Hi there. I scanned using ewido and this is the log.

ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:59:14 p.m. 14/02/2007

+ Scan result:

C:\Program Files\Alwil Software\Avast4\DATA\moved\USYP_0001_N76M1005NetInstaller.exe.vir -> Downloader.Small : No action taken.
C:\Documents and Settings\Geoffrey.HOME\Cookies\geoffrey@com[1].txt -> TrackingCookie.Com : No action taken.

::Report end

Can you please help me to delete this malware? Thanks in advance for your help.
Just clean out your cookies folder, C:\Documents and Settings\Geoffrey.HOME\Cookies\, and delete every cookie in there.
Hi kateman, I deleted the cookies as you said, but when I restarted my computer and scanned using Ad-aware I still find this malware in my system. So I scanned using AVG Anti-Spyware and this is the log ...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:18:46 p.m. 15/02/2007

+ Scan result:

C:\Program Files\Alwil Software\Avast4\DATA\moved\USYP_0001_N76M1005NetInstaller.exe.vir -> Downloader.Small : No action taken.

::Report end

It's a program or malware called Downloader.Small that is causing all the problems, I think. Please help.
What made you run the scan? What symptoms were you getting? Popups? Posting a HJT log would be your first step. If you're getting popups it could be a Vundo or CoolWeb problem. win32:winfixer-b: not much info on it, but it does not seem to be the end of the world to get rid of either. And there are about 2000 Downloader.Small variants. You said you ran the scan but did not say why, and that is very important.

Kateman, you still got this one. I just saw it and did a little looking up. Did not mean to stick my nose in a working thread. I think you know me enough by now. Only if I think I can help with some idea. Sometimes the problems can be posted a little vague. If I could spell I would never need to edit lol
Actually I didn't get any popups. But I found this malware randomly. When I scan with Ad-aware it says there is a malware named Win32:Winfixer-B[TOOL]. I left out the word 'TOOL' before. Does that make any difference? Not sure. If I scan with Spybot it doesn't show me that I have a malware. I ran the scan because I wanted to give you guys where the malware is actually located. Do you want me to install some other software and run a scan on my comp? Let me know.
That is up to Kateman. Makes us all better in the end. I just did a little research on it. A HJT log would be a good start, but don't save it in a temp folder, and rename it before using it. You want it on your C:\ drive for backup. Call it XXX.exe, it's still HJT. It is considered a tool, so no big deal.
Hi, I downloaded HijackThis and I'm posting its log.

Logfile of HijackThis v1.99.1
Scan saved at 10:44:38 a.m., on 16/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\khooker.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Downloads\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
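As an added example (not from this thread and not part of HijackThis itself), a small Python triage script for a log in the format posted above: it splits the log into its numbered sections and pulls out the entries a reviewer checks by hand when deciding whether a log is clean, namely registry references whose backing file is gone and BHOs with no name. The sample lines are constructed by copying a few entries from the posted log.

```python
import re

# Constructed sample: a handful of entries copied from the HijackThis v1.99.1
# log posted above (raw string, so the Windows paths need no escaping).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# An HJT entry is "<section> - <body>"; sections are R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(text):
    """Return (section, body) pairs for every entry line; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def triage(text):
    """Count entries per section and list the ones to look at by hand.
    Flags entries whose file is gone ("(no file)" / "(file missing)") and
    unnamed O2 BHOs; a flag means "check this", not "this is malware".
    """
    counts = {}
    review = []
    for sec, body in parse_hjt(text):
        counts[sec] = counts.get(sec, 0) + 1
        reasons = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("file missing")
        if sec == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")
        if reasons:
            review.append({"section": sec, "reasons": reasons, "entry": body})
    return {"counts": counts, "review": review}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("entries per section:", result["counts"])
    for item in result["review"]:
        print(f"[{item['section']}] {', '.join(item['reasons'])}: {item['entry']}")
```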
This situation is weird, the log is clean :S I did some looking around and no website seems to know what this is. I could run heaps of scanners off a list but none I think will help this situation. There are two ways this can go: 1. it's a false positive (very unlikely with Ad-aware) or 2. if HJT didn't pick it up it's either spyware that realised that you have HJT on your HD or it's probs a trojan.

@bkf: hey, I don't mind. This place is about helping others; if you can do it faster I am all for it. Anyway, I may learn a thing or two.
Okay, long shot but the best I have right now. Fingers crossed boys.

Restart your computer into Safe Mode now. (Start tapping the F8 key at startup, before the Windows logo screen.)

Perform the following steps in Safe Mode:

* Run Ewido:
  Click on Scanner.
  Click Complete System Scan and the scan will begin.
  During the scan it will prompt you to clean files; click OK.
  When the scan is finished, look at the bottom of the screen and click the Save report button.
  Save the report to your desktop.
* Reboot.
* Post a new HijackThis log and the results of the Ewido scan.
@kateman: some info here: http://forums.techguy.org/security/436352-solved-trojan-vundo.html Seems related to the freeprod virus; possibly comes from AIM as a toolbar add-on.
@janrocks: umm, thanks, but how does that thread have any relevance? That is about ssqro.dll; we are talking about Win32:Winfixer-B[TOOL]. haha, and I've never heard of the freeprod virus.
It's listed in the HJT logs the sufferer posted. Just remembered seeing it yesterday and thought it "might" help while you are trying to hunt it down.
Kateman: It's not a contest. You are far better than me in here. My counsel would be a scan log using VundoFix, SmitFraud, and an online Panda scan to see where we stand. While all 3???? pages about this were interesting, they did move from a false indication to a valid problem known under a dozen names. I found one site and the guy had to jump through hoops. Hopefully we do not need to do this here. And will you people STOP downloading those stupid browser helper programs. If I did a math study of people infected, 80% have those helper bars. Nothing is ever free. Keep thinking and we will keep watching, and in the end it will be us that learn something from you, and you will be solid with how to deal with yet another bug. Thanks Jan for getting involved also! Bk
Don't put yourself down, heck, I've never seen somebody so dedicated to finding information on stuff like you do haha, I reckon. You know what else I have realised: EVERYBODY's HJT log I have seen (who have Norton) has an infection. This has gone way off track.

@geoff007: any luck with Ewido in Safe Mode?
Hello. Interestingly, I scanned using Ewido and now it says that there's no problem. It says that the system is clean. I'm not sure why it's not showing the problem now. I didn't do any cleaning except the one when you told me to clean the cookies in a folder. When I scanned with Ad-aware it didn't show me any malware, so I guess it's good news. In 3 days I'll scan once again and I'll let you know if there's any problem, OK.
Thanks Kateman: When you sit here wondering if you're going to live or die in 6 months, it gives me something useful to do. My counsel would still be scanning using some of the free programs just to make sure. You're a good person Kateman! Bk