HJT analysis - help please

Discussion in 'Malware Help (A Specialist Will Reply)' started by alma, Jun 15, 2006.

  1. alma

    alma Private E-2

    Thanks in advance,

    I have a problem. I have had my homepage changed and new things appeared in my favorites and I was not able to remove them. Also I have a lot of popups and most of them are related to shopping and iPod and sometimes www.shop.com, also about poker, pokerparty, sometimes antivirus and monacogoldcasino.com as well ... etc.

    I followed the instructions in "READ & RUN ME FIRST Before Asking for Support" and I was able to restore my homepage, but I wasn't able to remove the stuff in my favorites and the popups .... I would appreciate any help.

    I did the scans according to the instructions, but the Microsoft Windows Defender 1051 (Beta 2) did not work so I scanned with CounterSpy.

    Attached you will find the reports I was able to get from those scans and from HJT.


    Many thanks
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    The READ ME specifies to attach your CounterSpy log if you run CounterSpy. Please attach the log.

    Do you still have Mass Downloader installed? It appears to be broken.
    O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: waynet - {CAE916D2-880A-4198-BB83-9E9DBD9615DC} - C:\Program Files\waynet\waynet.dll (file missing)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
    O2 - BHO: (no name) - {2FEEF245-E900-6A32-158B-0CBD548A601E} - C:\DOCUME~1\Mohammed\APPLIC~1\BOWSPLAY\BEEP FOR.exe (file missing)
    O2 - BHO: XBTB02205 - {380D01CA-D5F0-4481-A733-B983CA3CDFBB} - C:\PROGRA~1\waynet\waynet.dll (file missing)
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O3 - Toolbar: waynet - {CAE916D2-880A-4198-BB83-9E9DBD9615DC} - C:\Program Files\waynet\waynet.dll (file missing)
    O3 - Toolbar: (no name) - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - (no file)
    O4 - HKLM\..\Run: [one thunk time file] C:\Documents and Settings\All Users\Application Data\Blah Admin One Thunk\Ball 16.exe
    O4 - HKCU\..\Run: [Settings Each] C:\DOCUME~1\Mohammed\APPLIC~1\STOREJ~1\Birdgplbuild.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\All Users\Application Data\Blah Admin One Thunk <--- delete the whole folder
    C:\Documents and Settings\Mohammed\Application Data\BOWSPLAY <--- delete the whole folder
    C:\Documents and Settings\Mohammed\Application Data\storejugs <--- delete the whole folder
    C:\Program Files\waynet <--- delete the whole folder

    Since you do not appear to have Symantec installed anymore, you should also delete the below folder:
    C:\Documents and Settings\All Users\Application Data\Symantec

    If you get an error when deleting a file, right click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
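    As an added illustration (not part of this thread and not HijackThis's own logic), a small Python triage script that applies the same reasoning chaslang uses above to the HJT lines he quoted: entries whose target file is gone, Run keys launching from user profile folders, and one CLSID registered under more than one section. The last sample line is a constructed benign control entry, and the flagging rules are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the HJT lines quoted in the reply above, plus one
# made-up benign Run entry under Program Files as a control.
SAMPLE_LOG = r"""
R3 - URLSearchHook: waynet - {CAE916D2-880A-4198-BB83-9E9DBD9615DC} - C:\Program Files\waynet\waynet.dll (file missing)
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: waynet - {CAE916D2-880A-4198-BB83-9E9DBD9615DC} - C:\Program Files\waynet\waynet.dll (file missing)
O4 - HKLM\..\Run: [one thunk time file] C:\Documents and Settings\All Users\Application Data\Blah Admin One Thunk\Ball 16.exe
O4 - HKCU\..\Run: [Settings Each] C:\DOCUME~1\Mohammed\APPLIC~1\STOREJ~1\Birdgplbuild.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example Vendor\updater.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<path>.*)$")
DEAD_MARKERS = ("(file missing)", "(no file)")          # HJT's own markers
PROFILE_DIRS = ("application data", "applic~1")         # user-writable autostart locations

@dataclass
class Entry:
    section: str
    name: str
    clsid: str
    path: str
    reasons: list = field(default_factory=list)

def parse_line(line):
    """Split one HJT line into section, display name, CLSID (if any) and path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":                                  # O4 - <hive>\..\Run: [name] path
        rm = RUN_RE.match(body)
        return Entry(section, rm.group("name"), "", rm.group("path")) if rm else None
    parts = [p.strip() for p in body.split(" - ")]       # name - {CLSID} - path
    clsid = next((p for p in parts if CLSID_RE.fullmatch(p)), "")
    return Entry(section, parts[0], clsid, parts[-1] if len(parts) > 1 else "")

def triage(lines):
    """Return only the entries that match one of the review rules above."""
    entries = [e for e in map(parse_line, lines) if e]
    seen = {}
    for e in entries:
        if e.clsid:
            seen[e.clsid] = seen.get(e.clsid, 0) + 1
    for e in entries:
        low = e.path.lower()
        if any(mk in low for mk in DEAD_MARKERS):
            e.reasons.append("orphaned entry: target file no longer exists")
        if e.section == "O4" and any(d in low for d in PROFILE_DIRS):
            e.reasons.append("autostart launched from a user profile folder")
        if e.clsid and seen[e.clsid] > 1:
            e.reasons.append("same CLSID registered under more than one section")
    return [e for e in entries if e.reasons]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        print(f"{e.section} {e.name!r}: {'; '.join(e.reasons)}")
```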
     
  3. alma

    alma Private E-2

    Thanks again,

    I did exactly as you told me and things seem to be good. My favorites went back to the way they were and I do not see any popup so far ..

    I was able to remove all the folders you told me to remove, however I did not find the folders called "BOWSPLAY" & "storefugs", they just were not there !!

    I will attach a HJT log from a new scan I did after I finished your instructions.

    Also I will attach a CounterSpy report from the scan I did earlier, not from today but from when I was doing READ ME FIRST.

    I did not do the "disable system restore" yet, I will wait for your instructions.

    Also, I need to know if I need to keep the software I got during READ ME FIRST or should I remove it.

    I have McAfee Internet Security, is that enough for my future protection??

    I appreciate your help
    Many thanks
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to let CounterSpy fix what it found. You told it to ignore the problems.

    You need to uninstall Bearshare. It is bundled with malware.
    Also according to CounterSpy, you got infected when you installed Messenger Plus which is also bundled with malware. Uninstall it too!

    PalTalk is up to you but it is known to serve ads since that is how it is supported.

    You should keep everything from the READ ME. If McAfee were good enough, you would not have been coming here for help. However you can uninstall CounterSpy after letting it fix everything it found.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!

     
  6. alma

    alma Private E-2

    I appreciate your help, sure I will do that.
    thanks
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
