jwbirdsong

Experts
  • Content count: 102
  • Rank: Advanced Member
  1. Absolutely fine.... It SHOULD also be removed by Spybot Search and Destroy and AdAware... two tools you should have in your arsenal anyway for regular maintenance. Links for both progs are in my signature.
  2. Yes, that IS from the My Web Search toolbar. Not really a severe issue, but many people remove it while others choose to keep it. Read more on this (non)threat HERE. If you do wish to rid yourself of this, use Control Panel > Add/Remove and just uninstall any/all MyWeb and MyWebSearch items. Did you run Ewido in Safe Mode? I was thinking it can/will remove this for you. Also update your Java to the latest version by following the procedure HERE.
  3. Just glanced over before work this AM. Nothing obvious in your log to cause this. Is Ewido the only web site you can't get to? Check your hosts file: browse to C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS and open it with Notepad. Make sure that www.ewido.net is NOT in the list. The file MAY be mostly empty; a default hosts file contains the single line 127.0.0.1 localhost and a few comment lines. More info on the hosts file can be found HERE. I'll dig a little deeper after work today also.
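As an added example (not the poster's code or any tool mentioned on this page), the following Python script performs the hosts-file check from the post above mechanically: it parses the file, ignores comment lines and inline comments, reports every mapping beyond the stock 127.0.0.1 localhost line, and answers whether a given domain such as ewido.net has been pointed somewhere. The file contents in SAMPLE_HOSTS are a constructed sample, not a real capture; the parser goes slightly beyond the post by handling several hostnames per line and the IPv6 ::1 localhost entry.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample (not a real capture). The first lines mirror what a
# default Windows hosts file looks like; the last two are the kind of entry a
# hijack leaves behind to keep a security vendor's site from resolving.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.ewido.net        # not part of a default file
0.0.0.0         ewido.net
"""

# The only mappings a stock hosts file carries; anything else gets reported.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, skipping blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()                  # tabs or spaces both separate fields
        if len(parts) < 2:
            continue                          # malformed line with no hostname
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # first field is not an IP address
        for host in parts[1:]:                # one address may list several names
            entries.append((addr, host.lower()))
    return entries


def non_default_entries(text: str) -> List[Tuple[str, str]]:
    """Every mapping in the file beyond the stock localhost lines."""
    return [e for e in parse_hosts(text) if e not in DEFAULT_ENTRIES]


def is_blocked(text: str, hostname: str) -> bool:
    """True if the domain (with or without a www. prefix) is mapped in the file."""
    base = hostname.lower()
    if base.startswith("www."):
        base = base[4:]
    wanted = {base, "www." + base}
    return any(host in wanted for _, host in parse_hosts(text))


if __name__ == "__main__":
    for addr, host in non_default_entries(SAMPLE_HOSTS):
        print(f"non-default entry: {host} -> {addr}")
    print("ewido.net blocked:", is_blocked(SAMPLE_HOSTS, "ewido.net"))
```

On a real machine, read the file at the path given in the post and pass its contents to non_default_entries; a clean file yields an empty list.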
  4. Well, NPMySrWB.dll is usually from MyWeb. If you don't have it already, D/L HijackThis version 1.99.1 from HERE; make sure to unzip it to its own, permanent folder. Help with unzipping files is HERE. To run HijackThis, click Do a System Scan and Save log file, and post the resulting log in a reply to this thread. Use the Add Reply button at the top of the message. I would be happy to take a look at it.
  5. As long as you have no issue not shown in your logs, then we can say: Congratulations, your log is clean.
     First, you should clean your restore points and set a new one. Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):
       1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
       2. Restart your computer.
       3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-check Turn off System Restore. Click Apply, and then click OK. System Restore will now be active again.
     Delete the C:\!Killbox folder.
     To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster, SpywareGuard and IE/Spyad. SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts. IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It is free. More info and download is available at the link in my signature.
     Make SURE to read AND follow the advice in How Did I Get Infected in the First Place??
  6. Little easier to manage list this time, huh?
     Download KillBox: http://www.downloads.subratam.org/KillBox.zip
     Place it in a folder on your Desktop. Help with unzipping files is HERE.
     In the main screen of KillBox, go to Tools in the top menu bar, and select Delete Temp Files. Use the drop down box and clear ALL profiles this way.
     Back at the main Killbox screen, check the box that says 'End Explorer Shell While Killing File'.
     Next click on 'Delete on Reboot'.
     Click the button marked ALL FILES (lower right of Killbox).
     Left click and drag the cursor to highlight ALL files listed in the quote box below, right click and choose Copy.
     Go back to KillBox. Go to File -> Paste from Clipboard and then hit the button with a red circle and white X.
     Confirm to delete and when asked if you want to reboot, say Yes. If you get a PendingOperations message, ignore/close it and restart your computer manually.
     After it reboots, post a final(?) HijackThis log along with any further comments/concerns about how it is running.
  7. Go to Start > Run, then copy/paste the following line in and hit Enter:
       sc delete ".NET Connection Service"
     Now empty your Norton recycle bin; directions are HERE.
     Clean your TIFs and Cookies for IE:
       • Make sure IE and Outlook Express are closed.
       • Go to Control Panel > Internet Options > General (tab).
       • Click the "Delete Cookies" button.
       • Next to it, click the "Delete Files" button. When prompted, place a check in "Delete all offline content", click OK.
     Clean other Temporary files & Recycle Bin:
       • Go to Start > Run and type: cleanmgr then click OK.
       • Let it scan your system for files to remove.
       • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
       • Press OK to remove them.
     If you have FireFox/Mozilla installed, clean your Cache and Cookies in Firefox:
       • Go to Tools > Options.
       • Click Privacy in the menu on the left side of the Options window.
       • Click the Clear button located to the right of each option (History, Cookies, Cache).
       • Click OK to close the Options window.
     Alternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information.
     Then please re-run the Kaspersky Online scan and post the results here. Thanks
  8. If you still need help post a new HijackThis log
  9. Somehow my Email settings were changed and I got no notice of your last reply. I am REALLY sorry. If you still need assistance, post a fresh HijackThis log. Again, sorry.
  10. Please download HijackThis version 1.99.1 from HERE and make sure to unzip it to its own, permanent folder. Help with unzipping files is HERE. To run HijackThis, click Do a System Scan and Save log file, and post the resulting log in a reply to this thread. Use the Add Reply button at the top of the first message. I would be happy to take a look at it.
  11. See if you can get any results from a different scan. And yes, the formatting of word wrap is correct now, thanks.
      Please perform this online scan: Kaspersky Webscan
        0. Make sure to click the button for ONLINE SCANNER and NOT File scanner.
        1. Read the Requirements and Privacy statement, then select "Accept".
        2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
        3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
        4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow".
        5. When the download is complete it will say ready; click "Next".
        6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK".
        7. Select a target to scan: click on "My Computer".
        8. When the scan is complete, choose to save the results as "Save as Text".
      Post the Kaspersky scan results in your next reply together with a new HijackThis log.
  12. First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions. You can not have IE/Firefox/any browser open during the fix.
      Please download Ewido Anti Malware; it is a free version of the program.
        • Install ewido security suite. When installing the program, under "Additional Options" uncheck:
            Install background guard
            Install scan via context menu
        • Launch ewido; there should now be an icon on your desktop, double-click it.
        • The program will now open to the main screen.
        • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
        • You will need to update ewido to the latest definition files: on the left hand side of the main screen click Update. Then click on Start Update.
        • The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)
        • Close Ewido.
      If you are having problems with the updater, you can use this link to manually update ewido: Ewido manual updates
      Next, please reboot your computer in Safe Mode by doing the following:
        • Restart your computer.
        • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
        • Instead of Windows loading as normal, a menu should appear.
        • Select the first option, to run Windows in Safe Mode.
      For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
      Start Ewido Anti-Malware:
        • Click on Scanner. (Note: Do not start any programs or open any windows while Ewido is scanning.)
        • Click on Complete System Scan; the scan will now begin.
        • While the scan is in progress you will be prompted to clean files; click OK.
        • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
        • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report. Click Save Report. Now save the report .txt file to your desktop.
        • Close Ewido.
      When Ewido is finished scanning, reboot back to normal mode and run this online virus scan (MUST use IE): ActiveScan
        • Once you are on the Panda site, click the Scan your PC button.
        • A new window will open; click the Check Now button.
          - Enter your Country
          - Enter your State/Province
          - Enter your e-mail address and click Send (NOTE: it's perfectly safe to do so. You will NOT be spammed from this.)
          - Select either Home User or Company
        • Click the big Scan Now button.
        • If/when you get a notice that Panda wants to install an ActiveX component, allow it.
        • It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes.)
        • When the download is complete, click on Local Disks to start the scan.
        • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
      Post the following in your next reply here:
        • The Ewido log
        • A new HijackThis log
        • Panda results
      When you have the HijackThis log open in Notepad, please click Format > Word Wrap; it makes the log much easier to read.
  13. First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions. You can not have IE/Firefox/any browser open during the fix.
      Please temporarily disable MSAS by doing the following; it may interfere with the fix.
        • Open Microsoft AntiSpyware.
        • Click on Options -> Settings.
        • In the left pane, click on Real-time Protection.
        • Under Startup Options, uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
        • Under Real-time spyware threat protection, uncheck Enable real-time spyware threat protection (recommended).
        • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
        • Restart your computer.
        • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
      Make sure the settings are changed back when we are done.
      Please download FixWareout from one of these sites:
        http://downloads.subratam.org/Fixwareout.exe
        http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
      Save it on your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish. After the fix begins just follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. After your system reboots, follow the prompts. Afterwards, HijackThis will launch.
      Please run it by clicking Scan Only, and check the following items:
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
        O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
        O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
        O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
        O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\system32\winapi32.dll (file missing)
        O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
        O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
        O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
        O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
        O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
        O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
        O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
        O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
        O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
        O17 - HKLM\System\CCS\Services\Tcpip\..\{29F9E830-D513-456C-89BC-D31732E7B9A7}: NameServer = 85.255.114.22
        O17 - HKLM\System\CCS\Services\Tcpip\..\{2B52A889-83D5-44E9-856C-FFF406AFAD49}: NameServer = 85.255.114.22
        O17 - HKLM\System\CCS\Services\Tcpip\..\{791D1283-194E-4D78-8103-6E9C5869A50F}: NameServer = 85.255.114.22
      Click Fix Checked. Close HijackThis, and click OK to proceed.
      Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
      Run the program, accept statement > next > click > scan > next. If any items are detected, have Blacklight rename them except for "wbemtest.exe". Do not rename "wbemtest.exe"; it's a Windows file. If there are any other files you THINK may be valid, don't rename them. Help is available HERE. The tool will ask if you want to reboot (restart); choose yes.
      Finally, please post:
        • the contents of report.txt (it should open; if it does not open or you close it, find a copy in the c:\fixwareout folder)
        • a new HijackThis log
        • the log from Blacklight; the log will be named fsbl-<date/time>.log, eg. fsbl-20051213134642.log.
      Note: IF you are having connection problems after the removal of the O17s with HijackThis, then follow the directions below (these instructions are basically for home users). Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
        • In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections.
        • Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties.
        • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
        • Press OK twice to get out of the properties screen and reboot if it asks.
      That option might not be available on some systems.
  14. First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions. You can not have IE/Firefox/any browser open during the fix.
      I see Viewpoint is installed. Viewpoint Manager is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This had changed from what we knew; read this article: http://www.clickz.com/news/article.php/3561546
      I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
        * Viewpoint
        * Viewpoint Manager
        * Viewpoint Media Player
      Reboot afterwards.
      Please download FixWareout from one of these sites:
        http://downloads.subratam.org/Fixwareout.exe
        http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
      Save it on your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish. After the fix begins just follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. After your system reboots, follow the prompts. Afterwards, HijackThis will launch.
      Please run it by clicking Scan Only, and check the following items:
        O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\jtpoe.dll (file missing)
        O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\jtpoe.dll (file missing)
        O17 - HKLM\System\CCS\Services\Tcpip\..\{EF48425A-B70B-4AD5-8D62-97942AB0CC1A}: NameServer = 85.255.115.74,85.255.112.129
        O17 - HKLM\System\CCS\Services\Tcpip\..\{FAB425BD-F741-49C0-8D87-6F47D5FF7717}: NameServer = 85.255.115.74,85.255.112.129
        O17 - HKLM\System\CS2\Services\Tcpip\..\{3125AC76-D5A7-4705-988A-048617D4E5EA}: NameServer = 85.255.115.74,85.255.112.129
      Click Fix Checked. Close HijackThis, and click OK to proceed.
      Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
      Run the program, accept statement > next > click > scan > next. If any items are detected, have Blacklight rename them except for "wbemtest.exe". Do not rename "wbemtest.exe"; it's a Windows file. If there are any other files you THINK may be valid, don't rename them. Help is available HERE. The tool will ask if you want to reboot (restart); choose yes.
      Finally, please post:
        • the contents of report.txt (it should open; if it does not open or you close it, find a copy in the c:\fixwareout folder)
        • a new HijackThis log
        • the log from Blacklight; the log will be named fsbl-<date/time>.log, eg. fsbl-20051213134642.log.
      You should also update your Java by following the procedure HERE.
      Note: IF you are having connection problems, follow the directions below (these instructions are basically for home users). Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
        • In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections.
        • Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties.
        • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
        • Press OK twice to get out of the properties screen and reboot if it asks.
      That option might not be available on some systems.
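As an added example covering posts 13 and 14 above (not the poster's code, and not part of HijackThis, FixWareout or Blacklight), the following Python script triages the two line types those posts single out for Fix Checked: O17 entries whose NameServer is not on an allow-list of resolvers the machine's owner expects, and O2 BHO entries that are still registered but whose DLL is gone. The sample input reuses the O2 and O17 lines quoted in those posts plus one constructed O17 line (placeholder GUID, home-router address 192.168.1.1) standing in for a legitimate adapter; EXPECTED_DNS is an assumed allow-list that in practice would come from the ISP or router configuration.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Sample input: O2 and O17 lines quoted in the posts above, plus one
# constructed O17 line (placeholder GUID, router address) for a healthy
# adapter. Not a complete HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\system32\winapi32.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\jtpoe.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{29F9E830-D513-456C-89BC-D31732E7B9A7}: NameServer = 85.255.114.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF48425A-B70B-4AD5-8D62-97942AB0CC1A}: NameServer = 85.255.115.74,85.255.112.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}: NameServer = 192.168.1.1
"""

# Assumed allow-list: the resolvers the owner expects (here, a home router).
EXPECTED_DNS: Set[str] = {"192.168.1.1"}

# O17 lines carry an adapter GUID followed by one or more resolver addresses.
O17_RE = re.compile(r"^O17 - .*(\{[0-9A-Fa-f-]{36}\}): NameServer = (.+)$")
# O2 lines carry a BHO name, its CLSID and the DLL path (or a missing-file marker).
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def parse_nameservers(log: str) -> List[Tuple[str, str]]:
    """(adapter GUID, resolver IP) for every resolver named in an O17 line."""
    found = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        guid, servers = m.groups()
        for server in servers.split(","):       # several resolvers may share a line
            server = server.strip()
            try:
                ipaddress.ip_address(server)    # ignore anything that is not an IP
            except ValueError:
                continue
            found.append((guid, server))
    return found


def unexpected_nameservers(log: str, expected: Set[str]) -> List[Tuple[str, str]]:
    """O17 resolvers missing from the allow-list: the DNS-hijack signal."""
    return [(guid, ip) for guid, ip in parse_nameservers(log) if ip not in expected]


def dangling_bhos(log: str) -> List[str]:
    """CLSIDs of O2 BHOs whose DLL is reported as '(no file)' or '(file missing)'."""
    dangling = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        _name, clsid, target = m.groups()
        target = target.strip()
        if target == "(no file)" or target.endswith("(file missing)"):
            dangling.append(clsid)
    return dangling


def triage(log: str, expected: Set[str]) -> Dict[str, list]:
    """Summary a helper would read before deciding what to Fix Checked."""
    return {
        "o17_unexpected": unexpected_nameservers(log, expected),
        "o2_dangling": dangling_bhos(log),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, EXPECTED_DNS)
    for guid, ip in report["o17_unexpected"]:
        print(f"O17 {guid}: NameServer {ip} is not an expected resolver")
    for clsid in report["o2_dangling"]:
        print(f"O2 {clsid}: BHO registered but its file is missing")
```

Resolvers that pass the allow-list are still worth a second look if they are not in the ISP's published ranges; the script only mechanises the comparison against what the owner says is expected.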
  15. Everyone who answers logs/helps on this (and most other malware help) forums is a volunteer. Most forums, including this one, have a policy about who may and may not respond to logs. Forum ranks/permissions are generally granted by the forum owner (in this case Rubberducky). For people who would like to learn about malware removal there are several "Boot camp"/training forums where many (most, in fact) of us that do respond to these logs have been at one time or another. There are always exceptions; some people with a good knowledge/background in malware/computer troubleshooting can be given rank with the training. It's all up to the individual forum Moderator.