sari

Members (Content Count: 105)

Everything posted by sari

  1. tman70, Well, nothing is showing there. I'm going to have you run a scan that is similar to the combofix I had you run, but should be more detailed. Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Thanks, sari
  2. I am going to suggest you try the Kaspersky online scanner http://www.kaspersky.com/virusscanner Click on the thing with the magnifying glass at upper left. It will only identify (not remove) the infection but it will help the guys in the security and hijack forum to help you. Just for the record, I cannot find any info on this other than on 2 blogs. I've searched Kaspersky's site, Webroot's site, and many other legitimate sites that we commonly use to investigate malware, etc. I'm not sure of the origin of this particular story. Every other reference for snakeoil.dom that I can find is r
  3. tman70, We'll get rid of the key, but since that file seems to be gone, I don't think it's the issue. I'm trying to do some research on other ways to get rid of this. In the meantime, I want you to run a rootkit scanner. Download GMER from here: http://www.gmer.net/files.php Unzip it to the desktop. Open the program and click on the Rootkit tab. Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’. Click on Scan. When the scan has run click Copy and paste the results (if any) into this thread. Thanks, sari
  4. tman70, I believe that's telling me that file no longer exists - there's a registry entry pointing to it, but the file itself is gone, which is a good thing (except I would have liked to have known what it was!). The attributes were hidden because it was a hidden directory - even though you had unhidden everything, the attributes would remain the same. Are you still having the redirections on secure links? sari
  5. tman70, Show Hidden Files * Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View Tab. * Under the Hidden files and folders heading select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm. * Click OK. I'd like you to see if you can find the following file: C:\SysMa2\svchost.exe If so, please do the following: Right click on the folder - c:\SysMa2 - and select Send to Compressed Folder. It will create a zipped folder in the same directory
  6. tman70, Ok, that one is clean. Let's try a more generalized scan that will show me more files. 1. Download ComboFix.exe using either of these links: * bleepingcomputer.com * techsupportforum.com 2. Double click on combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Thanks, sari
  7. Double_D_Edd, Hi, and welcome to the Besttechie forums. It looks like you've caught a case of Vundo, so let's get you cleaned up. Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  8. tman70, There's not much jumping out at me in your log, except for maybe some leftovers, but let's run some things and see if anything comes up. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "Ris
  9. Moonastar, Hi, and welcome to Besttechie. You do indeed have some problems in your log, but I need a little more information before I can help you. The top of your hijackthis log was cut off, and I need to see that information. It should look something like this: Logfile of HijackThis v1.99.1 Scan saved at 1:48:59 PM, on 6/18/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) If you could please put that information in a reply to this thread, then I can move ahead with helping you. Thanks! sari
  10. jplink, Hi, and welcome to Besttechie. I need you to re-enable everything in msconfig and post a new hijackthis log. If you have malware, you may be hiding it, and I need to see everything that normally starts up. Thanks, sari
  11. Whiskeyman, That looks a lot better, but your Java version is very out of date, which still leaves this laptop vulnerable. You need to update (you can do that via the Java control panel), as well as uninstall any older versions. You should be able to update XP SP2 now as well. Finally, did you change security settings in IE? I ask because of this line: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present This is often present with a protection program such as Spybot Search and Destroy's Teatimer, which I don't see, but I figured you may have restricted the security se
  12. I know you're whiskeyman at Geeks to Go, and you have access to everything there. I don't know if you recognized that you had an sdbot infection and should have run sdfix. Did you not really want help with the logs? I'm a little confused, and don't really know what's left on there since I don't really know everything that you did.
  13. TheTerrorist_75, I'm currently reviewing all your logs, and will be posting something soon. For the most part, the infections are PC-wide, so we can run the fixes on user only, which will help with the process. There is purityscan on one user only, which will have to be addressed separately. Keep your eyes open for my next reply. sari
  14. shortfuse, Hi, and welcome to the Besttechie forums. I apologize for the delay in responding to your thread. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe Now close all windows other than HiJackThis, then click Fix Checked. Please download the Killbox by Option^Explicit. Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop. Please double-click Killbox.exe to run it. Select: Delete on Reboot then Click on the All File
  15. rmurphy7817, Hello, and welcome to Besttechie. Your log is actually clean, and I don't see the tell-tale signs of AWF. Just to be on the safe side, though, I'd like you to repeat the scan in safemode using the following directions, and then post the log from the AVG Anti-Spyware scan so I can see what it finds. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning
  16. spikeq1love, Let's answer your questions first: O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll <== related to Java (which is out-of-date; I'll provide instructions on updating it). O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL <=== related to Microsoft office O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll <== This has to do with Windows Genuine Advantage, which is a program to verify the authenticity of your Windows version
  17. mainter, Hi, and welcome to Besttechie. Your friend does indeed have a few problems, so let's get started. It will take multiple steps to get this cleaned up, so please stay with me until we're finished. 1. Download Ewido anti-spyware from HERE and save that file to your desktop. This is a 30 day trial of the program. Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete, run Ewido and update the definition files. On the main screen select the icon "Update" then select the "Update now" link. Next
  18. romeo, I'm glad we got you straightened out - we try to avoid re-formatting whenever possible. I would suggest getting something like spywareguard or spywareblaster, which will provide better protection against unexpected downloads than an anti-virus alone will. I would also recommend using something like Firefox as your browser - I've been using it for a while now, and I'm very impressed with it, and it will also provide more protection against Activex controls and popups. sari
  19. romeo, It looks like we finally got it! Your log is clean now Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications: Detect and Remove Programs: How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware. How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Simil
  20. romeo, Well, the good news is that the entries are no longer in your hijackthis log. Please delete the following files: C:\WINDOWS\SYSTEM32\CSFAS.EXE C:\WINDOWS\SYSTEM32\DMHZB.EXE Also, look in your c:\windows\system32 directory and delete anything that looks like this: {AB48B2C9-9B9C-4CFB-A482-5DC00DDFFDDB}.exe {920B2EB2-7E96-47A2-8F3B-61445E3645A0}.exe Then run the wareoutfix again (I hope it's the last time) and post that and a new hijackthis log. sari
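The post above asks romeo to look through C:\Windows\System32 for executables named after a bare GUID ({...}.exe) and delete them along with two named files. The following PowerShell script is an added example, not code from sari or the Besttechie thread, that does the same hunt with a regex instead of by eye, lists hashes and attributes (hidden/system files are exactly what the earlier posts had trouble seeing), and only deletes when asked. The file names CSFAS.EXE and DMHZB.EXE come from the post; everything else (parameter names, output format) is an assumption for the example. Run it from an elevated prompt.

```powershell
# Added example (not from the original thread): find GUID-named executables in
# System32, like the {AB48B2C9-...}.exe files the post asks romeo to delete.
# Usage:  .\Find-GuidExe.ps1            -> list only
#         .\Find-GuidExe.ps1 -Remove    -> list, then delete with confirmation
param([switch]$Remove)

$sys32 = Join-Path $env:WINDIR 'System32'

# A bare GUID in braces, then .exe, and nothing else in the name.
$guidExe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$'

# -Force includes hidden and system files; malware droppings are often marked
# hidden, which is why Explorer with default settings never shows them.
$hits = Get-ChildItem -Path $sys32 -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidExe }

# The two files named explicitly in the post (names are from the post).
$named = 'CSFAS.EXE', 'DMHZB.EXE' |
    ForEach-Object { Join-Path $sys32 $_ } |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-Item -LiteralPath $_ -Force }

$all = @($hits) + @($named)
if ($all.Count -eq 0) {
    Write-Host "No GUID-named or listed executables found in $sys32"
    return
}

# Hashes are what you post back in a thread so a helper can look the file up
# before anything is deleted; attributes show whether it was hiding.
$all | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.Name
        Length        = $_.Length
        LastWriteTime = $_.LastWriteTime
        Attributes    = $_.Attributes
        SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize

if ($Remove) {
    # -Force is needed for hidden/read-only files. A file held open by a running
    # process still fails here and has to be removed on reboot (the Killbox
    # "Delete on Reboot" approach used later in this thread).
    $all | Remove-Item -Force -Confirm
}
```

The regex is deliberately strict: a legitimate file with a GUID somewhere in its name but other text around it will not match, so review the list before deleting rather than widening the pattern.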
  21. romeo, Ok, we are making progress. Let's kill the remaining files, and then delete the lines from hijackthis. Please download the Killbox by Option^Explicit. Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop. Please double-click Killbox.exe to run it. Select: Delete on Reboot then Click on the All Files button. [*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): {5E3CCD7B-B470-4F31-86FE-017DEBF813FB}.exe {0F7A4563-
  22. romeo, Go to Start > Run and type "Services.msc" (without quotes) then hit Ok Scroll down and find the below services: System Startup Service (SvcProc) When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok. Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into t
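The services.msc and HijackThis "Delete an NT Service" steps in the post above can be done from PowerShell in one pass. The script below is an added example, not code from sari or the thread; it records where the service's binary lives (the detail a helper wants posted back, and the file you look for afterwards), stops and disables it, and only deletes the service definition when asked. The service name SvcProc and display name "System Startup Service" are taken from the post; the parameter names are assumptions for the example. Run it from an elevated prompt.

```powershell
# Added example (not from the original thread): stop, disable and optionally
# delete a suspicious Windows service. Defaults to the SvcProc service from the post.
# Usage:  .\Disable-SuspectService.ps1                 -> stop + disable SvcProc
#         .\Disable-SuspectService.ps1 -Delete         -> also delete the service
#         .\Disable-SuspectService.ps1 -ServiceName X  -> another service name
param(
    [string]$ServiceName = 'SvcProc',
    [switch]$Delete
)

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "Service '$ServiceName' not found (already removed, or the name differs)"
    return
}

# Capture the configuration before touching it. PathName is the executable the
# service runs; that is what you post in a thread and what you check for later.
$cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
"{0} ({1})`n  State: {2}`n  StartMode: {3}`n  Path: {4}" -f `
    $cfg.Name, $cfg.DisplayName, $cfg.State, $cfg.StartMode, $cfg.PathName

# Same as the Stop button in services.msc.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
}

# Same as setting Startup Type to Disabled.
Set-Service -Name $ServiceName -StartupType Disabled

if ($Delete) {
    # Equivalent of HijackThis' "Delete an NT Service": marks the service for
    # deletion. It disappears once nothing holds a handle to it, which in
    # practice often means after a reboot.
    sc.exe delete $ServiceName | Out-Host
}
```

Disabling before deleting matters: a service that is merely deleted while still running can keep its process alive until reboot, and a service that is disabled but not deleted can still be re-enabled by whatever installed it, so the post's order (stop, disable, then delete) is the right one.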
  23. romeo, You have a newer variant of wareout - I'm reviewing information on how to fix it, and will post back shortly. sari
  24. HAPPY BIRTHDAY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!