The results were catastrophic, with approximately three pop ups every 45 seconds, even with a browser closed. I put on my best geek facade early this morning and went to work. I did my research, here and on another site. I ran my usual web root spy sweeper. I downloaded ad aware and ran it as well. I downloaded and ran spybot. I found a special uninstaller for the Aurora ad and the Elite toolbar. I even sacrificed Kazaa and eliminated Top Search. I downloaded Dr. Delete and got rid of bman.exe and bman1.exe. (I think!) Then I downloaded SpyBlaster, just in case I ever recover.
Now it didn't take me all day. I took breaks to nap and eat and trim my toenails and floss. I am happy to report that I have my old Google toolbar back and now I only get pop ups at the rate of two every 3-4 minutes. That is such progress!
My fear is that the child clicked and inadvertently installed a program I cannot find. The pop ups are not squelched by my Google toolbar blocker, begin at start up, and all seem to come from:
ads1.revenue.net
ad.yieldmanager.com
that [bleep] tricky ad that tries to get you to download spyspotter
stuff powered by zedo
In my research I even figured out you need a hijackthis log, which I have managed to secure. (I am so proud!) It is below. I even looked at it and tried to nod thoughtfully and pretend like I understood it.
Also, I should mention I am unable to operate this computer in safe mode. For some reason, I can not log in that way. I get an incorrect password.
I am pitiful. Send help. I have nudie photos and pricey bourbon to trade.
***********
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\vplzvl.exe
C:\WINDOWS\System32\cioawex.exe
C:\WINDOWS\System32\sysnss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\sysnss.exe
C:\WINDOWS\System32\camrrenu.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Julie\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.butlercc.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.butlercc.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - -{28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: (no name) - -{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
O2 - BHO: (no name) - -{ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - -{825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vplzvl.exe
O4 - HKLM\..\Run: [v38S3Fj] cioawex.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefeg32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sysnss] C:\WINDOWS\System32\sysnss.exe
O4 - HKCU\..\Run: [e0r2RPHte] camrrenu.exe
O4 - HKCU\..\RunOnce: [sysnss] C:\WINDOWS\System32\sysnss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - https://formsrvr.but...iator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bcccbii.com
O17 - HKLM\Software\..\Telephony: DomainName = bcccbii.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bcccbii.com
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - e:\ORANT\BIN\ONRSD80.EXE (file missing)
O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\Oracle\Ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: OracleOraHome81Nameshp9000.buccc.cc.ks.us - Unknown owner - E:\Oracle\Ora81\BIN\NAMES.EXE (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
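
An added example, not part of the original post: a small Python triage pass over HijackThis-style entry lines that marks entries the log itself reports as `(no file)` or `(file missing)`, and Run entries launched by bare file name. The function names and the `bare-name` heuristic are assumptions of this example; the sample lines are copied from the log above.

```python
import re
from collections import Counter

# Sample input: a few lines copied from the log in the post above.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\ctfmon.exe
O2 - BHO: (no name) - -{28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [v38S3Fj] cioawex.exe
O4 - HKCU\..\Run: [e0r2RPHte] camrrenu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: OracleClientCache80 - Unknown owner - e:\ORANT\BIN\ONRSD80.EXE (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then body
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(.*?)\] (.+)$")

def parse(log):
    """Return (section, body, notes) per entry line; process paths are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        notes = []
        # The log itself says the referenced file is gone.
        if body.endswith(("(no file)", "(file missing)")):
            notes.append("orphaned")
        # Assumed heuristic: autorun command with no path, so the log does
        # not show which file on disk it resolves to.
        run = RUN.match(body) if section == "O4" else None
        if run and "\\" not in run.group(2):
            notes.append("bare-name")
        entries.append((section, body, notes))
    return entries

def review_queue(log):
    """Entries to look at first. A note is a prompt for review, not a verdict."""
    return [(s, n, b) for s, b, notes in parse(log) for n in notes]

def section_counts(log):
    """Number of entries per HijackThis section code."""
    return Counter(s for s, _, _ in parse(log))

if __name__ == "__main__":
    for section, note, body in review_queue(SAMPLE_LOG):
        print(f"{section:>3}  {note:<9}  {body}")
```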