[Michelle]

Ok give me a sec, I'll brb!

[Advertisements]

Please remove it.

[Michelle]

Please remove it.

[rusty38dei]

Ok I removed it. It wanted me to restart my pc, so I did, and was that all my problem was ? Im not sure if I am outta the woods yet or not lol ?

[Michelle]

NO, that was definitely not all of your problem!! That was only solving the not being able to get into Safe Mode problem heh

I need you to follow ALL of Kat's instructions. You should now be able to boot into Safe Mode (let me know if you still can't).

[rusty38dei]

nope still doing the same thing

[Michelle]

Ok we'll deal with that later

I need you to follow ALL of Kat's instructions minus Safe Mode.

[rusty38dei]

Incident Status Location

Adware:Adware/MyWay No disinfected C:\Program Files\MyWay
Adware:Adware/FunWeb No disinfected C:\Program Files\FunWebProducts
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/MyWebSearch No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Ab scissor.url
Adware:Adware/IGuard No disinfected C:\WINDOWS\system32\wldr.dll
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Giles Family\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL
Virus:Bck/Haxdoor.H Disinfected C:\WINDOWS\d3oi32.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\iicxz.dll
Adware:Adware/IGuard No disinfected C:\WINDOWS\system32\wldr.dll

[rusty38dei]

seems like a lot it found ehhh

[Michelle]

I need a new HiJackThis log too, please.

[Michelle]

(I've seen worse )

[rusty38dei]

Logfile of HijackThis v1.99.1
Scan saved at 6:39:37 PM, on 5/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Paltalk Messenger\paltalk7.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GILESF~1\LOCALS~1\Temp\Rar$EX00.735\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {95FA0852-5909-4AD8-BC5C-94070338E3B6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {95FA0852-5909-4AD8-BC5C-94070338E3B6} - (no file) (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {797FA1DD-30E7-4093-A892-E8C2A556A583} (CFM2005TurboDMCrs.UserControl1) - http://www.racelm.co...5turboDMCrs.CAB
O16 - DPF: {8F8F1EF4-92D6-4C59-B5B4-E6E5E0284676} (OLRComm.Communications) - http://www.onlinerac...ing/OLRComm.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {ADB6CCF9-8853-4431-82A0-B7494DED18C3} (WcnfGrpCtl Class) - http://download.palt...roupControl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CC1E9F72-AFBE-4C67-B6E1-AB992035E562} (CFM2005TurboDMCrsnorun.UserControl1) - http://www.racelm.co...oDMCrsnorun.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Panda Firewall Service (PAVFIRES) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

[Michelle]

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C:

C:\WINDOWS\smdat32m.sys
C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL
C:\WINDOWS\d3oi32.dll
C:\WINDOWS\system32\iicxz.dll
C:\WINDOWS\system32\wldr.dll

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After reboot I need you to delete these folders (in bold), they are there):

C:\Program Files\MyWay
C:\Program Files\FunWebProducts
C:\Documents and Settings\Giles Family\Favorites\Sites about

Do you have your desktop properties back? (5 tabs when you right-click on the desktop and go to "properties")

[Michelle]

Please download ewido security suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:

• Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run Ewido.
• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

Reboot into normal mode.

I need you to post the log from Ewido and a new HiJackThis log.

[rusty38dei]

yes i have my 5 tabs when i right click on my desktop and choose properties.............
only one thing i couldnt delete off of the 3 things u mentioned was myway folder.
I also wanna say i reallly do appr. your help with this...
no way i would have ever figured this out without reformatting

[Michelle]

You're very welcome!

Ah, yes, I forgot...MyWay is being used right now so you won't be able to delete it yet since you can't get into Safe Mode. Maybe after you run Ewido you'll be able to.