Win32:Winfixer-B
geoff007
Newbie
14. February 2007 @ 00:12
Hi there.
I scanned using ewido and this is the log.

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:59:14 p.m. 14/02/2007

+ Scan result:



C:\Program Files\Alwil Software\Avast4\DATA\moved\USYP_0001_N76M1005NetInstaller.exe.vir -> Downloader.Small : No action taken.
C:\Documents and Settings\Geoffrey.HOME\Cookies\geoffrey@com[1].txt -> TrackingCookie.Com : No action taken.


::Report end


Can you please help me to delete this malware. Thanks in advance for your help.
kateman
Senior Member
14. February 2007 @ 17:31
just clean out your cookies folder

C:\Documents and Settings\Geoffrey.HOME\Cookies\

and then delete every cookie in there.

help the monkeys are attacking me! dont worry, i fed the monkeys a banana, so now their off fighting a cat. i like the snow but the rain burns my skin. i can build a fort but thefhsfhkfnkjdsfikdgkjnbgjk...
kateman
Senior Member
14. February 2007 @ 17:32
and why do you use an outdated scanner?

geoff007
Newbie
15. February 2007 @ 10:42
Hi kateman,
I deleted the cookies as you said but when i restarted my computer and scanned using Ad-Aware i still find this malware in my system. So i scanned using AVG Anti spyware and this is the log ...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:18:46 p.m. 15/02/2007

+ Scan result:



C:\Program Files\Alwil Software\Avast4\DATA\moved\USYP_0001_N76M1005NetInstaller.exe.vir -> Downloader.Small : No action taken.


::Report end

It's a program or malware called Downloader.Small that is doing all the problem i think. Please help.
bkf
Suspended due to non-functional email address
15. February 2007 @ 11:05
What made you run the scan? What symptoms were you getting? Popups? Posting a HjT log would be your first step. If you're getting popups it could be a vundo or coolweb problem. win32:winfixer-b: Not much info on it but it does not seem to be the end of the world to get rid of either. And there are about 2000 downloaders.small

You said you ran the scan but did not say why and that is very important.

Kateman you still got this one. I just saw it and did a little looking up :-)
Did not mean to stick my nose in a working thread. I think you know me enough by now. Only if I think I can help with some idea. Sometimes the problems can be posted a little vague. :-)

If I could spell I would never need to edit lol

This message has been edited since posting. Last time this message was edited on 15. February 2007 @ 11:13

geoff007
Newbie
15. February 2007 @ 11:13
Actually i didn't get any popups. But i found this malware randomly. When i scan with Ad-Aware it said there is a malware named Win32:Winfixer-B[TOOL]. I left out the word 'TOOL' before. Does that make any difference? not sure. If i scan with Spybot it doesn't show me that i have a malware.

I ran the scan because i wanted to give you guys where the malware is actually located. Do you want me to install some other software and run a scan in my comp? Let me know.
bkf
Suspended due to non-functional email address
15. February 2007 @ 11:19
That is up to Kateman. Makes us all better in the end. I just did a little research on it. A HjT log would be a good start but don't save it in a temp file and rename it before using it. You want it on your C:/ drive for backup. Call it XXX.exe, it's still HjT

It is considered a tool so no big deal.

This message has been edited since posting. Last time this message was edited on 15. February 2007 @ 11:23

geoff007
Newbie
15. February 2007 @ 11:47
Hi
I downloaded HijackThis and I'm posting its log

Logfile of HijackThis v1.99.1
Scan saved at 10:44:38 a.m., on 16/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\khooker.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Downloads\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
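
Added example, not part of any post in this thread: Python that triages the `(no file)` and `(file missing)` markers in the HijackThis log above by checking each flagged path against the log's own running-process list. The verdict names `running` and `orphaned` are this example's own, and reading a flagged-but-running file as a path-parsing artefact is an assumption.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                   # "O23 - Service: ..."
MISSING = re.compile(r"\((no file|file missing)\)\s*$")          # HijackThis end-of-line markers
PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:exe|dll)', re.I)  # first file path in an entry

# Lines copied from the log posted above (a subset, unchanged).
SAMPLE = r"""Running processes:
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""


def running_processes(log_text):
    """Lower-cased paths listed under 'Running processes:' (block ends at a blank line)."""
    procs, in_block = set(), False
    for line in (l.strip() for l in log_text.splitlines()):
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break
        elif in_block:
            procs.add(line.lower())
    return procs


def triage_missing(log_text):
    """Return (section, verdict, detail) for each entry flagged (no file)/(file missing)."""
    running = running_processes(log_text)
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry or not MISSING.search(entry[2]):
            continue
        path = PATH.search(entry[2])
        if path and path[0].lower() in running:
            # Assumption: the file is loaded right now, so the marker is not a
            # real absence (here the path carries a stray quote and an argument).
            verdict = "running"
        else:
            verdict = "orphaned"  # HijackThis found no file and no running process matches
        findings.append((entry[1], verdict, entry[2]))
    return findings


if __name__ == "__main__":
    for section, verdict, detail in triage_missing(SAMPLE):
        print(f"{section:4} {verdict:9} {detail}")
```
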
kateman
Senior Member
15. February 2007 @ 20:10
this situation is weird, the log is clean :S

i did some looking around and no website seems to know what this is. I could run heaps of scanners off a list but none i think will help this situation.

there are two ways this can go:

1. it's a false positive (very unlikely with adaware) or

2. if HjT didn't pick it up it's either spyware that realised that you have HjT on your hd or it's probs a trojan.



@bkf:
Quote:
Kateman you still got this one. I just saw it and did a little looking up :-)
Did not mean to stick my nose in a working thread. I think you know me enough by now. Only if I think I can help with some idea. Sometimes the problems can be posted a little vague. :-)

hey, i don't mind. this place is about helping others, if you can do it faster i am all for it. anyway, i may learn a thing or two :D

kateman
Senior Member
15. February 2007 @ 20:12
okay, long shot but the best i have right now. fingers crossed boys

Restart your computer into Safe Mode now.
(Start tapping the F8 key at Startup, before the Windows logo screen).
Perform the following steps in Safe Mode:

* Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK.
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop.

Reboot.

Post a new Hijack This log and the results of the Ewido scan.

janrocks
Suspended permanently
15. February 2007 @ 22:09
@ kateman.. some info here http://forums.techguy.org/security/43635...ojan-vundo.html

seems related to the freeprod virus. possibly come from AIM as a toolbar addon.

:-)

This message has been edited since posting. Last time this message was edited on 15. February 2007 @ 22:13

kateman
Senior Member
15. February 2007 @ 22:12
@janrocks: umm thanks, but how does that thread have any relevance?

that is about ssqro.dll
we are talking about Win32:Winfixer-B[TOOL].

haha and i've never heard of the freeprod virus :P

This message has been edited since posting. Last time this message was edited on 15. February 2007 @ 22:13

janrocks
Suspended permanently
15. February 2007 @ 22:21
It's listed in the HjT logs the sufferer posted.
Just remembered seeing it yesterday and thought it "might" help while you are trying to hunt it down.
kateman
Senior Member
15. February 2007 @ 22:22
cheers

bkf
Suspended due to non-functional email address
16. February 2007 @ 08:10
Kateman: It's not a contest. You are far better than me in here. My counsel would be a scan log using vundofix, smitfraud, and an on-line panda scan to see where we stand. While all 3???? pages about this were interesting they did move from a false indication to a valid problem known under a dozen names. I found one site and the guy had to jump through hoops. Hopefully we do not need to do this here. And will you people STOP downloading those stupid browser helper programs. If I did a math study of people infected 80% have those helper bars. Nothing is ever free. Keep thinking and we will keep watching and in the end it will be us that learn something from you and you will be solid with how to deal with yet another bug.

Thanks Jan for getting involved also! Bk
kateman
Senior Member
16. February 2007 @ 13:32
Originally posted by bkf:
Kateman: It's not a contest. You are far better than me in here.
don't put yourself down, heck i've never seen somebody so dedicated to finding information on stuff like you do :)


Originally posted by bkf:
If I did a math study of people infected 80% have those helper bars. Nothing is ever free.
haha i reckon. you know what else i have realised. EVERYBODY's HjT log i have seen (who have Norton), has an infection :P


this has gone way off track.
@geoff007: any luck with ewido in safe mode?

This message has been edited since posting. Last time this message was edited on 16. February 2007 @ 13:37

geoff007
Newbie
16. February 2007 @ 19:15
Hello
Interestingly i scanned using ewido and now it says that there's no problem. it says that the system is clean. i'm not sure why it's not showing the problem now. i didn't do any cleaning except the one when u told me to clean the cookies in a folder. when i scanned with Ad-Aware it didn't show me any malware, so i guess it's good news. in 3 days i'll scan once again and i'll let u know if there's any problem, OK.
kateman
Senior Member
16. February 2007 @ 19:39
haha sounds awesome :D


bkf
Suspended due to non-functional email address
17. February 2007 @ 01:36
Thanks Kateman: When you sit here wondering if you're going to live or die in 6 months it gives me something useful to do. My counsel would still be scanning using some of the free programs just to make sure. You're a good person Kateman! Bk
kateman
Senior Member
17. February 2007 @ 13:10
Quote:
When you sit here wondering if you're going to live or die in 6 months
omfg bkf, i am sorry :S
