mode and press Enter.


Uninstall these Software from Add/Remove Programs in Control Panel:-
1] NewDotNet orNew.Net
2] MyWebSearch
3] Spyware Vanisher


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://trytofind.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - D:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - D:\Program Files\MySearch\bar\3.bin\S4BAR.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - D:\Program Files\NewDotNet\newdotnet4_85.dll
O2 - BHO: (no name) - {69A96DAA-F6E6-4B76-B1E1-0DEF1DEBBC82} - D:\WINDOWS\System32\dskrfuoui.dll (file missing)
O2 - BHO: Name - {914E4C31-FD08-4091-AAAA-6471A6F09101} - D:\WINDOWS\System32\msxdq.dll (file missing)
O2 - BHO: Name - {BBAEB581-98E3-4AD7-BF0B-DF417ABDCCE5} - D:\WINDOWS\System32\msxdq.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [qwty] sftex.exe autorun
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Exit from HijackThis. Delete this folder:-
c:\spywarevanisher-free


Go to Start > Search. Here click "All files and folders" in the left pane. Next, click "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders".
Next, search for this file:-
sftex.exe
If the above mentioned file is found, right-click on it and click "Delete". After deleting, exit from Search window.


Run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.


Go to Start > All Programs > Accessories > Command Prompt. Here in the Command Prompt, type netsh winsock reset and press ENTER. After this, type exit and press ENTER.


Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log along with SpSeHjFix and Ewido logs.

0

I think (hope) I have done everithing what you wanted. Here are my fresh logs

HijackThis log.....

Logfile of HijackThis v1.99.1
Scan saved at 16:02:47, on 7. 8. 2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
D:\Program Files\Winamp\Winampa.exe
D:\WINDOWS\mHotkey.exe
D:\PROGRA~1\QUICKT~1\qttask.exe
D:\Program Files\WinAlarm\WinAlarm.exe
D:\Program Files\ICQLite\ICQLite.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
D:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Mr.Q\Anti Spy\hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://trytofind.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CXMon] "D:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinAlarm] D:\Program Files\WinAlarm\WinAlarm.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [qwty] sftex.exe autorun
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SphereXP] D:\Program Files\SphereXP\SphereXP.exe
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O20 - Winlogon Notify: WB - D:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe


SPSeHjFix log....


(8.7.05 14:56:01) SPSeHjFix started v1.1.2
(8.7.05 14:56:01) OS: WinXP Service Pack 2 (5.1.2600)
(8.7.05 14:56:01) Language: slovenina
(8.7.05 14:56:01) Win-Path: D:\WINDOWS
(8.7.05 14:56:01) System-Path: D:\WINDOWS\system32
(8.7.05 14:56:01) Temp-Path: D:\DOCUME~1\miro1\LOCALS~1\Temp\
(8.7.05 14:56:03) Disinfection started
(8.7.05 14:56:03) Bad-Dll(IEP): d:\windows\system32\dskrfuoui.dll
(8.7.05 14:56:03) BHO: {69A96DAA-F6E6-4B76-B1E1-0DEF1DEBBC82} D:\WINDOWS\System32\dskrfuoui.dll
(8.7.05 14:56:03) BHO-deleted
(8.7.05 14:56:03) BHO-CLSID-Key deleted
(8.7.05 14:56:03) UBF: 7 - UBB: 6 - UBR: 18
(8.7.05 14:56:03) UBF: 7 - UBB: 6 - UBR: 18
(8.7.05 14:56:03) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://d:\windows\system32\dskrfuoui.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://d:\windows\system32\dskrfuoui.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, CustomizeSearch: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://d:\windows\system32\dskrfuoui.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://d:\windows\system32\dskrfuoui.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch: about:blank
(8.7.05 14:56:03) Stealth-String not found
(8.7.05 14:56:03) File added to delete: d:\windows\system32\dskrfuoui.dll
(8.7.05 14:56:03) Reboot


And Ewido log....


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           15:55:28, 7. 8. 2005
+ Report-Checksum:      5B1EB0C4


+ Scan result:


HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKU\S-1-5-21-861567501-764733703-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{008DB894-99ED-445D-8547-0E7C9808898D} -> Spyware.Slagent : Cleaned with backup
HKU\S-1-5-21-861567501-764733703-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10} -> Spyware.eXact : Cleaned with backup
HKU\S-1-5-21-861567501-764733703-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
D:\WINDOWS\NDNuninstall4_85.exe -> Spyware.NewDotNet : Cleaned with backup
D:\WINDOWS\system32\diantzpt.exe -> Trojan.SpoofDNS : Cleaned with backup



::Report End

Edited by mike_2000_17: Fixed formatting

0

Hi,
We have to run SpSeHjFix again! Before that, open NotePad, and copy the contents of the below "Quote" box:-

cd %windir%
attrib -s -r -h sftex.exe
del sftex.exe
cd System32
attrib -s -r -h sftex.exe
del sftex.exe
attrib -s -r -h dskrfuoui.dll
del dskrfuoui.dll

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.


Boot in safe mode.

Run SpSeHjfix112 and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.
If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.


Now run the CWShredder, and click "Fix" button.


Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://trytofind.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\System32\dskrfuoui.dll/sp.html (obfuscated)
O4 - HKLM\..\Run: [qwty] sftex.exe autorun
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Double-Click on the file Test.bat, a small DOS type window should open and close immediately.


Run HijackThis again, and post a fresh log. By the way, have you uninstalled SpywareVanisher?

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.