startsearch.net [RESOLVED]


This topic is locked

#1 mashingon (New Member, 8 posts)
I need help removing the www.startsearch.net hijacker, because it keeps appearing as soon as I type www.google.com (which is my start-up page). I already have my HijackThis log; here it is:

Logfile of HijackThis v1.99.1
Scan saved at 07:53:32 p.m. Bion®, on 06/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Winamp3\winampa.exe
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\Archivos de programa\Free History Eraser\HistoryEraser.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Archivos de programa\Netropa\Onscreen Display\OSD.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\CreataCard\Gold\FMRemind.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\LimeWire\LimeWire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\LimeWire\LimeWire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\WinRAR\WinRAR.exe
C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\Rar$EX00.829\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.12.62.9:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp9F24.tmp
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Archivos de programa\Free History Eraser\HistoryEraser.exe" /stealt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Archivos de programa\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Acceso directo a TERRA.lnk = ?
O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Archivos de programa\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb041
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://www.accesoplu...ternacional.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117270600531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C367FEB-C133-43A2-8DDB-1DE388187168}: NameServer = 200.12.63.2,200.12.63.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

Thanks for any help.

#2 Guest_usetobe_* (Guest)
Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help, or are your problems resolved?

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe

#3 mashingon (Topic Starter)
Dear Usetobe:

The problem is still present. I'm not at my home computer right now, but I will send you the new HJT log later today so that you can help me.

Thank you very much for your help.

Mashingon

#4 mashingon (Topic Starter)
Usetobe:

Sorry for the delay; here is my new HJT log. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 09:56:40 a.m. Bion®, on 18/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Winamp3\winampa.exe
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CreataCard\Gold\FMRemind.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Archivos de programa\Netropa\Onscreen Display\OSD.exe
C:\Archivos de programa\WinRAR\WinRAR.exe
C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\Rar$EX00.937\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.12.62.9:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp9F24.tmp
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb041
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://www.accesoplu...ternacional.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117270600531
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C367FEB-C133-43A2-8DDB-1DE388187168}: NameServer = 200.12.63.2,200.12.63.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

Thanks again for your help!!!

Best regards,

Mashingon

#5 Guest_usetobe_* (Guest)
Hi mashingon,

Firstly, please create a new folder on your C drive (for example C:\HJT). Install HJT into that folder and run it from there. That way it can create backups if required.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Cleanup from here:
Cleanup. Do not run it yet.

Set up your PC to show hidden files (click the link if you do not know how):
Show hidden files

Go to Add/Remove Programs in Control Panel and, if MyWebSearch is present, remove it.

Run this online virus scan: ActiveScan - Save the results from the scan!

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Then please run Ewido and run a full scan. This may take some time, so go grab a coffee. Once it finds the first issue, tick the box for all. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check the following if present:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp9F24.tmp
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb041
O9 - Extra button: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://www.accesoplu...ternacional.cab


Ensure no windows are open except HJT and click Fix checked.

Now, using Windows Explorer, locate and delete the following files if found:

C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
C:\WINDOWS\System32\hp9F24.tmp
C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe


Now run Cleanup.

Reboot the PC normally, rescan with HJT and post the log back with the Ewido and Panda logs.
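The fix list above is the product of reading the log by hand: the helper picked out the entries whose file is missing, the BHO with an obviously fabricated CLSID living in a .tmp file under System32, the MyWebSearch autostarts, and the ActiveX download. As an added example that is not part of this thread, the script below encodes those same heuristics as a small triage pass over HijackThis 1.99.1 log lines. The sample log is constructed from lines copied out of the logs posted above; the TRUSTED_SEARCH_HOSTS allowlist and the individual rules are assumptions of this example, not rules from HijackThis or from the helper. Note that it also flags the R1 ProxyServer and O17 NameServer entries, which appear unchanged in every log in the thread and were never fixed: a reviewer would want the user to confirm that 200.12.62.9:8080 and the two 200.12.63.x resolvers really belong to their ISP before leaving them in place.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis 1.99.1 logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.12.62.9:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp9F24.tmp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C367FEB-C133-43A2-8DDB-1DE388187168}: NameServer = 200.12.63.2,200.12.63.10
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
"""

# Assumed allowlist of acceptable start/search page hosts; adjust to the user's real preferences.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "google.com", "www.msn.com", "search.msn.com"}


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    reason: str
    line: str


LINE_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")


def _host_of(text):
    m = URL_RE.search(text)
    return m.group(1).lower() if m else None


def triage_line(line):
    """Return the Findings for one HijackThis log line (empty list if nothing stands out)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    findings = []

    # Dangling references: the registry entry survived but the file it points to is gone.
    if "(file missing)" in body or "(no file)" in body:
        findings.append(Finding(section, "entry points to a missing file; safe to fix", line))

    if section in ("R0", "R1"):
        if "ProxyServer" in body:
            findings.append(Finding(section, "IE proxy set; confirm the address belongs to the user's ISP or network", line))
        host = _host_of(body)
        if host and host not in TRUSTED_SEARCH_HOSTS:
            findings.append(Finding(section, f"search/start page points at untrusted host {host}", line))

    if section == "O2":
        cl = CLSID_RE.search(body)
        # A real generated GUID uses many distinct hex digits; a fill pattern like FFFF...FFFA does not.
        if cl and len(set(cl.group(1).replace("-", "").upper())) <= 2:
            findings.append(Finding(section, "BHO CLSID is a fill pattern, not a generated GUID", line))
        if re.search(r"\\system32\\[^\\]+\.tmp$", body, re.IGNORECASE):
            findings.append(Finding(section, "BHO loaded from a .tmp file in System32", line))

    if section == "O4":
        # The command after the [name] tag; an unqualified name is resolved via the search path.
        cmd = body.split("]", 1)[1].strip() if "]" in body else ""
        if cmd and not re.match(r'^"?[A-Za-z]:\\', cmd):
            findings.append(Finding(section, "Run entry uses an unqualified name; resolved via the search path, so it can be shadowed", line))

    if section == "O17" and "NameServer" in body:
        findings.append(Finding(section, "hard-coded DNS servers; confirm they are the ISP's resolvers", line))

    if section == "O23" and "Unknown owner" in body:
        findings.append(Finding(section, "service with no identified publisher", line))

    return findings


def triage(log_text):
    """Run triage_line over every line of a HijackThis log and collect the findings."""
    out = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script flags nine items: the startsearches.net search bar, the proxy, the two dangling MyWebSearch and AntiSpyware-helper entries, the VMHomepage BHO twice (fill-pattern CLSID and .tmp path), the unqualified pctspk.exe Run entry, the NameServer line and the unknown-owner Netropa service, while leaving the Acrobat BHO and the fully qualified AVG entry alone. The rules are heuristics for a human to review, not a verdict: the Netropa keyboard service and pctspk.exe are almost certainly legitimate here, and the proxy and resolvers may well be the ISP's.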

#6 mashingon (Topic Starter)
Hello Usetobe,

I already did everything you recommended and apparently it worked; the startsearch page no longer appears.

Here are the logs (Panda first, then Ewido, and HJT last).

PANDA:

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\fsg_tmp
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\FunWebProducts
Virus:Exploit/Mhtredir.gen Disinfected Operating system
Spyware:Spyware/Altnet No disinfected Windows Registry
Adware:Adware/MyWebSearch No disinfected C:\Archivos de programa\MyWebSearch
Adware:Adware/P2PNetworking No disinfected C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\p2psetup.exe
Adware:Adware/IGuard No disinfected C:\WINDOWS\system32\wldr.dll
Adware:Adware/Popuper No disinfected Windows Registry
Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\perfcii.ini
Virus:Trj/Cloak.A Disinfected C:\WINDOWS\system32\LogFiles\UT5172000.so
Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\ole32vbs.exe
Adware:Adware/FunWeb No disinfected C:\WINDOWS\system32\f3pssavr.scr
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\$NtUninstallKB890923-IE6SP1-20050225.103456$\wininet.dll
Spyware:Spyware/Altnet No disinfected C:\Documents and Settings\Onixx Bion\Configuración local\Temp\asmfiles.cab[asm.exe]
Adware:Adware/Gator No disinfected C:\Documents and Settings\Onixx Bion\Configuración local\Temp\fsg_tmp\ginst_001_1234_4201.exe
Adware:Adware/Gator No disinfected C:\Documents and Settings\Onixx Bion\Configuración local\Temp\fsg_tmp\ginst_001_1234_4201a.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-67e8b4ab.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-67e8b4ab.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-67e8b4ab.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-67e8b4ab.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-3c04a3a5.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-3c04a3a5.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-3c04a3a5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-3c04a3a5.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-17d0d071.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-17d0d071.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-17d0d071.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-17d0d071.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-6e743f85.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-6e743f85.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-6e743f85.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Onixx Bion\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-6e743f85.zip[Installer.class]
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MSN Messenger\riched20.dll
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MyWebSearch\bar\1.bin\F3POPSWT.DLL
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MyWebSearch\bar\1.bin\F3REPROX.DLL
Adware:Adware/MyWebSearch No disinfected C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSBAR.DLL
Adware:Adware/MyWebSearch No disinfected C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Adware:Adware/MyWebSearch No disinfected C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
Adware:Adware/MyWebSearch No disinfected C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOESTB.DLL
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MyWebSearch\bar\2.bin\F3CJPEG.DLL
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MyWebSearch\bar\2.bin\F3HISTSW.DLL
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MyWebSearch\bar\2.bin\F3RESTUB.DLL
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MyWebSearch\bar\2.bin\F3SCHMON.EXE
Adware:Adware/FunWeb No disinfected C:\Archivos de programa\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
Adware:Adware/MyWebSearch No disinfected C:\Archivos de programa\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
Adware:Adware/MyWebSearch No disinfected C:\Archivos de programa\MyWebSearch\bar\2.bin\M3SKIN.DLL
Adware:Adware/MyWebSearch No disinfected C:\Archivos de programa\MyWebSearch\bar\2.bin\__delete_on_reboot__mwsoestb.dll
Adware:Adware/MyWebSearch No disinfected C:\Archivos de programa\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\asm.exe


EWIDO:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:20:30 p.m., 27/06/2005
+ Report-Checksum: ACEC20F7

+ Database date: 28/06/2005
+ Scanner version: v3.0

+ Duration: 52 min
+ Files scanned: 91397
+ Speed: 29.14 files/second
+ Infected files: 22
+ Files removed: 22
+ Files quarantined: 22
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Folders: Yes
+ Encrypt: Yes
+ Files: Yes

+ Scanned items:
C:\

+ Scan results:
C:\WINDOWS\system32\wldr.dll -> TrojanProxy.Small.bo -> Cleaned with backup
C:\WINDOWS\system32\f3pssavr.scr -> Spyware.MyWebSearch -> Cleaned with backup
C:\Documents and Settings\Onixx Bion\Configuración local\Temp\fsg_tmp\ginst_001_1234_4201.exe -> Spyware.Browsertoolbar -> Cleaned with backup
C:\Documents and Settings\Onixx Bion\Configuración local\Temp\fsg_tmp\ginst_001_1234_4201a.exe -> Spyware.Browsertoolbar -> Cleaned with backup
C:\Archivos de programa\MSN Messenger\riched20.dll -> Spyware.Wesbar -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\1.bin\F3REPROX.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSBAR.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOEMON.EXE -> Spyware.Wesbar -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3CJPEG.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3HISTSW.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3PSSAVR.SCR -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3REPROX.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3RESTUB.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3SCHMON.EXE -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3WPHOOK.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3HTML.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3OUTLCN.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3PLUGIN.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3SKIN.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\bar\2.bin\NPMYWEBS.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\Archivos de programa\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\Program Files\Altnet\Download Manager\asm.exe -> Spyware.Altnet -> Cleaned with backup


::End Report

HIJACKTHIS:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:21 p.m. Bion®, on 27/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Winamp3\winampa.exe
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CreataCard\Gold\FMRemind.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Archivos de programa\Netropa\Onscreen Display\OSD.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\WinRAR\WinRAR.exe
C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\Rar$EX00.297\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.12.62.9:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb041
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117270600531
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C367FEB-C133-43A2-8DDB-1DE388187168}: NameServer = 200.12.63.2,200.12.63.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

These are the three logs you asked for. Thank you SO MUCH for your help!!!! That startsearch was making me crazy. Again, thank you very much... you've been MOST HELPFUL.

Mashingon :tazz:
  • 0

#7
Guest_usetobe_*
  • Guest
I need you to copy all of the Killbox file paths below and paste them into Notepad.

C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\fsg_tmp
C:\Archivos de programa\FunWebProducts
C:\Archivos de programa\MyWebSearch
C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\p2psetup.exe
C:\WINDOWS\system32\wldr.dll
C:\WINDOWS\system32\perfcii.ini
C:\WINDOWS\system32\LogFiles\UT5172000.so
C:\WINDOWS\system32\ole32vbs.exe
C:\WINDOWS\system32\f3pssavr.scr
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\GatorHDPlugin.log-old.log
C:\WINDOWS\GatorHDPlugin.log
C:\Documents and Settings\Onixx Bion\Configuración local\Temp\asmfiles.cab[asm.exe]
C:\Documents and Settings\Onixx Bion\Configuración local\Temp\fsg_tmp\ginst_001_1234_4201.exe
C:\Documents and Settings\Onixx Bion\Configuración local\Temp\fsg_tmp\ginst_001_1234_4201a.exe
C:\Archivos de programa\MSN Messenger\riched20.dll
C:\Archivos de programa\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Archivos de programa\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Archivos de programa\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Archivos de programa\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3CJPEG.DLL
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3HISTSW.DLL
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3RESTUB.DLL
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3SCHMON.EXE
C:\Archivos de programa\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
C:\Archivos de programa\MyWebSearch\bar\2.bin\M3SKIN.DLL
C:\Archivos de programa\MyWebSearch\bar\2.bin\__delete_on_reboot__mwsoestb.dll
C:\Archivos de programa\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\Altnet\Download Manager\asm.exe

* Please download the Killbox by Option^Explicit. In the event you already have Killbox, this is a new version that I need you to download. Unzip it to the desktop.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C.

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Rescan with HJT and check the following if they still exist:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb041
O9 - Extra button: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)


Ensure no windows are open except HJT and click Fix checked.

Reboot PC normally, rescan with HJT and post the log back.
  • 0
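The fixes above are driven by reading HijackThis entries line by line and picking out the ones that reference the unwanted toolbar, point at files that no longer exist, or start from odd locations. Below is an added example (not from this thread, and not HijackThis or Killbox code) that parses the HijackThis v1.99 log format used here and reports those same kinds of entries; the sample log is constructed from lines in this thread plus one bare-filename O4 entry, and the "unwanted" markers are the ones the helper singled out.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.99 log format used in this thread.
# Most lines are copied from the thread's logs; the bare-filename O4 entry is
# included to show how an unqualified command name is reported.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.12.62.9:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Archivos de programa\McAfee\Guardian"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb041
O9 - Extra button: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Trailing annotations HJT appends: its own existence check and the hive.
ANNOTATION_RE = re.compile(r"\((?:file missing|no file|HKCU|HKLM)\)")
O4_CMD_RE = re.compile(r"\[[^\]]*\]\s*(?P<cmd>.*)$")
EXE_PREFIX_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|com|cpl|bat))(?=\s|$)", re.I)
# Markers the helper in this thread treated as unwanted. The O8 URL is cut
# short by the forum, so a prefix of "mywebsearch" is matched.
UNWANTED_MARKERS = ("mywebsear", "mywebs~1", "funwebproducts", "startsearch")

@dataclass
class Entry:
    section: str      # "O4", "R3", ...
    body: str         # everything after "O4 - "
    target: str       # path, URL or CLSID the entry points at
    annotations: list # e.g. ["(file missing)"]

def _o4_target(cmd: str) -> str:
    """Executable from an O4 command line: quoted, unquoted full path, or bare name."""
    quoted = re.match(r'"([^"]*)"', cmd)
    if quoted:
        return quoted.group(1)
    m = EXE_PREFIX_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ")[0]

def parse_entry(line: str):
    """Parse one 'Oxx - ...' line; returns None for headers and process listings."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    annotations = ANNOTATION_RE.findall(body)
    stripped = ANNOTATION_RE.sub("", body).strip().rstrip("- ")
    if section == "O4":
        cm = O4_CMD_RE.search(stripped)
        target = _o4_target(cm.group("cmd").strip()) if cm else stripped
    else:
        target = stripped.split(" - ")[-1].strip()
    return Entry(section, body, target, annotations)

def parse_log(text: str):
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]

def triage(entry: Entry):
    """Reasons an analyst would want to look at this entry; empty means nothing stood out."""
    reasons = []
    low = entry.body.lower()
    if "(file missing)" in entry.annotations or "(no file)" in entry.annotations:
        reasons.append("dangling reference: registered component is not on disk")
    if any(mk in low for mk in UNWANTED_MARKERS):
        reasons.append("references a known unwanted toolbar/search product")
    if entry.section == "O4":
        t = entry.target.lower()
        if "\\temp\\" in t:
            reasons.append("autostart runs from a Temp directory")
        elif not re.match(r"^[a-z]:\\", t) and not t.startswith("%"):
            reasons.append("autostart uses a bare filename resolved by PATH search")
    return reasons

def report(text: str):
    """(entry, reasons) for every entry with at least one reason, in log order."""
    return [(e, r) for e in parse_log(text) if (r := triage(e))]

if __name__ == "__main__":
    for e, reasons in report(SAMPLE_LOG):
        print(f"{e.section:<4}{e.target}")
        for r in reasons:
            print(f"      - {r}")
```

A flagged entry is a review item, not a verdict: the RunOnce line in Temp here is a leftover uninstaller that the helper left alone, which is why the script reports reasons rather than deleting anything.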

#8
mashingon

    New Member

  • Topic Starter
  • Member
  • 8 posts
Dear Usetobe:

I had a problem opening Notepad, it gave me this error message:

C:\WINDOWS\system32\smss.exe no se puede ejecutar en modo Win32.
(which translated to English might mean: C:\WINDOWS\system32\smss.exe can't be executed in Win32 mode.)

Because of this I had to use WordPad instead... I don't know if it worked or not. I did everything you said and I only found 2 of the items in the list you sent. Also, after doing everything you said in the second to last log, my Windows configuration changed a bit... especially in its appearance. I use Windows XP Home Edition and all those cool blue colors in the task bar have changed... and also the colors and appearance of the windows where the programs open up... I don't have the smooth round blue appearance anymore.

Here is my new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 09:26:56 p.m. Bion®, on 30/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Winamp3\winampa.exe
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Archivos de programa\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\Rar$EX00.984\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.12.62.9:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb041
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117270600531
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C367FEB-C133-43A2-8DDB-1DE388187168}: NameServer = 200.12.63.2,200.12.63.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

Thanks for your help,

Best regards,

Mashingon
  • 0

#9
Guest_usetobe_*
  • Guest
Please carry out the following:

In ADD/REMOVE in Control Panel, look to see if the following is in the list:

MyWebSearch

If there please remove it.

Then carry out the following:

Reboot into SAFE MODE by tapping the F8 key whilst your PC starts up.

Rescan with HJT and check the following:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Archivos de programa\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb041
O9 - Extra button: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BB6ECA4A-A057-45E7-BEFC-C7803566D4F8} - (no file) (HKCU)


Ensure no windows are open except HJT and click Fix checked.

Using Windows Explorer, locate and delete the following folder if present.

C:\Archivos de programa\MyWebSearch

Reboot PC normally.

Rescan with HJT and post the log back.

Regarding your desktop appearance, try this first.

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.
If that has not rectified the situation do this:

Right-click on your desktop > choose Properties > Display Properties and choose Windows XP style.
Click Apply and OK.

You have to choose the tab 'Display Properties', not the tab 'Themes'.
The Display Properties tab is the 4th one from the left. There will be a "Windows and buttons" menu in it where you can select Windows Classic or Windows XP style.
Select Windows XP style.

If you can't find the Windows XP style in there, only the Windows Classic, tell me afterwards.

Also check next:

Go to start > run and type: services.msc
Search in that list for Themes and check if it's running. If not, click "Start the service".
  • 0

#10
mashingon

    New Member

  • Topic Starter
  • Member
  • 8 posts
Dear Usetobe,

Did everything you said:

Regarding removing MyWebSearch using ADD/REMOVE, I couldn't do it. The only thing that appears there is "MyWebSearch (FunBuddyIcons)" and when I try to remove it, it gives me an error message saying: "Error al cargar C:\ARCHIV~1\MYWEBS~\bar\2.bin\mwsbar.dll No se puede encontrar el módulo especificado", which in English would be something like this: "Error while loading C:\ARCHIV~1\MYWEBS~\bar\2.bin\mwsbar.dll Could not find the specified module".

I also located the MyWebSearch folder and removed it.

The weird thing was that if I set the computer on SAFE MODE, none of the files you asked me to remove appeared with HJT. If I restarted the computer in normal mode and did a scan, then they did appear, so here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:49:30 p.m. Bion®, on 05/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Winamp3\winampa.exe
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Archivos de programa\Netropa\Onscreen Display\OSD.exe
C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\Rar$EX06.375\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.12.62.9:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Archivos de programa\Mouse Driver\Mouse Driver\5.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Archivos de programa\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Archivos de programa\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ONIXXB~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117270600531
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C367FEB-C133-43A2-8DDB-1DE388187168}: NameServer = 200.12.63.2,200.12.63.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Archivos de programa\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

Last, regarding the appearance of my desktop, I did everything but nothing worked and the Windows XP style does not appear on desktop > choose Properties > Display Properties, only Windows Classic. The appearance changed after I fixed the files with HJT as instructed in the previous post.

Thanks again, I'll wait for your advice.

Best regards,

Mashingon :tazz:
  • 0

#11
Guest_usetobe_*
  • Guest
click here

Unzip it and MOVE the luna.msstyles which is present in the folder you unzipped to the following folder: C:\WINDOWS\Resources\Themes\Luna
Don't move it to anywhere else than that folder!

When you have moved it there, right-click on your desktop > Properties ... and look if Windows XP style is now present again. Choose Apply and OK.

If not, reboot first, and try again to select Windows XP style.
  • 0

#12
mashingon

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thanks a lot!!! It worked, my computer is back to normal. I really appreciate all your time and effort with my problems...

Thanks again, you've been most helpful.

Yours truly,

Mashingon :tazz:
  • 0

#13
Guest_usetobe_*
  • Guest
From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations, your log now appears to be clean. ;)

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowser are good as well.
And also see TonyKlein's good advice: So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#14
mashingon

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thanks a lot for the advice. I do have Ad-Aware and Spybot installed in my laptop and AVG, and I also use Firefox, so I feel pretty much protected. The problems you helped me with were with the desktop at home, where I also have Ad-Aware, Spybot, Firefox and AVG, but I will download the firewall programs and Spywareblaster.

Again, thanks a lot for everything, you really did a great job with my computer.

Yours truly,

Mashingon :tazz:

(PS: I have a problem running Spybot in my laptop, it basically will not start. I know it has to be posted in a new log, but my question is if there is a way for me to get that new log directly to you, instead of waiting for a new person? Thanks).
  • 0

#15
Guest_usetobe_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





