TechSpot

NPMySrWB.dll infected by Win32:Adware-gen

By Onus
Mar 29, 2007
Topic Status:
Not open for further replies.
  1. I am posting the HJT. The infection occurred in the Mozilla Firefox\plugins folder.

    This was most likely from a chat session with AdAware Alert and Error Killer. They have emailed me for an HJT and sent a link. I remembered to run the programs from your forum instead. I also had a keylogger virus, a repeating virus, which I had isolated to the Avast "chest" when I started because I was having trouble with CounterSpy anti-virus and had uninstalled a registered version. I was running SpywareGuard and several others, but Kerio Personal Firewall kept popping up balloons that interferred with my work. I deleted almost all antivirus and spyware programs before downloading AdAware Alert. The person on the chat line sent a registry entry and I wrote them up (bad recommendation for tech rep) for not alerting me and giving me notice that they were going to send a fix.

    Housecall would not run for me. And Smitfraud was interrupted by "Disk Cleanup" and a window about "Windows is running in safemode" do you want to continue or something like that. I don't think the wininet.dll file ran.

    It seemed like one of the 4 tools fixed the Kerio Firewall error: Windows Logon UI, Windows NT Logon Application; it won't allow me to log off and "End Now" is the only option. After rebooting, though, the problem came back. This might be related to the Error Killer problem because the Kerio balloon showed "Application is launching another application Windows Task Manager, Windows NT Logon Application". (I hope that is right.)

    The other error from AdWare Alert was because I opened 'My Computer', System Restore to delete a schedule task set up by AdWare Alert. Kerio would not allow the operation and opened 2 Generic Host Process files and 2 Image Mastering API files. Strangely, I typed "sendto" in "run" box and tried to use the right click to move, copy, create a shortcut, there were no options for these actions; however, when I clicked on the folder I wanted to copy (a Firefox plugin), it gave an error message that "windows cannot open PhotoStory3" for (?) 'type of file'. Very unusual!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    wmplayer.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe

    O2 - BHO: (no name) - h?›49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

    O2 - BHO: (no name) - ¨›¨›E-81EF-470C-9057-481BA8380DBA} - (no file)

    O2 - BHO: (no name) - è?›8ED58-01DD-4d91-8333-CF10577473F7} - (no file)

    O2 - BHO: (no name) - ˜?›64306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)

    O9 - Extra button: Add to Local Website Archive - {2ADE3C45-ED83-4F37-856C-40161DE121A6} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)

    O9 - Extra button: Start Local Website Archive - {7A1D09E3-177C-45C4-8302-28EA840B146E} - C:\Program Files\Local Website Archive\wsarc.exe (file missing) (HKCU)

    O9 - Extra button: Start Local Website Archive - {DD317311-147C-474E-858D-1C494F2276A9} - C:\Program Files\Local Website Archive\wsarc.exe (file missing) (HKCU)

    O9 - Extra button: Add to Local Website Archive - {E61CB1B2-4B34-4AF5-A478-F376E7B173D0} - C:\Program Files\Local Website Archive\wsarc_add.exe (file missing) (HKCU)

    Click on the fix checked button.

    Close HJT.

    Reboot into normal mode and rehide your protected OS files.

    I want you to have a file checked over at Jotti`s.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\Program Files\FWI\FraudShield\FWIFraudShield.exe
    * Click Open
    * Please let me know the results and post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Onus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Onus

    Onus TS Rookie Topic Starter Posts: 25

    HJT 2 and pic for questions

    I ran the HJT but could not post because my link said I already posted to this thread. I'm trying again. PS. I had to zip; file was "invalid".

    The FWIFraudShield file was clean ("nothing found"). Status: OK. Packers detected: ARMADILLO.

    Questions: picture attached
    1) java runtime should be version 1.5.0_9 not 11 (bottom pic). I have the PATCH file attached for version 9 and the changes file for 11-b03. I read something that said I should run version 9. And I found that version 9 does not check off TLS 1.0. So I checked and changed back to version 9. I don't know the technical details, but I am using Firefox and plugins and suspect that is right, since I went through a lot of changes.
    2) PhotoStory3 error: "Photo Story cannot open the selected project because the project is corrupted. Try opening a different project." "OK" opens Photo Story 3. The file was a "readme" file in the Real Archade folder. (top 2 pics) The pics show that the date (above the system tray clock) was displayed in the 1st pic. To display the date in the 2nd pic, I had to open display properties, desktop tab, customize desktop... button, clear list (recent documents). The black, clear list, letters take a while to clear to grey.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log has been run from safe mode. I need to see one that`s been run from normal mode.

    I have removed your other log files, so you shouldn`t have any trouble attaching the .log.

    You should update your Java to the latest version. version 5, update 11, then uninstall all older versions from add remove programmes in your control panel.

    Did you deliberately install FWIFraudShield? The reason I ask, is I can`t find any useful info on the programme.

    Regards Howard :)

    This thread is for the use of Onus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.