Smartfinder virus..or whatever it is..urgent help pls

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chef_wee_wah, Jul 5, 2005.

  1. chef_wee_wah

    chef_wee_wah Private E-2

    Hi,

    I'm sorry, but I've tried everything you guys have listed on your main help posts and nothing has helped.. the damned virus is still on my pc.. I've tried all the listed and recommended spybots, virus scanners and trojan detectors etc.. I have d/loaded Hijack This and do have a log file if you want it.

    I need help quite urgently.. this is quite a serious problem and is instituting an increasing number of processes to my task manager and making my pc slow up and freeze etc..

    I will wait for a response, and thanks in advance :( I hope someone can help me.. I'm not very computer literate when it comes to regedit etc etc so pls bear that in mind.

    Thanks,

    Dan.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL the steps in the READ ME FIRST sticky thread, follow the steps below exactly as written to install and use HijackThis properly:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. chef_wee_wah

    chef_wee_wah Private E-2

    Thanks, I really appreciate any help you can give me - I'm temporarily (actually, I'll probably keep it since it's great) using Firefox - no problems with that platform - but I need this fixed irrespective.. I direct your attention, if not previously read before, to the forum post: Geeks to go - trojans info

    If we can't fix it by editing reg files/removing them etc, will it disappear if I reinterface my whole computer? It's due for a whole makeover anyways - so I wonder...

    Let me know, I thank you sooooo much.

    Dan.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You have an HSA hijacker problem! Did you run the steps in the READ ME FIRST related to this?

    It appears like your Norton Antivirus installation may be broken. You will need to fix this later. It may require a reinstall. The below line is what I'm referring to.
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

    First see step 2 in the READ ME FIRST and make sure the Workstation NetLogon Service (or the others mentioned) have been stopped and disabled. Your current log had this service but they do rename themselves on the fly (after reboots).

    Note: If you have powered down or rebooted since posting your log, it is possible that the infection has mutated (changed file names) and spread. If it has you may not find all of what I have below and the fix will not work.

    Please download the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\mfcwc32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jzhdv.dll/sp.html#18463
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jzhdv.dll/sp.html#18463
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jzhdv.dll/sp.html#18463
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jzhdv.dll/sp.html#18463
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jzhdv.dll/sp.html#18463
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jzhdv.dll/sp.html#18463
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jzhdv.dll/sp.html#18463
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {F44B61BD-741C-710C-AE71-A8D36A20716A} - C:\WINDOWS\system32\apiyu32.dll
    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [mfcwc32.exe] C:\WINDOWS\mfcwc32.exe
    O4 - HKLM\..\RunOnce: [msqi.exe] C:\WINDOWS\system32\msqi.exe
    O4 - HKLM\..\RunOnce: [ntgv32.exe] C:\WINDOWS\system32\ntgv32.exe
    O4 - HKLM\..\RunOnce: [msjj.exe] C:\WINDOWS\system32\msjj.exe
    O4 - HKLM\..\RunOnce: [adduz.exe] C:\WINDOWS\system32\adduz.exe
    O4 - HKLM\..\RunOnce: [appcl32.exe] C:\WINDOWS\system32\appcl32.exe
    O4 - HKLM\..\RunOnce: [wingv32.exe] C:\WINDOWS\system32\wingv32.exe
    O4 - HKLM\..\RunOnce: [d3fi32.exe] C:\WINDOWS\d3fi32.exe
    O4 - HKLM\..\RunOnce: [addpz32.exe] C:\WINDOWS\system32\addpz32.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msqi.exe" /s (file missing)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.
    C:\WINDOWS\system32\addpz32.exe

    Now, Copy and Paste C:\WINDOWS\system32\jzhdv.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\apiyu32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\mfcwc32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msqi.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\ntgv32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msjj.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\adduz.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\appcl32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\wingv32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\d3fi32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste C:\WINDOWS\system32\addpz32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself.

    Now get a new HJT log and post it here. And tell us how these steps went and how things are working.

    PLEASE DO NOT REBOOT after posting your log. If you are still infected, it could mutate making the next steps I would post ineffective.
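    As an added example that is not part of the thread (it is neither chaslang's nor MajorGeeks' code, and HijackThis itself offers no such scripting): a small Python script that parses HijackThis entry lines and applies, mechanically, the same defender's reading chaslang does by eye above. The sample log is constructed from a subset of the entries quoted in post 4 (the garbled service name is shortened to plain ASCII), and the finding categories and the "windows root" / "RunOnce" heuristics are this example's own assumptions, not something the thread or HijackThis defines. It flags search-page entries served from a local DLL via res://, autostart entries that are RunOnce or that launch a binary dropped straight into C:\WINDOWS, a browser launched at every logon (the symptom reported later in the thread), toolbars whose file is missing, and services with an unknown owner, then derives the unique file list behind the file-centric findings, which is the same kind of list chaslang hands to Pocket Killbox.

```python
import re

# Constructed sample: a subset of the HijackThis 1.99.1 log entries quoted in the
# thread (the garbled service name is shortened to ASCII for this example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jzhdv.dll/sp.html#18463
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jzhdv.dll/sp.html#18463
O2 - BHO: Class - {F44B61BD-741C-710C-AE71-A8D36A20716A} - C:\WINDOWS\system32\apiyu32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mfcwc32.exe] C:\WINDOWS\mfcwc32.exe
O4 - HKLM\..\RunOnce: [msqi.exe] C:\WINDOWS\system32\msqi.exe
O4 - HKLM\..\RunOnce: [d3fi32.exe] C:\WINDOWS\d3fi32.exe
O23 - Service: Workstation NetLogon Service ( 11F ) - Unknown owner - C:\WINDOWS\system32\msqi.exe" /s (file missing)
"""

# A HijackThis entry is "<section code> - <body>", e.g. "R1 - ..." or "O23 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# First drive-letter path that ends in .exe or .dll (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)", re.IGNORECASE)
BROWSER_EXES = ("iexplore.exe",)

# Categories (this example's own labels) whose referenced file is itself the suspect
# object and so belongs on a delete-on-reboot list. The other categories point at a
# registry entry to fix, not a file to delete (iexplore.exe is a legitimate binary).
FILE_CATEGORIES = {"search_redirect", "runonce_autostart",
                   "windir_root_autostart", "unknown_service"}


def parse_hjt_log(text):
    """Return (section, body) tuples for every entry line; non-entry lines are ignored."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            records.append((m.group("section"), m.group("body")))
    return records


def referenced_path(body):
    """First .exe/.dll path in an entry body, or None when the entry names no file."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def in_windows_root(path):
    """True when the file sits directly in the Windows directory, not a subfolder."""
    parent = path.rpartition("\\")[0].lower()
    return parent in (r"c:\windows", r"c:\winnt")


def classify(section, body):
    """Map one entry to a finding category (assumed heuristics), or None if unremarkable."""
    path = referenced_path(body)
    if section in ("R0", "R1") and "= res://" in body:
        return "search_redirect"        # search/start page served from a local DLL resource
    if section == "O4" and r"\RunOnce:" in body:
        return "runonce_autostart"      # RunOnce is for one-shot setup; a cluster of them is suspect
    if section == "O4" and path and in_windows_root(path):
        return "windir_root_autostart"  # autostart binary dropped straight into C:\WINDOWS
    if section == "O4" and path and path.lower().endswith(BROWSER_EXES):
        return "browser_autostart"      # browser launched at every logon
    if section == "O3" and "(file missing)" in body:
        return "missing_component"      # toolbar DLL gone: broken install or leftover entry
    if section == "O23" and "Unknown owner" in body:
        return "unknown_service"        # service with no identifiable vendor
    return None


def find_indicators(records):
    """Run classify() over parsed records and keep the entries that scored a category."""
    findings = []
    for section, body in records:
        category = classify(section, body)
        if category:
            findings.append({"section": section, "category": category,
                             "path": referenced_path(body), "line": f"{section} - {body}"})
    return findings


def files_to_remove(findings):
    """Unique file paths behind the file-centric findings: the delete-on-reboot candidates."""
    paths = {f["path"] for f in findings if f["category"] in FILE_CATEGORIES and f["path"]}
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    found = find_indicators(parse_hjt_log(SAMPLE_LOG))
    for f in found:
        print(f"[{f['category']}] {f['line']}")
    print("\nCandidate files for delete-on-reboot:")
    for p in files_to_remove(found):
        print("  " + p)
```

    The point of keeping the file list separate from the findings is the one chaslang makes in post 6: the `[iexplore.exe]` Run entry is a registry fix, not a file to delete, so a script that deleted every path it flagged would have removed Internet Explorer while leaving the real problem untouched.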
     
  5. chef_wee_wah

    chef_wee_wah Private E-2

    ok, thanks.

    I've done what you said, and it appears to have been removed - no R1 or R0 entries in hijackthis log which I have attached.

    Further, no more internet explorer popups for "only the best"!

    Thanks! However, now IE opens automatically when my cable connects to the net.

    I reset the web settings, but this didn't fix it.. how can I make it so IE doesn't open automatically?

    Thanks! Dan.

    PS: I know I still have to fix the norton antivirus broken file you mentioned.. just haven't gotten around to it as yet.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do you now have HijackThis installed improperly in:
    C:\Documents and Settings\Daniel\Desktop\HijackThis.exe


    You had it correct before. Please only use the properly installed one and get rid of this one.

    In my previous message, one of the lines I asked you to fix was:


    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe


    You must have missed it. This is why IE is opening at startup. Have HJT fix that line.
     
