also @ TechSpot: Samsung announces Galaxy Tab 2 with Android 4.0 ICS
Welcome to the TechSpot OpenBoards. Please read the FAQ if you have any questions. Sign up or Login to participate.

Go Back   TechSpot OpenBoards > Tech Support > Virus and Malware Removal

Begin your free trial now Pay-as-you-go options starting at $10/user/month

Plagued by Win32.Myzor.FK@yf

Thread Tools Search this Thread
  #1  
Old 05-07-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Plagued by Win32.Myzor.FK@yf

My son managed to infect our desktop with this trojan-downloader and all that came with it. I have been battling it for two days without success. I followed the steps offered in a thread I saw and this is the result so far:
Scanned with e-trust - found no viruses
Scanned with bitdefender - found 2
Ran TrojanRemover and removed 2 trojan-downloader files and tracking cookies
Ran SpySweeper and found 140 traces and removed
Ran the Look2Me-Destroyer and removed
Ran the VundoFix and found nothing
Went to the how to remove Trojans, Begin2 and Coolwebsearch and found nothing when I ran AboutBuster, CWShredder, SmartKiller, AdAware and Spybot.
Followed RealBlackStuff's instructions about removing items in Safe Mode and ran Hijackthis log. Deleted items found on list and rebooted. Installed Firefox. System seemed to be okay and then "System Alert" popups returned telling me system was infected with spyware managing popups and several popups actually appeared.

Needless to say I am getting quite frustrated. Attached is my Hijackthis.txt file.
Attached Files
File Type: txt hijackthis.txt (5.9 KB, 9 views)
  #2  
Old 05-07-2006
TechSpot Evangelist
 
Member since: Aug 2004, 25,949 posts
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programme in your control panel and uninstall anything to do with(if there).

The Weather Channel FW\Desktop Weather

Close control panel.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

atmclk.exe
dcomcfg.exe
DesktopWeather.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE773.tmp

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files(if there).

C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

C:\WINDOWS\system32\hpE773.tmp

C:\WINDOWS\system32\atmclk.exe

C:\WINDOWS\system32\dcomcfg.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard
  #3  
Old 05-08-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Phase Two

Thanks for the welcome and the help. I followed your steps and am attaching the new HJT log. How will I be able to tell if I've cleaned every bit of this mess up? My computer seems to be running okay right now...but as you can imagine, I'm a little jittery.

Tir
Attached Files
File Type: txt hijackthissecond.txt (5.3 KB, 1 views)
  #4  
Old 05-08-2006
TechSpot Evangelist
 
Member since: Aug 2004, 25,949 posts
Have HJT fix the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Post a fresh HJT log please.

Regards Howard
  #5  
Old 05-08-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Phase Three

Okay had HJT fix the seven you had listed and attaching the newest log.

Tir
Attached Files
File Type: txt hijackthisthird.txt (4.9 KB, 2 views)
  #6  
Old 05-08-2006
TechSpot Evangelist
 
Member since: Aug 2004, 25,949 posts
You still have these two entries in your HJT log.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Go and download these three programmes. Update them to the latest deffinitions and then run them in safe mode, with system restore turned off.

http://www.intermute.com/products/cwshredder.html

http://www.majorgeeks.com/download4113.html

http://www.spychecker.com/program/aboutbuster.html

Run AboutBuster first.

Next run CWShredder.

Then run CoolWWWSearch.SmartKiller.

Run HJT and have HJT fix all R0 and R1 entries.

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard

Last edited by howard_hopkinso; 05-08-2006 at 10:26 PM..
  #7  
Old 05-08-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
And Yet Again

okay, I ran About Buster, CWShredder and the CoolWWWSearch.SmartKiller and they found nothing on my system. I ran the HJT and checked all the R0 and R1 entries, rebooted and when I ran the new log, these were still there:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

newest HJT log is attached

Tir
Attached Files
File Type: txt hijackthisfourth.txt (4.9 KB, 2 views)
  #8  
Old 05-08-2006
TechSpot Evangelist
 
Member since: Aug 2004, 25,949 posts
You have a new variant of smitFraud.

I want you to click on this link. http://www.atribune.org/ccount/click.php?id=10

It will download a file called SysProtect Remover.exe'

Simply Download and run SysProtect Remover.exe. Once it is running click the "Remove Now" button and follow the on screen instructions.

Once done, please post a fresh HJT log.

I can`t guarantee this will work. If it doesn`t we`ll have to try something else.

Regards Howard

Last edited by howard_hopkinso; 05-08-2006 at 11:41 PM..
  #9  
Old 05-08-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Again

Downloaded and ran this and these two lines are still there. New log attached.

Tir
Attached Files
File Type: txt hijackthisfive.txt (4.9 KB, 3 views)
  #10  
Old 05-09-2006
TechSpot Evangelist
 
Member since: Aug 2004, 25,949 posts
Ok. I`ve just had someone fix this problem.

Go HERE and follow the instructions in step 3 please. I have only just updated these instructions.

Post a fresh HJT after doing that.

Regards Howard
  #11  
Old 05-10-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Final I hope...

Okay, I followed the fix instructions and here is the latest HJT log. Am I clean? If so, you have my heartiest thanks! This has been an interesting learning experience. If not...what's my next step?
Attached Files
File Type: txt hijackthisfinal.txt (4.8 KB, 3 views)
  #12  
Old 05-10-2006
TechSpot Evangelist
 
Location: Bridgend
Member since: Nov 2003, 2,371 posts
You are completely clean Congrats to you, and maybe a thankyou to Howard would be nice
  #13  
Old 05-10-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Thanks to all of you

Thanks, Spike, that's good to know. I was determined to try to work through this without having to wipe my hard drive. Howard made all that possible with precise and clear instructions and very timely responses to my posts. I am most favorably impressed with all of you here at TechSpot and will highly recommend this site to others who run into virus/trojan trouble. Thank you again.

Tir
  #14  
Old 05-10-2006
TechSpot Evangelist
 
Member since: Aug 2004, 25,949 posts
I`ve just received your pm.

Thanks for your kind words.

Glad we could help.

Because the infection you had was a new variant, I had to do some research to find a fix that worked, hence the various instruction changes. It appears that Step 3 in my instructions finally did the trick.

I thank you for your feedback, as this will help many more members who are unfortunate enough to find themselves with the same infection.

Regards Howard
  #15  
Old 02-07-2009
Newcomer, in training
 
Member since: Feb 2009, 1 posts
Hi Howard,
I am having the same problem
I followed the link you provided but I can't find the thread and an error message is displayed:
"No Thread specified. If you followed a valid link, please notify the administrator"
Can you please provide the steps?
Thanks a lot
Closed Thread

Similar Topics
Topic Replies Forum
Win32 myzor, virus trigger, etc. 15 Virus and Malware Removal
Help! trojan-spy.win32@mx, W32.Myzor.FK@yf, and SpyBot@MXt 4 Virus and Malware Removal
Win32.myzor--need help please!! 5 Virus and Malware Removal
Help with Win32.Myzor.FK@yf 1 Virus and Malware Removal
win32.myzor.fk@yf need Help!! 1 Virus and Malware Removal

Thread Tools Search this Thread
Search this Thread:

Advanced Search
All times are GMT -4. The time now is 03:47 AM.