please help analyze Hijackthis

Hi,
This will sound really dumb that I don’t know how to fix this, but…
Every couple days I get an email from yasfela@yahoo.com into Outlook, which keeps coming although I try to tell the program it is spam. Each seems to have a different virus or trojan, and I try to delete them as Avast says, but every time, after I press delete, Avast starts the alarm over and I have to try to delete it again and again. After a couple tries a little gray box pops up saying the file is no longer available. I think that it is at that point that Outlook has decided to block the jpeg pictures in which these viruses are transported, from appearing on my computer. So I close the Avast warning by the little button on the top right corner and go about my business. However, when I run a thorough system cleaning, Avast keeps finding things that it says it cannot move or resolve. For example, in C/ Documents and Settings (also several in System Volume Information) … Embedded # DODGY… then Win:32T… Error Occurred During…

Unfortunately I am relating all of this from a snapshot I printscreened last time, and it doesn’t show the full messages, and I can’t get this to happen again today. But several times, I have had a long list of viruses or problems that AVAST seems unable to move to the chest! I am wondering: is that because a few months ago I had some viruses removed using Dr Web, and AntiMalWare, which is still on my desktop?

BUT I have developed weird symptoms. First, my browser is pretty slow now (and it’s IE so vulnerable), occasionally REALLY slow (like I once had to slow my typing to one key per second in order to get it to appear onscreen). Second, when I send documents to another computer and open them on my own email account, they no longer show up as word but as unopenable Winmail.exe files!!!

Third, and possibly unrelated, my Access program no longer allows me to output reports to text documents. When I try to output a report, it complains that I need to connect to a printer.

I can’t help thinking that if I were a virus and my life’s purpose were to spread myself around, I too would try to make my victims connect to a network printer.

So today Avast doesn’t seem to see anything wrong with my computer, but - I am attaching my HiJack this file and I would really appreciate it if an expert or two could reassure me that nothing odd is going on.

Apart from Hijack this, what else should I do?

Thank you!!

Looks like you got MyWebSearch, which is a very nasty adware program.

I suggest:

SuperAntiSpyware Free
Spybot - Search & Destroy
Spyware Terminator (exclude the crawler toolbar, add ons, and the ClamAV module)

:slight_smile:

And your Adobe Reader is way-out-of-date; would be wise to uninstall it and use the safer “Foxit Reader” from www.foxitsoftware.com/pdf/rd_intro.php.

Hi Sonichko,

We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.

Fix these following entries using HijackThis:

C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe Nasty (1.94 / 5.00)

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Nasty Should be fixed. This entry was classified from our visitors as bad.

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Neutral Must be fixed! MWSSRCAS.DLL - MyWebSearch, hxxp://www.doxdesk.com/parasite/MySearch .html

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Neutral Must be fixed! Mwsbar.dll - MyWebSearch, hxxp://www.doxdesk.com/parasite/MySearch .html

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) Safe Unnecessary (deactivated) entry that can be fixed. This entry was classified from our visitors as good.

O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Must be fixed! Mwsbar.dll - MyWebSearch

O4 - HKLM..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF Extremely nasty Nasty (1.82 / 5.00) Visitor’s assessment Analyzerdetails

O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] “C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe” /m=2 /w Nasty (2.05 / 5.00) Visitor’s assessment Analyzerdetails

O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe Nasty Nasty Must be fixed! This entry was classified from our visitors as bad.

O4 - HKCU..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe Nasty Nasty Must be fixed! This entry was classified from our visitors as bad.

O8 - Extra context menu item: &Search - hxxp://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm025YYUS The entry &Search has been identified as nasty.

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1 .0.1.0.cab Should be fixed. This entry is infected with Adware/MyWebSearch. ref …

O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe Nasty (1.98 / 5.00)

polonus
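An added example, not part of any post in this thread and not code from HijackThis or the online analyzer: a Python triage of the entries quoted above that groups them by the folder they load from, matching both the long name and the 8.3 short alias (`MYWEBS~1`) that the log uses for the same directory. The function names and the alias heuristic are assumptions of this example.

```python
import re

# Constructed sample: entries quoted in the post above, verdict text removed.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1 .0.1.0.cab
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)


def parse_entries(log_text):
    """Split a HijackThis log into dicts with section code, CLSID and file path."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list, blank lines
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append({"code": m.group("code"), "clsid": clsid.group(0) if clsid else None,
                        "path": path.group(0) if path else None, "orphan": "(no file)" in body})
    return entries


def in_directory(path, long_name):
    """True if a directory in path is long_name or looks like its 8.3 alias (heuristic)."""
    stem = long_name.replace(" ", "").upper()[:6]      # e.g. MYWEBS for MyWebSearch
    alias = re.compile(re.escape(stem) + r"~\d+$")     # e.g. MYWEBS~1
    parts = path.upper().split("\\")[1:-1]             # directories only, no drive or file
    return any(p == long_name.upper() or alias.match(p) for p in parts)


def triage(log_text, long_name="MyWebSearch"):
    """Group entries: files under the named folder, orphans with no file, the rest."""
    result = {"flagged": [], "orphan": [], "other": []}
    for e in parse_entries(log_text):
        hit = e["path"] and in_directory(e["path"], long_name)
        key = "flagged" if hit else "orphan" if e["orphan"] else "other"
        result[key].append(e)
    return result
```

The O16 entry lands in `other` because it points at a download URL rather than a local file, so grouping by path complements reading each entry and does not replace it.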

dear poster
you need to do BOTH what jtaylor suggests
Super Anti Spy
Spybot search and destroy please install SD-Helper but NOT T-timer and please update and Immunize
new definitions for both today

AND THEN what polonus suggests- or the other way around
Fix those HJT entries

Malware bytes Anti Malware is also a great scanner
then run an Avast Full scan rt click on the ball and update PROGRAM first (just to be sure)
then post the logs and a new HJT

Then you can install spyware Terminator - see Jtaylor83s post for the link - without the extras he mentions for some real time protection

Then run Secunia Software inspector and get updated
if your java is out of date please run JAVARA to remove all old versions- they are still vulnerable

Have a nice day :slight_smile:

This entry is Windows Live Call so if you use it and it’s working keep it.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Wow,
thanks everyone. I have been able to do the first 2 suggestions about Spyware but I haven’t been able to fully get rid of MyWebSearch and related problems. I will keep working on all your suggestions.

I’m really surprised to hear that you don’t detect a firewall. I went to my XP firewall and it says it’s on. I looked at the settings for what it allows, which I had never touched, and there were some things on there I never use like AOL, many hp files that hopefully were just normal applications, and also Internet Explorer was checked as something Windows doesn’t really use my firewall on… So I fixed those, hopefully you would now be able to see a firewall. I have a feeling that some other program messed it up, because I would not turn off my firewall.

Thanks… I’ll keep working on these…

Hi Sonichko,

There may be remnants of MyWebSearch,

Get them off. Disable any System Restore or Goback type software that you may have running.
Turn on “Show all files” etc in Windows Explorer.
Empty all temp folders including temporary internet files.
Empty your Recycle Bin.

Ensure that your AV is up to date and run a full scan. A

Close all unnecessary programs, particularly any browser sessions.

Update and run MBAM and SAS and fix anything that it finds. Reboot and run it again until it gives the all clear.

Now install, update and run Spybot S&D. Fix anything that it finds, reboot and run again. Repeat this until it’s all clear.

Now reboot, run HijackThis! and attach your log file in a new posting.

Turning on “Show all files”:

Windows XP

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Turning off and on System Restore: http://www.pchell.com/virus/systemrestore.shtml

polonus

By active firewall it means one that provides outbound protection and the XP firewall has zero outbound checking.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.