I need a PC prince to help me fight this stupid Virus/Malware

Use HijackThis to fix those entries: run a scan, put a tick in the box next to those entries (be careful), then choose 'FIX CHECKED'. Then run again and post another log.
Then you need to remove McAfee: http://service.mcafee.com/FAQDocument.aspx?id=TS100507

Then download and install Malwarebytes Antimalware and Superantispyware (both free):

http://www.malwarebytes.org/mbam.php

http://www.superantispyware.com/

DEAR GOD it's taken me this long just to get back here…I ran Malwarebytes in safe mode. There is still an autostart run dll I can’t figure out. I am really sorry. Here:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html

O4 - HKUS\S-1-5-19..\Run: [beliyagohe] Rundll32.exe “C:\WINDOWS\system32\kamileva.dll”,s (User ‘LOCAL SERVICE’)

???
My System Restore is screwed up too.

Run MBAM again, it should be able to remove these. Sometimes it takes more than one scan. Also, did you try SAS? Try MBAM in normal mode, and SAS in safe mode. Also, some of the original threats were in System Restore, so I personally would turn SR off for the moment, or at least not try using it. Please post the MBAM and SAS logs.
Regarding the O4 - HKUS\S-1-5-19..\Run: [beliyagohe] Rundll32.exe “C:\WINDOWS\system32\kamileva.dll”,s (User ‘LOCAL SERVICE’)
Is another user logged onto the PC?
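
Added example, not part of any post in this thread: a short Python parser for HijackThis O4 autostart lines, run on the entry quoted above. It maps the SID in an HKUS entry to its built-in Windows account and pulls out the DLL that Rundll32 is asked to load, which is the file to identify. The SID table holds standard Windows constants; the function names and the second sample line are constructed for illustration.

```python
import re

# Well-known Windows service-account SIDs (standard constants).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}
# Forum software turns straight quotes into curly ones; undo that before parsing.
QUOTES = str.maketrans("“”‘’", "\"\"''")

# O4 - <hive>[\<SID>]..\<key>: [<value name>] <command> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS)(?:\\(?P<sid>S-[\d-]+))?(?:\\?\.\.)?"
    r"\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User .*\))?$"
)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,\s*(?P<export>\S+)', re.IGNORECASE
)

def parse_o4(line):
    """Return a dict describing one O4 autostart line, or None if it is not O4."""
    m = O4_RE.match(line.strip().translate(QUOTES))
    if not m:
        return None
    entry = {
        "hive": m["hive"],
        "account": WELL_KNOWN_SIDS.get(m["sid"], m["sid"]),
        "key": m["key"],
        "name": m["name"],
        "command": m["cmd"],
        "dll": None,
        "export": None,
    }
    # With rundll32 as the host, the file to identify is the DLL argument.
    r = RUNDLL_RE.match(m["cmd"])
    if r:
        entry["dll"], entry["export"] = r["dll"], r["export"]
    return entry

# First line is the entry quoted in the thread; the second is constructed.
SAMPLE = [
    r"O4 - HKUS\S-1-5-19..\Run: [beliyagohe] Rundll32.exe “C:\WINDOWS\system32\kamileva.dll”,s (User ‘LOCAL SERVICE’)",
    r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_o4(line))
```

For the thread's entry the parsed account is LOCAL SERVICE (SID S-1-5-19), a built-in Windows account, and the DLL field is the path to check and remove with the scanners.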

I did finally get super antispy. I have to pick up my children from school and run errands while the PC scans both. McAfee hasn’t been uninstalled yet and picks up POLY WIN 32 virus, but cannot quarantine, delete, clean…I will post ASAP. At least I am not having as much of a problem getting on here…thankfully…thanks to your help.

It's not a good idea having two AVs on the PC; even though McAfee hasn’t been updated for a while, it's still active. This can cause conflicts and false alarms. If you think you have something that Avast is missing, report the infected files' names and locations from McAfee, here. Are your Avast scans clean? Is Avast finding anything that it cannot deal with or that returns after you have dealt with it? Did you do an Avast boot-time scan?

Time elapsed: 3 hour(s), 1 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This is the malware log. Rebooting after this post.

That looks reasonable if all it found were mywebsearch keys and no malware files.

Now you need to deal with McAfee: uninstall it using Windows Add/Remove Programs and, for good measure, another tool to ensure all remnants are gone. Since you didn’t say what version of McAfee, I have listed all of them.

McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe Or http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525

Okay, so I removed McAfee…running HijackThis and…the winner is???
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


End of file - 2544 bytes

however…the INNI kamileva file is still picking up on the scan>>> :o ???

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) → Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) → Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.google.com/) → Quarantined and deleted successfully.

I have no clue what this crap is…this is a screen shot of the info that HJT gives me including what I assume is the path

http://s293.photobucket.com/albums/mm49/glory2hizname/?action-view&current=kamileva.jpg&t=1237414658093
http://s293.photobucket.com/albums/mm49/glory2hizname/?action=view&current=kamileva.jpg&t=1237414658093

Well, that didn’t work. I tried inserting an image. Just click on the link, I guess, and where it gives you options click on full size. I am sorry.

http://i293.photobucket.com/albums/mm49/glory2hizname/kamileva.jpg

OK, there it is. I am sorry AGAIN…but I am always learning.

Well, your new HJT log is incomplete, so we can’t see the entry is still there.

Did you not fix it in HJT?
Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.

You don’t really need to know what they were as you have gone ahead anyway and removed them. They relate to search hijacking and your searches would be redirected or the content highly dubious.

I think what Mom24 means is that the entry is still there after it has been fixed, although a large part of the last HJT log is missing. Also, there are bits of logs from different scanners, which appear a little mixed up. The last FULL MBAM log showed only Adware.MyWebSearch, then later what appears to be part of another MBAM log: http://forum.avast.com/index.php?topic=43475.msg363748#msg363748
I presume this log is from Avast: http://forum.avast.com/index.php?topic=43475.msg363640#msg363640
It's all a bit confusing. Also, the OP hasn’t stated whether Avast scans are now clean (as there was the win poly, from McAfee).
I realise that all this scanning is tedious, especially when one of your MBAM scans took 3 hours. So if you could scan again, boot-time scan with Avast, and full scans with MBAM and SAS, and post the full logs,

example SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/14/2009 at 01:50 PM

Application Version : 4.25.1014

Core Rules Database Version : 3795
Trace Rules Database Version: 1751

Scan type : Quick Scan
Total Scan Time : 00:09:47

Memory items scanned : 419
Memory threats detected : 0
Registry items scanned : 379
Registry threats detected : 0
File items scanned : 9367
File threats detected : 0

Thank you

Ok. Let me try this again.
(I thought I posted a reply already. It didn’t take, apparently, or it was an ID 10 t error. :P)

Ok No more pop ups, hijacks, or slow downs. THANK YOU THANK YOU THANK YOU, to all who helped.
I will attempt to do a boot scan with avast, and post the log…the question is can I do it.
I posted my newest problem on a different topic, because I know people like reading about problems in their appropriate sectors, so I posted the BackUp error message problem in General Topics, which I hope I can link to from here…

http://forum.avast.com/index.php?topic=43511.0

Preview…YAY! OK. So I know I may get on your nerves with how obvious these fixes are compared to the ones many people have on here, but the problem is only as easy as your knowledge about it. I am learning a lot on here.

:slight_smile: Hi:

In one of the logs you posted, I saw a seriously outdated “Java” program;
not knowing HOW many “version(s)” of this program you MAY have on your
computer, I recommend you run the FREE “JavaRa” program from
http://raproducts.org .

After doing this, and not knowing HOW many other programs may be outdated
on your computer, at some point in time you should run the FREE “Software
Inspector” available at http://secunia.com/vulnerability_scanning .

Thanks, I am doing this now. I get so overwhelmed by what needs to be updated, removed, and what programs are just useless. I don’t want to load up my computer with “crap”. But scans and this and that confuse me, and take up time I don’t want to be spending on my computer, but with my family. But when I or my family need the computer, I want it to be in working, close to perfect, order.

If you don’t use Java, or you don’t want to update it, just uninstall it.
Old Java installations could be a source of exploitation from malware.

Stick at it, take it a step at a time and once you are on top of it, periodically pay a visit to the Secunia site.

MALWAREBYTES LOG: none detected

Malwarebytes’ Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/19/2009 5:51:24 PM
mbam-log-2009-03-19 (17-51-24).txt

Scan type: Quick Scan
Objects scanned: 74981
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D