[tampabelle]

Lets try this instead -

Run Hijack This. Click on Config ---> Misc Tools ---> Open Process Manager.
Kill each of the following processes, if found -

Hardware Clock Driver / (hwclock) / C:\WINDOWS\System32\hwclock.exe
Network DDE Client / (NetDDEclnt) / C:\WINDOWS\System32\netddeclnt.exe

C:\WINDOWS\System32\Fmspdy.exe
C:\WINDOWS\System32\Twypai.exe
C:\WINDOWS\System32\oif6ak25.exe
C:\Program Files\Wflumn\Fdgyzs.exe
winhost.exe
Logitech.exe
ntguard32.exe
winupdater.exe


Run Hijack This again. Click on config ---> Misc Tools ----> Delete an NT service. Enter the following item - hwclock - and hit enter. Repeat the process with NetDDEclnt.

Run Hijack This and click on scan. The following items need to be fixed -

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O4 - HKLM\..\Run: [Logitech] Logitech.exe
O4 - HKLM\..\Run: [WSAConfiguration] ntguard32.exe
O4 - HKLM\..\Run: [Microsoft Update] winupdater.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Fmspdy.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Twypai.exe
O4 - HKLM\..\Run: [oif6ak25] C:\WINDOWS\System32\oif6ak25.exe
O4 - HKLM\..\Run: [Vrbteswr] C:\Program Files\Wflumn\Fdgyzs.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKLM\..\RunServices: [Logitech] Logitech.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] ntguard32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winupdater.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Connect back the PC and modem.

Reboot the PC in Safe Mode.

Locate and delete the files -

C:\WINDOWS\System32\Fmspdy.exe
C:\WINDOWS\System32\Twypai.exe
C:\WINDOWS\System32\oif6ak25.exe
C:\Program Files\Wflumn\Fdgyzs.exe
winhost.exe
Logitech.exe
ntguard32.exe
winupdater.exe

Reboot the PC and post a fresh HJT log

[Advertisements]

Lets try this instead -

Run Hijack This. Click on Config ---> Misc Tools ---> Open Process Manager.
Kill each of the following processes, if found -

Hardware Clock Driver  /  (hwclock)  /  C:\WINDOWS\System32\hwclock.exe
Network DDE Client    /    (NetDDEclnt)    /  C:\WINDOWS\System32\netddeclnt.exe

C:\WINDOWS\System32\Fmspdy.exe
C:\WINDOWS\System32\Twypai.exe
C:\WINDOWS\System32\oif6ak25.exe
C:\Program Files\Wflumn\Fdgyzs.exe
winhost.exe
Logitech.exe
ntguard32.exe
winupdater.exe

none of these are in the list

Run Hijack This again. Click on config ---> Misc Tools ----> Delete an NT service. Enter the following item - hwclock - and hit enter. Repeat the process with NetDDEclnt.

got the same message: they are running and need to disabled.

Run Hijack This and click on scan. The following items need to be fixed -

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O4 - HKLM\..\Run: [Logitech] Logitech.exe
O4 - HKLM\..\Run: [WSAConfiguration] ntguard32.exe
O4 - HKLM\..\Run: [Microsoft Update] winupdater.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Fmspdy.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Twypai.exe
O4 - HKLM\..\Run: [oif6ak25] C:\WINDOWS\System32\oif6ak25.exe
O4 - HKLM\..\Run: [Vrbteswr] C:\Program Files\Wflumn\Fdgyzs.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKLM\..\RunServices: [Logitech] Logitech.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] ntguard32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winupdater.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Connect back the PC and modem.

Reboot the PC in Safe Mode.

Locate and delete the files -

C:\WINDOWS\System32\Fmspdy.exe
C:\WINDOWS\System32\Twypai.exe
C:\WINDOWS\System32\oif6ak25.exe
C:\Program Files\Wflumn\Fdgyzs.exe
winhost.exe
Logitech.exe
ntguard32.exe
winupdater.exe

Reboot the PC and post a fresh HJT log

[Souss]

Lets try this instead -

Run Hijack This. Click on Config ---> Misc Tools ---> Open Process Manager.
Kill each of the following processes, if found -

Hardware Clock Driver  /  (hwclock)  /  C:\WINDOWS\System32\hwclock.exe
Network DDE Client    /    (NetDDEclnt)    /  C:\WINDOWS\System32\netddeclnt.exe

C:\WINDOWS\System32\Fmspdy.exe
C:\WINDOWS\System32\Twypai.exe
C:\WINDOWS\System32\oif6ak25.exe
C:\Program Files\Wflumn\Fdgyzs.exe
winhost.exe
Logitech.exe
ntguard32.exe
winupdater.exe

none of these are in the list

Run Hijack This again. Click on config ---> Misc Tools ----> Delete an NT service. Enter the following item - hwclock - and hit enter. Repeat the process with NetDDEclnt.

got the same message: they are running and need to disabled.

Run Hijack This and click on scan. The following items need to be fixed -

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O4 - HKLM\..\Run: [Logitech] Logitech.exe
O4 - HKLM\..\Run: [WSAConfiguration] ntguard32.exe
O4 - HKLM\..\Run: [Microsoft Update] winupdater.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Fmspdy.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Twypai.exe
O4 - HKLM\..\Run: [oif6ak25] C:\WINDOWS\System32\oif6ak25.exe
O4 - HKLM\..\Run: [Vrbteswr] C:\Program Files\Wflumn\Fdgyzs.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKLM\..\RunServices: [Logitech] Logitech.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] ntguard32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winupdater.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Connect back the PC and modem.

Reboot the PC in Safe Mode.

Locate and delete the files -

C:\WINDOWS\System32\Fmspdy.exe
C:\WINDOWS\System32\Twypai.exe
C:\WINDOWS\System32\oif6ak25.exe
C:\Program Files\Wflumn\Fdgyzs.exe
winhost.exe
Logitech.exe
ntguard32.exe
winupdater.exe

Reboot the PC and post a fresh HJT log

[tampabelle]

ok, proceed with the rest of the fix i.e. fixing the entries in HJT and then deleting them !!!

[Souss]

I couldn't find any of the files you asked to delete.

here is the new log
thanks

Attached Files

•  hijackthis5.txt   7.16KB   128 downloads

[tampabelle]

The HJT log looks much better !!!

Has your PC improved in any perceptible way ???

[Souss]

there is slight improvement, I have less popups.

but the wallpaper is still gone, so as the start bar, my internet explorer is still weird and I can't run most programs.

Edited by Souss, 29 June 2005 - 12:30 PM.

[tampabelle]

Hi Souss,

Can you visit this site - http://www3.ca.com/s...sinfo/scan.aspx and do an online scan ??

Let it fix any itmes that it finds and save the scan report for posting here

[Souss]

Here is the report. All viruses could not be cured so they were deleted, except for the last one.

Scan Results: 33335 files scanned. 10 viruses were detected.

prompt[1].htm
JS.SillyDlScript.H
deleted
C:\Documents and Settings\Souss\Local Settings\Temporary Internet Files\Content.IE5\6MN07HCS\

Fdgyzs.exe
Win32.Dyfuca.B
deleted
C:\RECYCLER\S-1-5-21-2176965470-3732937156-2088241414-1005\Dc24\

actalert.exe
Win32.Dyfuca.L
deleted
C:\RECYCLER\S-1-5-21-2176965470-3732937156-2088241414-1005\Dc26\

optimize.exe
Win32.Dyfuca.P
deleted
C:\RECYCLER\S-1-5-21-2176965470-3732937156-2088241414-1005\Dc26\

actalert.exe
Win32.Dyfuca.L
deleted
C:\RECYCLER\S-1-5-21-2176965470-3732937156-2088241414-1005\Dc26\update\

rogue.exe
Win32.Dyfuca.B
deleted
C:\RECYCLER\S-1-5-21-2176965470-3732937156-2088241414-1005\Dc26\update\

Dc30.dll
Win32.Dyfuca.F
deleted
C:\RECYCLER\S-1-5-21-2176965470-3732937156-2088241414-1005\

A0038157.dll
Win32.Dyfuca.D
deleted
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP5\

A0038158.exe
Win32.SillyDl.JC
deleted
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP5\

wininet.dll
Win32.Alemod.A
cannot delete
C:\WINDOWS\system32\

Edited by Souss, 29 June 2005 - 01:11 PM.

[tampabelle]

Copy this into a text file and name it as locate.bat -

dir %Systemdrive%\wininet.dll /a h /s > files.txt

Run locate.bat

Attach the files.txt in your next reply

[Souss]

here it is

Attached Files

•  files.txt   525bytes   112 downloads

[tampabelle]

Hi Souss,

looks like all the available and latest copies of wininet.dll are infected !!!!

I want you to edit the registry now !!! You have to be very careful as modifying any key other than the one specified can seriously effect your PC !!!!

If you are not comfortable, then I will figure out another way !!!!

Run regedit. Locate the following keys -

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

For each of the keys, make sure that the DisableRegistryTools dword is set to 0.

Please try it and report back

[Souss]

again, I can't run regedit. error message.

[tampabelle]

Can you save the text -

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

as a text file and rename it as 1.reg. Double click on it and let it merge with the registry.

Let me know how it goes

[Souss]

same error message when I double click the file

[tampabelle]

Souss,

I need to get more ideas !!!!!!!!!

I will check with others and get back