Computer has been infected by malware WinAntiVirus2007

By cyc85
Apr 8, 2007
Topic Status:
Not open for further replies.
  1. My Firefox and IE keep suddenly popping up anonymous advertisements.... Sometimes a pop-up asks me to install WinAntiVirus2007.... I know this is malware....

    Below this is my hijackthis....

    Someone pls help remove this malware

    thanks...
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    You're running an outdated version of HijackThis.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of cyc85 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    It appears you have 'Megaupload Toolbar' installed. It has a questionable reputation. Quote from the EULA:

    "This toolbar integrates certain services from alexa internet,inc. ("Alexa"). The toolbar may exchange data with Alexa in order to provide: (a) information to you about the web pages you view (ranking information, for example) and basic information to alexa on your use of the toolbar, including the ip address of your computer, the url of the web pages you visit and, because the toolbar communicates via http, data typical of normal http communications such as user agent and operating system, will be communicated."

    I suggest uninstalling it. If you wish to uninstall Megaupload Toolbar, please do the following steps:

    Close running browsers. (You may wish to copy and paste the contents of this thread to notepad or something)
    Go to Start > Control Panel > Add or Remove Programs. Remove Megaupload Toolbar if found.
    Go to Windows explorer and navigate to D:\PROGRA~1\MEGAUP~1 and delete this folder and its contents.
    Run your HijackThis scan and place a check on the following and click 'fix', if found:
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    Also fix this, if found:
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Clean your cache and cookies in your browsers.
    For IE:
    Close all instances of Outlook Express and Internet Explorer.
    Go to Control Panel > Internet Options > General tab
    Click the "Delete Cookies" button
    Next to it, Click the "Delete Files" button
    When prompted, place a check in: "Delete all offline content", click OK

    For Firefox:
    Go to the Firefox browser, click Tools > Options.
    Click Privacy in the menu on the left side of the Options window.
    Click the Clear button located to the right of each option (History, Cookies, Cache)
    Alternatively, you can clear all information stored while browsing by clicking Clear All.

    I suggest you also download AVG Anti-Spyware 7 and rename your HijackThis.exe. Follow steps 5 and 6 as listed HERE
    After you have followed the above steps, please post a fresh HJT log and AVG log.
    PS. I may not be able to guide you through the entire solution, but the best you can do is to follow the above steps for now until a more experienced member replies to you.
  4. cyc85

    cyc85 Newcomer, in training Topic Starter Posts: 29

    Thanks for help....:wave:

    About the AVG Antirootkit scan...nth was found.....
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    I have removed your Combofix and HJT logs, because they were posted as .doc files and therefore carry a risk of infection.

    Please repost Combofix and HJT logs as either .txt or .log files.

    Regards Howard :)

  6. cyc85

    cyc85 Newcomer, in training Topic Starter Posts: 29

    i thought u want the file with .doc .... So,i changed it from .txt to .doc lolx

    Anyway i have uploaded the other 2 files....

    Btw, now i didn't see any pop up advertisement anymore....hope no more pop up...

    Thanks howard_hopkinso
  7. momok

    momok Newcomer, in training Posts: 2,272

    Hi

    Your system is infected with adware.

    I noticed that your AVG Antispyware log says all items have "No Action Taken". That's because you didn't tell AVG Antispyware to quarantine its results. I also see that you still have Megaupload Toolbar in your system. Let's settle that first.

    You might wish to copy this into notepad or print out this page for reference.

    First turn off system restore (XP/ME only). Learn how to do HERE.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE


    Run AVG antispyware scan and quarantine the items. See HERE for instructions.

    After that, run HijackThis and fix the following entries, if found:

    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: (no name) - {B94B2252-D2B3-4A2D-8C3C-1E11690F3B9F} - D:\WINDOWS\system32\ddayx.dll (file missing)
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

    Go to Windows explorer and navigate to and delete these folders and their contents.:
    D:\PROGRA~1\MEGAUP~1
    D:\DOCUME~1\CYC_KI~1\APPLIC~1\MegauploadToolbar

    Reboot into normal mode and rehide all your OS files.

    Please post fresh HJT logs and AVG antispyware logs only after doing the above.
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    I agree with momok. You should get rid of the megaupload toolbar.

    In addition to the entries momok told you to fix, have HJT fix these entries as well.

    O2 - BHO: (no name) - {513B749B-188A-4154-9041-BA2CA7EF781D} - (no file)

    O2 - BHO: (no name) - {B94B2252-D2B3-4A2D-8C3C-1E11690F3B9F} - D:\WINDOWS\system32\ddayx.dll (file missing)

    I'd also like you to have the following file checked out over at Jotti's.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file D:\Program Files\PowerArchiver\PASTARTER.EXE
    * Click Open
    * Please let me know the results.

    See HERE for instructions on how to use AVG Antispyware.

    Post a fresh HJT log as well as another AVG Antispyware log.

    Regards Howard :)

  9. cyc85

    cyc85 Newcomer, in training Topic Starter Posts: 29

    But there is some file that i need 2 download from MegaUpload. Without the tool bar,i cannot download from that site. So, what should i do?

    Anyway,i will run AVG antispyware under safemode and post the log file here with hijackthis...
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    If you wish to keep the MegaUpload toolbar, that's up to you. Just be aware that it's of dubious repute.

    Regards Howard :)

  11. cyc85

    cyc85 Newcomer, in training Topic Starter Posts: 29

    About the file that u ask me 2 scan at http://virusscan.jotti.org/ nth was found....

    I remembered that last time after i scan my computer with AVG antispyware, i forgot to click apply deletion... lolx
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    You have posted your HJT log from safe mode. Please post a fresh HJT log from normal mode.

    Delete all files in AVG Antispyware quarantine.

    Can you tell me what this programme is? It certainly wasn't in any other of your previous HJT logs.

    O4 - HKLM\..\RunOnce: [.\PSpice Student 9.1\1] D:\WINDOWS\system32\REGSVR32.EXE /s D:\WINDOWS\system32\atl.dll

    Regards Howard :)

  13. cyc85

    cyc85 Newcomer, in training Topic Starter Posts: 29

    I saw the tag in front is PSpice...so i think it is a software i installed a few days ago...
    A software that is used in engineering courses to draw circuits.....

    I wonder why Pspice will load in safe mode but it didnt load in normal mode cuz it was not appear in this hijackthis log....
     
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Have HJT fix this entry.

    O2 - BHO: (no name) - {513B749B-188A-4154-9041-BA2CA7EF781D} - (no file)

    Other than that, your HJT log is clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  15. cyc85

    cyc85 Newcomer, in training Topic Starter Posts: 29

    Glad to hear from you that my system is clean now....

    Thank you....:haha:
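
The HijackThis entries quoted across this thread share a fixed line shape, so the two things the helpers check by eye (targets marked `(file missing)` or `(no file)`, and one CLSID registered under more than one section) can be checked mechanically. The following Python sketch is an added example, not part of any post and not HijackThis's own code; the function names are illustrative, and the sample lines are copied from the posts above.

```python
import re
from collections import defaultdict

# HijackThis lines exactly as quoted in the posts of this thread.
SAMPLE_LOG = r"""
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {B94B2252-D2B3-4A2D-8C3C-1E11690F3B9F} - D:\WINDOWS\system32\ddayx.dll (file missing)
O2 - BHO: (no name) - {513B749B-188A-4154-9041-BA2CA7EF781D} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\RunOnce: [.\PSpice Student 9.1\1] D:\WINDOWS\system32\REGSVR32.EXE /s D:\WINDOWS\system32\atl.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends one of these markers when the registered target is absent.
ORPHAN_RE = re.compile(r"\((file missing|no file)\)\s*$")

def parse_hjt(text):
    """Return one dict per log entry; lines that are not entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        orphan = ORPHAN_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphan": orphan.group(1) if orphan else None,
            "line": raw.strip(),
        })
    return entries

def orphaned(entries):
    """Entries whose registration points at a file that no longer exists."""
    return [e for e in entries if e["orphan"]]

def sections_by_clsid(entries):
    """Map each CLSID to every section it appears in (e.g. both O2 and O3)."""
    seen = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            seen[e["clsid"]].add(e["section"])
    return {clsid: sorted(secs) for clsid, secs in seen.items()}

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in orphaned(parsed):
        print("orphaned:", e["section"], e["clsid"] or "-", e["orphan"])
    for clsid, secs in sections_by_clsid(parsed).items():
        print(clsid, "registered under", ", ".join(secs))
```

An orphaned marker only says the target is absent, not why; the entry still has to be judged in context, as the PSpice `RunOnce` question in the thread shows.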