Dr Watson PostMortem error opening control panel


#1
stevewp

I am working with an end-user who has tried about 6 different spyware/adaware removal programs. He used Trend Micro PC-cillin. He is remote from me, so I use GoToMyPC to connect to his system.

I found on Google that other people had this problem and that it is caused by malware. Most people were submitting HijackThis logs and following a custom treatment program.

I have attached the log from his computer.

Thanks for your help.


#2
Metallica

Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

Download and run About:Buster from:
http://www.majorgeek...wnload4289.html
It usually takes two runs to get cleaned.

Copy the part in bold below into Notepad and save it as winpup.reg

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup]


Double-click winpup.reg and confirm you want to merge it with the registry.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uoysa.dll/sp.html#22776

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://prosearching....//my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CAF26EC5-E0AD-49E5-5C3C-D6D5210B1C3D} - C:\WINDOWS\ipxd32.dll

O4 - HKLM\..\Run: [win32app] C:\WINDOWS\System32\winpup32.exe

O4 - HKLM\..\Run: [Windrv] C:\WINDOWS\System32\fld.exe
O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\System32\123268.exe
O4 - HKLM\..\Run: [Wingraph] C:\WINDOWS\System32\wingraphsx.exe
O4 - HKLM\..\Run: [Winspool] C:\WINDOWS\System32\winspls.exe
O4 - HKLM\..\Run: [gjmmgl] C:\WINDOWS\System32\afnpie.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b

O4 - HKLM\..\Run: [19XFJ13R.exe] C:\WINDOWS\System32\19XFJ13R.exe

O4 - HKLM\..\Run: [borelitelicensemix] C:\Documents and Settings\All Users\Application Data\dent idol bore lite\real fork.exe

O4 - HKLM\..\Run: [ntpr.exe] C:\WINDOWS\ntpr.exe

O4 - HKCU\..\Run: [MSNAVPM] C:\WINDOWS\System32\WinSpool.exe
O4 - HKCU\..\Run: [NAV32sta] C:\WINDOWS\system32\3de43g.exe
O4 - HKCU\..\Run: [sixthsave] C:\DOCUME~1\MBERTE~1\APPLIC~1\FILMBO~1\defytrust.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.5.cab

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlbh32.exe" /s (file missing)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Then post back with a new log.
You said you wanted to have a look for some fixes yourself.
You are looking at LOP, WebRebates, CWS, Winpup and a bunch of trojans/viruses using random filenames.

Regards,
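
The fix list in the reply above mixes several HijackThis sections that point at the same files on disk. The following is an added example, not part of the original thread and not HijackThis code: it parses entry lines and groups them by the file they load. The names `parse_log`, `files_to_collect` and the section labels are chosen here for illustration; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Labels for the HijackThis section codes used in the fix list above.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "O2": "Browser Helper Object", "O4": "Run-key autostart",
            "O23": "Windows service"}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Drive-letter path to an .exe/.dll; spaces inside the path are allowed.
WIN_PATH = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+?\.(?:exe|dll)\b', re.I)

def parse_log(text):
    """Return one dict per HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        path = WIN_PATH.search(body)
        entries.append({"code": code, "section": SECTIONS.get(code, "other"),
                        "path": path.group(0) if path else None,
                        "missing": body.endswith("(file missing)")})
    return entries

def files_to_collect(entries):
    """Map each file not marked '(file missing)' (lower-cased) to the codes that reference it."""
    refs = defaultdict(set)
    for e in entries:
        if e["path"] and not e["missing"]:
            refs[e["path"].lower()].add(e["code"])
    return dict(refs)

# Sample lines copied from the fix list in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uoysa.dll/sp.html#22776
O2 - BHO: (no name) - {CAF26EC5-E0AD-49E5-5C3C-D6D5210B1C3D} - C:\WINDOWS\ipxd32.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [borelitelicensemix] C:\Documents and Settings\All Users\Application Data\dent idol bore lite\real fork.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlbh32.exe" /s (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    for path, codes in sorted(files_to_collect(parse_log(SAMPLE)).items()):
        print(f"{path}  <- {', '.join(sorted(codes))}")
```

Entries marked `(file missing)` are parsed but left out of the file map, since only the registry or service entry remains to be fixed.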