PhilliePhan 171 Central Scrutinizer Team Colleague

You should have AVG CLEAN the items it finds. You have a couple things hiding in System Restore.....

-- Please download FixxIt.zip and Extract FixxIt.reg to your desktop.
DoubleClick on FixxIt.reg and allow it to merge into the registry.
REBOOT

You ought to be able to reset your Desktop now.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I think I am hit by a virus/spyware. I got a Windows security alert balloon. When I restarted my computer, it disappeared, but my desktop background is stuck with a blue color and when I try to change it, the option seems to be locked or disabled. I tried to delete all spyware using AVG anti-spyware. Though it shows Deleted, the problem still exists. Your help to resolve this problem will be appreciated.

-- Can you give us a fresh AVG Scanlog?

Please relocate HijackThis to a safer location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.

THEN:
-- Please download Peekaboo.bat to your Desktop.
-- DoubleClick peekaboo.bat and give it a couple seconds to run.
A log should pop up in Notepad. Please attach that (peek.txt) for me using the "manage attachments" button when you post back (scroll down).

BTW - You should be advised that anytime somebody in any forum gives you an unknown program to run (even a simple batch like this one), it is strictly a "Use At Your Own Risk" proposition!

Anyhoo, it is up to you if you want to trust me :)


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Actually, this is a Smitfraud infection.

There are a couple dedicated removal tools for this.


-- A note on HJT and Online Analyzers.
Both miss a lot. An online analyzer is only as good as its DB and there are a ton of baddies that do not show in a HJT Log in the first place.


-- Hazdude,
I'd be happy to help you clean this, time permitting (I am juggling a number of threads in a number of forums at the moment).
At this point, I am not sure what you have and haven't done to your machine. So, please do the following:
Please look at the steps I have written here and obtain the three logs as directed and post them here.
1- Kaspersky
2- AVG Anti-Spy
3- Fresh HJT Log

Often, there are multiple malware issues with this infection and it helps to get a good baseline from which to start. Those scans will do it and we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Carrie,

Looks like we have a bunch yet to do. But, we'll get there! :)

First and foremost, you really need to install a resident Anti-Virus app. I also suggest installing a Firewall as well.
http://free.grisoft.com/doc/2/lng/us/tpl/v5
http://dl2.zonelabs.com/bin/free/1001_cnet_zdnet/zlsSetup_70_302_000_en.exe

Install Spyware Blaster, too!
http://www.javacoolsoftware.com/spywareblaster.html

All of the Above are FREE!!

-- You should definitely Update your Java here ---> http://www.java.com/en
-Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions! If you do not uninstall ALL older versions, you may remain at risk for a number of baddies such as Vundo.
Do this now.

Also, when we are done, we will need to Flush System Restore – Don’t let me forget!

*** The AVG AntiSpy Log was not saved properly. We’ll run it again after these steps.
*** You have a lot of backdoor Trojans showing. They may have compromised any sensitive information on your computer (banking, passwords, etc...) – You might want to keep an eye on those or change them via a clean computer!

Anyhoo, off we go!
Please do these steps in the order given. Let me know if you have any questions.
You might want to print these steps or save them locally since you will have to reboot and be in Safe Mode.

-- Please Disable SpybotSD’s Tea Timer so it doesn’t interfere with the repair process.

PhilliePhan 171 Central Scrutinizer Team Colleague

I was wondering - is there a way to make sure that my computer is virus free?

I suggest looking at both of my links below for good tips, etc....

If you feel the need, try the Kaspersky Online Scan listed in my Self-help steps.

Definitely install Spyware Blaster and ZoneAlarm Firewall. Both are in my Protect Yourself linky.

O23 - Service: Mrfs80b5porh - Unknown owner - C:\WINDOWS\system32\drivers\drvnddm.sys (file missing)
I am not sure about this HJT entry - You may want to investigate further. The file may not be missing / may even be legit...

Also, be careful with the BitTorrent and what you download. Lotta people get baddies that way. In many forums, we see "repeat customers" due to this and there is now an ongoing discussion among those of us who volunteer our free time in these forums as to whether we want to waste that time on people who are just going to get reinfected.......

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

2. Now update your AV program and do another full and thorough scan.

Flushing System Restore might be a bit hasty since AVG Anti-spyware did not show any infected restore points - If the scan is done properly, it should show them.

Also, it's pretty difficult to update an AV program when none exists on your machine!! Not a safe way to go! See my linky below for some good and FREE options (including AVG Free). Install one! (AVG Anti-spyware is NOT an AV app)

While you are at it, update your Java as per the instructions in the linky! That way you are less likely to get hit again by Vundo and other baddies....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

sites take 4ever to open and my computer takes just as long.
Many thanks!

Logfile of HijackThis v1.98.2

Hi Carrie,

It looks like you have a few malware issues.

--- Your HJT is an old version and outdated. Let's kill a few birds with one stone and do this:

Please follow the steps that I have written here and get an up-to-date copy of HJT. Be sure to rename it as instructed.


Please submit the three scanlogs requested in the link to this forum and we'll get you cleaned up!

1 - Kaspersky Log
2 - AVG Anti-Spy log (remember to "quarantine" and "Apply Actions" as indicated in my instructions)
3 - Fresh HJT Log

If you have any questions, feel free to ask.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

how did u get it fixed?

This message occurs when a "run key" still exists in the registry for an item that has been removed from your machine.

In this case, you would just "fix" it with HJT to remove the key from the registry.

If you still have Mywebsearch active, the first step would be to uninstall it via Add/Remove Programs.

Failing that, open the C:\PROGRAM FILES\MYWEBSEARCH folder and run the uninstaller manually. If no uninstaller exists, you could just delete the folder and clean registry remnants manually, to the extent desired - (most just remove the runkey and leave it at that).


Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you so much for all your help.

You're welcome!

Everything looks OK. Just remember to completely uninstall AVAST! so it doesn't get tangled with AVG Free and you should be good to go.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP487\A0095385.exe -> Trojan.DNSChanger.hg : Cleaned with backup (quarantined).

That looks good - AVG Found the Trojan in System Restore and cleaned it.

-- How are things running now? Any Issues?

-- You might want to submit a final HJT log to double-check.


Cheers :)
PP

-- I like your siggy quote - Reminds me of that great Lennon song, "Whatever gets you through the night." I've quoted it numerous times....

freakNpink commented: You helped me so much. Thank you. =D +1
PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for replying.:mrgreen:

I did everything and got all the logs except AVG..
so far AVG has found a dns changer Trojan.
What I meant by weird is everything slowed down a lot this week and
randomly getting sent to a different site then I enter or a site with almost the same name.

The AVG Anti-spy log is coming soon...Still running.

Yeah - that's the DNS hijacker we ran the FixWareout to remove.

Will wait on the AVG Anti-spy log - it may be detecting items in System Restore. We'll flush that.

Looks like you opted for AVG FreeAV. You should go into Add/Remove Programs and completely Uninstall AVAST! so they don't come into conflict with each other.


Be back tomorrow :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My computers been acting "weird" for awhile.
I ran a few programs and here are my results...
Considering I don't know much about this I am kindly asking for help.:cheesy:

--- What is the "weird" behavior?
--- What makes you think there is a rootkit on your machine?
--- Note that EWIDO was bought by Grisoft and is now AVG Anti-spyware.
For our purposes, your current version should be OK. Just update the definitions before scanning.


Anyhoo, here we go:
You might wish to relocate HijackThis to a safer location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.

NOW, on to the fix:

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts. Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

PhilliePhan 171 Central Scrutinizer Team Colleague

This is my log. Is there anything wrong with my computer?

Oh yeah . . . . A boatload of malware in that log including some nasty backdoors and a DNS hijacker.

-- In cases like this, it might be easier/better to reformat.
Also, you should assume that any sensitive info on your compy has been compromised (passwords/ banking data, etc...) and you should change them via a clean computer.
This may not be the case, but you cannot be sure what info has been harvested....


IF you would like to try to clean your computer, I'll be happy to help. We'll need to take a few passes with a number of different tools.

--- FIRST:
Please run through the steps I have outlined in my post here and produce the three scanlogs as requested.

1- Kaspersky
2- AVG Anti-spy
3 - Fresh HJT (renamed as per the instructions)

Let me know if you want to proceed and we'll go from there.

** I see from some of your other posts that you are no stranger to malware! ;)
-- Is this the same computer? The other posts had XP Service Pack2 while this compy is SP1.
Did you reformat/reinstall??

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you so much for helping me, it completely worked! My desktop is back and I checked just to make sure I can change it. FANTASTIC! THANK YOU!

You're welcome!

Sorry about the rather "roundabout" approach it took us to get there, but I wanted to be sure the cause of the problem was gone.

Be sure to have a look at my linky below to help head off future problems.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Eander,

The AVG log looks ok. I'll wager any baddies have long since been cleaned by your resident AV/Anti-spy apps.

-- The registry looks like you are running Windows XP Professional as opposed to XP Home?

Anyhoo, let's try a minimally invasive registry patch and see if it does the job....

Please download EanderFix.zip and extract the contents (Eanderfix.reg) to your Desktop.
-- DoubleClick on EanderFix.reg and follow the prompts to allow it to merge into the registry. You may then delete it from your desktop.

-- REBOOT your compy and see if you are able to reset your Desktop.

Let me know how it shakes out.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Yup...I found all 3 of those files. Also, I realized I never removed the creative file from hijack this.
What's the next step with those 3 files you were talking about and should I run HT and remove the creative file?

Just to butt in and back out quickly ;)

Until Gerbil is able to check back, go here ---> and use the Browse Button at the top of the page to navigate to C:\WINDOWS\yxdxj.dll and Upload it for analysis. Please Copy&Paste the results.

-- Do the same for C:\WINDOWS\system32\izxfae34.sys and C:\WINDOWS\sys0162438219112006.exe

Since you were indeed able to find them, it might be nice to know what malware they belong to (if that is the case).

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Eander,

It looks like you did indeed have a SpySheriff or similar infection. The bulk of it seems to have been cleaned somewhere along the way. The only remaining component found by SmitfraudFix is the below and it is harmless. You may delete it if you desire.

C:\Documents and Settings\David\Application Data\Install.dat

-- The AVG Anti-Spy Log will pop up and you'll need to save it where you can find it easily. My steps cover it pretty well.
I would also suggest that you keep the AVG anti-spy on your machine after we are done. Even if you do not buy it (it's worth the cost) and the "real-time" protection is disabled after a month, you can always use it as an "on-demand" scanner as we are doing now. Just follow the same steps as I have outlined.... Update and Scan.

Anyhoo, as I mentioned, it looks like the malware has come and gone, leaving an altered registry. Let's have a look at what sort of mess it left so that we can fix it:

-- Please download Peekaboo.bat to your Desktop.
-- DoubleClick peekaboo.bat and give it a couple seconds to run.
A log should pop up in Notepad. Please submit that (peek.txt) for me along with the AVG AntiSpy log and we'll get you fixed up.

BTW - You should be advised that anytime somebody in any forum gives you an unknown program to run (even …

PhilliePhan 171 Central Scrutinizer Team Colleague

I also had another Question with the Windows Defender. Since we just decided for me to keep the Windows One, at the end of your steps after rebooting in safe mode should I open my Windows One care where it says to open Defender?

That's not necessary.

I just wanted a couple initial logs so as to set a baseline to start from.
Your HijackThis log looks pretty clean - a couple very minor issues, but nothing to worry about at the moment.

-- Your HJT also tells me that you are running Windows XP, not 2003.

Logfile of HijackThis v1.99.1
Scan saved at 6:10:17 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

So, you can and should run the AVG Anti-Spyware step and submit that log for me.

Anyhoo, as poster DimaYasny mentioned, your description of the problem does indeed sound like a "Spy Sheriff" issue (Smitfraud Trojan).
However, it is usually evident in a HijackThis log, but I see no sign of it.
To rule it out as the cause, please do the following:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
Please be patient while the program runs.

PhilliePhan 171 Central Scrutinizer Team Colleague

PP, I have a question about the last couple of steps in your forum after rebooting in safe mode. The first is to run the ATF cleaner and it's for XP and 2000 OS only. Are the other steps following good for 2003 users like me? Or is that whole set of things only for XP and 2000?

Everything is geared toward XP & 2K.

-- The HijackThis log and the Kaspersky log should be plenty to get us started. Let's just do those first and go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

well, you could go through the registry, and reset the permissions for every key altered by the malware, but as I said formatting is really faster and more efficient :)

Yes it does sound like a Smitfraud issue and NO, a reformat is not the easiest way to deal with this. (I agree that it IS 100% effective, but can often be problematic - depending on the user, how skilled they are, backup of data, whether they have a copy of Windows with a valid key.... the list goes on.)

Better to try removal first and save format as last option.
However, before we run a bunch of specialized removal tools, it is important to pin down exactly what is going on.
Hence the scanlogs.

Also, if we find exactly what is at the root of the problem, I can make a "one-click" registry patch that will address any altered Registry keys.


-- Eander - Hold off on replacing One Care with Defender until we get a better idea of what is going on. Just skip it for now.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

so what software should you really have, which one is better as well as packages and such. or is there another virus protection program that you can buy that is better than these two?

To quote from my linky below:

Two of the best AV products I have found are Kaspersky and NOD32. The edge would probably go to NOD32.

Some good FREE alternatives are:
AVG Free Edition
AntiVir® Personal Edition Classic
Avast! Home Edition

If you are considering buying a "security suite" from either Norton or McAfee, I would instead point you to Kaspersky Internet Security 6.0

Have a peek at my linky below for more info and tips.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Is there an easier way to go about this?

Not really.

It is difficult to ascertain the cause of the problem - may or may not be malware. Could have been a malware infection that was partially cleaned and left an altered registry. Who knows?

There have been a ton of malware that bork the desktop. But, if indeed there is a malware cause, nobody is going to be able to help you without getting more information.
Hence the steps I requested. (If it IS malware, just running them may even fix the problem, if Kaspersky or AVG are able to clean it...)

If you can get us those scanlogs, we can rule out malware and go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Eander,

If nobody else answers, I suggest you follow my steps outlined here and attach the requested scanlogs to this thread.

-- Kaspersky Log
-- AVG Anti-spy Log
-- HijackThis Log

If none of the other volunteers here is able to help, I will try to check back. Have a lot on my plate these days...

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

nb. About rootkillers, doesn't NAV find these parasites?

Rootkits?
Some Security Suite packages claim to detect them, but for the most part it is hit-or-miss. Generally, you are better off using a few of the specialized tools in concert with an experienced forum advisor........


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Things are much better back to normal thanks to you.
I am including a copy of a HJT log done after fixing. I did download the AWF and included the log in my previous reply. I am not sure whether I know what you asked for.
Thanks again

You're welcome!

Everything looks good :)

--- Sorry for the confusion. What I meant was that I did not see any trace of the AWF downloader in those (FindAWF) logs.....

-- You can remove that AVG Anti-Spy if you like since you have both Spy Sweeper and Windows Defender on board. The AVG "Guard" feature will be disabled after a month, anyway. 'Course, you could keep it on hand as an "on demand" scanner - you can always get definitions updates for it....

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Some additional info for you.
The link below can explain it better than I ever could. ;)

See post #8 for the FFF entries....

Click the LINKY


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

rogram AVG Anti-Spyware - Správa o vyhľadávaní
---------------------------------------------------------

C:\syst.exe -> Downloader.Small.dam : Vyčistené so zálohou (karanténa).

Hi Tommi,

It looks like AVG quarantined syst.exe.

As for your other problem, you might try the advice in this link:
http://forum.hijackthis.de/showthread.php?p=98121

Best Luck :)
PP

** You might want to consider installing an anti-virus app from my linky below!

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi George,

Things look OK.

I do not see the downloader AWF that I thought might be present - That saves a lot of hassle!

-- How are things running now?

-- How about posting a Fresh HJT log just to double-check?


I'll be back tomorrow.

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi gjeha,

You have what look to be a couple of the nastier baddies that are making the rounds. We'll try to get the bulk of them in one pass (though one baddie replaces legit files with malware and we'll have to restore the good files to their proper locations - Hopefully the AVG run will delete the bad ones...).


***Please DISABLE SpybotSD's "Tea Timer" before doing the steps below!!!!
Frankly, I would suggest uninstalling SpyBotSD completely since you already have Spy Sweeper and Windows Defender in play.
If you are concerned about the "immunize" feature of Spybot, you'd be better off with Spyware Blaster....


Anyhoo, off we go . . .

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. When your system reboots, follow the prompts. Afterwards, HijackThis will launch (If Hijackthis does not launch then please start it yourself).

Please Scan with HJT, and check the boxes for the following items:
O2 - …

PhilliePhan 171 Central Scrutinizer Team Colleague

Quite some time ago, I had the 'Symantec Email Proxy' problem where 'Scanning Message One of One' kept on popping up, and it kept on sending random e-mails to unknown IPs and what not.

Hi Kevin,

I am not sure about the Symantec problem, but you do have a couple baddies showing in your HJT Log.


FIRST -- Please DELETE your current copy of HijackThis


Download a fresh HijackThis from http://downloads.malwareremoval.com/hijackthis_sfx.exe

Save the setup file on your desktop.
Then, DoubleClick on it and by default it should install to C:\Program Files\HijackThis
Continue through the setup and allow it to create a desktop icon for you. Follow all the prompts, and click Finish .


Please Scan with HJT, and check the boxes for the following items:
O4 - HKLM\..\Run: [itunesff] C:\WINDOWS\system32\itunesff.exe -go -c48 -w
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\PON\LOCALS~1\Temp\2307796.exe

O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -

O17 - HKLM\System\CCS\Services\Tcpip\..\{CB45AE83-A2C7-4543-9F30-ED0CB0B3874C}: NameServer = 202.188.0.133 202.188.1.5 ---> If this is your ISP in Kuala Lumpur then leave this entry alone

Be sure All Browser Windows are Closed and then Click Fix Checked.

NEXT:
Please Boot to Safe Mode and navigate to and DELETE C:\WINDOWS\system32\itunesff.exe
If you are unable to do so, let me know.

THEN:
Please download HOSTER and Extract it to your Desktop.
Click the Restore Original …

PhilliePhan 171 Central Scrutinizer Team Colleague


um the only problem that occurred so far is that my audio device is missing;

medias on internet and some other programs; musics played by media player and adrenalin ; i can hear them well like before

but certain programs don't make a single sound

Hi Stephanie,

-- Can you tell me when you first noticed this? After which post in the removal procedure?


Honestly, I am kinda winging it here . . . This is a very difficult HJT log for me because of the Asian background.

For instance, conime.exe is a valid file . . . it's an IME for Asian language input. However, it doesn't run as a service and it doesn't run from %windir% as it was showing in your HJT - so it was a baddie. But, these things make it a bit difficult.....

There are a number of things we removed that I am pretty sure had to go. I am not 100% on them because I've never seen them before - going on gut and experience.

For instance, C:\WINDOWS\system32\upl.dll could very well be a legitimate dll, but it shouldn't be running from system32.

Plus, it looks like a Korean baddie:
http://info.ahnlab.com/securityinfo/virus_view_eng_new2.jsp?SEQ_NO=6544
http://v3.korea.com/info_virus_view.asp?list=/virus_info_list.asp&seq=6544

And, it's a newly discovered baddie, which may be why McAfee popped up with a heuristic detection rather than a specific one...
So, I had you fix it...


On the …

PhilliePhan 171 Central Scrutinizer Team Colleague

checked the two programs(below)
File: CDANSRV.EXE
Status: OK
File: mdm.exe
Status: OK

Interesting . . . . The first one I kinda expected, but drawing on experience, this one just looks really wrong to me:
O23 - Service: COM+ Provider (COMSrvlagacy) - Unknown owner - C:\WINDOWS\mdm.exe

We'll leave it alone for the time being. However, if you still have problems, it may bear further scrutiny!


Anyhoo, let’s finish up, shall we....

--- Please download KillBox to your Desktop. Leave it where you can find it for now.
--- Download ATF-Cleaner.exe by Atribune to your Desktop. Just leave it for now . . .


Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.

-- Please Boot to Safe Mode

NOW:
Click Start > Run > type services.msc and Click OK
Locate Windows Management Network (WMN) (WNManage) and RightClick on it to bring up the Service Properties Window.
First: Stop the service by clicking the Stop Button.
Next: Disable it by changing the Startup Type to Disabled and click Apply. Note that it may already be disabled.
Then: Run HijackThis and open the Misc Tools section and select Delete an NT service and follow the instructions to enter and remove that service.

NEXT:
Please scan with HijackThis and …

PhilliePhan 171 Central Scrutinizer Team Colleague

No help huh? No one at all?

Sorry.

These forums are based upon the good will and free time of volunteers. Usually there is plenty of good will to go around, but never enough free time! :)

When I post at SpywareWarrior, for instance, there is often a wait of a few days before a volunteer can get to your thread.

In your case, your HJT log looks OK. Of course, there are a number of baddies that go undetected by HJT these days and necessitate further scans with other tools.

I have too many open threads in various forums to take on another at this time.
If somebody else does not step in and help here at Daniweb, you might consider running through my "do it yourself" steps.

Best luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Stephanie,

I’ll leave the sorting out of the Anti-Virus programs to you ;)

-- It looks like you have 2 copies of HJT running. Delete the one on the desktop and run the one located at C:\Program Files\HijackThis


-- I am not certain about this item:
O23 - Service: C-DillaService - Unknown owner - C:\WINDOWS\system32\drivers\CDANSRV.EXE
It should be CDANTSRV.EXE

Please go here ---> and use the Browse Button at the top of the page to navigate to C:\WINDOWS\system32\drivers\CDANSRV.EXE and Upload it for analysis.
Please Copy&Paste the results for me.
-- Do the same for C:\WINDOWS\mdm.exe
Make sure the file paths are exactly as listed!


NOW:
Please Scan with HJT, and check the boxes for the following items:
O2 - BHO: ShopGuide Class - {3CB0CF42-DA54-47d2-8999-23928A2DEA42} - c:\Program Files\ShopGuide\shpguide.dll
O2 - BHO: upg Class - {AD4A14F9-1BA1-49EC-B721-E1D79AD768F6} - C:\WINDOWS\system32\upl.dll --> I do not know what this is. If you do not either, fix it.
O2 - BHO: IWebInterception Class - {BFDDBDBB-F62C-4D4A-B574-59D276F47196} - C:\Program Files\Click To Tweak [Basic]\WebInterception.dll
O2 - BHO: (no name) - {D2A0394A-64E0-461B-A038-A52B41C03F75} - C:\WINDOWS\system32\beans.dll
O2 - BHO: (no name) - {E3231BA4-4271-402E-B20C-D5CFFF70F9D4} - C:\WINDOWS\system32\fasts.dll

O4 - HKLM\..\Run: [Intelligent Update] "C:\Program Files\Intelligent Update\IntelliUpdate.exe"

O9 - Extra button: 7-up - {22FF2F07-6455-4cac-A71D-EA1C47EA6DA6} - C:\Program Files\Sevenup\7up.exe
O9 - Extra button: 무료 백신 - {73182355-ED2B-4064-A45F-49227EA0EE74} - C:\Program Files\OKToolbar\Okupdmnger.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra …

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm using Avast and McAfee right now, but my McAfee keeps telling me that it's expired, even though it is not supposed to say that, cause I purchased it like 3 months ago with a one year subscription - -; I don't know what's going on b/c it doesn't let me upgrade so it's kinda outdated,

Well . . . If you cannot update its definitions, an AV is useless. Also, having both Avast! and McAfee on the same compy can be problematic. Perhaps you'll need to work it out with the McAfee people since you paid for their product?

At any rate,
You should uninstall one of the two AV programs
- Then, give me a fresh HJT Log (reflecting your choice of which to keep) and I'll post some cleanup instructions for you.
We'll leave the Naver Toolbar alone, but a lot of other stuff will go.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Dan,

It looks like you have battled malware recently? Makes it a bit more difficult because I am not sure what has already been done....

Can you give me an idea of what you did (if anything)?

There are a number of malware traces in the WinPFind log, but some may be remnants - I even see a few that look like VUNDO remnants.


Before I work up a removal procedure, I'd like you to do two more things for me.

1 - I see you have AVG Anti-spy on your compy.
RightClick the AVG Anti-Spy Icon in your system tray and Click Run online update and allow it to run until you see the Update Successful message. If you are unable to do this, please let me know.

NOW, run a full scan:

-- Click on the Scanner button and choose the Settings Tab.
---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
--->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
-- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
-- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
-- AFTER clicking Apply all actions, Click on Save …

PhilliePhan 171 Central Scrutinizer Team Colleague

I know this post is a little old, but I thought I might add a possible solution. I am having the same problem. . . .

That could be, but my money is on the Backdoor SDBot being the culprit in this case:
O4 - HKLM\..\RunServices: [Windoxs Update Center] W32RfSA.exe

And two moderators even looked at this thread :eek:

PhilliePhan 171 Central Scrutinizer Team Colleague

I have also run Hi-Jack this, however I cannot find anything I need to get rid of.

What about these?
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://195.95.*.*
O15 - Trusted IP range: http://195.225.*.*
O15 - Trusted IP range: http://205.177.*.*
O15 - Trusted IP range: http://205.188.*.*
O15 - Trusted IP range: http://216.239.*.*
There is no reason that I can think of for anything to be in the Trusted Zone. Ever.


Let's try this:
-- Please download DelDomains and save it to your DeskTop. Then, RightClick DelDomains.inf and select Install

NEXT:
Click Start > Run > type CMD > Enter
Type or Copy&Paste: ipconfig /flushdns > Press Enter
(Be sure to leave the space between the g and the / )

THEN:
Please Update your Java here ---> http://www.java.com/en
Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions!
If you do not uninstall ALL older versions, you may remain at risk for a number of baddies.

AFTER Java has been updated:
ATF-Cleaner.exe by Atribune to your Desktop.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To …
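The O15 entries quoted above are the kind of thing a reviewer has to pick out of an HJT log by hand. This added example (not from the thread or from HijackThis) parses the "O15 - Trusted Zone:" and "O15 - Trusted IP range:" lines, flags every one of them per the rule that nothing belongs in the Trusted Zone, and works out how many IPv4 addresses a wildcard range such as 195.95.*.* actually trusts. The line format is assumed from the entries quoted in the post; the sample log is constructed.

```python
"""Flag HijackThis O15 Trusted Zone / Trusted IP range entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: O15 lines copied from the post above plus one non-O15 line
# to show that unrelated entries are ignored by the parser.
SAMPLE_HJT_LINES = """\
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted IP range: http://195.95.*.*
O15 - Trusted IP range: http://216.239.*.*
O4 - HKLM\\..\\Run: [Example] notepad.exe
"""

# Assumed O15 line shape: "O15 - Trusted <Zone|IP range>: <url-ish target>"
O15_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (\S+)$")


@dataclass
class TrustedEntry:
    kind: str        # "Zone" (host pattern) or "IP range" (dotted pattern)
    target: str      # the pattern with any scheme removed
    wildcard: bool   # True when the pattern contains '*'
    addresses: int   # IPv4 addresses covered (IP ranges only, else 0)


def address_count(ip_pattern: str) -> int:
    """'195.95.*.*' -> 65536: each wildcard octet matches 256 values."""
    octets = ip_pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad pattern: {ip_pattern}")
    count = 1
    for octet in octets:
        if octet == "*":
            count *= 256
        elif not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet in {ip_pattern}")
    return count


def parse_o15(log_text: str) -> list[TrustedEntry]:
    """Return one TrustedEntry per O15 line; every entry is a finding."""
    entries = []
    for line in log_text.splitlines():
        match = O15_RE.match(line.strip())
        if not match:
            continue
        kind, url = match.groups()
        target = re.sub(r"^[a-z]+://", "", url)
        addresses = address_count(target) if kind == "IP range" else 0
        entries.append(TrustedEntry(kind, target, "*" in target, addresses))
    return entries


def trusted_address_total(log_text: str) -> int:
    """Sum of IPv4 addresses the log's Trusted IP ranges cover."""
    return sum(e.addresses for e in parse_o15(log_text))


if __name__ == "__main__":
    for e in parse_o15(SAMPLE_HJT_LINES):
        extra = f" ({e.addresses} addresses)" if e.addresses else ""
        print(f"FLAG O15 {e.kind:8} {e.target}{extra}")
    print(f"{trusted_address_total(SAMPLE_HJT_LINES)} IPv4 addresses trusted via ranges")
```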

PhilliePhan 171 Central Scrutinizer Team Colleague

omg !! i haven't done the second list of things you told me to do !
but it works now !!! thank you so much , yeapee~

Happy to help :)

There are still a number of baddies to fix as well as some nuisance items in your HJT Log - If you want to proceed, let us know!

I am spread a bit thin posting in a number of different Forums, so I will not work up a fix until I hear back from you with answers to my previous post.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Phil: thank you very much for the quick response
i really appreciate it!

Happy to try to help :)

You have a number of items in your HJT Log that look like Adware/Spyware that you may have installed and want to keep. I am not familiar with all of them.
It looks like you are in Korea?

Anyhoo, can you tell me what each of the following is and whether you want to keep any of them:

C:\Program Files\Intelligent Update
C:\Program Files\CyberScrub AntiVirus --> if legit, should be uninstalled anyway
c:\Program Files\ShopGuide
C:\Program Files\Click To Tweak
C:\Program Files\share
OKToolbar
Windows Direct Toolbar
NaverToolbar

Uninstall the ones that you are able to via ADD/REMOVE Programs


-- Also, it looks like you have elements of Kaspersky and AVAST! anti-virus programs on your machine. You should remove (uninstall) them so they do not conflict or interfere with McAfee!

Let me know about the above and we can continue from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

McAfee on my computer just detected i have a new win32 virus
(is the new win32 virus and just win 32 virus different??)
i spent the last three hours searching and struggling to get rid of this thing;

Hi Stephanie,

I do not believe this is a specific virus - I think the notification is the result of a heuristic detection (similar to Symantec's "bloodhound").


You DO have some baddies showing in that HJT Log. Please do a few things for me:

FIRST:
Please relocate HijackThis to a safer location. Most Forum volunteers expect to find it at C:\Program Files\HijackThis or C:\HijackThis.
If you are unable to move it on your own, please do the following:

Download a fresh HijackThis from http://downloads.malwareremoval.com/hijackthis_sfx.exe

Save the setup file on your desktop.
Then, DoubleClick on it and by default it should install to C:\Program Files\HijackThis
Continue through the setup and allow it to create a desktop icon for you. Follow all the prompts, click Finish and just leave it for now.

NEXT:
Please download and Install AVG Anti-Spyware v7.5

THEN:
RightClick the AVG Anti-Spy Icon in your system tray and do the following:
-- Uncheck Resident Shield
-- Uncheck Automatic Updates
-- Uncheck Start with Windows
* You can reset the above to their defaults AFTER your machine has been deemed “clean,” if you so desire. For …

PhilliePhan 171 Central Scrutinizer Team Colleague

What do you think of AVIRA anti-virus? It takes a long time to scan!

Avira AntiVir PersonalEdition Classic? - It's pretty solid and holds up well against competition. Especially for a free product!

Also, scan time will depend on a number of different variables. I do not mind long scans as long as 1- they finish, 2- they are thorough and 3- they catch what they are supposed to catch! Frankly, I am more concerned with "real-time" scanning and an AV product not letting baddies onto my compy in the first place...

--- You'll find that the free options in my linky are much less bloated than their commercial counterparts and use fewer system resources.
However, some of the better "security suites" will attempt to offer rootkit protection, and the like - this might be a factor you'd want to consider as well.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey thanks for all your help I still can't shake msn from taking over my home page. This is the default url under internet options:

http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

It won't allow you the switch that from the default? What happens if you go into Internet Options right now and try to select "use current" (this page) as your homepage?

Let's take a closer look at what's going on here:

Please go to this link and follow the instructions to scan with WinPFind by OldTimer.

Please submit the WinPFind Log for me.


-- Also, is there a reason you don't want to run an Anti-virus app?


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Besides Windows DEFENDER, how many other anti-spyware programs (e.g. Freebies) do you recommend sensibly installing on a notebook? Am I right that too many can cause conflicts and/or reduce operating speed? Which ones do you suggest? (I am running XP Pro SP2)

You can get by just fine with a good AV and Firewall, plus Windows Defender (enable the real-time protections) and Spyware Blaster. Just be sure to update the definitions for all your tools regularly!
The same for your Windows Updates - they are your first line of defense...

Also, using an alternative browser such as Firefox is a good idea. And, of course, employing safe browsing habits!

Have a look at my Linky below.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

GOTCHA. The uninstall list came up with a couple of curious names I didn't recognise, one of which was "mvi". I uninstalled this and *gone*.

Great! Happy to hear it :)

You can also dump J2SE Runtime Environment 5.0 Update 3 and install the latest update.

Java Runtime Environment (JRE) 6

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

sorry, didn't see that (never used HJT before)

No worries - It was a good suggestion! :)

And, if you hadn't gotten me thinking about it, I'd probably never have placed that questionable driver with Spyware Doctor......

PP :)

jbennet commented: nice +4
PhilliePhan 171 Central Scrutinizer Team Colleague

oh right, ok.
Thanks very much for all the help again.
Much appreciated

You're welcome!

Happy New Year :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here it is

Yup - It looks like it merged just fine :)

You can see the differences between the two peek.txt logs.

Also, if you take fixxshort.reg and change the extension to fixxshort.txt and open it, it will match the second log exactly.

PP :)

jshtylr commented: Helped me a lot in fixing my problems +1
PhilliePhan 171 Central Scrutinizer Team Colleague

Anyway, thanks for all the help you've given me

Happy to try to help :)

That's odd - that should just merge right in. Perhaps it did.
-- If you like, you can give me a fresh peekaboo log and we can see if it merged successfully.

At any rate, all's well that ends well . . .

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

mchInjDrv: \??\C:\WINDOWS\TEMP\mc22.tmp (disabled)---> this is related to a nasty backdoor trojan with keylogging capabilities. Probably no longer active, but you may want to investigate further.

LOL! :)

That last post jogged my memory . . . . mc22.tmp may very well be a driver related to the Spyware Doctor component of Spy Sweeper.

Good grief! How do they expect us to keep track of the good and the bad.....


PP :)