
Impossible IE Pop-Ups!

Discussion in 'Virus & Other Malware Removal' started by Aywren, Jun 16, 2006.

  1. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    Hi! I'm new here -- noticed that a few people had the same problem I'm having with IE Pop-Ups, so I thought I'd look for some help. Spyware scans and pop-up stoppers couldn't cut it and my virus scanner finds nothing wrong.

    Though I can only check back here every now and then, and not on the weekends (I apologize in advance for slow replies), I was hoping that someone might have some ideas on where to go to fix this!

    Thanks for your time!

    Logfile of HijackThis v1.99.1
    Scan saved at 8:58:20 AM, on 6/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    C:\WINDOWS\system32\LckFldService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Documents and Settings\VOLUNTEER\Desktop\HijackThis.exe

    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsyC.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmfizu.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
    O2 - BHO: (no name) - {FC027F23-593E-41E5-B96C-DDE4DF2E6A8B} - C:\Program Files\NetMeeting\meho.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\SYSTEM32\rundll32.exe C:\PROGRA~1\BELARC\ADVISOR\SYSTEM\NPBELV32.DLL,RunDll32_BelNotify
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.judicial.state.sc.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/153e97dbf6eb628f4716/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101759720358
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132259677890
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PDC.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O20 - AppInit_DLLs: inicfg32.dll,iniwin32.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,563
    Hi and welcome to TSG,


    Please download E2TakeOut by Rubber Ducky from here:

    http://www.malwarebytes.org/E2TakeOut.zip
    • Extract the file to your Desktop
    • Double click E2TakeOut.exe
    • Click the Begin Removal button
    • Wait until the program is finished scanning
    • Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
    • Reboot your computer
    • Once your computer has rebooted E2TakeOut will open and produce a report
    • Please copy/paste that report into your next reply
  3. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    Okay. I did that. Here are both of my logs:

    E2TakeOut v1.00 [http://www.malwarebytes.org]

    Removed orphaned leftovers
    AppInit key reset


    Logfile of HijackThis v1.99.1
    Scan saved at 10:59:12 AM, on 6/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    C:\WINDOWS\system32\LckFldService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\thiselt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\VOLUNTEER\Desktop\HijackThis.exe

    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsyC.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmfizu.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
    O2 - BHO: (no name) - {FC027F23-593E-41E5-B96C-DDE4DF2E6A8B} - C:\Program Files\NetMeeting\meho.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\SYSTEM32\rundll32.exe C:\PROGRA~1\BELARC\ADVISOR\SYSTEM\NPBELV32.DLL,RunDll32_BelNotify
    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
    O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://webmail.durantchildren.org
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.judicial.state.sc.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/153e97dbf6eb628f4716/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101759720358
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132259677890
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PDC.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O20 - AppInit_DLLs: ,
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

    Thanks again!
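    To make the comparison between the two HijackThis logs in this thread mechanical, here is an added Python example (not from the thread, and not HijackThis or E2TakeOut code) that parses HijackThis entry lines, diffs the pre- and post-E2TakeOut logs, and flags entries worth a second look. The sample lines are copied from the logs above; the triage rules are my own heuristics, not a malware verdict.

```python
"""Parse HijackThis v1.99 log entries, diff two logs, and flag items for review."""
import re
from typing import List, Tuple

# A HijackThis entry looks like "O4 - HKLM\..\Run: [name] command": section, " - ", body.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")

# Constructed sample: a subset of the first log posted above (before E2TakeOut ran).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsyC.dll
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: inicfg32.dll,iniwin32.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# Constructed sample: the same subset from the second log (after E2TakeOut reset AppInit).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsyC.dll
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O15 - Trusted Zone: http://webmail.durantchildren.org
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: ,
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs; the header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries that disappeared and entries that appeared between two logs."""
    old = {f"{s} - {b}" for s, b in parse_log(before)}
    new = {f"{s} - {b}" for s, b in parse_log(after)}
    return sorted(old - new), sorted(new - old)


def review_items(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Heuristic triage: (reason, entry) for entries a helper would look at first.

    These rules are my own (hypothetical) and only point at things to check,
    they do not decide whether an entry is malicious.
    """
    flagged = []
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that links user32.dll.
            dlls = body[len("AppInit_DLLs:"):].replace(",", " ").split()
            if dlls:
                flagged.append(("AppInit_DLLs loads DLLs into every user32 process", body))
        elif section == "O15" and "*." in body:
            # A wildcard Trusted Zone entry relaxes IE security for a whole domain.
            flagged.append(("wildcard domain in IE Trusted Zone", body))
        elif section == "O4":
            cmd = body.split("] ", 1)[-1]
            if re.search(r"iexplore\.exe\s+https?://", cmd, re.I):
                flagged.append(("Run key opens IE on a URL at logon", body))
            elif re.fullmatch(r"c:\\windows\\[^\\]+\.exe", cmd.strip('"'), re.I):
                flagged.append(("Run key executes a file in the Windows root", body))
        elif section == "O23" and "(file missing)" in body:
            flagged.append(("service registered for a file that is missing", body))
    return flagged


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    for reason, body in review_items(parse_log(LOG_AFTER)):
        print(f"[{reason}] {body}")
```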
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,563
    Download the trial version of Ewido Anti-Malware here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update; click the OK button and it will go to the main screen
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.

    If you are having problems with the updater, you can use this link to manually update ewido:

    ewido manual updates


    Click here for info on how to boot to safe mode.


    Restart your computer into safe mode now. Perform the following steps in safe mode:


    Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop



    Restart back into Windows normally now.


    Run ActiveScan online virus scan here

    When the scan is finished, save the results from the scan!


    Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.
  5. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    Thanks for your time and patience! Here are the logs:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 10:09:27 AM, 6/19/2006
    + Report-Checksum: EDA66B0A

    + Scan result:

    HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Error during cleaning
    HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Adware.E2G : Error during cleaning
    HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Adware.E2G : Error during cleaning
    HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Error during cleaning
    C:\WINDOWS\SYSTEM32\adrotate.dll -> Adware.Trafgen : Cleaned with backup
    C:\WINDOWS\SYSTEM32\owinpqez.exe -> Adware.ZenoSearch : Cleaned with backup
    C:\WINDOWS\SYSTEM32\irsmfizu.dll -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\SYSTEM32\nsyC.dll -> Adware.Ezula : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Adware.MediaMotor : Cleaned with backup
    C:\WINDOWS\thiselt.exe -> Trojan.Popuper : Cleaned with backup
    C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
    C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup
    C:\WINDOWS\mynexus.exe -> Trojan.Imiserv.c : Cleaned with backup
    C:\WINDOWS\ieunst.exe -> Adware.IEPlug : Cleaned with backup
    C:\WINDOWS\installer_2512.exe -> Downloader.Qoologic.at : Cleaned with backup
    C:\Program Files\NetMeeting\meho.dll -> Downloader.Small.ctp : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\BE478606-1335-46BD-AB83-DF102A\046B533F-EC83-474E-812B-ECE8A1 -> Adware.Zango : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\FDC360F0-B628-495B-868F-4D4829\AA6EA66C-03D8-480D-B101-418B48 -> Adware.Zango : Cleaned with backup
    C:\Program Files\Kayako\html\loader.html -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup
    C:\Documents and Settings\VOLUNTEER\Local Settings\Temp\ICD5.tmp\amm06.ocx -> Adware.MediaMotor : Cleaned with backup
    C:\System Volume Information\_restore{F6020139-DBD1-4BDB-B508-2D465F164098}\RP719\A0054108.dll -> Adware.SideFind : Cleaned with backup
    C:\System Volume Information\_restore{F6020139-DBD1-4BDB-B508-2D465F164098}\RP717\A0053781.exe -> Downloader.Small.ajc : Cleaned with backup
    C:\System Volume Information\_restore{F6020139-DBD1-4BDB-B508-2D465F164098}\RP717\A0053877.exe -> Adware.MediaMotor : Cleaned with backup


    ::Report End
     
  6. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    However, I couldn't get the Panda Scan to work for me. I kept getting this error:

    "Not allowing the application's ActiveX control to be downloaded.

    Problems with the Internet connection."

    Not sure why.
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,563
    Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK.
    Now press "Custom Level."
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.


    Then run the Panda scan and post the results please.
     
  8. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    Incident Status Location

    Adware:adware/zenosearch Not disinfected C:\Documents and Settings\VOLUNTEER\Start Menu\Programs\Startup\Zeno.lnk
    Spyware:spyware/safesurf Not disinfected c:\windows\system32\irsmfizu.dll
    Adware:adware program Not disinfected c:\windows\system32\key.~
    Adware:adware/zenosearch Not disinfected C:\Documents and Settings\VOLUNTEER\Start Menu\Programs\Startup\Zeno.lnk
    Adware:adware/bravesentry Not disinfected c:\windows\wallpap.exe
    Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
    Adware:adware/commad Not disinfected c:\windows\uninstall_nmon.vbs
    Adware:adware/qoologic Not disinfected Windows Registry
    Potentially unwanted tool:application/winantivirus2006 Not disinfected hkey_local_machine\software\WinAntiVirus Pro 2006
    Adware:adware/popupsearches Not disinfected Windows Registry
    Adware:adware/adrotator Not disinfected Windows Registry
    Adware:adware/e2give Not disinfected Windows Registry
    Adware:adware/webhancer Not disinfected Windows Registry
    Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\SYSTEM32\UnIrimon.exe
    Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\vsl.exe[VSL.dl_]
    Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\vsl.exe[auxe.exe]
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\VVNFUg\pphIo0.vbs
    Adware:Adware/DigInk Not disinfected C:\WINDOWS\Tagasuarus2.exe[gege15x.exe]
    Adware:Adware/DigInk Not disinfected C:\WINDOWS\Tagasuarus2.exe[CCZoop05.exe]
    Adware:Adware/DigInk Not disinfected C:\WINDOWS\Tagasuarus2.exe[uni_ehhh.exe]
    Adware:Adware/DigInk Not disinfected C:\WINDOWS\Tagasuarus2.exe[unin101.exe]
    Virus:Trj/Downloader.MO Disinfected C:\Documents and Settings\VOLUNTEER\Local Settings\Temp\ICD2.tmp\default.inf
    Adware:Adware/QoolAid Not disinfected C:\Documents and Settings\VOLUNTEER\Local Settings\Temp\tp7543.exe
    Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\VOLUNTEER\Local Settings\Temp\sos.c.exe
    Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\VOLUNTEER\Local Settings\Temp\s3qc.1.exe
    Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\VOLUNTEER\Local Settings\Temp\ExtractDLL.dll
    Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\VOLUNTEER\Local Settings\Temp\qms2.tmp
    Adware:Adware/QoolAid Not disinfected C:\Documents and Settings\VOLUNTEER\Local Settings\Temporary Internet Files\Content.IE5\NNTB90PX\rcverlib[1].exe
     
  9. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    Logfile of HijackThis v1.99.1
    Scan saved at 10:00:36 AM, on 6/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    C:\PROGRA~1\NORTON~1\DefWatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\LckFldService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\VOLUNTEER\Desktop\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmfizu.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
    O2 - BHO: (no name) - {FC027F23-593E-41E5-B96C-DDE4DF2E6A8B} - C:\Program Files\NetMeeting\meho.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\SYSTEM32\rundll32.exe C:\PROGRA~1\BELARC\ADVISOR\SYSTEM\NPBELV32.DLL,RunDll32_BelNotify
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [wshche] C:\WINDOWS\system32\wshche.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://webmail.durantchildren.org
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.judicial.state.sc.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/153e97dbf6eb628f4716/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101759720358
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132259677890
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PDC.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O20 - AppInit_DLLs: ,
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NORTON~1\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NORTON~1\Rtvscan.exe

    Okay, there's your logs! Thanks for all your help!
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,563
    • Download Brute Force Uninstaller to your C:\
    • Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
    • Download qoofix.bat (right-click on this link and choose save as)
    • Place qoofix.bat in your C:\BFU - folder. (Important!)
    • Double-click qooFix.bat, Close all browsers and explorer folders.
    • Choose option 1 (Qoolfix autofix) and follow the prompts.
    • Please be patient, it will take about five minutes.
    • After the PC has restarted please post another hijackthis log.


    Then, using the same tool, please do this:

    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with this yet!

    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Behind the "scriptline to execute" field, click the folder icon and select alcanshorty.bfu
    • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
    Reboot into normal Windows.


    Please do another Panda scan and post a new HijackThis log along with the results of the Panda scan.
     
  11. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    Here is the first log after the qoofix.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:10:18 AM, on 6/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    C:\PROGRA~1\NORTON~1\DefWatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\LckFldService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Documents and Settings\VOLUNTEER\Desktop\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmfizu.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
    O2 - BHO: (no name) - {FC027F23-593E-41E5-B96C-DDE4DF2E6A8B} - C:\Program Files\NetMeeting\meho.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\SYSTEM32\rundll32.exe C:\PROGRA~1\BELARC\ADVISOR\SYSTEM\NPBELV32.DLL,RunDll32_BelNotify
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [wshche] C:\WINDOWS\system32\wshche.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://webmail.durantchildren.org
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.judicial.state.sc.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/153e97dbf6eb628f4716/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101759720358
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132259677890
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PDC.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O20 - AppInit_DLLs: ,
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NORTON~1\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NORTON~1\Rtvscan.exe

    Working on the Alcra now. Thanks again!
     
  12. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    Ran the Alcra... here's the Panda Scan log:


    Incident Status Location

    Spyware:spyware/safesurf Not disinfected c:\windows\system32\irsmfizu.dll
    Adware:adware program Not disinfected c:\windows\system32\key.~
    Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
    Adware:adware/commad Not disinfected Windows Registry
    Potentially unwanted tool:application/winantivirus2006 Not disinfected hkey_local_machine\software\WinAntiVirus Pro 2006
    Adware:adware/popupsearches Not disinfected Windows Registry
    Adware:adware/adrotator Not disinfected Windows Registry
    Adware:adware/e2give Not disinfected Windows Registry
    Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\SYSTEM32\UnIrimon.exe
    Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\vsl.exe[VSL.dl_]
    Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\vsl.exe[auxe.exe]
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\VVNFUg\pphIo0.vbs
     
  13. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    And the new HijackThis Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:09:22 AM, on 6/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    C:\PROGRA~1\NORTON~1\DefWatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\LckFldService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\VOLUNTEER\Desktop\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmfizu.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
    O2 - BHO: (no name) - {FC027F23-593E-41E5-B96C-DDE4DF2E6A8B} - C:\Program Files\NetMeeting\meho.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\SYSTEM32\rundll32.exe C:\PROGRA~1\BELARC\ADVISOR\SYSTEM\NPBELV32.DLL,RunDll32_BelNotify
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [wshche] C:\WINDOWS\system32\wshche.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://webmail.durantchildren.org
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.judicial.state.sc.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/153e97dbf6eb628f4716/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101759720358
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132259677890
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PDC.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O20 - AppInit_DLLs: ,
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NORTON~1\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NORTON~1\Rtvscan.exe
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,563
    I'm attaching a FixWF.zip file to this post. Save it to your desktop. Double click the FixWF.reg file and allow it to enter into the registry.


    Click Here and download Killbox and save it to your desktop but don’t run it yet.


    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm

    R3 - Default URLSearchHook is missing

    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmfizu.dll

    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)

    O2 - BHO: (no name) - {FC027F23-593E-41E5-B96C-DDE4DF2E6A8B} - C:\Program Files\NetMeeting\meho.dll (file missing)

    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe

    O4 - HKCU\..\Run: [wshche] C:\WINDOWS\system32\wshche.exe

    O15 - Trusted Zone: http://webmail.durantchildren.org

    O15 - Trusted Zone: *.media-motor.net

    O15 - Trusted Zone: *.mmohsix.com

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/153e97db...p/RdxIE601.cab

    O20 - AppInit_DLLs: ,


    Do you recognize this entry and did you put it in the trusted zone intentionally? If not, include it with the others to be fixed as well.

    O15 - Trusted Zone: http://webmail.durantchildren.org


    Then boot to safe mode:


    How to restart to safe mode


    Double-click on Killbox.exe to run it.
    • Put a tick by Standard File Kill.
    • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

      C:\PROGRA~1\COMMON~1\System\MOSearch

      c:\windows\system32\irsmfizu.dll

      c:\windows\system32\key.~

      c:\windows\kwv2.dat

      C:\WINDOWS\SYSTEM32\UnIrimon.exe

      C:\WINDOWS\vsl.exe

      C:\WINDOWS\VVNFUg


    • Click on the button that has the red circle with the X in the middle after you enter each file.
    • It will ask for confirmation to delete the file.
    • Click Yes.
    • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    • Killbox may tell you that one or more files do not exist.
    • If that happens, just continue on with all the files. Be sure you don't miss any.
    • Next in Killbox go to Tools > Delete Temp Files
    • In the window that pops up, put a check by ALL the options there except these three:
      • XP Prefetch
      • Recent
      • History
    • Now click the Delete Selected Temp Files button.
    • Exit the Killbox.


    Boot back to Windows normally and post another HijackThis log please.
     

    Attached Files:

  15. Aywren

    Aywren Thread Starter

    Joined:
    Jun 16, 2006
    Messages:
    12
    Thank you so much for all of your help -- already seeing a huge improvement in this PC's performance.

    I've followed the instructions above; everything went through without a hitch.

    Yes, O15 - Trusted Zone: http://webmail.durantchildren.org is familiar, and is fine.

    Here is the newest log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:12:33 AM, on 6/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    C:\PROGRA~1\NORTON~1\DefWatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\LckFldService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\SYSTEM32\sistray.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Documents and Settings\VOLUNTEER\Desktop\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\SYSTEM32\rundll32.exe C:\PROGRA~1\BELARC\ADVISOR\SYSTEM\NPBELV32.DLL,RunDll32_BelNotify
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://webmail.durantchildren.org
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.judicial.state.sc.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101759720358
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132259677890
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PDC.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{03A75225-D223-49A9-AC1A-9DA10B59731A}: NameServer = 24.25.5.60,24.25.5.61
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\BELARC\BELMON~1\BANTMonitorSvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NORTON~1\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NORTON~1\Rtvscan.exe

    Thank you again for all your help!!
     
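As an added example for readers comparing the two logs in this thread (it is not part of the thread and not HijackThis code): a small Python script that parses lines in the HijackThis log format, diffs two scans, and reports which entries from a "fix checked" list survived into the follow-up log. The sample logs are constructed from entries quoted above and abbreviated, not the full logs; the `review_items` heuristic (which sections deserve a manual decision) is my assumption, not a HijackThis rule.

```python
"""Parse HijackThis-style log lines and compare a before/after pair of scans.

Added example; the sample text below is constructed from entries quoted in
the thread and trimmed to the lines that matter for the comparison.
"""
import re
from typing import List, Set, Tuple

Entry = Tuple[str, str]  # (section tag such as "O4", rest of the line)

# Every HijackThis item starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - ". Header lines and the process listing do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")


def parse_log(text: str) -> List[Entry]:
    """Return the (section, body) pairs found in a pasted HijackThis log."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body").strip()))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries that disappeared between two scans, and entries that are new."""
    b: Set[Entry] = set(parse_log(before))
    a: Set[Entry] = set(parse_log(after))
    return sorted(b - a), sorted(a - b)


def still_present(after: str, fix_list: str) -> List[str]:
    """Lines from a 'fix checked' list that the follow-up log still contains."""
    have = {f"{sec} - {body}" for sec, body in parse_log(after)}
    wanted = [f"{sec} - {body}" for sec, body in parse_log(fix_list)]
    return [line for line in wanted if line in have]


def review_items(text: str) -> List[Entry]:
    """Heuristic (an assumption of this example, not a HijackThis rule): the
    classes of entry the helper in the thread singled out for a manual decision:
    Trusted Zone additions (O15), AppInit_DLLs / Winlogon hooks (O20) and BHOs
    whose DLL is already gone ("(file missing)")."""
    return [(sec, body) for sec, body in parse_log(text)
            if sec in ("O15", "O20") or (sec == "O2" and "(file missing)" in body)]


# Constructed sample: a subset of the first log's entries.
BEFORE = r"""
Running processes:
C:\WINDOWS\thiselt.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R3 - Default URLSearchHook is missing
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmfizu.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [wshche] C:\WINDOWS\system32\wshche.exe
O15 - Trusted Zone: http://webmail.durantchildren.org
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample: a subset of the follow-up log's entries.
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O15 - Trusted Zone: http://webmail.durantchildren.org
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# The entries the helper asked to have fixed, minus the Trusted Zone entry the poster kept.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R3 - Default URLSearchHook is missing
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmfizu.dll
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [wshche] C:\WINDOWS\system32\wshche.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: ,
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *[f"  {s} - {b}" for s, b in removed], sep="\n")
    print("added:", *[f"  {s} - {b}" for s, b in added], sep="\n")
    print("fix-list lines still present:", *[f"  {l}" for l in still_present(AFTER, FIX_LIST)], sep="\n")
    print("still worth a manual look:", *[f"  {s} - {b}" for s, b in review_items(AFTER)], sep="\n")
```

Run against the two logs quoted in this thread, `still_present` reports the `R0 ... CustomizeSearch = http://search.ieplugin.com/search.htm` line and the `O4 - HKLM\..\RunServices: [MOSearch]` line: both were on the fix list, and both are still in the second log, which is the kind of leftover a diff makes visible at a glance while reading two long pastes side by side hides it.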
Short URL to this thread: https://techguy.org/475844