Search Extender,Shopping Wizard and Home Search

San1117San1117
edited June 2005 in Spyware & Virus Removal
I have spent three days and until I found your site I could not get rid of this garbage. I would like to include my latest Hijack This Log. Could you please look at it and see if I need to remove anything else, or put something back lol? I am not very computer literate, but your step by step directions helped greatly.
Thanks, Barbara

Logfile of HijackThis v1.99.1
Scan saved at 9:53:46 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Updater.exe
C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
c:\syz_dat\systray.exe
C:\Program Files\NoAdware3\NoAdware3.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Class - {54869853-24E2-1ED8-29CD-D04EE4F73800} - C:\WINDOWS\system32\netum32.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [Systmesy] Systmesy.exe
O4 - HKLM\..\RunServices: [MicrosoftXP Service Pack 2] servicepack2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Windows.hta
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094912922109
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://stamps.com/download/us/cab/stamps/stamps.cab?r=0.0531513684495977&file=stamps.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE

Comments

  • SpywareShooterSpywareShooter 127.0.0.1
    edited June 2005
    HSA appears to be gone but you've got some other trojans lurking on your system.

    O2 - BHO: Class - {54869853-24E2-1ED8-29CD-D04EE4F73800} - C:\WINDOWS\system32\netum32.dll (file missing)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O4 - HKLM\..\RunServices: [Systmesy] Systmesy.exe
    O4 - HKLM\..\RunServices: [MicrosoftXP Service Pack 2] servicepack2.exe
    O4 - Global Startup: Microsoft Windows.hta

    Fix those entries then find and delete the following files:
    Systmesy.exe
    servicepack2.exe
    Microsoft Windows.hta

    Then reboot your computer and post a new log.
  • San1117San1117
    edited June 2005
    I think I did what you said, but I cannot find the 04 Global Startup: Microsoft Windows.hta..Here is the new log and thanks
    Logfile of HijackThis v1.99.1
    Scan saved at 12:30:18 PM, on 6/29/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Updater.exe
    C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094912922109
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://stamps.com/download/us/cab/stamps/stamps.cab?r=0.0531513684495977&file=stamps.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Verizon Online\WinPoET\WrOS.EXE




    QUOTE=SpywareShooter]HSA appears to be gone but you've got some other trojans lurking on your system.

    O2 - BHO: Class - {54869853-24E2-1ED8-29CD-D04EE4F73800} - C:\WINDOWS\system32\netum32.dll (file missing)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O4 - HKLM\..\RunServices: [Systmesy] Systmesy.exe
    O4 - HKLM\..\RunServices: [MicrosoftXP Service Pack 2] servicepack2.exe
    O4 - Global Startup: Microsoft Windows.hta

    Fix those entries then find and delete the following files:
    Systmesy.exe
    servicepack2.exe
    Microsoft Windows.hta

    Then reboot your computer and post a new log.[/QUOTE]
  • SpywareShooterSpywareShooter 127.0.0.1
    edited June 2005
    Run these two online virus scans:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    There may be some files that they cannot clean. Please post the log of those files here.
  • San1117San1117
    edited June 2005
    Here is the log from Panda

    Incident Status Location

    Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
    Adware:Adware/SearchAid No disinfected Windows Registry
    Virus:Bck/Webber.P Disinfected Operating system
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\IV4VTARE\go[1].htm
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\IV4VTARE\go[2].htm
    Adware:Adware/CWS.Aboutblank No disinfected C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20050628-211320-133.dll
    Adware:Adware/IWon No disinfected C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20050628-211321-203.inf
    Virus:VBS/Inor.AF Renamed C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20050629-115320-700-Microsoft Windows.RB0
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Broadband comparison.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit counseling.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit report.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Crm software.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Debt credit card.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Escorts.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Fha.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Health insurance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Help desk software.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Insurance home.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for debt consolidation.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for people with bad credit.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Marketing email.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage insurance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage life insurance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Nevada corporations.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online Betting Site.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online gambling casino.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online instant loan.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Order phentermine.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Payroll advance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans online.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans with bad credit.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Prescription Drugs Rx Online.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Refinancing my mortgage.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Tahoe vacation rental.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Unsecured bad credit loans.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Videos.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\What is hydrocodone.url
    Virus:VBS/Inor.AF Renamed C:\ntdetect.RB0
    Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\MYBAREX.DLL
    Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
    Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\NPMYWAY.DLL
    Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\S42NS.EXE
    Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\system32\cmd.ftp
    Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\o
  • SpywareShooterSpywareShooter 127.0.0.1
    edited June 2005
    Clear your Temporary Internet Files (in Internet Explorer go to Tools»Internet Options»Temporary Internet Files»Delete Files).

    Next boot into Safe Mode (press F8 at the BIOS screen when booting) and delete the bold folder:
    C:\Program Files\MySearch\

    Then boot back into Normal Mode, do another scan and post the log.
  • San1117San1117
    edited June 2005
    SpywareShooter wrote:
    Clear your Temporary Internet Files (in Internet Explorer go to Tools»Internet Options»Temporary Internet Files»Delete Files).

    Next boot into Safe Mode (press F8 at the BIOS screen when booting) and delete the bold folder:
    C:\Program Files\MySearch\

    Then boot back into Normal Mode, do another scan and post the log.

    Here is the latest log after I deleted MySearch from the Program Files


    Incident Status Location

    Adware:Adware/MyWay No disinfected Windows Registry
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\IV4VTARE\go[1].htm
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\IV4VTARE\go[2].htm
    Adware:Adware/CWS.Aboutblank No disinfected C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20050628-211320-133.dll
    Adware:Adware/IWon No disinfected C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20050628-211321-203.inf
    Virus:VBS/Inor.AF Renamed C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20050629-115320-700-Microsoft Windows_RB0.vir
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Broadband comparison.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit counseling.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit report.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Crm software.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Debt credit card.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Escorts.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Fha.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Health insurance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Help desk software.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Insurance home.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for debt consolidation.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for people with bad credit.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Marketing email.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage insurance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage life insurance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Nevada corporations.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online Betting Site.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online gambling casino.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online instant loan.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Order phentermine.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Payroll advance.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans online.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans with bad credit.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Prescription Drugs Rx Online.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Refinancing my mortgage.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Tahoe vacation rental.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Unsecured bad credit loans.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Videos.url
    Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\What is hydrocodone.url
    Virus:VBS/Inor.AF Renamed C:\ntdetect_RB0.vir
  • SpywareShooterSpywareShooter 127.0.0.1
    edited June 2005
    Boot into Safe Mode (press F8 at the BIOS screen when booting)and delete the bold folders:
    C:\Documents and Settings\Owner\Favorites\Sites about\
    C:\Documents and Settings\Owner\Desktop\hijackthis\backups\

    Then boot back into Normal Mode, scan again, and post a new log.
  • San1117San1117
    edited June 2005
    I am not sure what you mean by the "bold" folders. I want to make sure I delete the right ones...Thanks
  • SpywareShooterSpywareShooter 127.0.0.1
    edited June 2005
    The two folders that are in this text:

    C:\Documents and Settings\Owner\Favorites\Sites about\
    C:\Documents and Settings\Owner\Desktop\hijackthis\backups\
  • San1117San1117
    edited June 2005
    SpywareShooter wrote:
    The two folders that are in this text:

    C:\Documents and Settings\Owner\Favorites\Sites about\
    C:\Documents and Settings\Owner\Desktop\hijackthis\backups\
    Here is the latest scan


    Incident Status Location

    Adware:Adware/MyWay No disinfected Windows Registry
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\IV4VTARE\go[1].htm
    Adware:Adware/WUpd No disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\IV4VTARE\go[2].htm
    Virus:VBS/Inor.AF Renamed C:\ntdetect_RB0.vir
  • San1117San1117
    edited June 2005
    Last Panda Scan

    Incident Status Location

    Adware:Adware/MyWay No disinfected Windows Registry
    Virus:VBS/Inor.AF Renamed C:\ntdetect_RB0.vir
  • SpywareShooterSpywareShooter 127.0.0.1
    edited June 2005
    Boot into Safe Mode and find and delete this file:
    C:\ntdetect_RB0.vir

    Then boot back into Normal Mode and post a new virus scan log.
  • San1117San1117
    edited June 2005
    SpywareShooter wrote:
    Boot into Safe Mode and find and delete this file:
    C:\ntdetect_RB0.vir

    Then boot back into Normal Mode and post a new virus scan log.
    Ok, this is the last scan from
    Panda


    Incident Status Location

    Adware:Adware/MyWay No disinfected Windows Registry
  • SpywareShooterSpywareShooter 127.0.0.1
    edited June 2005
    Congratulations! Your computer is now spyware free! That one entry that Panda is detecting is just a leftover that it can't delete. I wouldn't reccomend removing it, as removing the wrong registry key can cause parts of your system to become unusuable.

    As precaution measures for the future, please follow these steps to ensure that your computer stays clean and secure:
    1. Always have AntiVirus software running - Having an AntiVirus is very important and can protect you in the future from all kinds of viruses, spyware and other malicious software.

    2. Keep your AntiVirus program updated - Without having an updated AntiVirus program you will be susceptible to any form of new malware as it is released. If your AntiVirus software has the option of Automatic Updates you should enable it. If not, visit the producer's website at least once a week and download any updates for the product.

    3. Use a Firewall - Using a firewall is essential in the Internet today. Having one at default settings will block intruders from accessing your computer and can block new programs from installing without your consent.

    4. WindowsUpdate - Make sure that you keep your computer updated by visiting [link=http://www.windowsupdate.com]windowsupdate.com[/link] weekly, and downloading any critical updates. Many of these updates are against hackers and malware installations. Without all critical updates you will be susceptible to many of the spyware creator's tricks to get you to install their software. Download and install all critical updates and reboot your computer. Continue this until all critical updates have been installed.

    5. Anti-Spyware Software - Spybot - Search & Destroy and Ad-Aware SE

      Both of these programs are free and reccomended by many anti-spyware professionals. You should download them from the links below, keep them updated, and scan weekly.

      Spybot - Search & Destroy
      Ad-Aware SE Personal Edition 1.06

    6. Secure Internet Explorer - Spyware Shooter is a free program which I developed for the cause of blocking malicious websites from installing spyware onto your computer. Please check for updates weekly and download any new releases to make sure that you are safe against newly-disovered websites.

      Spyware Shooter home page



    How to say "thanks":
    1. Donations are not accepted - At Short-Media we do not accept donations. If you have found this website helpful, you can contribute in the following ways.
    2. Stick Around - Without users like you, Short-Media would not be as successful as it is today. One way you can thank us is to stick around the forums. Even if you are not a computer professional you can learn by reading past topics in the forums, or if you do not feel comfortable helping, there are a few forums for non-computer-related topics.
    3. Refer Friends - If you know anyone who is having problems with their computers, or just needs a place to chill online, they would make a great addition to the Short-Media community.
    4. Fold! - Folding is a safe and easy way to help find a cure for fatal diseases such as Alzheimer's. You can learn more about folding at the topic "[link=http://www.short-media.com/forum/showthread.php?t=3"]Everything About Folding@Home[/link]"
This discussion has been closed.