Unsolved



May 5th, 2007 23:00

Help! Not sure what's going on!

Hey, I think I had this type of problem before.  I keep getting pop-ups, and a "switch to, or retry" message keeps coming up a lot now.  Also, if I google something for example, and click on a choice, it doesn't go to that site, there's always a different one instead.  I made sure it was in the same window too, and it was, so it's not another new pop-up or anything.  I have to go back, and re-click the choice again, and then it goes to the actual one.  So that's another thing, and I get pop-ups every now and then which is also annoying.  There is also a "click to fix and find errors" icon on my desktop now.  Here is my HJT File:

Logfile of HijackThis v1.99.1
Scan saved at 20:23, on 07-05-05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\retadpu72.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\KAKA\APPLIC~1\CROSOF~1\rundll32.exe
C:\Documents and Settings\KAKA\My Documents\??mantec\lsass.exe
C:\Documents and Settings\KAKA\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {46B28836-13F2-3F51-F24D-6DE34BE4AD9C} - C:\WINDOWS\System32\mcnzelnj.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6mons.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\KAKA\APPLIC~1\CROSOF~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Nbuzaqya] "C:\Documents and Settings\KAKA\My Documents\??mantec\lsass.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136849239576
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138402583077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Thank you.


Message Edited by Undertaker_282 on 05-05-2007 07:29 PM

Message Edited by Undertaker_282 on 05-05-2007 07:32 PM


May 6th, 2007 02:00

You have a couple of problems... not the least of which is an info stealer on board.

Download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract the lptxxx.zip pattern file into the same folder you created for sysclean.com. (Click here for information on how to extract a file if you're not sure how to do this.) DO NOT scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file generated in the System Cleaner folder.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
This tool generates a log file (sysclean.log) in the same folder where the scan is completed. When using Sysclean it's best to use the Administrator's account or an account with Administrative rights, otherwise you will not have the rights to scan some locations. The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.
Post the log along with a fresh HijackThis log. Thanks!

May 7th, 2007 00:00

How do I get the log for the scan?  I did the scan, but I couldn't copy or paste the log, because it wouldn't let me, and I don't think it automatically got saved, not sure.  What do I do?


May 7th, 2007 02:00

The log is located here:
C:\SysCleanPackage\sysclean.log

May 7th, 2007 19:00

Ok so this is the log for Sysclean right? I didn't find it exactly where you said though.

/--------------------------------------------------------------\
|                  Trend Micro System Cleaner                  |
|              Copyright 2006, Trend Micro, Inc.               |
|                   http://www.antivirus.com                   |
\--------------------------------------------------------------/

2007-05-06, 12:51:27,   Auto-clean mode specified.
2007-05-06, 12:51:27,   Running scanner "C:\Sysclean\TSC.BIN"...
2007-05-06, 13:09:30,   Scanner "C:\Sysclean\TSC.BIN" has finished running.
2007-05-06, 13:09:30,   TSC Log:
Damage Cleanup Engine (DCE)  5.3(Build 1083)
Windows XP(Build 2600: Service Pack 1)
Start time : Sun May 06 2007 12:51:53
Load Damage Cleanup Template (DCT) "C:\Sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Sysclean\tsc.ptn" (version 860) [success]
Complete time : Sun May 06 2007 13:09:30
Execute pattern count(3085), Virus found count(0), Virus clean count(0), Clean failed count(0)
2007-05-06, 13:10:10,   An error was detected on "C:\Documents and Settings\KAKA\Application Data\?dobe\*.*": The filename, directory name, or volume label syntax is incorrect.
2007-05-06, 13:10:10,   An error was detected on "C:\Documents and Settings\KAKA\Application Data\??crosoft\*.*": The filename, directory name, or volume label syntax is incorrect.
2007-05-06, 13:11:31,   An error was detected on "C:\Documents and Settings\KAKA\My Documents\??mantec\*.*": The filename, directory name, or volume label syntax is incorrect.
2007-05-06, 13:11:34,   An error was detected on "C:\Documents and Settings\Zaid Hamdani\*.*": Access is denied.
2007-05-06, 13:13:10,   An error was detected on "C:\QooBox\Purity\Documents and Settings\KAKA\Application Data\YSTEM~1\?ystem\*.*": The filename, directory name, or volume label syntax is incorrect.
2007-05-06, 13:13:10,   An error was detected on "C:\QooBox\Purity\Program Files\YMANTE~1\?ymantec\*.*": The filename, directory name, or volume label syntax is incorrect.
2007-05-06, 13:13:52,   An error was detected on "C:\WINDOWS\SYSTEM32\??sks\*.*": The filename, directory name, or volume label syntax is incorrect.
2007-05-06, 14:29:40,   Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 5/6/2007 13:13:54
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 453 (183282 Patterns) (2007/05/03) (445300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean
C:\19033631.exe [TROJ_DLOADER.IQG]
C:\Documents and Settings\KAKA\Local Settings\Temp\po.exe [TROJ_PURITYSC.AQ]
C:\Documents and Settings\KAKA\Local Settings\Temp\qr.exe [TROJ_PURITYSC.G]
C:\Documents and Settings\KAKA\My Documents\hijackthis\backups\backup-20070114-221547-484.dll [TROJ_KOLWEB.J]
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll [TSPY_SINOWAL.CP]
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll [TSPY_SINOWAL.NAN]
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe [TROJ_PURITYSC.AM]
C:\Recycled\Q330995.exe [TROJ_Generic.Z]
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP74\A0013970.exe [TROJ_DLOADER.IQG]
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP74\A0013971.dll [TSPY_SINOWAL.CP]
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP74\A0013972.dll [TSPY_SINOWAL.NAN]
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP74\A0013973.exe [TROJ_PURITYSC.AM]
C:\WINDOWS\b122.exe [TROJ_AGENT.LNN]
C:\WINDOWS\SYSTEM32\regapi.exe [TROJ_Generic]
C:\WINDOWS\SYSTEM32\svchosts.exe [TROJ_AGENT.IPV]
69186 files have been read.
69186 files have been checked.
62671 files have been scanned.
111177 files have been scanned. (including files in archived)
16 files containing viruses.
Found 16 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/6/2007 14:29:40
---------*---------*---------*---------*---------*---------*---------*---------*
2007-05-06, 14:29:40,   Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 5/6/2007 13:13:54
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 453 (183282 Patterns) (2007/05/03) (445300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean
Success Clean [TROJ_DLOADER.IQG](    1) from C:\19033631.exe
Success Clean [   WORM_SOBER.AX](    1) from C:\Documents and Settings\KAKA\Local Settings\Application Data\Microsoft\MSN\db30\sjunaid60-hotmail-com.207,(Winzipped_Data-Files.exe)
Success Clean [TROJ_PURITYSC.AQ](    1) from C:\Documents and Settings\KAKA\Local Settings\Temp\po.exe
Success Clean [ TROJ_PURITYSC.G](    1) from C:\Documents and Settings\KAKA\Local Settings\Temp\qr.exe
Success Clean [   TROJ_KOLWEB.J](    1) from C:\Documents and Settings\KAKA\My Documents\hijackthis\backups\backup-20070114-221547-484.dll
Success Clean [ TSPY_SINOWAL.CP](    1) from C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll
Success Clean [TSPY_SINOWAL.NAN](    1) from C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll
Success Clean [TROJ_PURITYSC.AM](    1) from C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
Can not Clean [  TROJ_Generic.Z](    1) from C:\Recycled\Q330995.exe
Success Clean [TROJ_DLOADER.IQG](    1) from C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP74\A0013970.exe
Success Clean [ TSPY_SINOWAL.CP](    1) from C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP74\A0013971.dll
Success Clean [TSPY_SINOWAL.NAN](    1) from C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP74\A0013972.dll
Success Clean [TROJ_PURITYSC.AM](    1) from C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP74\A0013973.exe
Success Clean [  TROJ_AGENT.LNN](    1) from C:\WINDOWS\b122.exe
Success Clean [    TROJ_Generic](    1) from C:\WINDOWS\SYSTEM32\regapi.exe
Success Clean [  TROJ_AGENT.IPV](    1) from C:\WINDOWS\SYSTEM32\svchosts.exe
69186 files have been read.
69186 files have been checked.
62671 files have been scanned.
111177 files have been scanned. (including files in archived)
16 files containing viruses.
Found 16 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/6/2007 14:29:40 1 hour 15 minutes 19 seconds (4518.83 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2007-05-06, 14:29:40,   Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 5/6/2007 13:13:54
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 453 (183282 Patterns) (2007/05/03) (445300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean
Can not Clean [  TROJ_Generic.Z](    1) from C:\Recycled\Q330995.exe
69186 files have been read.
69186 files have been checked.
62671 files have been scanned.
111177 files have been scanned. (including files in archived)
16 files containing viruses.
Found 16 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/6/2007 14:29:40 1 hour 15 minutes 19 seconds (4518.83 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2007-05-06, 14:29:40,   Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.
 
Here is my logfile for HJT:

Logfile of HijackThis v1.99.1
Scan saved at 15:54, on 07-05-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\retadpu72.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\KAKA\APPLIC~1\CROSOF~1\rundll32.exe
C:\Documents and Settings\KAKA\My Documents\??mantec\lsass.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {46B28836-13F2-3F51-F24D-6DE34BE4AD9C} - C:\WINDOWS\System32\mcnzelnj.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6mons.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\KAKA\APPLIC~1\CROSOF~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Nbuzaqya] "C:\Documents and Settings\KAKA\My Documents\??mantec\lsass.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136849239576
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138402583077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
 


Message Edited by Undertaker_282 on 05-07-2007 03:01 PM


May 8th, 2007 00:00

Let's make sure you can view all files.



Go to Start-->Control Panel-->Add/Remove Programs and uninstall the following programs if listed:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
Zolero
Tizzletalk
OuterInfo or anything similar with Oin in it.


Reboot and delete the associated folders to the programs you just uninstalled. If still present, they would be located here:
C:\Program Files\



Please download the KILLBOX, extract it to your desktop.

Open killbox.exe. First click on Tools-->Delete Temp Files. A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well. Next, click on the Button titled "Delete Selected Temp Files".
Exit by clicking the Button titled "Exit(Save Settings)".

Once back into the main killbox program, check the box Delete on Reboot.

Highlight the entries below in Bold text and then copy them.

C:\WINDOWS\retadpu72.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\WINDOWS\System32\mcnzelnj.dll
C:\WINDOWS\System32\ipv6mons.dll
C:\Documents and Settings\KAKA\My Documents\??mantec\lsass.exe

Then in killbox click File-->Paste from Clipboard. Click the "All Files" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask to Reboot now? you will need to click No for now.
Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until you've completed the instructions below.



Please run HijackThis again and check the following:
O2 - BHO: (no name) - {46B28836-13F2-3F51-F24D-6DE34BE4AD9C} - C:\WINDOWS\System32\mcnzelnj.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6mons.dll
O4 - HKLM\..\Run: C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: "C:\DOCUME~1\KAKA\APPLIC~1\CROSOF~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: "C:\Documents and Settings\KAKA\My Documents\??mantec\lsass.exe"
O4 - HKCU\..\Run: C:\Program Files\Ipwindows\ipwins.exe


Close all windows now except for the hijackthis application's window, then click the Fix Checked button.

Locate and delete the following folders indicated in Bold text:
C:\Program Files\Ipwindows
C:\Documents and Settings\KAKA\My Documents\??mantec

Reboot the computer and post a fresh HijackThis log. Thanks!
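The fix list above was produced by reading the log by eye. As an added example (not part of this thread and not a HijackThis feature), the Python script below applies the same reasoning mechanically to HijackThis v1.99 log lines: it flags paths that HijackThis prints with "?" (a folder name containing characters it cannot render, the "??mantec" and "?ssembly" lookalike trick), copies of lsass.exe, rundll32.exe, explorer.exe and similar system binaries running from anywhere other than their genuine location, executables dropped straight into C:\WINDOWS, O2 BHOs registered with "(no name)", and O4 autoruns whose only argument is a long opaque hex blob like the one after retadpu72.exe. The GENUINE and WINDOWS_ROOT_OK allowlists are assumptions about a default Windows XP layout, and the two sample logs are constructed excerpts of the logs posted in this thread (the first one, and the one posted later in which the same malware reappears under new names).

```python
import re
from collections import namedtuple

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\[A-Za-z]+: \[[^\]]*\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")

# Assumption: default Windows XP layout. Anything else carrying these names is an impersonator.
GENUINE = {
    "lsass.exe": {"c:\\windows\\system32\\lsass.exe"},
    "svchost.exe": {"c:\\windows\\system32\\svchost.exe"},
    "rundll32.exe": {"c:\\windows\\system32\\rundll32.exe"},
    "explorer.exe": {"c:\\windows\\explorer.exe"},
    "ati2evxx.exe": {"c:\\windows\\system32\\ati2evxx.exe"},
}
WINDOWS_ROOT_OK = {"explorer.exe"}  # assumption: the only exe expected to run from C:\WINDOWS itself

Finding = namedtuple("Finding", "section path reasons")  # section is "process", "O2" or "O4"

def _split_command(cmd):
    """Split an O4 command line into (path, args) for quoted or bare paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return (cmd[:m.end()], cmd[m.end():].strip()) if m else (cmd, "")

def _path_reasons(path):
    p = path.lower()
    parent, _, name = p.rpartition("\\")
    reasons = []
    # HijackThis prints '?' for characters it cannot render: '??mantec' and
    # '?ssembly' are lookalikes of 'Symantec' and 'assembly'.
    if "?" in p:
        reasons.append("unrenderable character in path (lookalike folder)")
    if name in GENUINE and p not in GENUINE[name]:
        reasons.append(f"{name} outside its genuine location")
    if parent == "c:\\windows" and name not in WINDOWS_ROOT_OK:
        reasons.append("executable dropped directly under C:\\WINDOWS")
    return reasons

def triage(log_text):
    """Return Findings for the process list, O2 BHOs and O4 autoruns in a log."""
    findings, in_processes = [], False
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            if in_processes and (reasons := _path_reasons(line)):
                findings.append(Finding("process", line, tuple(reasons)))
            continue
        in_processes = False  # first "Xn - " entry ends the process list
        kind, body = m.group("type"), m.group("body")
        if kind == "O4" and (o4 := O4_RE.match(body)):
            path, args = _split_command(o4.group("cmd"))
            reasons = _path_reasons(path)
            # A bare 32+ digit hex blob as the only argument (retadpu72.exe
            # above) is an affiliate id, not something a normal autorun passes.
            if re.fullmatch(r"[0-9A-Fa-f]{32,}", args):
                reasons.append("long opaque hex argument")
            if reasons:
                findings.append(Finding("O4", path, tuple(reasons)))
        elif kind == "O2" and (o2 := O2_RE.match(body)):
            reasons = _path_reasons(o2.group("path"))
            if o2.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if reasons:
                findings.append(Finding("O2", o2.group("path"), tuple(reasons)))
    return findings

# Constructed test input: excerpts of the two logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\retadpu72.exe
C:\DOCUME~1\KAKA\APPLIC~1\CROSOF~1\rundll32.exe
C:\Documents and Settings\KAKA\My Documents\??mantec\lsass.exe
C:\Documents and Settings\KAKA\My Documents\hijackthis\HijackThis.exe
O2 - BHO: (no name) - {46B28836-13F2-3F51-F24D-6DE34BE4AD9C} - C:\WINDOWS\System32\mcnzelnj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\KAKA\APPLIC~1\CROSOF~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Nbuzaqya] "C:\Documents and Settings\KAKA\My Documents\??mantec\lsass.exe"
"""
LATER_LOG = r"""
Running processes:
C:\WINDOWS\System32\SMBOLS~1\explorer.exe
C:\Program Files\?ssembly\ati2evxx.exe
O2 - BHO: (no name) - {41E2DB32-1CA3-3A02-A14D-6DE34BE5FACB} - C:\WINDOWS\System32\osm.dll
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\System32\SMBOLS~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [Nszu] "C:\Program Files\?ssembly\ati2evxx.exe"
"""
```

Running triage(SAMPLE_LOG) flags exactly the entries in the fix list above and nothing legitimate (the real lsass.exe, Explorer.EXE, ssv.dll and HijackThis.exe come back clean), and triage(LATER_LOG) catches the renamed copies without any change to the rules, because the malware kept the same tricks. It is a screen, not a verdict: C:\Program Files\Ipwindows\ipwins.exe sits in a normal-looking Program Files path and matches none of these heuristics, so it would still need a name lookup.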

May 10th, 2007 01:00

Ok here it is.  I couldn't find some of the ones you told me to check off, for Hijackthis, so I'm not sure what I do with that. 

Logfile of HijackThis v1.99.1
Scan saved at 22:16, on 07-05-09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\SMBOLS~1\explorer.exe
C:\Program Files\?ssembly\ati2evxx.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\KAKA\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {41E2DB32-1CA3-3A02-A14D-6DE34BE5FACB} - C:\WINDOWS\System32\osm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\System32\SMBOLS~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [Nszu] "C:\Program Files\?ssembly\ati2evxx.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136849239576
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138402583077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 


May 10th, 2007 02:00

Your Java application is out of date and causes a slight security risk as a result.
Please follow these steps to remove older version Java components

1. Close any open programs you may have running, especially your web browser.

2. Click Start-->Control Panel-->Add or Remove Programs.
For those just reading this thread:
Depending on your OS, you may have to click Start-->Settings-->Control Panel-->Add or Remove Programs.


3. Click once on any item listing Java Runtime Environment in the name (to highlight it) then click the "Remove" or "Change/Remove" button.
Not every version of Java will begin with "Java" so be sure to read each entry in the list.
Repeat step 3 as many times as necessary to remove all versions of Java.
**If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.

4. Navigate to and delete:
  • C:\Program Files\Java (this folder, if found)
5. Then go to this page.
Scroll down to where it says "Java Runtime Environment (JRE) 6u1 - The Java SE Runtime Environment (JRE) allows end-users to run Java applications." and click the "Download" button to the right.


6. Check the box that says "Accept License Agreement"; the page will refresh. Then click on the link to download the Windows Offline Installation, with or without Multi-language. Save it to your desktop.
Then from your desktop double-click on the executable to install the newest version. Reboot when the installation completes.



Did you set this up?
O4 - HKCU\..\Run: "C:\WINDOWS\System32\SMBOLS~1\explorer.exe" -vt ndrv

Update your on board McAfee Antivirus application. DO NOT SCAN YET, JUST UPDATE IT AND CLOSE THE APPLICATION.


Update your on board AVG Anti-Spyware application and make sure you have it configured as follows:

Note: If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.

Once the updates are installed do the following:
Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

Close the application and reboot the computer into Safe mode. Once in safe mode continue with the instructions below:

Open the AVG Anti-Spyware application and click the "Scan" tab.
Click "Complete System Scan" to start.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
  • Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
  • If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\

Exit AVG Anti-Spyware when done.


Next, please run full system scan using your on board McAfee Antivirus application. Allow the software to quarantine what it finds. When the scan completes, close the application.



Next, please run HijackThis again and check the following entries that may still exist:
O2 - BHO: (no name) - {41E2DB32-1CA3-3A02-A14D-6DE34BE5FACB} - C:\WINDOWS\System32\osm.dll
O4 - HKCU\..\Run: "C:\Program Files\?ssembly\ati2evxx.exe"


Close all open application windows except for the HijackThis application, then click the Fix Checked button.

Reboot and post the AVG Anti-Spyware log, your McAfee scan log, and a fresh HijackThis log. Don't forget to let me know if you indeed set up your AIDA application to run on startup. How is the computer running?

May 10th, 2007 21:00

For this part, "Did you set this up?
O4 - HKCU\..\Run: "C:\WINDOWS\System32\SMBOLS~1\explorer.exe" -vt ndrv"

What do you mean I have to do? Delete it or something?

May 11th, 2007 00:00

Can I also use Ewido or ZoneAlarm free, instead of McAfee?  McAfee acts weird sometimes, and it happens a lot.  I have AVG, just wondering about McAfee.  It says that certain features won't work if I still have it, like some firewall thing, that's the only thing.

Also, how do I get rid of the McAfee SiteAdvisor, located at the top right of internet explorer, I want to remove it.

There's also this "OuterInfo" Program installed, I just noticed it after clicking the start menu.  The only option it has are some rules, and an un-install choice.  If I click the un-install choice, it searches for it, or asks me to browse through to look for it, but nothing happens.  It also says "missing shortcut" at the top.

Also, what's AIDA mean, and is "on board" a different type of program?





Message Edited by Undertaker_282 on 05-10-2007 10:21 PM


May 11th, 2007 04:00

In my posts #6 and #8, I gave you instructions that were designed to remove the malware issues you are having...one of which was the PurityScan by "OuterInfo". With my last post, the final instruction was:
Quote:
Reboot and post the AVG Anti-Spyware log, your McAfee scan log, and a fresh HijackThis log. Don't forget to let me know if you indeed set up your AIDA application to run on startup. How is the computer running?

...so you post back without posting the logs I requested and make no mention of how your system is running...regardless, to answer your question:

When I asked:
Quote:
"Did you set this up?
O4 - HKCU\..\Run: "C:\WINDOWS\System32\SMBOLS~1\explorer.exe" -vt ndrv"
...what I'm wanting to know is if you yourself set up your AIDA application to run at startup. It doesn't have a need to run at startup, which is why I asked.

Quote:
Can I also use Ewido or ZoneAlarm free, instead of McAfee? McAfee acts weird sometimes, and it happens a lot. I have AVG, just wondering about McAfee. It says that certain features won't work if I still have it, like some firewall thing, that's the only thing.
The program I had you download and install on my last post to you was Ewido...the AVG Anti-Spyware application is Ewido re-written by the makers of AVG who purchased the application from Peter Ewido. You can use ZoneAlarm Free instead of McAfee certainly.

Also, how do I get rid of the McAfee SiteAdvisor, located at the top right of internet explorer, I want to remove it.
With Internet Explorer opened, click Tools-->Manage Add-ons-->Enable or Disable Add-ons. Look for it in the list, click it to highlight it, then click to Disable at the bottom...then click "OK"

There's also this "OuterInfo" Program installed, I just noticed it after clicking the start menu. The only option it has are some rules, and an un-install choice. If I click the un-install choice, it searches for it, or asks me to browse through to look for it, but nothing happens. It also says "missing shortcut" at the top. See my first paragraph.


Also, what's AIDA mean, and is "on board" a different type of program?
AIDA is an application authored by Tamas Miklos...you'd have to ask him what he intended for the acronym to mean. "On Board" means you have the application installed on your system.

May 12th, 2007 03:00

" Quote:
Reboot and post the AVG Anti-Spyware log, your McAfee scan log, and a fresh HijackThis log. Don't forget to let me know if you indeed set up your AIDA application to run on startup. How is the computer running?

...so you post back without posting the logs I requested and make no mention of how your system is running...regardless, to answer your question:"

Oh no, about not posting the logs and telling you how it's going, I know I didn't post them, that question came up as I was reading the directions.  I haven't done the scans yet, I only did the AVG one, so that's why I didn't post anything you have asked me to.  I was just thinking those questions as I read all of this, I didn't know it would be answered once I was done with the scannings, sorry about that.

May 17th, 2007 00:00

Ok sorry for taking so long, but here's the log from AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 17:02 07-05-11
 + Scan result: 
 
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\webHancer -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\webHancer\whAgent_update.exe -> Adware.Webhancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webhancer\CC -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\b104.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINDOWS\b103.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\Documents and Settings\KAKA\Cookies\kaka@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@cbsdigitalmedia.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@giftscom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@4.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@cdn.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@ehg-veohnetworksinc.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\KAKA\Cookies\kaka@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.

::Report end

I haven't figured out how to do an actual scan for ZoneAlarm, but I did one for Ad-Aware SE, and I still have that.  Let me know what you want me to do, and if you want me to post it.  The log for the Ad-Aware SE was before it took its action, which was to delete all of the bad files it found.  But I did delete them afterwards, but no log was made, there was only one made before I deleted all of them, so I guess there isn't a log made once you have deleted the things it finds or something.  Let me know what you want me to do, and for the two things you told me to fix on HJT, they weren't there.


May 17th, 2007 03:00

OK, the two items I asked you to remove with HijackThis that you cannot locate, I also do not find in the AVG anti-spyware log. I'd like to see a fresh HijackThis log to see if they are still present. Thanks!

May 18th, 2007 22:00

Ok here it is

 

Logfile of HijackThis v1.99.1
Scan saved at 19:32, on 07-05-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Documents and Settings\KAKA\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136849239576
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138402583077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

 



Message Edited by Undertaker_282 on 05-18-2007 06:37 PM


May 19th, 2007 00:00

This log looks much better. It looks like you were successful at removing the PurityScan as well as the various other malware. You have just this one stray Registry entry that can go:
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
...run HijackThis again and click "Do a system scan only". Check the box next to that entry and close all other open windows...then click the Fix Checked button.

Reboot to properly record the changes made to the disk. Post back a fresh HijackThis log so we can make sure the entry was properly removed. How is the system running now?
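The triage done by hand in this thread (the entries asked about in the May 10th post and the stray "(no file)" toolbar entry above) comes down to a few visual rules: entries whose referenced file is absent ("(no file)", "(file missing)"), browser add-ons registered with no display name, paths containing a "?" where a file-name character did not render, and Windows binaries such as explorer.exe, lsass.exe or rundll32.exe running from somewhere other than their normal directory. The Python script below applies those rules to HijackThis-style lines so the same review can be repeated on a fresh log. It is an added example for this thread, not part of HijackThis or of anything the posters wrote; the sample lines are copied from the logs in this thread, and the EXPECTED_DIR table and rule wording are my assumptions. The script only lists entries for a person to look at and changes nothing on the system.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT's own code)."""
import ntpath
import re
from dataclasses import dataclass

# HJT entry shape: "O4 - HKCU\..\Run: ..." (R/F/O sections). Running-process
# lines in the header have no prefix and are just a full path.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<rest>.*)$")
# First Windows path ending in a common binary extension (lazy, so it stops
# at the first extension and keeps "(file missing)" suffixes out of the path).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cab|scr|sys)\b", re.IGNORECASE)

# Assumed normal locations of well-known Windows XP binaries (lower-case, no
# trailing backslash). A copy of one of these names elsewhere is worth a look.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
}


@dataclass
class Finding:
    kind: str      # HJT section ("O2", "O4", "O23", ...) or "PROC" for a process line
    line: str
    reasons: list


def classify(line):
    """Split a log line into (section, remainder); None for non-entry lines."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        return m.group("kind"), m.group("rest")
    if PATH_RE.match(line):
        return "PROC", line
    return None


def triage_line(line):
    """Return a Finding for a line that trips at least one rule, else None."""
    parsed = classify(line)
    if parsed is None:
        return None
    kind, rest = parsed
    low = rest.lower()
    reasons = []
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("referenced file is absent (stale or partially removed entry)")
    if kind in ("O2", "O3") and "(no name)" in low:
        reasons.append("browser add-on registered without a display name")
    pm = PATH_RE.search(rest)
    if pm:
        path = pm.group(0)
        if "?" in path:
            reasons.append("path contains '?' (not a valid file-name character; "
                           "usually a non-ASCII look-alike that did not render)")
        base = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        expected = EXPECTED_DIR.get(base)
        if expected and parent != expected:
            reasons.append(f"{base} running from {parent} instead of {expected}")
    if not reasons:
        return None
    return Finding(kind, line.strip(), reasons)


def triage(log_text):
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\KAKA\My Documents\??mantec\lsass.exe
C:\DOCUME~1\KAKA\APPLIC~1\CROSOF~1\rundll32.exe
O2 - BHO: (no name) - {41E2DB32-1CA3-3A02-A14D-6DE34BE5FACB} - C:\WINDOWS\System32\osm.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: "C:\WINDOWS\System32\SMBOLS~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: "C:\Program Files\?ssembly\ati2evxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample above the script flags seven of the twelve lines: the two system-binary copies under the user profile, the unnamed BHO and toolbar, both odd O4 Run entries, and the STOPzilla service whose file is missing; the genuine lsass.exe, Explorer.EXE, ctfmon.exe and vsmon.exe lines pass. A flag is a reason to look, not a verdict: the "(file missing)" rule, for example, fires just as readily on the leftover of an uninstalled product as on a removed piece of malware, which is why the helper in this thread asked for a fresh log rather than acting on old entries.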
