1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Homepage hijacked..

Discussion in 'Virus & Other Malware Removal' started by dbm1987, Jun 21, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. dbm1987

    dbm1987 Thread Starter

    Joined:
    May 22, 2005
    Messages:
    39
    My homepage has been hijacked. It is programmed to go to comcast.net
    WHen I open it, the address box says comcast.net but it is showing me an E search website with a search box and little links underneath it. How do I fix this?

    this is my log from hijack this
    Logfile of HijackThis v1.99.1
    Scan saved at 11:54:15 PM, on 6/21/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\OCQZQXJL.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcenter.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    O2 - BHO: Internet Explorer Hot Fix - {C4C60A40-E2A3-11D9-9956-000C41286B68} - C:\WINDOWS\SYSTEM\FBVST.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
    O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ocqzqxjl] c:\windows\system\ocqzqxjl.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14914ffa35ec93768223/netzip/RdxIE601.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

    Help!
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Print this and boot to safe mode (Start tapping F8 at the first black screen after power up)
    Fix these with HJT

    O2 - BHO: Internet Explorer Hot Fix - {C4C60A40-E2A3-11D9-9956-000C41286B68} - C:\WINDOWS\SYSTEM\FBVST.DLL

    O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

    O4 - HKLM\..\Run: [ocqzqxjl] c:\windows\system\ocqzqxjl.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14914ff...ip/RdxIE601.cab

    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web...hm::/update.exe

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Uncheck hide extensions
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files

    c:\windows\system\ocqzqxjl.exe
    C:\WINDOWS\SYSTEM\FBVST.DLL


    START – RUN – type in %temp% OK - Edit – Select all – File – Delete
    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
    Empty the recycle bin
    Boot

    Run ActiveScan online virus scan

    http://www.pandasoftware.com/activescan/

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJackThis log along with the results from ActiveScan


    Please give feedback on what worked/didn’t work and the current status of your system
     
  3. dbm1987

    dbm1987 Thread Starter

    Joined:
    May 22, 2005
    Messages:
    39
    Ok, I did everything and these are my new log files..

    Logfile of HijackThis v1.99.1
    Scan saved at 12:18:40 AM, on 6/23/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcenter.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
    O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    And for active scan..

    Incident Status Location

    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
    Adware:Adware/GloboSearch No disinfected C:\Program Files\WareOut
    Virus:Trj/Clicker.GM Disinfected C:\WINDOWS\SYSTEM\cisvvc.exe
    Adware:Adware/SBSoft No disinfected C:\WINDOWS\SYSTEM\inqhg.dll
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
    Adware:Adware/StartPage.XX No disinfected C:\Program Files\WareOut\wocount.exe
    Adware:Adware/Startpage.ZN No disinfected C:\Program Files\backups\backup-20050622-165008-268.dll
    I deleted the ones that weren't deleted with activescan.

    What now? I still get a little icon popping up on my taskbar that looks like a balloon or a shield saying that windows says I am in danger of spyware or a virus or something, and to click yes to learn more about how to protect myself. I click no.

    I also am getting popups out of nowhere going to a "Real money and bonuses" website that is all green and has a link to poker.

    What can I do?
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix this in normal mode - mark it, close IE, click fix checked

    SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
    SpyBot V1.4 http://www.majorgeeks.com/download2471.html * NEW *
    AdAware SE 1.06 http://www.majorgeeks.com/download506.html - * NEW *
    MS AntiSpy -
    DL them (they are free), install them, check each for their
    definition updates
    and then run AdAware and Spybot, fixing anything
    they say.

    In SpywareBlaster - Always enable all protection after updates
    In SpyBot - After an update run immunize


    Boot and a new log
     
  5. dbm1987

    dbm1987 Thread Starter

    Joined:
    May 22, 2005
    Messages:
    39
    I'm trying to open Spyware blaster and i get an error saying,

    "error while unpacking program, code 4. Please report to author".

    And my homepage got hijacked again. So i'm running activescan right now and its taking forever, but I'll post the log on that, and I'll post the log for hjt.
     
  6. dbm1987

    dbm1987 Thread Starter

    Joined:
    May 22, 2005
    Messages:
    39
    Ok lets start over,

    here is the log from my most recent HJT,
    what do I get rid of?

    --

    Logfile of HijackThis v1.99.1
    Scan saved at 10:44:54 PM, on 6/23/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM32\SVCNUT32.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpv.dll/security.htm#subID=PSFV;6384
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpv.dll/asst.htm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
    O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
    O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\SYSTEM\hgqhp.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web/axe/x.chm::/update.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk:mad:mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/xxx/html.chm::/html.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.85,195.225.176.31
     
  7. dbm1987

    dbm1987 Thread Starter

    Joined:
    May 22, 2005
    Messages:
    39
    Here is my adaware log..

    Ad-Aware SE Build 1.06r1
    Logfile Created on:Thursday, June 23, 2005 10:50:25 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R51 21.06.2005
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    MRU List(TAC index:0):7 total references
    Tracking Cookie(TAC index:3):3 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Search for low-risk threats
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    6-23-05 10:50:25 PM - Scan started. (Smart mode)

    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [KERNEL32.DLL]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4293882871
    Threads : 7
    Priority : High
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Win32 Kernel core component
    InternalName : KERNEL32
    LegalCopyright : Copyright (C) Microsoft Corp. 1991-1999
    OriginalFilename : KERNEL32.DLL

    #:2 [MSGSRV32.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294921515
    Threads : 1
    Priority : Normal
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows 32-bit VxD Message Server
    InternalName : MSGSRV32
    LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
    OriginalFilename : MSGSRV32.EXE

    #:3 [MPREXE.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294949819
    Threads : 2
    Priority : Normal
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WIN32 Network Interface Service Process
    InternalName : MPREXE
    LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
    OriginalFilename : MPREXE.EXE

    #:4 [mmtask.tsk]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294946319
    Threads : 1
    Priority : Normal
    FileVersion : 4.03.1998
    ProductVersion : 4.03.1998
    ProductName : Microsoft Windows
    CompanyName : Microsoft Corporation
    FileDescription : Multimedia background task support module
    InternalName : mmtask.tsk
    LegalCopyright : Copyright © Microsoft Corp. 1991-1998
    OriginalFilename : mmtask.tsk

    #:5 [VSMON.EXE]
    FilePath : C:\WINDOWS\SYSTEM\ZONELABS\
    ProcessID : 4294941579
    Threads : 17
    Priority : Normal
    FileVersion : 5.5.094.000
    ProductVersion : 5.5.094.000
    ProductName : TrueVector Service
    CompanyName : Zone Labs, LLC
    FileDescription : TrueVector Service
    InternalName : vsmon
    LegalCopyright : Copyright © 1998-2005, Zone Labs, LLC
    OriginalFilename : vsmon.exe

    #:6 [ASHSERV.EXE]
    FilePath : C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\
    ProcessID : 4294940763
    Threads : 28
    Priority : Normal
    FileVersion : 4, 6, 602, 0
    ProductVersion : 4, 6, 0, 0
    ProductName : avast! Antivirus
    FileDescription : avast! antivirus service
    InternalName : aswServ
    LegalCopyright : Copyright (c) 2005 ALWIL Software
    OriginalFilename : aswServ.exe

    #:7 [MSTASK.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294847807
    Threads : 2
    Priority : Normal
    FileVersion : 4.71.1972.1
    ProductVersion : 4.71.1972.1
    ProductName : Microsoft® Windows® Task Scheduler
    CompanyName : Microsoft Corporation
    FileDescription : Task Scheduler Engine
    InternalName : TaskScheduler
    LegalCopyright : Copyright (C) Microsoft Corp. 2000
    OriginalFilename : mstask.exe

    #:8 [EXPLORER.EXE]
    FilePath : C:\WINDOWS\
    ProcessID : 4294856835
    Threads : 6
    Priority : Normal
    FileVersion : 4.72.3110.1
    ProductVersion : 4.72.3110.1
    ProductName : Microsoft(R) Windows NT(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997
    OriginalFilename : EXPLORER.EXE

    #:9 [ZLCLIENT.EXE]
    FilePath : C:\PROGRAM FILES\ZONE LABS\ZONEALARM\
    ProcessID : 4294770895
    Threads : 6
    Priority : Normal
    FileVersion : 5.5.094.000
    ProductVersion : 5.5.094.000
    ProductName : Zone Labs Client
    CompanyName : Zone Labs, LLC
    FileDescription : Zone Labs Client
    InternalName : zlclient
    LegalCopyright : Copyright © 1998-2005, Zone Labs, LLC
    OriginalFilename : zlclient.exe

    #:10 [ASHWEBSV.EXE]
    FilePath : C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\
    ProcessID : 4294801095
    Threads : 16
    Priority : Normal


    #:11 [REALSCHED.EXE]
    FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
    ProcessID : 4294831163
    Threads : 2
    Priority : Normal
    FileVersion : 0.1.0.3292
    ProductVersion : 0.1.0.3292
    ProductName : RealPlayer (32-bit)
    CompanyName : RealNetworks, Inc.
    FileDescription : RealNetworks Scheduler
    InternalName : schedapp
    LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
    LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
    OriginalFilename : realsched.exe

    #:12 [SVCNUT32.EXE]
    FilePath : C:\WINDOWS\SYSTEM32\
    ProcessID : 4294805107
    Threads : 2
    Priority : Normal


    #:13 [AIM.EXE]
    FilePath : C:\PROGRAM FILES\AIM\
    ProcessID : 4294730179
    Threads : 2
    Priority : Normal
    FileVersion : 5.9.3797
    ProductVersion : 5.9.3797
    ProductName : AOL Instant Messenger
    CompanyName : America Online, Inc.
    FileDescription : AOL Instant Messenger
    InternalName : AIM
    LegalCopyright : Copyright © 1996-2004 America Online, Inc.
    OriginalFilename : AIM.EXE

    #:14 [SPOOL32.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294822123
    Threads : 2
    Priority : Normal
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler Sub System Process
    InternalName : spool32
    LegalCopyright : Copyright (C) Microsoft Corp. 1994 - 1998
    OriginalFilename : spool32.exe

    #:15 [IEXPLORE.EXE]
    FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
    ProcessID : 4294646587
    Threads : 3
    Priority : Idle
    FileVersion : 6.00.2800.1106
    ProductVersion : 6.00.2800.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : IEXPLORE.EXE

    #:16 [RPCSS.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294676679
    Threads : 5
    Priority : Normal
    FileVersion : 4.71.2900
    ProductVersion : 4.71.2900
    ProductName : Microsoft(R) Windows NT(TM) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Distributed COM Services
    InternalName : rpcss.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998
    OriginalFilename : rpcss.exe

    #:17 [DDHELP.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294594039
    Threads : 3
    Priority : Realtime
    FileVersion : 4.06.03.0518
    ProductVersion : 4.06.03.0518
    ProductName : Microsoft® DirectX for Windows® 95 and 98
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft DirectX Helper
    InternalName : ddhelp.exe
    LegalCopyright : Copyright © Microsoft Corp. 1994-1999
    OriginalFilename : ddhelp.exe

    #:18 [YMSGR_TRAY.EXE]
    FilePath : C:\PROGRAM FILES\YAHOO!\MESSENGER\
    ProcessID : 4294521275
    Threads : 1
    Priority : Normal


    #:19 [AD-AWARE.EXE]
    FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
    ProcessID : 4293359003
    Threads : 2
    Priority : Normal
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : [email protected][2].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:4
    Value : Cookie:[email protected]/
    Expires : 12-31-09 8:00:00 PM
    LastSync : Hits:4
    UseCount : 0
    Hits : 4

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@tribalfusion[2].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:[email protected]/
    Expires : 12-31-37 8:00:00 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@questionmarket[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:[email protected]/
    Expires : 8-14-06 2:42:04 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 3
    Objects found so far: 3



    Deep scanning and examining files...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\WINDOWS
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 3

    Disk Scan Result for C:\WINDOWS\SYSTEM
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 3

    Disk Scan Result for c:\windows\TEMP\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 3

    MRU List Object Recognized!
    Location: : software\microsoft\directdraw\mostrecentapplication
    Description : most recent application to use microsoft directdraw


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\internet explorer
    Description : last download directory used in microsoft internet explorer


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
    Description : list of recently entered addresses in microsoft internet explorer


    MRU List Object Recognized!
    Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
    Description : list of recent skins in realplayer


    MRU List Object Recognized!
    Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
    Description : list of recent clips in realplayer


    MRU List Object Recognized!
    Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
    Description : last login time in realplayer


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
    Description : windows media sdk



    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 10

    10:53:40 PM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:03:15.430
    Objects scanned:31987
    Objects identified:3
    Objects ignored:0
    New critical objects:3



    And I let it delete what it found.
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Print this and boot to safe mode (Start tapping F8 at the first black screen after power up)
    Fix these with HJT

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpv.dll/security.htm#subID=PSFV;6384

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpv.dll/asst.htm

    O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home

    O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\SYSTEM\hgqhp.exe

    O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web...hm::/update.exe

    O16 - DPF: {11010101-1001-1111-1000-110112345678} - mk:mad:mSItSTORE:Mhtml:FiLE://C:\html.mHT!http://205.177.122.27/docs/xxx/html.chm::/html.exe

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.85,195.225.176.31


    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Uncheck hide extensions
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files – careful of the spelling

    C:\WINDOWS\system32\shdocpv.dll
    C:\WINDOWS\system32\svcnut32.exe
    C:\WINDOWS\SYSTEM\hgqhp.exe


    START – RUN – type in %temp% OK - Edit – Select all – File – Delete
    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
    Empty the recycle bin
    Boot and post a new log

    Please give feedback on what worked/didn’t work and the current status of your system
     
  9. dbm1987

    dbm1987 Thread Starter

    Joined:
    May 22, 2005
    Messages:
    39
    new log
    Logfile of HijackThis v1.99.1
    Scan saved at 4:07:49 PM, on 6/24/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\POP-UP NO-NO\PUNN.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\ARES LITE EDITION\ARES.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
    O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSAVER\USSSHREG.EXE /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PopUpNoNo] "C:\Program Files\Pop-Up No-No\punn.exe" -startup
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ares] "C:\PROGRAM FILES\ARES LITE EDITION\ARES.EXE" -h
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

    ---

    I'm still getting pop ups to a poker site and a porn site, and I still get that alert on my taskbar near the clock that says my system is in danger or something, it shows up as a shield then a message pops up from it. I also am getting "windows security center" message box that says my computer has spyware on it and it asks if i want to learn how to get rid of it.

    How do I stop these things!?!?!
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    It appears you are adding programs while we are try to fix this, like pop up no no and Ares lite

    Any P2P is an open target for infections - remove Ares Lite

    Run ActiveScan online virus scan

    http://www.pandasoftware.com/activescan/

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJackThis log along with the results from ActiveScan
     
  11. dbm1987

    dbm1987 Thread Starter

    Joined:
    May 22, 2005
    Messages:
    39
    Ok, here is a new hjt log.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:18:48 PM, on 6/26/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\POP-UP NO-NO\PUNN.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PopUpNoNo] "C:\Program Files\Pop-Up No-No\punn.exe" -startup
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ares] "C:\PROGRAM FILES\ARES LITE EDITION\ARES.EXE" -h
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.85,195.225.176.31

    ---
    O17 always reappears even if I get rid of it.

    now the active scan log.


    Incident Status Location

    Adware:Adware/GloboSearch No disinfected Windows Registry
    Adware:Adware/QuickWeb No disinfected C:\WINDOWS\SYSTEM\ntfsnlpa.exe
    Virus:Trj/Clicker.GM Disinfected C:\WINDOWS\SYSTEM\cisvvc.exe
    Adware:Adware/SBSoft No disinfected C:\WINDOWS\SYSTEM\inqhg.dll
    I could delete everythign but Adware/GloboSearch in the Registry because I couldn't find it.

    I am still getting the little bubble that pops up on the bottom right and the box that pops up from microsoft and asks if I want to learn how to protect my system.
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  13. dbm1987

    dbm1987 Thread Starter

    Joined:
    May 22, 2005
    Messages:
    39
    How do I get rid of
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.85,195.225.176.31


    without it coming back?

    and how do I get rid of the Globosearch adware that ActiveScan found?
     
  14. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Don't think you can and the other was disinfected so not to worry

    I'd be more concerned with Ares

    How is the system
     
  15. dbm1987

    dbm1987 Thread Starter

    Joined:
    May 22, 2005
    Messages:
    39
    Activescan said the globosearch wasn't disinfected.

    And I'm still getting the bubble on the bottom right.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/374026