Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malaware has made me its beeeyotch[RESOLVED]


  • This topic is locked This topic is locked

#1
Julie Jamison

Julie Jamison

    New Member

  • Member
  • Pip
  • 2 posts
Last night my seven year old called cheerily from the "kid" computer, "Mom, something is wrong here." I walked over to see approximately 43 pop ups and some installations-in-progress. BAH!

The results were catastrophic, with approximately three pop ups every 45 seconds, even with a browser closed. I put on my best geek facade early this morning and went to work. I did my research, here and on another site. I ran my usual web root spy sweeper. I downloaded ad aware and ran it as well. I downloaded and ran spybot. I found a special uninstaller for the Aurora ad and the Elite toolbar. I even sacrificed Kazaa and eliminated Top Search. I downloaded Dr. Delete and got rid of bman.exe and bman1.exe. (I think!) Then I dowloaded SpyBlaster, just in case I ever recover.

Now it didn't take me all day. I took breaks to nap and eat and trim my toenails and floss. I am happy to report that I have my old google toolbar back and now I only get a pop ups at the rate of two every 3-4 minutes. That is such progress!

My fear is that the child clicked and inadvertently installed a program I can not find. The pop ups are not squelched by my google toolbar blocker, begin at start up, and all seem to come from

ads1.revenue.net
ad.yieldmanager.com
that [bleep] tricky ad that tries to get you to download spyspotter
stuff powered by zedo

In my research I even figured out you need a hijackthis log, which I have managed to secure. (I am so proud!) It is below. I even looked at it and tried to nod thoughtfully and pretend like I understood it.

Also, I should mention I am unable to operate this computer in safe mode. For some reason, I can not log in that way. I get an incorrect password.

I am pitiful. Send help. I have nudie photos and pricey bourbon to trade.

***********

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\vplzvl.exe
C:\WINDOWS\System32\cioawex.exe
C:\WINDOWS\System32\sysnss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\sysnss.exe
C:\WINDOWS\System32\camrrenu.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Julie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.butlercc.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.butlercc.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - -{28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: (no name) - -{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
O2 - BHO: (no name) - -{ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vplzvl.exe
O4 - HKLM\..\Run: [v38S3Fj] cioawex.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefeg32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sysnss] C:\WINDOWS\System32\sysnss.exe
O4 - HKCU\..\Run: [e0r2RPHte] camrrenu.exe
O4 - HKCU\..\RunOnce: [sysnss] C:\WINDOWS\System32\sysnss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - https://formsrvr.but...iator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcccbii.com
O17 - HKLM\Software\..\Telephony: DomainName = bcccbii.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcccbii.com
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - e:\ORANT\BIN\ONRSD80.EXE (file missing)
O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: OracleOraHome81Nameshp9000.buccc.cc.ks.us - Unknown owner - E:\Oracle\Ora81\BIN\NAMES.EXE (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Julie Jamison

If you are still in need of help post a new HJT.log the top part of the log you posted is missing.

I.E
Logfile of HijackThis v1.99.1
Scan saved at 19:36:16, on 30/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Kc :tazz:
  • 0

#3
Julie Jamison

Julie Jamison

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
How shameful - I didn't even post the log correctly. :tazz:

Thank you, but I think I may have it under control. Approximately 347 steps later we are down to the last few stubborn exe files.

You guys are awesome though, to provide help to the needy.

Thank you!
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP