AfterDawn Forums > Windows - Virus and spyware problems
Hi there, HELP, I Have problems.

UAAS (Newbie), 11. August 2006 @ 14:58
Hi friends,
I think I have a lot of problems, since my PC is always hanging and pop-ups are popping up everywhere, and my browser gets redirected to unwanted sites. This is a report by HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 01:34:15 ص, on 12/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\System32\WFXSVC.EXE
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\mqsvc.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\mqtgsvc.exe
D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\System32\ishost.exe
D:\WINDOWS\System32\ismon.exe
D:\WINDOWS\System32\issearch.exe
D:\WINDOWS\System32\isnotify.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
H:\Bilal CDs\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - D:\WINDOWS\System32\ixt0.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - D:\Program Files\Safety Bar\Safety Bar.dll (file missing)
O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SpyBlocs] "C:\Program Files\SpyBlocs\SpyBlocs.exe"
O4 - HKLM\..\Run: [c7a318cf.exe] D:\WINDOWS\System32\c7a318cf.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [c7a318cf.exe] "D:\Documents and Settings\UAAS\Local Settings\Application Data\c7a318cf.exe"
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Bilal.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - D:\WINDOWS\System32\urroxtl.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE



please, can anyone help me get my PC OK ???!!!
Uaas

maca1 (Senior Member), 11. August 2006 @ 15:15
You're quite infected

Download SmitfraudFix (by S!Ri): http://www.geekstogo.com/modules.php?modid=5&action=download&id=80
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.



UAAS (Newbie), 12. August 2006 @ 12:20
Hi Maca1,
After I posted my HijackThis report, I read about SmitfraudFix and executed it last night with option 2 'Clean'. Anyway, here is the report of this program as of now:
SmitFraudFix v2.79

Scan done at 23:13:00.51, Sat 08/12/2006
Run from D:\Documents and Settings\UAAS\Desktop\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\UAAS\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\UAAS\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

and here is a new HijackThis report, in case it could help:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:49 م, on 12/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\WFXSVC.EXE
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\mqsvc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\WINDOWS\System32\mqtgsvc.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\System32\SYSWB6.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\Winkb6.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\NOTEPAD.EXE
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
D:\WINDOWS\TEMP\win1F9.tmp.exe
H:\Bilal CDs\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SpyBlocs] "C:\Program Files\SpyBlocs\SpyBlocs.exe"
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Bilal.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

and this is all,
awaiting your response,
uaas
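The two logs above are what a helper compares by hand: entries that vanished after SmitfraudFix (the unnamed BHO ixt0.dll, the c7a318cf.exe autoruns, the O17 name servers) and entries that appeared (the ProxyServer = http=127.0.0.1:6711 setting, the O1 hosts lines, the bare SYSWB6 autorun). As an added example that is not part of this thread and not a feature of HijackThis, the Python script below parses a v1.99.1 log, flags the entry classes such threads treat as suspicious, and diffs two logs from the same machine. The rules, regexes and the KNOWN_NOTIFY allowlist are assumptions chosen for illustration; the sample input is excerpted from the first two logs in this thread.

```python
"""Triage and diff HijackThis v1.99.1 logs (added example, not part of the thread).

Every rule below is an illustrative assumption, not an official ruleset.
"""
import re

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
KNOWN_NOTIFY = {"WRNotifier"}  # assumed allowlist; Webroot Spy Sweeper's logon hook
MS_DPF_RE = re.compile(r"https?://[\w.-]*\.microsoft\.com/", re.I)
LOCAL_PROXY_RE = re.compile(r"ProxyServer\s*=\s*\S*127\.0\.0\.1", re.I)
HEX_NAME_RE = re.compile(r"\[[0-9a-f]{8}\.exe\]", re.I)
PROFILE_DIR_RE = re.compile(r"\\(Local Settings|Temp)\\", re.I)
O4_VALUE_RE = re.compile(r'^[^:]*: \[[^\]]*\]\s*"?([^"\s]+)')


def parse_log(text):
    """Return (section, body) tuples for every R/O line, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def reasons_for(section, body):
    """List why one entry deserves a second look (empty if it does not)."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry: target file is gone")
    if section == "R1" and LOCAL_PROXY_RE.search(body):
        reasons.append("browser traffic proxied through a local listener")
    if section == "O1":
        reasons.append("hosts-file redirection")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object without a name")
    if section == "O4":
        m = O4_VALUE_RE.match(body)
        value = m.group(1) if m else ""
        if HEX_NAME_RE.search(body) or PROFILE_DIR_RE.search(body):
            reasons.append("autorun with random name or from profile/temp dir")
        elif value and "\\" not in value and "." not in value:
            reasons.append("autorun with bare name (no path, no extension)")
    if section == "O16" and not MS_DPF_RE.search(body):
        reasons.append("ActiveX download from a non-Microsoft site")
    if section == "O17":
        reasons.append("DNS servers set in registry; confirm they are the ISP's")
    if section == "O20":
        hook = body.partition(":")[2].split(" - ")[0].strip()
        if hook not in KNOWN_NOTIFY:
            reasons.append("Winlogon Notify hook from an unrecognized DLL")
    if section == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry; rarely legitimate")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor name")
    return reasons


def triage(text):
    """Map each flagged entry line to its reasons, in log order."""
    flagged = {}
    for section, body in parse_log(text):
        reasons = reasons_for(section, body)
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged


def diff_logs(old_text, new_text):
    """Return (added, removed) entry lines between two logs of one machine."""
    old = {f"{s} - {b}" for s, b in parse_log(old_text)}
    new = {f"{s} - {b}" for s, b in parse_log(new_text)}
    return sorted(new - old), sorted(old - new)


# Sample input: excerpts of the first two logs posted in this thread.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - D:\WINDOWS\System32\ixt0.dll
O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
O4 - HKLM\..\Run: [c7a318cf.exe] D:\WINDOWS\System32\c7a318cf.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
"""

if __name__ == "__main__":
    for line, why in triage(LOG_AFTER).items():
        print(line, "->", "; ".join(why))
    print(*diff_logs(LOG_BEFORE, LOG_AFTER), sep="\n")
```

Run as a script it prints the flagged entries of the second log and the added/removed lines between the two. Note what the rules do not catch: the DialerDetect autorun for Farahjo.exe looks like any vendor program, so it is neither flagged nor in the diff, and the O17 name servers are flagged only for confirmation, because a log cannot tell an ISP's resolver from a hijacked one. A clean triage output is a starting point for the helper's questions, not a clean machine.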

UAAS (Newbie), 12. August 2006 @ 12:23
And now, a new symptom:
the PC hung up the internet dial-up connection and dialed a new number, which I don't know, but luckily the telecom company didn't respond to this number.

just in case it helps,

uaas

maca1 (Senior Member), 12. August 2006 @ 12:51
SmitfraudFix did its job, so we'll move on.


* Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
* Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
* Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
* Ewido will now begin the scanning process. Be patient this may take a little time.
Once the scan is complete do the following:
* If you have any infections you will be prompted; then select "Apply all actions"
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
* Close Ewido and reboot your system back into Normal Mode.

Post a new HijackThis and the ewido log



UAAS (Newbie), 14. August 2006 @ 07:06
Hi there,
Well, after I did as you told me, I still have the problem of a dialer that hangs up the connection and dials a number, for which I disconnect the cable. Well, here are the HijackThis and the Ewido reports:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 07:41:38 ص 14/08/2006

+ Scan result:



D:\Program Files\Next\Farah\Farahjo.exe -> Heuristic.Win32.Dialer : Cleaned.
D:\Documents and Settings\UAAS\Local Settings\Temporary Internet Files\Content.IE5\63APE98F\bgates[1].exe -> Trojan.Dialer.pz : Cleaned.
D:\WINDOWS\Temp\win34D.tmp.exe -> Trojan.Dialer.pz : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 05:58:39 م, on 14/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
D:\WINDOWS\System32\WFXSVC.EXE
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\System32\mqsvc.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\mqtgsvc.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
H:\Bilal CDs\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SpyBlocs] "C:\Program Files\SpyBlocs\SpyBlocs.exe"
O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Bilal.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125147223888
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.5
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

awaiting your response,
uaas

maca1 (Senior Member), 14. August 2006 @ 07:36
Download Webroot SpySweeper:
http://www.webroot.com/consumer/products/spysweeper/index.html?ac...

(It's a 2 week trial.)

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new HijackThis log, but make sure that when the HijackThis log opens in Notepad you have Word Wrap selected.



UAAS (Newbie), 15. August 2006 @ 11:59
Hi there,
Well, after around 6 hours of scanning, Spy Sweeper detected 25 threats and over 72 traces, but it couldn't continue; it only asked to subscribe now or later, and I couldn't save the report of its scan!
What can I do instead??

uaas

maca1 (Senior Member), 15. August 2006 @ 17:33
Click here to download ATF Cleaner by Atribune and save it to your desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html


* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.


Run ActiveScan online virus scan:
http://www.pandasoftware.com/products/activescan.htm
When the scan is finished, save the results from the scan!

Come back here and post a new Hijack This log along with the report from the Panda scan.

UAAS (Newbie), 17. August 2006 @ 03:17
Hi again,
Now I had the problem that my Internet Explorer couldn't open the "Major Geeks" page of ATF Cleaner; although I could open the main site, whenever I tried to get redirected to the ATF Cleaner download, Explorer said that it "can't open" the site!!
So, do you have another source for ATF Cleaner ??

uaas

maca1 (Senior Member), 17. August 2006 @ 06:08

UAAS (Newbie), 17. August 2006 @ 12:58
Hi,
First of all, a friend passed me the serial number of Ewido and I entered it; then I performed a full scan and it returned the following report:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 09:42:48 م 17/08/2006

+ Scan result:



D:\Program Files\Next\Farah\Farahjo.exe -> Heuristic.Win32.Dialer : Ignored and added to exceptions
D:\Documents and Settings\UAAS\Local Settings\Temporary Internet Files\Content.IE5\2XUFMVAX\bgates[1].exe -> Trojan.Dialer.pz : Cleaned.


::Report end

Then I ran ATF Cleaner; it did not generate any report, but it did its work.
Then I ran the Panda ActiveScan, and it generated the following report:


Incident Status Location

Adware:adware/commad Not disinfected d:\windows\system32\atmtd.dll
Dialer:dialer.bny Not disinfected d:\windows\pcconfig.dat
Adware:adware/bravesentry Not disinfected d:\windows\wallpap.exe
Adware:adware/ist.istbar Not disinfected d:\program files\common files\Totem Shared
Adware:adware/look2me Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Adware:adware/dollarrevenue Not disinfected Windows Registry
Dialer:dialer.yc Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\shareddlls\D:\WINDOWS\Downloaded Program Files\UniDist.ocx
Spyware:Spyware/BetterInet Not disinfected C:\_RESTORE\TEMP\A0002152.CPY
And this is the new HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 11:53:00 م, on 17/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\WFXSVC.EXE
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\mqsvc.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\mqtgsvc.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
H:\Bilal CDs\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Bilal.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

well, what do you think now?

uaas
maca1
Senior Member
17. August 2006 @ 14:45
DownLoad http://www.downloads.subratam.org/KillBox.zip

You may want to copy these instructions as you'll be going into safe mode soon.

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

rescan and check these

O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - Global Startup: Bilal.lnk = ?
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
O20 - Winlogon Notify: SMDEn - D:\WINDOWS\system32\fpnm0351e.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\wsps2.dll (file missing)
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

d:\windows\system32\atmtd.dll

d:\windows\pcconfig.dat

d:\windows\wallpap.exe

D:\WINDOWS\Downloaded Program Files\UniDist.ocx

D:\WINDOWS\SYSTEM32\winfvy32.dll

D:\Program Files\ToolBar888

Post a new HijackThis log.

Now, what happened with Spy Sweeper?
And what's this D:\Program Files\Next\Farah\Farahjo.exe?

This message has been edited since posting. Last time this message was edited on 17. August 2006 @ 14:47
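A small triage helper, added here as an example (it is not part of this thread and not a HijackThis feature): it parses HijackThis v1.99.1 entry lines and flags the same categories maca1 asks to have checked above, namely entries whose file is missing, services with an unknown owner, Winlogon Notify DLLs, O16 ActiveX downloads from hosts outside an assumed allow-list, and DNS/proxy overrides. The allow-list of trusted O16 hosts is an assumption; the sample log is a subset of entry lines from the 17 August log above.

```python
"""Triage helper for HijackThis v1.99.1 logs.

Added example, not part of this thread or of HijackThis: it parses the
"O23 - Service: ..." style entry lines and flags the categories maca1
asks UAAS to check (entries whose file is missing, services with an
unknown owner, Winlogon Notify DLLs, ActiveX downloads from unexpected
hosts, DNS and proxy overrides).
"""
import re
from collections import Counter
from dataclasses import dataclass

# HijackThis entry lines look like "O23 - Service: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

# Assumed allow-list for O16 (Downloaded Program Files) hosts on this machine.
# Anything else is reported for manual review, as maca1 did with the
# promo.dollarrevenue.com entry.
TRUSTED_DPF_HOSTS = frozenset({"update.microsoft.com", "acs.pandasoftware.com"})


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the line deserves a look
    line: str      # the raw log line


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each HijackThis entry line."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("sec"), m.group("body"), raw


def dpf_host(body):
    """Extract the download host from an O16 body ('DPF: {guid} (name) - URL')."""
    url = body.rsplit(" - ", 1)[-1]
    return re.sub(r"^https?://", "", url).split("/", 1)[0].lower()


def classify(section, body):
    """Return a reason string when the entry merits review, else None.

    Checks are ordered by how conclusive they are: an orphaned entry whose
    file is gone is the clearest case and is reported first.
    """
    if "(file missing)" in body:
        return "file missing: orphaned entry left behind by removed software"
    if section == "O23" and "Unknown owner" in body:
        return "service with no publisher: verify the binary before trusting it"
    if section == "O20":
        return "Winlogon Notify DLL loads at every logon: verify the publisher"
    if section == "O16" and dpf_host(body) not in TRUSTED_DPF_HOSTS:
        return f"ActiveX control downloaded from untrusted host {dpf_host(body)}"
    if section == "O17":
        return "DNS NameServer override: confirm these are the ISP's resolvers"
    if section == "R1" and "ProxyServer" in body:
        return "IE proxy set: confirm which installed program listens there"
    return None


def triage(log_text):
    """Return the list of Findings for a whole HijackThis log."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        reason = classify(section, body)
        if reason:
            findings.append(Finding(section, reason, raw))
    return findings


def section_counts(findings):
    """Count findings per section code, e.g. {'O20': 2, 'O23': 1}."""
    return dict(Counter(f.section for f in findings))


# Sample input: a subset of the entry lines from the 17 August log in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - D:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activex/promocache/3631382D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(section_counts(results))
```

Only the entries the helper flagged in the thread come out; the Microsoft Update control and the NVIDIA service, which maca1 left alone, produce no finding.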

UAAS
Newbie
17. August 2006 @ 23:15
Hi,

First, when I go to safe mode, "scan and check" with which program?

and about Farah, it is a dialer provided by my ISP, it makes the connection through a number of phone numbers, and it saves my username and password so I don't have to type it each time I connect.

uaas
UAAS
Newbie
17. August 2006 @ 23:18
About Spy Sweeper,
It's still there. I got the serial number but I couldn't get it to open the subscribe page, so when it scans the HD it can't quarantine or clean the files, but its shield is still working; that's why I keep it.
uaas
maca1
Senior Member
18. August 2006 @ 03:32
Scan and check with HijackThis. Did you not download the trial of Spy Sweeper I asked for? It scans and cleans.

This message has been edited since posting. Last time this message was edited on 18. August 2006 @ 03:48

UAAS
Newbie
18. August 2006 @ 08:43
Hi,
This is the HijackThis report after the checking and the KillBox.
By the way, I didn't check the line about Bilal.lnk since it is a Muslim prayer times reminder (I am Muslim).
The report is:
Logfile of HijackThis v1.99.1
Scan saved at 07:33:34 م, on 18/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\WFXSVC.EXE
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\mqsvc.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\mqtgsvc.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
H:\Bilal CDs\HijackThis_v1.99.1.exe
D:\Program Files\Real\RealOne Player\RealPlay.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [DialerDetect] D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Bilal.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.5
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

About Spy Sweeper, I downloaded it some time ago, the same version, and it timed out: no more cleaning until registered. I managed to get the serial number, but the program does not respond when I click on "subscribe".

awaiting your response,
uaas
maca1
Senior Member
18. August 2006 @ 09:54
The rest of your log looks okay. Are you still having problems?

This message has been edited since posting. Last time this message was edited on 18. August 2006 @ 09:55

UAAS
Newbie
19. August 2006 @ 09:36
Hi,
Not yet, thank God, but just in case I will show you a newer HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 08:29:44 م, on 19/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\WFXSVC.EXE
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\mqsvc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\mqtgsvc.exe
D:\Program Files\Real\RealOne Player\RealPlay.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
D:\WINDOWS\System32\wuauclt.exe
H:\Bilal CDs\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] H:\Bilal CDs\HijackThis.exe /startupscan
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

How could I get my PC to go faster?
And what combination of anti-virus, anti-spyware, anti-... etc. do you think I should have to keep my PC clean? Or are there any specific parameters to alter in order to keep it clean?

uaas
maca1
Senior Member
19. August 2006 @ 09:51
Missed something.

Click Start > Run > and type in:

services.msc

Click OK.

In the Services window find Command Service (cmdService). Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main Services window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.



Check these

O20 - Winlogon Notify: winfvy32 - D:\WINDOWS\SYSTEM32\winfvy32.dll

O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)



We can talk about programs then.

This message has been edited since posting. Last time this message was edited on 19. August 2006 @ 09:53

UAAS
Newbie
20. August 2006 @ 03:36
Hi again,
I have done what you asked, but in HijackThis, I couldn't find the line
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\VUFBUw\command.exe (file missing)

and here is a new HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 02:30:46 م, on 20/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\WFXSVC.EXE
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\mqsvc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\mqtgsvc.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\IncrediMail\bin\IncrediMail.exe
D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
D:\Program Files\Real\RealOne Player\RealPlay.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
H:\Bilal CDs\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] H:\Bilal CDs\HijackThis.exe /startupscan
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.5
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

So, am I clear now?

uaas
UAAS
Newbie
20. August 2006 @ 04:48
Hi,
By the way, ewido is still detecting "trojan.dialer.qy" in files that are in "D:\windows\temp\ " and the name is "idd***.tmp.exe" where *** are wildcards.
So how can we get rid of this dialer?
uaas
maca1
Senior Member
20. August 2006 @ 06:54
That line is stopped already.

Is your copy of Windows illegal? Because you should be on Service Pack 2 by now. It's a necessity really to prevent you from being infected.
I should have said it sooner actually; it makes this kind of pointless because you'll keep getting reinfected, but I still didn't expect it to go on this long.

If yours is not illegal, get Service Pack 1 here and install it.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0136e5f8... This will patch insecurities.

The dialer is in your temp files.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the D:\Windows\Temp folder or D:\WINNT\temp

Download and scan with CCleaner
http://www.ccleaner.com/downloadbuilds.asp
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Use ATF Cleaner again.

Let me know if it's still detecting it after that.

This message has been edited since posting. Last time this message was edited on 20. August 2006 @ 06:55

UAAS
Newbie
21. August 2006 @ 09:04
Hi,
I haven't seen the dialer in the last 2 days, after the last clean-up, but I'm still having "freezes", so just in case, here is a new HijackThis report so it can be rechecked, after which, I hope, we can get to the issue of what software I should maintain to keep clean:

Logfile of HijackThis v1.99.1
Scan saved at 08:03:20 م, on 21/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\WFXSVC.EXE
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\mqsvc.exe
D:\WINDOWS\System32\mqtgsvc.exe
D:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\PROGRA~1\NEXT\FARAH\Farahjo.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Bilal CDs\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [IncrediMail] "D:\PROGRA~1\INCRED~1\bin\IncrediMail.exe" /c
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] H:\Bilal CDs\HijackThis.exe /startupscan
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - D:\Program Files\LingoCom\Translator.lnk
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - D:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - c:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE

So: is everything OK, as I hope?!

uaas
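As an added example (not part of this thread or of HijackThis itself), a small Python triage script that parses HijackThis log lines of the kind posted above and pulls out the entries a helper usually reads first: the R1 proxy setting, O17 name servers, O4 Run keys and O23 services whose binary is missing. The embedded lines are copied from the log in this post; which entry kinds count as review items is the script's own choice.

```python
import re

# Excerpt of the HijackThis v1.99.1 log posted above; these are the entry kinds a
# helper reads first (proxy, DNS servers, Run keys, services).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [HijackThis startup scan] H:\Bilal CDs\HijackThis.exe /startupscan
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E7FF9AB-5382-4993-BEAC-55122587A6FB}: NameServer = 217.144.6.152 217.144.6.121
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: [...]"
RUN_RE = re.compile(r"\[(.+?)\] (.*)")         # O4 payload: [value name] command line

def parse_hjt(text):
    """Group log lines by HijackThis section code (R1, O4, O17, O23, ...)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries

def triage(entries):
    """Pull out the facts a reviewer checks by hand: proxy, DNS, autoruns, dead services."""
    report = {"proxy": None, "nameservers": [], "run": {}, "missing_services": []}
    for item in entries.get("R1", []):
        if "ProxyServer = " in item:
            report["proxy"] = item.split("ProxyServer = ", 1)[1]
    for item in entries.get("O17", []):
        m = re.search(r"NameServer = (.*)", item)
        if m:
            report["nameservers"].extend(m.group(1).split())
    for item in entries.get("O4", []):
        m = RUN_RE.search(item)
        if m:
            report["run"][m.group(1)] = m.group(2)
    for item in entries.get("O23", []):
        if item.endswith("(file missing)"):
            # "Service: Name - Owner - Path (file missing)" -> keep just the service name
            report["missing_services"].append(item.split(" - ", 1)[0].replace("Service: ", ""))
    return report

if __name__ == "__main__":
    for key, value in triage(parse_hjt(HJT_LOG)).items():
        print(f"{key}: {value}")
```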
maca1
Senior Member
21. August 2006 @ 16:39
Your log is clean.

Question: did you have to use CCleaner and my last post, or had you gotten rid of the dialer already?
 