Hi there, HELP, I Have problems.

Discussion in 'Windows - Virus and spyware problems' started by UAAS, Aug 11, 2006.

  1. UAAS

    UAAS Member

    Joined:
    Aug 7, 2006
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    11
    Hi friends,
    I think I have a lot of problems, since my PC is always hanging and pop-ups are popping up everywhere, and my browser gets redirected to unwanted sites. This is a report by HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 01:34:15 ص, on 12/08/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\ewido anti-spyware 4.0\guard.exe
    D:\WINDOWS\System32\inetsrv\inetinfo.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\tcpsvcs.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\WINDOWS\System32\snmp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    D:\WINDOWS\System32\WFXSVC.EXE
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\mqsvc.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\WINDOWS\System32\mqtgsvc.exe
    D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    D:\WINDOWS\explorer.exe
    D:\WINDOWS\System32\ishost.exe
    D:\WINDOWS\System32\ismon.exe
    D:\WINDOWS\System32\issearch.exe
    D:\WINDOWS\System32\isnotify.exe
    D:\WINDOWS\System32\rundll32.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    H:\Bilal CDs\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - D:\WINDOWS\System32\ixt0.dll
    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - D:\Program Files\Safety Bar\Safety Bar.dll (file missing)
    O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [SpyBlocs] "C:\Program Files\SpyBlocs\SpyBlocs.exe"
    O4 - HKLM\..\Run: [c7a318cf.exe] D:\WINDOWS\System32\c7a318cf.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [c7a318cf.exe] "D:\Documents and Settings\UAAS\Local Settings\Application Data\c7a318cf.exe"
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Bilal.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125147223888
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
    O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
    O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - D:\WINDOWS\System32\urroxtl.dll (file missing)
    O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE



    Please, can anyone help me get my PC OK???!!!
    Uaas
     
  2. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    You're quite infected

    Download SmitfraudFix (by S!Ri): http://www.geekstogo.com/modules.php?modid=5&action=download&id=80
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.
     
    Last edited: Aug 11, 2006
  3. UAAS

    Hi Maca1,
    After I posted my HijackThis report, I read about SmitfraudFix and executed it last night with option 2 'clean'. Anyway, here is the report, as of now, of this program:
    SmitFraudFix v2.79

    Scan done at 23:13:00.51, Sat 08/12/2006
    Run from D:\Documents and Settings\UAAS\Desktop\smitfraudfix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» D:\


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\UAAS\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\UAAS\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    and here is a new HiJackThis report, in case it could help:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:17:49 م, on 12/08/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\ewido anti-spyware 4.0\guard.exe
    D:\WINDOWS\System32\inetsrv\inetinfo.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\tcpsvcs.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\WINDOWS\System32\snmp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\WINDOWS\System32\WFXSVC.EXE
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\mqsvc.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    D:\WINDOWS\System32\mqtgsvc.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    D:\WINDOWS\System32\SYSWB6.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\WINDOWS\System32\Winkb6.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\WINDOWS\NOTEPAD.EXE
    D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    D:\WINDOWS\TEMP\win1F9.tmp.exe
    H:\Bilal CDs\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    O1 - Hosts: 204.244.184.143 SafeWeb.com
    O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [SpyBlocs] "C:\Program Files\SpyBlocs\SpyBlocs.exe"
    O4 - HKLM\..\Run: [SYSWB6] SYSWB6
    O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Bilal.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125147223888
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
    O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
    O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

    and this is all,
    awaiting your response,
    uaas
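
Added example, not part of any post in this thread: comparing two HijackThis logs entry by entry shows what appeared and what dropped out between scans, here on a few lines excerpted from the two logs posted above. The function names and review tags are this example's own, and the parser expects one entry per line (Notepad word wrap off).

```python
import re

# Constructed sample input: a handful of lines excerpted from the first and
# second HijackThis logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\System32\ishost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - D:\WINDOWS\System32\ixt0.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [c7a318cf.exe] D:\WINDOWS\System32\c7a318cf.exe
O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\System32\SYSWB6.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# An entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the running-process paths do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([RNFO]\d{1,2})\s+-\s+(.*\S)\s*$")
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)\b")


def parse_entries(log_text):
    """Return the log's entries as (section, detail) tuples, in order, without duplicates."""
    seen = {}
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            seen[(match.group(1), match.group(2))] = None
    return list(seen)


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare lowercased.
    return (entry[0], entry[1].lower())


def diff_logs(before_text, after_text):
    """Return (added, removed): entries only in the later log, entries only in the earlier one."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    added = [e for e in after if _key(e) not in before_keys]
    removed = [e for e in before if _key(e) not in after_keys]
    return added, removed


def review_tags(entry):
    """Tags that mark an entry for a human look; they are not a verdict (hypothetical tag names)."""
    section, detail = entry
    low = detail.lower()
    tags = []
    if low.endswith("(file missing)"):
        tags.append("file-missing")        # HijackThis's own note: target file is gone
    if section == "O23" and "unknown owner" in low:
        tags.append("unknown-owner")       # service binary carries no company name
    if section.startswith("R") and "proxyserver" in low and LOOPBACK_RE.search(low):
        tags.append("loopback-proxy")      # browser traffic routed through a local process
    if section == "O1":
        tags.append("hosts-override")      # hosts file pins a name to an address
    return tags


def report(before_text, after_text):
    """Build a short text report of the differences between two scans."""
    added, removed = diff_logs(before_text, after_text)
    lines = []
    for label, entries in (("NEW", added), ("GONE", removed)):
        for entry in entries:
            tags = ",".join(review_tags(entry)) or "-"
            lines.append(f"{label:4} [{tags}] {entry[0]} - {entry[1]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE, LOG_AFTER))
```

An entry listed as GONE only means it no longer appears in the later log; the file it pointed to may still be on disk.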
     
  4. UAAS

    And now, a new symptom:
    The PC hung up the internet dial-up connection and dialed a new number, which I don't know, but luckily the telecom company didn't respond to this number.

    just in case it helps,

    uaas
     
  5. maca1

    SmitfraudFix did its job, so we'll move on.


    * Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    * Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    * Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    * Ewido will now begin the scanning process. Be patient; this may take a little time.
    Once the scan is complete do the following:
    * If you have any infections you will be prompted, then select "Apply all actions"
    * Next select the "Reports" icon at the top.
    * Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    * Close Ewido and reboot your system back into Normal Mode.

    Post a new HijackThis and the ewido log
     
    Last edited: Aug 12, 2006
  6. UAAS

    Hi there,
    Well, after I did as you told me, I still have the problem of a dialer that hangs up the connection and dials a number, for which I disconnect the cable. This is the HijackThis and the ewido report:
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 07:41:38 ص 14/08/2006

    + Scan result:



    D:\Program Files\Next\Farah\Farahjo.exe -> Heuristic.Win32.Dialer : Cleaned.
    D:\Documents and Settings\UAAS\Local Settings\Temporary Internet Files\Content.IE5\63APE98F\bgates[1].exe -> Trojan.Dialer.pz : Cleaned.
    D:\WINDOWS\Temp\win34D.tmp.exe -> Trojan.Dialer.pz : Cleaned.


    ::Report end

    Logfile of HijackThis v1.99.1
    Scan saved at 05:58:39 م, on 14/08/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\ewido anti-spyware 4.0\guard.exe
    D:\WINDOWS\System32\inetsrv\inetinfo.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\tcpsvcs.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\WINDOWS\System32\snmp.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    D:\WINDOWS\System32\WFXSVC.EXE
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    D:\WINDOWS\System32\mqsvc.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\WINDOWS\System32\mqtgsvc.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    H:\Bilal CDs\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [SpyBlocs] "C:\Program Files\SpyBlocs\SpyBlocs.exe"
    O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Bilal.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125147223888
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.5
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
    O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
    O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

    awaiting your response,
    uaas
     
  7. maca1

    Download Webroot SpySweeper.
    http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

    (It's a 2 week trial.)

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
        o Sweep Memory
        o Sweep Registry
        o Sweep Cookies
        o Sweep All User Accounts
        o Enable Direct Disk Sweeping
        o Sweep Contents of Compressed Files
        o Sweep for Rootkits

        o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.

    Also post a new HijackThis log, but make sure when the HijackThis log opens in Notepad that you have word wrap selected.
     
    Last edited: Aug 14, 2006
  8. UAAS

    Hi there,
    Well, after around 6 hours of scanning, Spy Sweeper detected 25 threats and over 72 traces, but it couldn't continue; it only asked to subscribe now or later, and I couldn't save the report of its scan!
    What can I do instead?

    uaas
     
  9. maca1

    Click here to download ATF Cleaner by Atribune and save it to your desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
        o If you use Firefox:
            + Click Firefox at the top and choose: Select All
            + Click the Empty Selected button.
            + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        o If you use Opera:
            + Click Opera at the top and choose: Select All
            + Click the Empty Selected button.
            + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * Click Exit on the Main menu to close the program.


    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm
    When the scan is finished, save the results from the scan!

    Come back here and post a new Hijack This log along with the report from the Panda scan.
     
  10. UAAS

    Hi again,
    Now I had the problem that my iexplorer couldn't open the "Major Geeks" page of ATF Cleaner. I could open the main site, but whenever I tried to get redirected to the ATF Cleaner download, the explorer said that it "can't open" the site!
    So, do you have another source for ATF Cleaner?

    uaas
     
  11. maca1

  12. UAAS

    Hi,
    First of all, a friend passed me the serial number of ewido, and I entered it, and then I performed a full scan and it returned the following report:
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 09:42:48 م 17/08/2006

    + Scan result:



    D:\Program Files\Next\Farah\Farahjo.exe -> Heuristic.Win32.Dialer : Ignored and added to exceptions
    D:\Documents and Settings\UAAS\Local Settings\Temporary Internet Files\Content.IE5\2XUFMVAX\bgates[1].exe -> Trojan.Dialer.pz : Cleaned.


    ::Report end

    Then I performed the ATF Cleaner and it did not generate any report, but it did its work;
    Then I performed the Panda Active Scan, and it generated the following report:


    Incident                      Status           Location

    Adware:adware/commad          Not disinfected  d:\windows\system32\atmtd.dll
    Dialer:dialer.bny             Not disinfected  d:\windows\pcconfig.dat
    Adware:adware/bravesentry     Not disinfected  d:\windows\wallpap.exe
    Adware:adware/ist.istbar      Not disinfected  d:\program files\common files\Totem Shared
    Adware:adware/look2me         Not disinfected  Windows Registry
    Adware:adware/savenow         Not disinfected  Windows Registry
    Adware:adware/sidesearch      Not disinfected  Windows Registry
    Adware:adware/dollarrevenue   Not disinfected  Windows Registry
    Dialer:dialer.yc              Not disinfected  hkey_local_machine\software\microsoft\windows\currentversion\shareddlls\D:\WINDOWS\Downloaded Program Files\UniDist.ocx
    Spyware:Spyware/BetterInet    Not disinfected  C:\_RESTORE\TEMP\A0002152.CPY

    and this is the new Hijackthis report:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:53:00 م, on 17/08/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\ewido anti-spyware 4.0\guard.exe
    D:\WINDOWS\System32\inetsrv\inetinfo.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\tcpsvcs.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\WINDOWS\System32\snmp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\WINDOWS\System32\WFXSVC.EXE
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\mqsvc.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\WINDOWS\System32\mqtgsvc.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    D:\WINDOWS\System32\svchost.exe
    D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    H:\Bilal CDs\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Bilal.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125147223888
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
    O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
    O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

    well, what do you think now?

    uaas
     
  13. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    DownLoad http://www.downloads.subratam.org/KillBox.zip

    You may want to copy these instructions as you'll be going into safe mode soon.

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    rescan and check these

    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O4 - Global Startup: Bilal.lnk = ?
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
    O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
    O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
    O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)


    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.

    d:\windows\system32\atmtd.dll

    d:\windows\pcconfig.dat

    d:\windows\wallpap.exe

    D:\WINDOWS\Downloaded Program Files\UniDist.ocx

    D:\WINDOWS\SYSTEM32\winfvy32.dll

    D:\Program Files\ToolBar888





    post a new hijackthis log

    now what happened with spysweeper?
    and what's this D:\Program Files\Next\Farah\Farahjo.exe ?
     
    Last edited: Aug 17, 2006
  14. UAAS

    UAAS Member

    Joined:
    Aug 7, 2006
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    11
    Hi,

    First when I go to safemode, "scan and Check" with which program??

    and about Farah, it is a dialer provided by my ISP, it makes the connection through a number of phone numbers, and it saves my username and password so I don't have to type it each time I connect.

    uaas
     
  15. UAAS

    UAAS Member

    Joined:
    Aug 7, 2006
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    11
    About Spy sweeper,
    It is still there, I got the serial number but I couldn't get it to open the subscribe page, so when it scans the HD, it can't quarantine or clean the files, but its shield is still working, that's why I keep it.
    uaas
     
  16. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    Scan and check with HijackThis. Did you not download the trial of Spy Sweeper I asked about? It scans and cleans.
     
    Last edited: Aug 18, 2006
  17. UAAS

    UAAS Member

    Joined:
    Aug 7, 2006
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    11
    Hi,
    This is the HiJackThis report after the Checking and the KillBox,
    by the way, I didn't check the line about Bilal.lnk since it is a Muslim Prayer times reminder (I am Muslim).
    the report is :
    Logfile of HijackThis v1.99.1
    Scan saved at 07:33:34 م, on 18/08/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\ewido anti-spyware 4.0\guard.exe
    D:\WINDOWS\System32\inetsrv\inetinfo.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\tcpsvcs.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\WINDOWS\System32\snmp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\WFXSVC.EXE
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\mqsvc.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\WINDOWS\System32\mqtgsvc.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    H:\Bilal CDs\HijackThis_v1.99.1.exe
    D:\Program Files\Real\RealOne Player\RealPlay.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Bilal.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125147223888
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.5
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

    About Spy Sweeper, I downloaded it some time ago, the same version, and it timed out, no more cleaning until registered, and I managed to get the serial number, but the program does not respond when I click on "subscribe".

    awaiting your response,
    uaas
     
  18. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    The rest of your log looks okay, are you still having problems?

     
    Last edited: Aug 18, 2006
  19. UAAS

    UAAS Member

    Joined:
    Aug 7, 2006
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    11
    Hi,
    not yet, thank god, but just in case I will show you a newer HijackThis report:
    Logfile of HijackThis v1.99.1
    Scan saved at 08:29:44 م, on 19/08/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\ewido anti-spyware 4.0\guard.exe
    D:\WINDOWS\System32\inetsrv\inetinfo.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\WINDOWS\System32\tcpsvcs.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\WINDOWS\System32\snmp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\WFXSVC.EXE
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\mqsvc.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\WINDOWS\System32\mqtgsvc.exe
    D:\Program Files\Real\RealOne Player\RealPlay.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
    D:\WINDOWS\System32\wuauclt.exe
    H:\Bilal CDs\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HijackThis startup scan] H:\Bilal CDs\HijackThis.exe /startupscan
    O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125147223888
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
    O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

    How could I get my PC go Faster??
    and what combination of Anti-Virus, Anti-Spyware, Anti-... etc, do you think I should have to keep my PC clean? Or are there any specific parameters to alter in order to keep it clean?

    uaas
     
  20. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    missed something

    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find Command Service (cmdService)
    Right click and choose "Properties". On the "General" tab under "Service
    Status" click the "Stop" button to stop the service. Beside "Startup Type"
    in the dropdown menu select "Disabled". Click Apply then OK. Exit the
    Services utility.

    Note: You may get an error here when trying to access the properties of the
    service. If you do get an error, just select the service and look there in
    the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.



    Check these

    O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll

    O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)



    we can talk about programs then
     
    Last edited: Aug 19, 2006
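
Added example (not part of any post in this thread, and not HijackThis's own code): a small Python parser for the HijackThis entry lines quoted above. It reports which entries from a fix list still show up in a later scan, and which entries carry the "(file missing)" or "Unknown owner" markers. The sample lines are excerpts copied from posts 13 and 17; the function names are this example's own.

```python
import re

# An entry line is "<section code> - <body>", e.g. "O23 - Service: ...".
# Header lines and the "Running processes" paths do not match this pattern.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

# Excerpt of the fix list from post 13 (copied from the thread).
FIX_LIST = r"""
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - Global Startup: Bilal.lnk = ?
O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
"""

# Excerpt of the follow-up scan from post 17 (copied from the thread).
LATER_SCAN = r"""
Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O4 - Global Startup: Bilal.lnk = ?
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
"""


def parse_entries(log_text):
    """Return (section, body) for every entry line; skip everything else."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def normalise(entry):
    """Collapse whitespace and case so the same entry compares equal
    across scans (Windows paths are case-insensitive)."""
    section, body = entry
    return (section, " ".join(body.split()).lower())


def persisting(fix_list_text, later_log_text):
    """Entries from the fix list that are still present in a later scan."""
    later = {normalise(e) for e in parse_entries(later_log_text)}
    return [e for e in parse_entries(fix_list_text) if normalise(e) in later]


def triage(log_text):
    """Flag entries by two markers that HijackThis itself prints.
    A flag is a prompt for review, not a verdict on the entry."""
    flagged = []
    for section, body in parse_entries(log_text):
        reasons = []
        if body.endswith("(file missing)"):
            reasons.append("file missing")
        if section == "O23" and " - Unknown owner - " in body:
            reasons.append("unknown owner")
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    print("Still present after the fix:")
    for section, body in persisting(FIX_LIST, LATER_SCAN):
        print(f"  {section} - {body}")
    print("Flagged for review in the later scan:")
    for section, body, reasons in triage(LATER_SCAN):
        print(f"  {section} - {body}  [{', '.join(reasons)}]")
```

On these excerpts the persisting entries are Bilal.lnk (which UAAS says was left in place on purpose), winfvy32 and cmdService; the last two are the ones post 20 returns to.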
