horrible adware [CLOSED]


This topic is locked.

#1 nick0440
I accidentally clicked on an ad and it downloaded like 20 different programs.

Here's a HijackThis log, bound to be packed with stuff -.-

Logfile of HijackThis v1.99.1
Scan saved at 5:20:28 PM, on 8/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atievxx.exe
C:\WINDOWS\TGljZW5zZWQgVXNlcg\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\WINDOWS\System32\zqskw.exe
C:\dfndrff_11a.exe
C:\WINDOWS\pop06ap2.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\kybrdff_11a.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\tqzflkgA.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\win32101949133048.exe
C:\nwnmff_11.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MANTEC~1\javaw.exe
C:\WINDOWS\?asks\l?[bleep].exe
C:\PROGRA~1\COMMON~1\ofqz\ofqzm.exe
C:\Program Files\PSLister\PSLister.exe
C:\PROGRA~1\COMMON~1\ofqz\ofqza.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\testuser\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo.../search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo.../search.asp?si=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kprlf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlyppjy.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\System32\cvn0.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [tqzflkgA] C:\WINDOWS\tqzflkgA.exe
O4 - HKLM\..\Run: [hvs4b22e] RUNDLL32.EXE w03bc6a1.dll,n 0034b22b0000000303bc6a1
O4 - HKLM\..\Run: [win32101949133048] C:\WINDOWS\win32101949133048.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_11.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Urci] "C:\PROGRA~1\MANTEC~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [Kjc] C:\WINDOWS\?asks\l?[bleep].exe
O4 - HKCU\..\Run: [ofqz] C:\PROGRA~1\COMMON~1\ofqz\ofqzm.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://ggpapps.gener...ca32/wficat.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.genera...aDownloader.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\dsmap.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGljZW5zZWQgVXNlcg\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tqzflkg.exe
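
A log like the one above is read by eye, section by section. As an added example (it is not from the original thread and is not HijackThis's own logic), the Python script below does the mechanical part of that reading: it splits the log into its sections, compares the F2 Shell and UserInit values against the stock Windows XP values (Explorer.exe and userinit.exe), flags executables that run from outside Program Files or WINDOWS or carry random-looking names, and lists every Winsock LSP (O10), Trusted Zone (O15), Winlogon Notify (O20) and publisher-less service (O23) entry for review. It also tries to base64-decode path components, which is how the TGljZW5zZWQgVXNlcg directory in this log reveals itself as "Licensed User". The sample lines are copied from the log above; the expected-directory list, the 15% vowel threshold and the 12-character base64 minimum are the example's own assumptions, and the name heuristic will both miss short names like cvn0.exe and flag legitimate vowel-poor ones like pctspk.exe, so the output is a review list, not a verdict.

```python
import base64
import re

# Lines copied from the HijackThis log posted above, embedded as the sample input for this example.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\TGljZW5zZWQgVXNlcg\command.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\dfndrff_11a.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kprlf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlyppjy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\dsmap.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGljZW5zZWQgVXNlcg\command.exe
"""
BASE64_PATH = "base64-encoded path component"
RANDOM_NAME = "random-looking executable name"
UNUSUAL_LOCATION = "executable outside Program Files / WINDOWS"
SYSTEM_INI_EXTRA = "extra program in system.ini Shell/UserInit"
LSP_HIJACK = "Winsock LSP hijack (removing it carelessly breaks networking)"
TRUSTED_ZONE = "domain added to IE Trusted Zone"
WINLOGON_NOTIFY = "Winlogon Notify DLL (loaded inside winlogon.exe)"
UNKNOWN_SERVICE_OWNER = "service with no publisher"
# Stock XP system.ini values (HijackThis reports F2 when they differ); EXPECTED_DIRS is this example's assumption.
STOCK_SYSTEM_INI = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}$")

def decode_b64_component(component):
    """Decoded text if a path component is unpadded base64 of mostly alphabetic ASCII, else None."""
    if not B64_RE.match(component):
        return None
    try:
        raw = base64.b64decode(component + "=" * (-len(component) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("ascii") if raw and all(0x20 <= b < 0x7F for b in raw) else ""
    return text if text and sum(c.isalpha() or c == " " for c in text) >= 0.9 * len(text) else None

def looks_random(filename):
    """Cheap stand-in for an entropy check: digits mixed into the stem, or almost no vowels."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", filename).lower()
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 5 or not letters:
        return False
    return any(c.isdigit() for c in stem) or sum(c in "aeiou" for c in letters) < 0.15 * len(letters)

def extract_path(section, line):
    """Pull the file path out of a HijackThis line, for the sections that carry one."""
    if section == "PROC":
        return line
    if section == "O4":
        m = re.search(r'\]\s+"([^"]+)"', line) or re.search(r"\]\s+(\S+)", line)
        return m.group(1) if m else ""
    if section in ("O2", "O3", "O9", "O20", "O23"):
        return line.rsplit(" - ", 1)[-1].strip()
    return ""

def triage(log_text):
    """Return (label, detail, line) findings for a HijackThis log."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line or line == "Running processes:":
            in_procs = line != ""  # the process list runs until the next blank line
            continue
        m = re.match(r"^([RFO]\d+) - ", line)
        if not m and not in_procs:
            continue
        section = m.group(1) if m else "PROC"
        path = extract_path(section, line)
        for comp in path.split("\\"):  # TGljZW5zZWQgVXNlcg decodes to 'Licensed User'
            decoded = decode_b64_component(comp)
            if decoded:
                findings.append((BASE64_PATH, f"{comp} -> {decoded!r}", line))
        if section in ("PROC", "O4", "O23") and path:
            if not path.lower().startswith(EXPECTED_DIRS):
                findings.append((UNUSUAL_LOCATION, path, line))
            if looks_random(path.rsplit("\\", 1)[-1]):
                findings.append((RANDOM_NAME, path, line))
        if section == "F2":  # "Shell=Explorer.exe, C:\...\kprlf.exe" -> anything beyond the stock binary
            key, _, value = line.partition(": ")[2].partition("=")
            for entry in value.split(","):
                name = entry.strip().rsplit("\\", 1)[-1].lower()
                if name and name not in STOCK_SYSTEM_INI.get(key.lower(), set()):
                    findings.append((SYSTEM_INI_EXTRA, f"{key}: {name}", line))
        elif section == "O10":
            findings.append((LSP_HIJACK, line.split(" by ", 1)[-1], line))
        elif section == "O15":
            findings.append((TRUSTED_ZONE, line.split(": ", 1)[1], line))
        elif section == "O20":
            findings.append((WINLOGON_NOTIFY, path, line))
        elif section == "O23" and " - Unknown owner - " in line:
            findings.append((UNKNOWN_SERVICE_OWNER, path, line))
    return findings
```

Run `triage(SAMPLE_LOG)` (or pass in a whole saved log) and print the tuples: the benign iTunes and QuickTime lines produce nothing, while the system.ini additions kprlf.exe and vlyppjy.exe, the root-level dfndrff_11a.exe and the "Licensed User" service each come back with the reason they were flagged. The F2 check is the one to trust most, because Shell and UserInit have exactly one legitimate value each on XP.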

#2 Ryan
Hi nick0440, welcome to Geeks to Go. I'm Ryan, and I'll be helping you fix your computer.

Please rename HijackThis to anything you would like.

I would like to see an Uninstall list.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Post this report in a reply.

-Ryan

#3 Ryan
Also, go to Start > Run > MSCONFIG. Please make sure that Normal Startup is selected.

If not, please select it, restart your computer, and post a new HijackThis log.

-Ryan

#4 nick0440
OK, I'm restarting now. I have the uninstall log and am about to get the new HijackThis log...

On 2 computers right now.

#5 nick0440
Uninstall list:


Command
Cowabanga by OIN
ePAVE
Forethought
HijackThis 1.99.1
iTunes
Macromedia Flash Player 8
Media-motor
MetaFrame Presentation Server Web Client for Win32
Microsoft Office Professional Edition 2003
Microsoft VM for Java
Network Monitor
PCTEL 2304WT V.9x MDC Modem Drivers
Quicklinks
QuickTime
Related Page
TargetSaver
Tibia 7.6
UCmore - The Search Accelerator
Web Nexus Network
webHancer Customer Companion
webHancer Survey Companion
Windows Overlay Components
WinRAR archiver
______________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 5:54:11 PM, on 8/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\Atievxx.exe
C:\WINDOWS\TGljZW5zZWQgVXNlcg\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\tqzflkg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wfxqhv.exe
C:\WINDOWS\System32\cvn0.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\tqzflkgA.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\win32101949133048.exe
C:\nwnmff_11.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\WINDOWS\pop06ap2.exe
C:\kybrdff_11a.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\dfndrff_11a.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MANTEC~1\javaw.exe
C:\WINDOWS\?asks\l?[bleep].exe
C:\WINDOWS\System32\zqskw.exe
C:\PROGRA~1\COMMON~1\ofqz\ofqzm.exe
C:\WINDOWS\System32\n9nyb.exe
C:\Program Files\PSLister\PSLister.exe
C:\WINDOWS\System32\ghynf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\ofqz\ofqza.exe
C:\PROGRA~1\COMMON~1\ofqz\ofqzl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\testuser\Desktop\llmg.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo.../search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo.../search.asp?si=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kprlf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlyppjy.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\System32\cvn0.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [tqzflkgA] C:\WINDOWS\tqzflkgA.exe
O4 - HKLM\..\Run: [hvs4b22e] RUNDLL32.EXE w03bc6a1.dll,n 0034b22b0000000303bc6a1
O4 - HKLM\..\Run: [win32101949133048] C:\WINDOWS\win32101949133048.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_11.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_11a.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_11a.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Urci] "C:\PROGRA~1\MANTEC~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [Kjc] C:\WINDOWS\?asks\l?[bleep].exe
O4 - HKCU\..\Run: [ofqz] C:\PROGRA~1\COMMON~1\ofqz\ofqzm.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://ggpapps.gener...ca32/wficat.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.genera...aDownloader.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\hr8805lue.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGljZW5zZWQgVXNlcg\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tqzflkg.exe
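
The O15 lines in this log are the adware's own whitelist. Each one is a key under Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains in HKCU, or in HKLM for the lines marked (HKLM), holding a REG_DWORD named after a scheme (or * for any scheme) whose data is the zone number; 2 is Trusted sites, which gets looser security settings than the Internet zone. As an added example that is not part of the thread or of HijackThis, the Python snippet below turns such lines into the .reg script that deletes those keys, and includes a deliberately simplified zone lookup that shows why a scheme-specific entry for click.getmirar.com trusts http but not https URLs. The example's assumptions: the *.domain display form is read as the whole-domain key and http://host.domain as a host subkey carrying an http value, the registered domain is taken to be the last two labels, and the lookup ignores IP ranges, the Security_HKLM_only policy and the rest of IE's real zone determination.

```python
import re
from urllib.parse import urlsplit

# O15 lines copied from the log above (a sample; the full log lists many more domains).
O15_LINES = """\
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
""".splitlines()

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
TRUSTED, INTERNET = 2, 3  # IE zone ids: 0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted


def parse_o15(line):
    """One O15 line -> (hive, domain, host, scheme). The reading of the two display forms is an assumption."""
    m = re.match(r"O15 - Trusted Zone: (\S+)(?: \((HKLM)\))?$", line.strip())
    if not m:
        raise ValueError(f"not an O15 line: {line!r}")
    target, hive = m.group(1), m.group(2) or "HKCU"
    if target.startswith("*."):  # whole-domain entry: Domains\<domain> with a "*" value
        return hive, target[2:], "", "*"
    url = urlsplit(target)  # host-specific entry: Domains\<domain>\<host> with a "<scheme>" value
    labels = url.hostname.split(".")
    return hive, ".".join(labels[-2:]), ".".join(labels[:-2]), url.scheme  # two-label domain: simplification


def reg_key(hive, domain, host):
    """Full registry key the entry lives under (host subkey only when present)."""
    return "\\".join(filter(None, [HIVES[hive], ZONEMAP, domain, host]))


def removal_reg(lines):
    """A .reg file whose [-key] lines delete every ZoneMap key the O15 lines point at."""
    keys = sorted({reg_key(*parse_o15(line)[:3]) for line in lines})
    return "Windows Registry Editor Version 5.00\n\n" + "\n\n".join(f"[-{k}]" for k in keys) + "\n"


def zone_for(url, entries):
    """Simplified lookup: if any entry's domain (or host.domain) is a suffix of the URL's host and its
    scheme value is '*' or the URL's scheme, the URL lands in Trusted sites, otherwise in Internet."""
    u = urlsplit(url)
    matched = False
    for _hive, domain, host, scheme in entries:
        fqdn = f"{host}.{domain}" if host else domain
        if (u.hostname == fqdn or u.hostname.endswith("." + fqdn)) and scheme in ("*", u.scheme):
            matched = True
    return TRUSTED if matched else INTERNET
```

`removal_reg(O15_LINES)` yields four `[-HKEY_...]` lines, one per key, which regedit applies with a double-click; deleting the whole domain key rather than a single value is the conservative choice, since it also removes any `https` or `*` value the log line did not show. The whole O15 block in this log should be fed through it, not just these four.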

#6 Ryan
OK, you have a bunch of stuff that we need to remove, but don't worry, we'll get rid of it and get your computer back to normal in no time.


You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.

Uninstalling Programs

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing webHancer.

Please go to Add/Remove Programs in the Control Panel and remove the following programs:

Command
Cowabanga by OIN
Media-motor
QuickLinks
TargetSaver
UCmore - The Search Accelerator
Web Nexus Network
webHancer Customer Companion
webHancer Survey Companion
Windows Overlay Components

If there are any other programs that you didn't install, feel free to remove them as well.


In the event that you lose Internet access after removing webHancer, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.


Prep


1. Please download Ewido Anti-Malware
  • Install ewido anti-malware
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).


4. Please download Look2Me-Destroyer.exe to your desktop.

Do not do anything with these yet!
Close all windows before continuing.

The Fix

  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Once in Safe Mode, Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Restart your computer.

Post the contents of the Ewido text report that you saved, the contents of C:\Look2Me-Destroyer.txt, and a new HijackThis log in this same topic, and let us know how your system's working.

-Ryan

#7 nick0440
The page to download BFU is scrambled on the infected computer.

:'( I can't directly download these; I need links to the website itself, not the files.

Edited by nick0440, 20 August 2006 - 06:11 PM.


#8 Ryan
It will probably be easier for you if you download these on the good computer and burn them to a cd to bring over to the infected one.

-Ryan

#9 nick0440
I DL'ed them all [bleep] off the net and began the scanning and such; ewido already has 150+ infections.



What's with the bleep? I said turned.

What is it? Sexual references?

Edited by nick0440, 20 August 2006 - 07:00 PM.


#10 nick0440
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/20/2006 7:30:03 PM

Infected! C:\WINDOWS\system32\hr8805lue.dll
Infected! C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP88\A0003203.dll
Infected! C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP88\A0003212.dll
Infected! C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP88\A0003217.dll
Infected! C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP89\A0004218.dll
Infected! C:\WINDOWS\system32\enl2l13o1.dll
Infected! C:\WINDOWS\system32\enrol1931.dll
Infected! C:\WINDOWS\system32\hr8805lue.dll
Infected! C:\WINDOWS\system32\j66mlgj116o.dll
Infected! C:\WINDOWS\system32\kmduzb.dll
Infected! C:\WINDOWS\system32\lbrhelp.dll
Infected! C:\WINDOWS\system32\nwmsevt.dll
Infected! C:\WINDOWS\system32\xwlehlp.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\hr8805lue.dll
C:\WINDOWS\system32\hr8805lue.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP88\A0003203.dll
C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP88\A0003203.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP88\A0003212.dll
C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP88\A0003212.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP88\A0003217.dll
C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP88\A0003217.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP89\A0004218.dll
C:\System Volume Information\_restore{F4B37F6A-E802-4069-9453-BCAD8B0CD66B}\RP89\A0004218.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enl2l13o1.dll
C:\WINDOWS\system32\enl2l13o1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enrol1931.dll
C:\WINDOWS\system32\enrol1931.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr8805lue.dll
C:\WINDOWS\system32\hr8805lue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j66mlgj116o.dll
C:\WINDOWS\system32\j66mlgj116o.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kmduzb.dll
C:\WINDOWS\system32\kmduzb.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lbrhelp.dll
C:\WINDOWS\system32\lbrhelp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nwmsevt.dll
C:\WINDOWS\system32\nwmsevt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\xwlehlp.dll
C:\WINDOWS\system32\xwlehlp.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1AC74E75-6569-4911-9190-1537E3B8D1FE}"
HKCR\Clsid\{1AC74E75-6569-4911-9190-1537E3B8D1FE}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded




___________________________________________________________________



Logfile of HijackThis v1.99.1
Scan saved at 8:14:39 PM, on 8/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\testuser\Desktop\llmg.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo.../search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo.../search.asp?si=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlyppjy.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hvs4b22e] RUNDLL32.EXE w03bc6a1.dll,n 0034b22b0000000303bc6a1
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://ggpapps.gener...ca32/wficat.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.genera...aDownloader.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe




---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:03:34 PM 8/20/2006

+ Scan result:



C:\WINDOWS\TGljZW5zZWQgVXNlcg\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\TGljZW5zZWQgVXNlcg\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\drsmartload180a.exe -> Adware.DollarRevenue : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer\optimize.exe -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-842925246-1580818891-1060284298-1003\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-842925246-1580818891-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-842925246-1580818891-1060284298-1003\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\7ML4L3N3\joysavsht[1].cab/amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\pop06ap2.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\mitB.tmp.cab/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\mitB.tmp/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinATS.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinDmy.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Adware.MoneyTree : Cleaned with backup (quarantined).
C:\Program Files\PSLister\PSLister.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\MirarSetup_876075.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\C0D8.tmp/cvn0.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\System32bez6n4r21.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bez6n4r21.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cvn0.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ghynf.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\C0D8.tmp/wfxqhv.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\C0D8.tmp/zqskw.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\System32n9nyb.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iqqr.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\n9nyb.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wfxqhv.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xeymi.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\zqskw.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\i23.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-842925246-1580818891-1060284298-1003\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-842925246-1580818891-1060284298-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\ucmoreiex.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Program Files\webHancer -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\webHancer\Programs -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\webHancer\Programs\webhdll.dll -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\webHancer\Programs\whinstaller.exe -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\whInstall\whAgent.inf -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\Program Files\whInstall\whInstaller.ini -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webHancer -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webHancer\CC -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\FHW8KBZ3\3138302D2D2D[1].exe -> Downloader.Adload.bl : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\FHW8KBZ3\drsmartload849a[1].exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\drsmartload45a9999a.exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\drsmartload46a9999a.exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\drsmartload849a9999a.exe -> Downloader.Adload.ee : Cleaned with backup (quarantined).
C:\drsmartload.exe -> Downloader.Adload.ef : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\fym9bvo.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\!update.exe -> Downloader.PurityScan.da : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\tp7543.exe -> Downloader.Qoologic.ax : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\BB51PXPU\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mnnil.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\aeplq.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\anbhvlk.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kprlf.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tgbhfd.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vlyppjy.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[692] C:\WINDOWS\System32\anbhvlk.dll -> Downloader.Qoologic.bj : Error during cleaning.
[700] C:\WINDOWS\System32\kprlf.exe -> Downloader.Qoologic.bj : Error during cleaning.
[732] C:\WINDOWS\System32\kprlf.exe -> Downloader.Qoologic.bj : Error during cleaning.
[740] C:\WINDOWS\System32\kprlf.exe -> Downloader.Qoologic.bj : Error during cleaning.
C:\WINDOWS\system32\w03bc6a1.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\MTE3NDI6ODoxNgnew.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Program Files\Online Services\meho.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\ac3_0003.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\stub_113_4_0_4_0newer.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\nwnmff_11.exe -> Downloader.VB.aiy : Cleaned with backup (quarantined).
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup (quarantined).
C:\WINDOWS\win32101949133048.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\xload.exe -> Downloader.VB.wz : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\2I2XDXSU\xload[1].exe -> Downloader.VB.wz : Cleaned with backup (quarantined).
C:\803_104.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\SS1001newer.exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-842925246-1580818891-1060284298-1003\Dc347.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\WINDOWS\v1201.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Program Files\Common Files\meme.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Windows NT\popojyji.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\NWXLB0SC\pre[1].exe -> Hijacker.VB.lb : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\pre.exe -> Hijacker.VB.lb : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\UO1D3VNZ\speedtest2[1].dll -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temp\SystemDoctor2006FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\BB51PXPU\SystemDoctor2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\UO1D3VNZ\SystemDoctor2006FreeInstall[1].cab/USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\5K55R19J\xp-cydoor-728[1].swf -> Not-A-Virus.Hoax.SWF.Alerter.a : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Local Settings\Temporary Internet Files\Content.IE5\FHW8KBZ3\xp-cydoor-728[1].swf -> Not-A-Virus.Hoax.SWF.Alerter.a : Cleaned with backup (quarantined).
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Casinotropez : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Casinotropez : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Kmpads : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\testuser\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\WINDOWS\wnu_191.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\WINDOWS\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\uninst104.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).

::Report end

[692] C:\WINDOWS\System32\anbhvlk.dll -> Downloader.Qoologic.bj : Error during cleaning.
[700] C:\WINDOWS\System32\kprlf.exe -> Downloader.Qoologic.bj : Error during cleaning.
[732] C:\WINDOWS\System32\kprlf.exe -> Downloader.Qoologic.bj : Error during cleaning.
[740] C:\WINDOWS\System32\kprlf.exe -> Downloader.Qoologic.bj : Error during cleaning.

Didn't clean these files.

Edited by nick0440, 20 August 2006 - 07:17 PM.

#11
Ryan

    Member 4k

  • Member
  • 4,867 posts
Please download Qoofix by Rubber Ducky to your desktop.
  • Right-click on the Qoofix folder and choose "Extract All". Extract Qoofix to your C: drive.
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double-click on Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If Qoofix finds an infection, select Yes to restart your computer.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click Yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer; click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please post the contents of C:\vundofix.txt, C:\Qoofix\Qoofix Logfile.txt, and a new HiJackThis log.

-Ryan

Edited by rmurphy, 20 August 2006 - 07:26 PM.

#12
Ryan

    Member 4k

  • Member
  • 4,867 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.