Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

AdultSexFriendFinder Pop-up [RESOLVED]


  • This topic is locked This topic is locked

#1
Element9846

Element9846

    Member

  • Member
  • PipPip
  • 76 posts
I have removed ClickSpring Which is a Malware I beleive...but I get [bleep] popups when i FIRST go into internet....sometimes if Im idle it pops up as well...but I always get adult sex friend finder popup when I first go into I.E.

Now don't get confused...Its not repetitiive...its only ONE popup....not 78
Either way its still not belonging here so please help...Ive gotten other [bleep] popups but I think its from this same thing

Yes, I am a guy...Most likely I got this from real [bleep] lol :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:07 AM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\w?wexec.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Preferred Customer\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ps2.ign.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ps2.ign.com/?fromint=1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = StratoNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {036CB198-2C2A-2EFE-2EF4-2E87EBF1BBBB} - C:\WINDOWS\system32\sgq.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Q1rkIoo.exe] C:\documents and settings\preferred customer\local settings\temp\Q1rkIoo.exe
O4 - HKLM\..\Run: [4YFKLJG3LQ469M] C:\WINDOWS\SYSTEM32\THS89524.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Phrk] C:\WINDOWS\system32\w?wexec.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [Orrh] C:\Documents and Settings\Preferred Customer\Application Data\psco.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://toolbar.azese...l/azesearch.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.c...et/applet_o.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C44AFB17-2647-4A94-8698-A6A730757F46}: NameServer = 204.117.214.10,199.2.252.10
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
  • 0

Advertisements


#2
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
Okay...I have svchost.exe in system32 folder but NO FOLDER named SVCHOST

Should I delete anything related to svchost or is svchost a real component for a computer?
  • 0

#3
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I don't know why you think it's bad because you have no SVCHOST folder in the System directory. Do NOT delete svchost.exe out of the System32 folder. YES, it is a legitimate system file.

Edited by bananafanafo, 23 May 2005 - 11:02 AM.

  • 0

#4
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
Okay thank you...Can you search my member name though? I have two other actual real problems which yes, are malware that have been lost and overlooked...thx
  • 0

#5
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
They were not overlooked please do not start another topic. I'm just going to close all of your "extra" topics. So it didn't do anything but waste time.
  • 0

#6
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
Im sorry Im new...I did read the rules on bumping and such but the day i posted a topic it was VERY VERY VERY busy...I apoligize very much.
  • 0

#7
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It's always very busy which is why we have these rules :tazz:

I merged 2 of your topics and closed the 3rd. I will be back as soon as possible to help you with your system.
  • 0

#8
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
Thank you very much sir...Take your time its just one popup but it is still definately somthing bad...Ive posted my log severeral times but i can post again if you wish
  • 0

#9
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're welcome, but I'm a "ma'am" :tazz:
  • 0

#10
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
And I don't need another HiJackThis log yet. I'll tell you when I do :tazz:
  • 0

Advertisements


#11
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I just looked at your log and I'm quite amazed that you're only getting one popup!

First thing we need to do is get rid of the Peper Trojan.

Please download this file: Peper Fix (uninst.exe), run it, and let terminate (it'll just blink briefly on your screen and won't appeared to have done much--this is normal).

Reboot and post a new HiJackThis log.
  • 0

#12
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
Thx for the help here is my log...I started I.e. and no popup but is it just a strange happening? cause this HAS AND has NOT popped uop b4 but its definately not my startpage...its ign.com (start page)

kk heres my new log file

Logfile of HijackThis v1.99.1
Scan saved at 11:21:15 PM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\w?wexec.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\crypserv.exe
C:\Documents and Settings\Preferred Customer\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ps2.ign.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ps2.ign.com/?fromint=1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = StratoNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: (no name) - {036CB198-2C2A-2EFE-2EF4-2E87EBF1BBBB} - C:\WINDOWS\system32\sgq.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Q1rkIoo.exe] C:\documents and settings\preferred customer\local settings\temp\Q1rkIoo.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Phrk] C:\WINDOWS\system32\w?wexec.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [Orrh] C:\Documents and Settings\Preferred Customer\Application Data\psco.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://toolbar.azese...l/azesearch.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.c...et/applet_o.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C44AFB17-2647-4A94-8698-A6A730757F46}: NameServer = 204.117.214.10,199.2.252.10
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


[edit below]
Ive had AZESearch Toolbar in the past....and just noticed that was also detected on there....must still be remnants of that at well...but lets stay on topic either way...Ill make a thread about aze if I have to unless your willing to get both out all together

Edited by Element9846, 23 May 2005 - 09:26 PM.

  • 0

#13
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You do have the aze installer on your computer as well as many other malicious items. We only got rid of the Peper Trojan, now we have to get rid of the rest of the pests. I'll be back as soon as possible.
  • 0

#14
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Do not start another topic. It would get quite confusing if you were having multiple helpers working on the same system. I will do EVERYTHING in this topic. :tazz:

Edited by bananafanafo, 23 May 2005 - 11:55 PM.

  • 0

#15
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ps2.ign.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ps2.ign.com/?fromint=1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = StratoNet

O2 - BHO: (no name) - {036CB198-2C2A-2EFE-2EF4-2E87EBF1BBBB} - C:\WINDOWS\system32\sgq.dll (file missing)
O2 - BHO: BHOMoneyGainer Class - {2559D0B1-AF60-4BD5-965D-0E51383A6367} - C:\WINDOWS\shginas.dll

O4 - HKLM\..\Run: [Q1rkIoo.exe] C:\documents and settings\preferred customer\local settings\temp\Q1rkIoo.exe
O4 - HKCU\..\Run: [Phrk] C:\WINDOWS\system32\w?wexec.exe
O4 - HKCU\..\Run: [Orrh] C:\Documents and Settings\Preferred Customer\Application Data\psco.exe

O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} (CParamWr Class) - http://toolbar.azese...l/azesearch.cab


Close HijackThis.

Using Windows Explorer, delete the following files (in bold):

C:\WINDOWS\system32\w?wexec.exe (Only delete the file with the "?" in the name!)
C:\Documents and Settings\Preferred Customer\Application Data\psco.exe
C:\documents and settings\preferred customer\local settings\temp\Q1rkIoo.exe

Reboot and post a new HiJackThis log.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP