HijackThis log!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by frankiet627, Dec 20, 2005.

  1. frankiet627

    frankiet627 Private E-2

    Hey everyone,

    Of course, I've had problems with my computer with trojans. They apparently opened up my firewall, letting fake spyware like WinHound and SpySheriff download itself automatically, and I've followed the steps in the READ & RUN ME FIRST to get rid of as much as I could. The BitDefender showed 27 viruses on my system, and the Panda scan showed 4 viruses. My HijackThis log is attached.
    I appreciate any help I can get!

    Thanks,
    Frank
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.


    There are multiple steps to follow; you also should be ATTACHING BitDefender and PandaActiveScan logs. And when the READ & RUN ME has been fully completed, HijackThis logs must also be an attachment to your message (also covered in the instructions). It must not be posted inline.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also note that P2P programs like Kazaa and Bearshare (and others) are notorious spreaders of malware. That is why the first step in the READ & RUN ME recommends uninstalling them.
     
  4. frankiet627

    frankiet627 Private E-2

    Sorry, here's the rest of the scans.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which user account did you run the steps on? Frankie T or LocalService?

    I see stuff in the TIF folder that should have been cleaned when CCleaner was run. Was it run? Was it run on both accounts?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your BitDefender log does not look like a complete log. It shows no information about anything being fixed or not being able to fix it. Didn't you have it try to fix the problems, or did you just run a scan? Please post the full log.

    You need to run the below procedure:

    Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

    And post the log from SmitRem.

    Also boot into safe mode and delete the below files:
    C:\Documents and Settings\Frankie T\1file.tmp
    C:\Documents and Settings\Frankie T\Favorites\Spyware Removal.url
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81EB01AJ\drsmartload[1].exe
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\ltndmain[1].dll
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GNU96RM3\sbot[1].exe
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\ltndload[1].dll
    C:\reccord.exe
    C:\WINDOWS\drsmartload.dat
    C:\WINDOWS\SYSTEM32\0wao7k9k.dll
    C:\WINDOWS\SYSTEM32\msblank.html
    C:\WINDOWS\SYSTEM32\P2P Networking v123.cpl
    C:\WINDOWS\teller2.chk
    C:\WINDOWS\warnhp.html
    C:\WINDOWS\z00096.exe

    Is the below something you installed:
    Spyware:Spyware/LinkReplacer Not disinfected C:\Program Files\QL\uninstall.exe
     
    Last edited: Dec 20, 2005
  7. frankiet627

    frankiet627 Private E-2

    Hey Chaslang,

    First, I used my Frankie T account, not the LocalService, and I did use the CCleaner on Frankie T only, which worked fine. I don't have the rest of my Bitdefender log, but I do remember that it could not disinfect any of the files, and removed all but one if I remember. Also, I removed the files you indicated in the last reply, and ran the SmitRem, then ran Pandascan and HijackThis again. SmitRem and Panda showed that nothing was there. And I don't remember having anything to do with c:\Program Files\QL\uninstall.exe, so should I delete it?

    But all in all, after following the specific spyware removal faq, I think it got my machine quite clean. Now I'm following your spyware prevention faq.

    Thanks a bunch,
    Frank
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well actually SmitRem showed there was a problem file: Install.dat

    Which it removed. The ending line just tells you that wininet.dll is clean.

    Are the below URLs valid for you:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does the fact that Kazaa and Bearshare are still installed mean you are going to keep them even though they are known to be spreaders of malware? I would also add Blubster to that list too. And Blubster is really bad because you are ALWAYS connected to the whole world. As soon as you boot up, it runs and you are connected. Also Blubster is known to have:

    Blubster 2.x aka Piolet (Blubster 2.0 and higher and Piolet are adware and bundle other adware)

    What is the below XPbackup? If unknown, we will have to fix it.
    O23 - Service: Windws Backup - Unknown owner - C:\WINDOWS\XPBackup.exe (file missing)
     
  10. frankiet627

    frankiet627 Private E-2

    I don't know what www.searchv.com and the XPbackup are. I also don't know any other p2p program that is clean, and BearShare is the only one I like so far. If I hafta get rid of it, I will, but I was hoping there would be another clean p2p to get.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NO P2P programs are safe, but at least some do not contain malware when you install them. But the fact that you are connected to other people's PCs and downloading from them (and they could be infected, which can infect you) and that since you are connected, they have access to you......well, it is just like leaving the key in your back door for the burglar and saying come on in.

    See this: http://www.denison.edu/computing/students/blubster.html

    For better choices (we still don't recommend them), see: http://www.spywareinfo.com/articles/p2p/

    You should uninstall Bearshare, Kazaa, and Blubster, but Blubster probably has no uninstall, in which case we will have to do it manually.
     
  12. frankiet627

    frankiet627 Private E-2

    Okay, I looked up your list of p2p, and I've settled on iMesh. I have avast! and Sygate Firewall now, and followed most of your guys' FAQs, so I feel more comfortable with spyware now. I appreciate all the help you gave!

    Frank
     
  13. frankiet627

    frankiet627 Private E-2

    lol, oh wait, iMesh is not a clean p2p, whoops.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are my recommendations!

    First go to Add/Remove Programs and uninstall KazaaLite and Bearshare (also Blubster if there).

    Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windws Backup ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    If you cannot find it or get an error message, just continue!

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Windws Backup

    Now exit HJT but do not reboot if it tells you it needs to. Just exit! We will reboot later after fixing more items. If you cannot find it or get an error message, just continue!


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
    O4 - HKLM\..\Run: [BearShare] C:\PROGRA~1\BEARSH~2\BEARSH~1.EXE /pause
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
    O23 - Service: Windws Backup - Unknown owner - C:\WINDOWS\XPBackup.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\Program Files\Kazaa Lite K++ <--- the whole folder
    C:\Program Files\Blubster <--- the whole folder
    C:\Program Files\BEARSHARE <--- the whole folder
    C:\Program Files\QL <--- delete the whole QL folder
    C:\WINDOWS\about.htm
    C:\WINDOWS\XPBackup.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes, click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes, click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
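    The HijackThis entries chaslang quotes above (R0/R1 IE search-page values, O4 Run keys, O9/O16 browser add-ons, the orphaned O23 service) all share one simple line format. As an added example, not code from this thread or from HijackThis itself, here is a small Python parser that splits those lines into class, name and target and pulls out the three things the thread triages by hand: what autostarts at logon, which entries point at files that no longer exist, and which external hosts the browser settings reach. The sample input is constructed from the lines quoted in this thread.

    ```python
    import re
    from dataclasses import dataclass
    from urllib.parse import urlparse

    # Constructed sample: the HijackThis lines quoted in this thread, one per entry class.
    SAMPLE_LOG = r"""
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
    O4 - HKLM\..\Run: [BearShare] C:\PROGRA~1\BEARSH~2\BEARSH~1.EXE /pause
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
    O23 - Service: Windws Backup - Unknown owner - C:\WINDOWS\XPBackup.exe (file missing)
    """

    LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
    REG_RE = re.compile(r"^HK\w+\\[^,]+,(?P<name>[^=]+?) = (?P<target>.*)$")
    PARSERS = {  # body regexes per class, each yielding a 'name' and the 'target' (URL, command line or path)
        "R0": REG_RE, "R1": REG_RE,
        "O4": re.compile(r"^HK[A-Z]+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
        "O16": re.compile(r"^DPF: (?P<name>\{[^}]+\})(?: \([^)]*\))? - (?P<target>\S+)$"),
        "O23": re.compile(r"^Service: (?P<name>.+?) - .+? - (?P<target>.*?)(?: \(file missing\))?$"),
    }
    EXE_RE = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)  # image path at the head of a Run command line

    @dataclass
    class Entry:
        code: str       # HJT class: R0/R1 IE registry value, O4 Run key, O9 button, O16 DPF, O23 service
        name: str       # value name, Run key name, CLSID or service name ("" when the body was not parsed)
        target: str     # URL, command line or file path the entry points at
        orphaned: bool  # HJT reports the referenced file as absent

    def parse_entry(code, body):
        r = PARSERS[code].match(body) if code in PARSERS else None
        orphaned = "(file missing)" in body or "(no file)" in body
        # O9 and any body the class regex does not recognise keep the raw body as the target
        return Entry(code, r["name"] if r else "", r["target"] if r else body, orphaned)

    def parse_log(text):
        """Parse every 'Rn - ' / 'On - ' line; other text in the log (headers, process list) is skipped."""
        return [parse_entry(m["code"], m["body"]) for m in map(LINE_RE.match, text.strip().splitlines()) if m]

    def run_executables(entries):  # logon autostarts from O4 Run entries, quotes and arguments stripped
        return [m.group(1) for e in entries if e.code == "O4" and (m := EXE_RE.match(e.target))]

    def orphaned_entries(entries):  # entries whose file is gone: leftovers of an uninstall or a partial cleanup
        return [(e.code, e.name or e.target) for e in entries if e.orphaned]

    def external_hosts(entries):  # hosts the IE search/start pages and DPF (ActiveX) entries point at
        return sorted({urlparse(e.target).hostname for e in entries if e.target.startswith("http")})
    ```

    Each host in external_hosts and each autostart path in run_executables is something to confirm with the user, exactly as the thread does for www.searchv.com and XPBackup.exe, before anything is fixed.
    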
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can find a few of the clean types of P2P programs here on MGs. It is just that in this forum, we do not recommend any P2P programs. However be assured that anything downloadable here has been tested and is clean.

    See this file directory: http://www.majorgeeks.com/downloads17.html

    You will see BitTorrent, a couple versions of Emule and maybe more.
     
  16. frankiet627

    frankiet627 Private E-2

    OK, here's the new HJT, and the system works fine.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have some new stuff that showed up (possibly it was hiding before). It all probably originated with the P2P stuff. I'll post a fix in a few minutes, but I also just noted that you have both Avast and McAfee antivirus running. You must use only one, as stated in the READ ME. Look in Add/Remove Programs and uninstall McAfee.

    Let me know what you find so I can complete the rest of your fixes.
     
  18. frankiet627

    frankiet627 Private E-2

    I only have avast running; I think I had McAfee a long time ago, but I thought I got rid of it awhile ago. I checked the Add/Remove, and there's no McAfee there.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! Take a look in your HJT log and you will see:
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

    Complete fix to follow soon.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First double check in Add/Remove programs for the below and uninstall if found.
    WhenU or WhenUsave or Usave

    If it is found and uninstalled, the VVSN stuff below will no longer be present.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\VVSN\VVSN.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

    Do you know what the below is? If not, fix it too otherwise leave it.
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} - http://www.funnytaf.com/fun/installer/Install.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\VVSN <--- the whole folder
    c:\Program Files\mcafee.com <--- the whole folder

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  21. frankiet627

    frankiet627 Private E-2

    OK, I didn't find any WhenU installed, but I killed the VVSN process and fixed what you said. I didn't know what www.funnytaf was either, so I fixed it too. And the folders are gone also.
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  23. frankiet627

    frankiet627 Private E-2

    Alright, thank you so much, I can't tell you how much I appreciate the time and help you gave me. I hope you guys have a great holiday, and God bless!!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    And you enjoy the Holidays too. And do it malware free! :D
     
