Malware cleanup help; (Resolved) [CLOSED]




Posted by: New Member (Member, 2 posts)
I have followed step by step on the self help removal and I am left with 3 issues.
1. I am unable to get Windows to update, and get the following message: Windows Genuine Advantage Validation Tool (KB892130). I followed a Microsoft thread to fix this manually but it does not seem to work.
2. There is some sort of ghost wallpaper left on my desktop that does not allow me to see my actual desktop, although all of my icons show up on this "ghost". If I move my mouse arrow over the desktop from a program it changes as it recognizes the mouse hitting it. It is not causing a problem that I can see but I wonder if my memory starts getting full due to this issue.
3. I am unable to open a program called Infoselect without first getting an error message saying "Infoselect has encountered a problem and has had to shut down." Then I start it again and get "Infoselect was not closed properly during the last session and was temporarily switched into safe mode. Please confirm loading of .ini file." I click Cancel and it opens up. Please find below the data I believe I am to include. Thanks for any and all help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:50 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = excite.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: GNX Rolex - {A554EBAE-AB0F-4C22-B623-A38C36B772D8} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206841254515
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: My Excite - http://www.excite.com/
O24 - Desktop Component 1: Privacy Protection - (no file)

End of file - 9817 bytes

AVG Anti-Spyware - Scan Report

+ Created at: 3:05:21 PM 4/13/2008

+ Scan result:

Nothing found.

::Report end

SUPERAntiSpyware Scan Log

Generated 04/13/2008 at 05:37 PM

Application Version : 4.0.1154

Core Rules Database Version : 3437
Trace Rules Database Version: 1429

Scan type : Complete Scan
Total Scan Time : 01:56:28

Memory items scanned : 594
Memory threats detected : 0
Registry items scanned : 6077
Registry threats detected : 27
File items scanned : 89180
File threats detected : 1

MyWay Search Assistant Computers
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
HKU\S-1-5-21-27987841-921125120-4191668413-1006\Software\Microsoft\Internet Explorer\URLSearchHooks#{4D25F926-B9FE-4682-BF72-8AB8210D6D75}

ANALYSIS: 2008-04-14 05:00:06
Description        Version   Active   Updated
Norton AntiVirus             Yes      Yes

Id        Description         Type       Active   Severity   Disinfectable   Disinfected   Location
00502546  Application/MyWay   HackTools  No       0          Yes             No            C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

Vulnerabilities (missing Microsoft security bulletins):

Id       Severity   Description
184380   MEDIUM     MS08-002
184379   MEDIUM     MS08-001
182048   HIGH       MS07-069
182046   HIGH       MS07-067
182043   HIGH       MS07-064
179553   HIGH       MS07-061
176382   HIGH       MS07-057
176383   HIGH       MS07-058
170911   HIGH       MS07-050
170907   HIGH       MS07-046
170906   HIGH       MS07-045
170904   HIGH       MS07-043
164915   HIGH       MS07-035
164913   HIGH       MS07-033
164911   HIGH       MS07-031
160623   HIGH       MS07-027
157262   HIGH       MS07-022
157261   HIGH       MS07-021
157260   HIGH       MS07-020
157259   HIGH       MS07-019
156477   HIGH       MS07-017
150253   HIGH       MS07-016
150249   HIGH       MS07-013
150248   HIGH       MS07-012
150247   HIGH       MS07-011
150243   HIGH       MS07-008
150242   HIGH       MS07-007
150241   MEDIUM     MS07-006
141034   HIGH       MS06-076
141033   MEDIUM     MS06-075
141030   HIGH       MS06-072
137571   HIGH       MS06-070
137568   HIGH       MS06-067
133387   MEDIUM     MS06-065
133386   MEDIUM     MS06-064
133385   MEDIUM     MS06-063
133379   HIGH       MS06-057
131654   HIGH       MS06-055
129977   MEDIUM     MS06-053
129976   MEDIUM     MS06-052
126093   HIGH       MS06-051
126092   MEDIUM     MS06-050
126087   HIGH       MS06-046
126086   MEDIUM     MS06-045
126083   HIGH       MS06-042
126082   HIGH       MS06-041
126081   HIGH       MS06-040
123421   HIGH       MS06-036
123420   HIGH       MS06-035
120825   MEDIUM     MS06-032
120823   MEDIUM     MS06-030
120818   HIGH       MS06-025
120815   HIGH       MS06-022
120814   HIGH       MS06-021
117384   MEDIUM     MS06-018
114666   HIGH       MS06-015
114664   HIGH       MS06-013
108744   MEDIUM     MS06-008
108743   MEDIUM     MS06-007
108742   MEDIUM     MS06-006
104567   HIGH       MS06-002
104237   HIGH       MS06-001
96574    HIGH       MS05-053
93395    HIGH       MS05-051
93394    HIGH       MS05-050
93454    MEDIUM     MS05-049

Edited by SteveB240D, 15 April 2008 - 03:54 PM.





Posted by: Malware Expert (Visiting Consultant, 16,560 posts)
Welcome to GTG.

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers when you are following the procedures below.

Download ATF Cleaner at http://www.atribune..../click.php?id=1. Don't run it yet.

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop. Do not run it yet.

Restart your computer and boot into Safe Mode. If you don't know how, go to http://www.bleepingc...tutorial61.html

Once in Safe Mode, open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #2 - Clean by typing 2 and press Enter to delete infected files. You will be prompted Registry cleaning - Do you want to clean the registry? Answer Yes by typing Y and press Enter in order to remove the desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found). Answer Yes by typing Y and press Enter.

The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart it manually to get back to Normal Mode. A text file will appear onscreen, with results from the cleaning process. Copy and paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

WARNING: Running option #2 on a non-infected computer will remove your desktop background.

Double-click ATF-Cleaner.exe to run the program. Under Main, choose Select All.
Click the Empty Selected button.

If you use Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser click Opera at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Run a scan in HijackThis. Check each of the following if they still exist and hit Fix checked when ready:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: GNX Rolex - {A554EBAE-AB0F-4C22-B623-A38C36B772D8} - (no file)
O24 - Desktop Component 0: My Excite - http://www.excite.com/
O24 - Desktop Component 1: Privacy Protection - (no file)

Post the rapport.txt and a new HijackThis log here.
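One way to see how the fix list above was picked out of the HijackThis log, as an added example that is not part of the thread or of HijackThis, SmitfraudFix or any other tool named here: a small Python triage script that flags the same entry types the helper asked to be fixed. The sample log lines are constructed (a subset of the posted log), and the list of known-bad path fragments is an assumption for illustration, not a real signature set.

```python
import re

# Constructed sample in HijackThis v2 log format. It mirrors the entry types the
# helper's fix list targets (blank R0 Local Page, MyWay URLSearchHook, "(no file)"
# BHO, O24 Active Desktop components); it is not the full log from the post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = excite.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {A554EBAE-AB0F-4C22-B623-A38C36B772D8} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O24 - Desktop Component 0: My Excite - http://www.excite.com/
O24 - Desktop Component 1: Privacy Protection - (no file)
"""

# Path fragments that the SUPERAntiSpyware and Panda scans in the thread attributed
# to "MyWay Search Assistant". Assumption: a real triage list would be far longer.
KNOWN_BAD_FRAGMENTS = ("\\MyWaySA\\",)

# HijackThis lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")


def classify(line):
    """Return a short reason if this entry belongs on the review list, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body").rstrip()
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "orphaned entry: the referenced file no longer exists"
    if kind in ("R0", "R1") and body.endswith("="):
        return "blank Internet Explorer setting"
    if any(frag.lower() in body.lower() for frag in KNOWN_BAD_FRAGMENTS):
        return "path flagged by the SUPERAntiSpyware/Panda scans (MyWay)"
    if kind == "O24":
        return "Active Desktop component (O24), also on the helper's fix list"
    return None


def triage(log_text):
    """Return [(kind, reason, line)] for every entry worth reviewing, in log order."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.strip().split(" - ", 1)[0], reason, line.strip()))
    return hits


if __name__ == "__main__":
    for kind, reason, entry in triage(SAMPLE_LOG):
        print(f"{kind:<4} {reason}\n     {entry}")
```

Entries the script leaves alone (the Acrobat BHO, the WinPatrol Run key) are exactly the ones the helper did not ask to fix; a human still has to review the flagged list, since a blank setting or a missing file is a symptom, not proof of infection.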



Posted by: New Member (Topic Starter, Member, 2 posts)
It worked! Thanks. The only unresolved issue I have is the problem opening Infoselect and I believe that is related to Norton Utilities. I can open it but it's a hassle to do. I am considering getting rid of Norton Utilities as I did not see it help out on this last virus/malware attack. I would be interested in the opinion of Norton from this group. I appreciate all the resources you have put out here to help me resolve my other issues. It's nice to have my computer back.




Posted by: Malware Expert (Visiting Consultant, 16,560 posts)
Steve, please post the logs requested. It may seem clean and all, but we just want to confirm this before we let you go.

You may uninstall Norton if you want including removing their antivirus. Use the Norton Removal Tool to confirm no remnants of Norton remain. You can get the free version of AVG Antivirus here instead (version 7.5).



Posted by: Malware Expert (Visiting Consultant, 16,560 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
