You may wish to save these instructions to notepad or print them out for use while in Safe Mode.

Step # 1
Configure Windows to Show all hidden files & folders: http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/50/
Ensure you're familiar with rebooting into Safe Mode: http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/54/
Download and install Ewido Anti-Malware from here: http://www.ewido.net/en/download/

Step # 2
Go to Start > Control Panel > Add/Remove Programs and remove the following:

Ebates Moe Money Maker
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
Viewpoint Manager (Remove Only)
Viewpoint Toolbar V35 (Remove Only)

* versions of Sun Java older than v1.5.6 are vulnerable to infection whether you have the latest version installed or not.

Step # 3
Reboot into Safe Mode now please. Scan with HijackThis again and place a checkmark in the boxes before the following entries:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ViewpointPhotosDeviceConnect] C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28911fa862ced91eb817/netzip/RdxIE601.cab

Close ALL OTHER OPEN WINDOWS (inc. this one) and click the "Fix Checked" button.

Step # 4
Use Windows Explorer to locate & delete the following files/folders in bold:

C:\Program Files\MyWebSearch\
C:\Program Files\Viewpoint\
C:\Program Files\Ebates_MoeMoneyMaker\

*Right click the file or folder and select delete.

Step # 5
Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content", click OK.

Clean your Cache and Cookies in Firefox (if you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking "Clear All". A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin:
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Step # 6
Now open Ewido Anti-Malware.
Click on Scanner.
Click on Complete System Scan and the scan will begin.
Warning: Do NOT open any other windows or your Control Panel while scanning as it may prevent scan completion!!
At the first infection, select "Remove" and checkmark the boxes beside "Perform action on all infections" and "Create encrypted backup in the quarantine" in the left corner.
Upon scan completion, click the Save report button and save the report.txt to your desktop.

Step # 7
Reboot and run either of the following online virus scans with Internet Explorer (saving the scan report when complete):

Kaspersky On-line Scanner
Panda ActiveScan

Step # 8
Then post the following in your next reply please:
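
Added example, not part of the original post: a Python check that a fresh HijackThis log no longer contains the Step 3 entries, matching on the Step 4 folders (including the 8.3 short-name spelling used in the O4 lines) and on the CLSIDs of entries that have no such path. The function names, the short-name mapping and the sample log are assumptions made for illustration.

```python
import re

# Markers from the post: the Step 4 folders plus the host in the O8 entry.
MARKERS = [
    r"c:\program files\mywebsearch",
    r"c:\program files\viewpoint",
    r"c:\program files\ebates_moemoneymaker",
    "bar.mywebsearch.com",
]
# Assumption: 8.3 short names map as the post's two mwsoemon.exe spellings suggest.
SHORT_NAMES = {"progra~1": "program files", "mywebs~1": "mywebsearch"}
# Step 3 entries that carry no path under the folders above.
CLSIDS = {
    "{ba52b914-b692-46c4-b683-905236f6f655}",
    "{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb}",
    "{4c226336-4032-489f-9674-67e74225979b}",
    "{56336bcb-3d8a-11d6-a00b-0050da18de71}",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then the entry body
CLSID = re.compile(r"\{[0-9a-f-]{36}\}")

def normalise(body):
    """Lower-case the entry and expand the short names so one marker matches both forms."""
    body = body.lower()
    for short, long_name in SHORT_NAMES.items():
        body = body.replace(short, long_name)
    return body

def leftovers(log_text):
    """Return (section, line) for each entry the post asked to be fixed."""
    hits = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # header, process list, blank line
        body = normalise(match.group(2))
        by_path = any(marker in body for marker in MARKERS)
        by_clsid = any(c in CLSIDS for c in CLSID.findall(body))
        if by_path or by_clsid:
            hits.append((match.group(1), line.strip()))
    return hits

# Constructed rescan log, not from the original thread.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
"""
```

Calling `leftovers(SAMPLE_LOG)` returns the O3, O4 (short-name path) and O16 lines and skips the unrelated Run entry; an empty list on a real rescan means none of the listed entries survived the fix.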