• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1002

How do I remove MAL/BHO-D malware detected by Spy Sweeper (quarantine failed)?

I have a customer's computer. This is a Dell Optiplex GX240 running XP Pro. This computer got infected with a lot of trojans, adware, behavioral malware, etc. The version of Spy Sweeper with antivirus detected and deleted most of them. There is only one for which quarantine failed, this MAL/BHO-D malware. I tried information online but without success. Please, I need to know if there is a way to delete this malware. My last option could be a fresh installation, but I want to use every other resource before doing that. Thanks
Asked by: pentiumsale

1 Solution
 
IndiGenusCommented:
Post a HijackThis log so we can see what's going on. Sounds like just a malicious BHO, which shouldn't be too hard to remove.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php
0
 
pentiumsaleAuthor Commented:
this is what I got:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:29 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: (no name) - {899B0EF2-E0BE-41BA-BB41-0ABFB232813C} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [YourPrivacyGuard] C:\Program Files\YourPrivacyGuard\GDC.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UPnPService - Unknown owner - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: Privacy Protection - about:home

--
End of file - 6752 bytes
0
 
IndiGenusCommented:
I can see one of the bad toolbars, but it doesn't look to be active any more. There are other concerns, though.

I would run a check for Smitfraud here:

Just option 1 to see if present. Upload the log if you're not sure. If present run option #2 in Safe Mode.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Then, Combofix:

Download and Run ComboFix

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
0
 
pentiumsaleAuthor Commented:
SmitFraudFix v2.240

Scan done at 17:37:37.92, Wed 10/17/2007
Run from C:\Documents and Settings\Eduardo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\msvb.dll FOUND !
C:\WINDOWS\wsremover.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eduardo


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eduardo\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Eduardo\FAVORI~1

C:\DOCUME~1\Eduardo\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Eduardo\FAVORI~1\Privacy Protector.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:home"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="about:home"
"SubscribedURL"="about:home"
"FriendlyName"="my current home page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F02E4BB4-A8F1-499D-8368-D23867068098}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F02E4BB4-A8F1-499D-8368-D23867068098}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F02E4BB4-A8F1-499D-8368-D23867068098}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

0
 
IndiGenusCommented:
Bingo there. Run option #2 (clean) on the Smitfraudfix tool in Safe Mode. It will ask if you want to clean the registry, select yes. Also confirm anything else it asks.

Reboot and post a fresh HJT log.
0
 
pentiumsaleAuthor Commented:
SmitFraudFix v2.240

Scan done at 18:08:58.10, Wed 10/17/2007
Run from C:\Documents and Settings\Eduardo\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\msvb.dll Deleted
msvb not found.
C:\WINDOWS\wsremover.exe Deleted
C:\DOCUME~1\Eduardo\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Eduardo\FAVORI~1\Privacy Protector.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F02E4BB4-A8F1-499D-8368-D23867068098}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F02E4BB4-A8F1-499D-8368-D23867068098}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F02E4BB4-A8F1-499D-8368-D23867068098}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

0
 
pentiumsaleAuthor Commented:
This is a log from COMBOFIX:

***Combofix log removed by rpggamergirl, Zone Advisor***
0
 
IndiGenusCommented:
OK...I'll take a look and get back to you soon. Do me a favor, I should have told you earlier but forgot. Upload any logs to this link and post back letting us know it's there. The staff here would rather us work it that way.

http://www.ee-stuff.com

Thanks,
Dave
Sorry rpg...
0
 
IndiGenusCommented:
That's another combo log. Can you run HJT and give us a fresh log. Upload it to the link I gave you please.
0
 
pentiumsaleAuthor Commented:
OK, thanks for your help. I ran Spy Sweeper again and the MAL/BHO-D is still failing quarantine. One thing that I want to mention is that when I ran SmitfraudFix and chose the 2nd option (safe mode), Windows was in real mode at that moment. Did I do this right? Now I am going to post a fresh HijackThis log to see what needs to be done. Thanks again.
0
 
IndiGenusCommented:
No, it should have been run in Safe Mode as I had advised. Looks like it worked for the most part although it reported one file not found. Please post a fresh HJT log.
0
 
pentiumsaleAuthor Commented:
OK, that is what I thought. Let me send you a fresh log.
0
 
pentiumsaleAuthor Commented:
OK, I ran SmitfraudFix in Safe Mode and then I ran ComboFix again (normal mode). Then I ran Spy Sweeper again and it is still showing this MAL/BHO-D failing quarantine. Now, after I ran ComboFix, Spy Sweeper shows an alert: it detects a change in the service configuration, for example "svchost.exe is attempting to delete xxxxxxx", and then Spy Sweeper recommends "Allow this action". I just want to mention that I allow all alerts that Spy Sweeper recommends. Here is the link for the uploaded file: https://filedb.experts-exchange.com/incoming/ee-stuff/5074-hijackthis1018.txt
0
 
IndiGenusCommented:
I suggest you do the following:

Using Add or Remove Programs from Control Panel remove the following programs if they exist:

AskSBar
YourPrivacyGuard

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKCU\..\Run: [YourPrivacyGuard] C:\Program Files\YourPrivacyGuard\GDC.exe
Then close all windows except this one and press Fix checked.

Using Windows Explorer delete the following folders if they are still present:

C:\Program Files\AskSBar
C:\Program Files\YourPrivacyGuard

Upload a fresh HJT log and let us know how it's doing.
0
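The fix list above is built by reading the HijackThis log by hand: tick the entries whose path is "(no file)", whose module lives in a known unwanted program folder, or whose module sits somewhere an OS component should not. The following is an added example, not code from the thread or from HijackThis, that applies those same three checks mechanically to a few lines copied from the log posted earlier. The sample input is constructed: all lines but one come from the posted log, and the O2 line for C:\WINDOWS\bndsrsvk.dll (the file later deleted with Killbox) is assumed, with an all-zero placeholder in place of a real CLSID, because no HijackThis line for that file was ever posted. The unwanted-folder list contains only the two folders the thread itself names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. Every line except the bndsrsvk.dll one is copied from the
# HijackThis log posted in the thread; that O2 line is an assumption with a
# placeholder CLSID, since the thread never showed where the DLL was registered.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\bndsrsvk.dll
O3 - Toolbar: (no name) - {899B0EF2-E0BE-41BA-BB41-0ABFB232813C} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [YourPrivacyGuard] C:\Program Files\YourPrivacyGuard\GDC.exe
"""

# Program folders the thread identified as unwanted (lower-case, with separators
# so "\asksbar\" cannot match inside an unrelated folder name).
UNWANTED_DIRS = ("\\asksbar\\", "\\yourprivacyguard\\")


@dataclass
class Entry:
    section: str          # R3, O2, O3 or O4
    name: str             # display name, "(no name)" when HijackThis has none
    clsid: Optional[str]  # CLSID for R3/O2/O3 entries, None for O4 Run entries
    path: Optional[str]   # module path, None when HijackThis printed "(no file)"
    raw: str              # the original log line, i.e. what you tick in HijackThis


@dataclass
class Finding:
    entry: Entry
    reason: str


# R3/O2/O3 lines: "<section> - <kind>: <name> - {CLSID} - <path or (no file)>"
CLSID_LINE = re.compile(
    r"^(?P<section>R3|O2|O3) - (?:URLSearchHook|BHO|Toolbar): "
    r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O4 lines: "O4 - HKLM\..\Run: [value name] <command line>"
RUN_LINE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# First executable in a Run command line, quoted or not; unquoted paths may
# contain spaces, so match lazily up to the first known extension.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|com|scr|bat|cmd))"?', re.IGNORECASE)


def _exe_from_command(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def parse_hjt(text: str) -> List[Entry]:
    """Extract the R3/O2/O3 (CLSID-based) and O4 (Run key) entries from a HijackThis log."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = CLSID_LINE.match(raw)
        if m:
            path = m.group("path").strip()
            entries.append(Entry(m.group("section"), m.group("name"), m.group("clsid"),
                                 None if path == "(no file)" else path, raw))
            continue
        m = RUN_LINE.match(raw)
        if m:
            entries.append(Entry("O4", m.group("name"), None,
                                 _exe_from_command(m.group("cmd")), raw))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the three checks the thread applied by hand; first matching rule wins."""
    findings: List[Finding] = []
    for e in entries:
        p = (e.path or "").lower()
        if e.path is None:
            findings.append(Finding(e, "orphaned: CLSID registered but no file on disk"))
        elif any(d in p for d in UNWANTED_DIRS):
            findings.append(Finding(e, "known unwanted program folder"))
        elif re.match(r"^c:\\windows\\[^\\]+$", p):
            # OS components live under system32; a loose DLL/EXE in C:\WINDOWS is
            # where SmitfraudFix found msvb.dll and wsremover.exe on this machine.
            findings.append(Finding(e, "module loaded directly from C:\\WINDOWS"))
        elif e.name == "(no name)":
            findings.append(Finding(e, "unnamed entry backed by a file: review manually"))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """The exact log lines to tick before pressing 'Fix checked' in HijackThis."""
    return [f.entry.raw for f in findings]


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.reason:45s} {f.entry.raw}")
```

On the sample above the script flags the four Ask/YourPrivacyGuard entries the expert listed, the two "(no file)" leftovers, and the loose DLL in C:\WINDOWS, while leaving the Adobe and avast! entries alone. The rules are deliberately narrow: a real triage still needs the file's publisher, hash and creation time, which HijackThis does not record.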
 
pentiumsaleAuthor Commented:
This is a fresh log of Hijackthis after fixed.
https://filedb.experts-exchange.com/incoming/ee-stuff/5076-hijackthis03.txt 
0
 
IndiGenusCommented:
Okay... although it doesn't look like you rebooted after running the fix, it looks like it worked. Question is... how's it running? Is Spy Sweeper still alerting you?
0
 
pentiumsaleAuthor Commented:
Well, unfortunately Spy Sweeper is still alerting me and the MAL/BHO-D is still there. What do you think I missed? Do you think I can do something else?
0
 
IndiGenusCommented:
Well, I certainly don't see anything else in your HJT log. I would advise a Kaspersky scan at this point to see what is found. Kaspersky won't fix anything but is very thorough and will produce a log that we can review. The scan will take a while so please be patient.

Using Internet Explorer, run Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
   
* Click 'Accept' in the window that pops up.
* You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
          o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save Report As...' button:
* Make sure it says Save as a text file - change it if not
* Save the file to your desktop.

Please upload the Kaspersky report and post the link so we can review it.
0
 
pentiumsaleAuthor Commented:
Hello, good morning, here I am again. I ran the Kaspersky Online Scanner last night and this is the report:
https://filedb.experts-exchange.com/incoming/ee-stuff/5086-KASPERSKY-REPORT.txt 
0
 
IndiGenusCommented:
Okay I think we found it. Also, your restore points are infected and should be reset.

Download the Killbox
http://www.downloads.subratam.org/KillBox.zip 
Unzip it to the desktop
Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in the "Full Path of File to Delete" box in Killbox:

C:\WINDOWS\bndsrsvk.dll
 
Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  
If your computer does not restart automatically, please restart it manually.

Now turn off and back on your system restore, and set a new restore point. This should clear out those infections in there. Let me know if you're not sure how to do this.
0
 
pentiumsaleAuthor Commented:
Hi, I followed your steps exactly and then I ran Spy Sweeper, and it is still there. So I am sending you a fresh Kaspersky report; please see what else can be done.
https://filedb.experts-exchange.com/incoming/ee-stuff/5089-KASPERSKY-REPORT2.txt 
0
 
IndiGenusCommented:
Where did Spysweeper find it? The file is still in the Killbox folder. Let's do this:

Delete the Killbox folder:
C:\!KillBox

Delete the Smitfraudfix tool and folder:
C:\Documents and Settings\Eduardo\Desktop\SmitfraudFix
C:\Documents and Settings\Eduardo\My Documents\SmitfraudFix.exe

Empty the recycle bin.

Now, see if still detecting. Does Spysweeper give you the name of the file? Or just the infection?
0
 
pentiumsaleAuthor Commented:
OK, finally Spy Sweeper does not detect it anymore, which I think means it is no longer in the system, right? Now, first of all, I want to thank you for the spectacular help you provided me. I wish I could learn how to read HijackThis logs and solve many problems. I ran the Kaspersky online scanner again and it still found 2 viruses and 2 infected objects. Do you think there is something you can do to clean these infections? If not, I am more than happy that the MAL/BHO-D is gone, and I will accept this as the solution and give you the points you deserve. Please let me know. This is the latest report from Kaspersky: https://filedb.experts-exchange.com/incoming/ee-stuff/5095-kaspersky-report4.txt
0
 
IndiGenusCommented:
Those files are in your restore points again. No big deal, just reset system restore again, making sure to turn it back on. You should be free and clear here.

Regards,
Dave

PS...
If you're interested in learning how to read HJT logs and fighting Malware there are good free online schools. Here are a couple:

http://forum.malwareremoval.com/viewtopic.php?t=233
http://www.geekstogo.com/forum/Would-like-to-learn-to-fight-malware-t4817.html
0
 
pentiumsaleAuthor Commented:
IndiGenus, thanks for helping me solve this problem and for your patience. I reset System Restore again and ran Kaspersky again, and the result was that no malware was found. This problem took a lot of my time, but it was worth it thanks to you. And I will take a look at those links about free online schools. Thank you, Dave.
0
 
IndiGenusCommented:
You're quite welcome. Good luck in your future ventures.

Dave
0
