Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hijack This

Started by MBurlew8 , Jun 05 2005 05:59 PM

  • Please log in to reply

#1
MBurlew8
Posted 05 June 2005 - 05:59 PM

MBurlew8

    Member

  • Member
  • PipPip
  • 18 posts
I have been experiencing numerous pop-ups from hotbar, revenue and loading websites. I have been trying to get rid of this on my own for the past three days. I have done many scans, and read many threads; however i cannot seem to get rid of it. Here is my Hijack This Log. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 6:45:48 PM, on 6/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\K1MRW1MR\HIJACKTHIS[1].EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildt...uncherSetup.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmas...ick/TMSetup.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/c...ChatOCXProj.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.aka...vex-2.0.2.7.cab
  • 0

Advertisements

#2
don77
Posted 05 June 2005 - 07:19 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi and welcome MBurlew8
Need you to do a couple things please,

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt
Move HJT into this new folder please,

Next

Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean. Make sure you check the 'Disinfect automatically' option in Active scan, and check the “Auto Clean” option in TrendMicro, Then let us know if its working better and what the scans found.


Next
  • Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443
  • Unzip/extract the files inside to a folder on your desktop.
  • Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
  • Then post the results here please, along with the new HijackThis log.

  • 0

#3
MBurlew8
Posted 05 June 2005 - 10:14 PM

MBurlew8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I ran Trend Micro's House call and also Active Scan. Each scan found items but could not delete them because they were in use. I rebooted in safe mode and deleted a couple, but most still could not be deleted.


Find-Its Log


Windows Millennium [Version 4.90.3000]

Current date is Sun 06-05-2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\SIDEB.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\System\HQRHIL~1.EXE
* SAHAgent C:\WINDOWS\System\BLN02NQV.INI
* SAHAgent C:\WINDOWS\System\70TOVMTO.INI
* SAHAgent C:\WINDOWS\System\ATRC8P~1.INI
* SAHAgent C:\WINDOWS\System\HQRHIL~1.INI
* SAHAgent C:\WINDOWS\System\UMQLTG~1.INI
* SAHAgent C:\WINDOWS\System\GAH95ON6.INI
* SAHAgent C:\WINDOWS\System\ABASA5~1.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.


Volume in drive C has no label
Volume Serial Number is 3E3A-13F3
Directory of C:\WINDOWS\SYSTEM32

14,667.36 MB free
»»»»» Checking for SAHAgent ico files.

Volume in drive C has no label
Volume Serial Number is 3E3A-13F3
Directory of C:\WINDOWS\SYSTEM32

14,667.36 MB free

»»»»»»»»»»»»»»»»»»»»»»»».




Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 11:16:13 PM, on 6/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildt...uncherSetup.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmas...ick/TMSetup.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/c...ChatOCXProj.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.aka...vex-2.0.2.7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

#4
don77
Posted 06 June 2005 - 05:49 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi MBurlew8, We have a couple things to do here,

*Please open notepad and save these instructions, Name it something you will remember
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SIDEB.EXE
C:\WINDOWS\System\HQRHIL~1.EXE
C:\WINDOWS\System\BLN02NQV.INI
C:\WINDOWS\System\70TOVMTO.INI
C:\WINDOWS\System\ATRC8P~1.INI
C:\WINDOWS\System\HQRHIL~1.INI
C:\WINDOWS\System\UMQLTG~1.INI
C:\WINDOWS\System\GAH95ON6.INI
C:\WINDOWS\System\ABASA5~1.INI

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

You should be asked to restart your computer, If not please do so,

Next

Please run another scan with Active, This time when it is completes please copy and paste back what it has found please.

Along with a fresh Findit's log please
  • 0

#5
MBurlew8
Posted 06 June 2005 - 09:33 PM

MBurlew8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Active Scan

Incident Status Location

Adware:Adware/eZula No disinfected C:\PROGRAM FILES\EZULA\CHCON.DLL
Adware:Adware/eZula No disinfected C:\Program Files\eZula
Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\Temp\FLEOK
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\HookPopup.dll
Adware:Adware/IEPlugin No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\downloaded program files\osd149f.osd
Spyware:Spyware/Spyblocs No disinfected C:\WINDOWS\Desktop\Remove Spyware.url
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Adware:Adware/SearchRelevancy No disinfected Windows Registry
Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\EYENU.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VDHELPER.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYW32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SE_8M.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RGSAPI16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MLAFD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wgpshell.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CGMOCX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DBDRG8X.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MAXBDE40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AYCODC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wpp.dll
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Nyblvq.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Uvuxff.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Udccue.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Dxkytc.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\HookPopup.dll
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Ownlix.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AMMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DWSENH.DLL
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\liqp7c25q.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MEPWL32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\zmib.dll
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\ezstub.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\APMUI.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\POLALL1R.INF
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\natr.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Spyware:Spyware/Spyblocs No disinfected C:\WINDOWS\Desktop\Remove Spyware.url
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_VENDARE3.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaPassX.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\OSD149F.OSD
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_VENDARE3.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_VENDARE3.exe
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\installer_VENDARE3.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Adware:Adware/nCase No disinfected C:\WINDOWS\icont.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\eZinstall.exe
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\puvwg.dat
Adware:Adware/EliteBar No disinfected C:\WINDOWS\blocklist.reg
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\installer_SIAC.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\salm_kyf.dat
Adware:Adware/nCase No disinfected C:\WINDOWS\salmau.dat
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\joyiconsbbb.exe
Adware:Adware/ImGiant No disinfected C:\WINDOWS\myurlff.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows AdStatus\WinStatComm.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Windows FormatAd\WinFormKeep.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows FormatAd\WinForm.exe
Adware:Adware/eZula No disinfected C:\Program Files\eZula\seng.dll
Adware:Adware/eZula No disinfected C:\Program Files\eZula\CHCON.dll
Adware:Adware/eZula No disinfected C:\Program Files\Web Offer\apev.exe
Adware:Adware/eZula No disinfected C:\Program Files\Web Offer\CHPON.dll
Spyware:Spyware/ISTbar No disinfected C:\NULL
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/nCase No disinfected C:\temp\salmau.dat


FindIt's Log

Current date is Mon 06-06-2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\ICONT.EXE
* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.


Volume in drive C has no label
Volume Serial Number is 3E3A-13F3
Directory of C:\WINDOWS\SYSTEM32

14,711.92 MB free
»»»»» Checking for SAHAgent ico files.

Volume in drive C has no label
Volume Serial Number is 3E3A-13F3
Directory of C:\WINDOWS\SYSTEM32

14,711.92 MB free

»»»»»»»»»»»»»»»»»»»»»»»».
  • 0

#6
don77
Posted 08 June 2005 - 04:40 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
sorry for the delay in response,
Using killbox again please and the same method please kill the following,

C:\PROGRAM FILES\EZULA\CHCON.DLL 
C:\Program Files\eZula 
C:\Temp\FLEOK 
C:\WINDOWS\unstall.exe 
C:\keys.ini 
C:\WINDOWS\inf\polall1r.inf 
C:\WINDOWS\SYSTEM\HookPopup.dll 
C:\WINDOWS\downloaded program files\osd149f.osd 
C:\WINDOWS\Desktop\Remove Spyware.url 
C:\Program Files\joystick networks 
C:\WINDOWS\SYSTEM\EYENU.DLL 
C:\WINDOWS\SYSTEM\VDHELPER.DLL 
C:\WINDOWS\SYSTEM\WYW32.DLL 
C:\WINDOWS\SYSTEM\SE_8M.DLL 
C:\WINDOWS\SYSTEM\RGSAPI16.DLL 
C:\WINDOWS\SYSTEM\MLAFD.DLL 
C:\WINDOWS\SYSTEM\wgpshell.dll 
C:\WINDOWS\SYSTEM\CGMOCX.DLL 
C:\WINDOWS\SYSTEM\DBDRG8X.DLL 
C:\WINDOWS\SYSTEM\MAXBDE40.DLL 
C:\WINDOWS\SYSTEM\AYCODC32.DLL 
C:\WINDOWS\SYSTEM\wpp.dll 
C:\WINDOWS\SYSTEM\Nyblvq.exe 
C:\WINDOWS\SYSTEM\Uvuxff.exe 
C\:WINDOWS\SYSTEM\Udccue.exe 
C:\WINDOWS\SYSTEM\Dxkytc.exe 
C:\WINDOWS\SYSTEM\HookPopup.dll 
C:\WINDOWS\SYSTEM\Ownlix.exe 
C:\WINDOWS\SYSTEM\AMMUI.DLL 
C:\WINDOWS\SYSTEM\DWSENH.DLL 
C:\WINDOWS\SYSTEM\liqp7c25q.dll 
C:\WINDOWS\SYSTEM\MEPWL32.DLL 
C:\WINDOWS\SYSTEM\zmib.dll 
C:\WINDOWS\SYSTEM\ezstub.exe 
C:\WINDOWS\SYSTEM\APMUI.DLL 
C:\WINDOWS\INF\POLALL1R.INF 
C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\natr.exe 
C:\WINDOWS\unstall.exe 
C:\WINDOWS\Desktop\Remove Spyware.url 
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll 
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf 
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_VENDARE3.exe 
C:\WINDOWS\Downloaded Program Files\popcaploader.inf 
C:\WINDOWS\Downloaded Program Files\MediaPassX.dll 
C:\WINDOWS\Downloaded Program Files\OSD149F.OSD 
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_VENDARE3.exe 
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_VENDARE3.exe 
C:\WINDOWS\Downloaded Program Files\ysbactivex.inf 
C:\WINDOWS\Downloaded Program Files\installer_VENDARE3.exe 
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll 
C:\WINDOWS\Downloaded Program Files\m67m.ocx 
C:\WINDOWS\Downloaded Program Files\m67m.inf 
C:\WINDOWS\Downloaded Program Files\setup4002b.ini 
C:\WINDOWS\icont.exe 
C:\WINDOWS\eZinstall.exe 
C:\WINDOWS\puvwg.dat 
C:\WINDOWS\blocklist.reg 
C:\WINDOWS\installer_SIAC.exe 
C:\WINDOWS\salm_kyf.dat 
C:\WINDOWS\salmau.dat 
C:\WINDOWS\joyiconsbbb.exe 
C:\WINDOWS\myurlff.exe 
C:\Program Files\Windows AdStatus\WinStatComm.dll 
C:\Program Files\Windows FormatAd\WinFormKeep.exe 
C:\Program Files\Windows FormatAd\WinForm.exe 
C:\Program Files\eZula\seng.dll 
C:\Program Files\eZula\CHCON.dll 
C:\Program Files\Web Offer\apev.exe 
C:\Program Files\Web Offer\CHPON.dll 
C:\NULL 
C:\keys.ini 
C:\temp\salmau.dat

Run another scan with Active again please.
Also please run a scan with TrendMicro's HouseCall
Let us know what it finds as well
  • 0

#7
MBurlew8
Posted 14 June 2005 - 09:37 AM

MBurlew8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I'm very sorry it's taken so long for me to respond. I hadn't noticed your post until now.


Active Scan

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYADMOE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IZS.DLL
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\ELITEGFS32.EXE
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\NSVSVC\NSVS.DLL
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\ELITEG~1.EXE
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/SideFind No disinfected Windows Registry
Spyware:Spyware/Bundleware No disinfected C:\WINDOWS\downloaded program files\ds3.dll
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\mp3.ocx
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Adware:Adware/SearchRelevancy No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\EYENU.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VDHELPER.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYW32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SE_8M.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RGSAPI16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MLAFD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wgpshell.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CGMOCX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYADMOE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OKESVR32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DBDRG8X.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MAXBDE40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AYCODC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RDCLTC1.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wpp.dll
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Nyblvq.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Uvuxff.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Udccue.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Dxkytc.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IZWDIAL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SXRIALUI.DLL
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Ownlix.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AMMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DWSENH.DLL
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\liqp7c25q.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MEPWL32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\zmib.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\elitegfs32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\temperror32.dat
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NRTOS.DLL
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SII.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\APMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WTADMOD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DFCVW_32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GIU32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lvqp7c25q.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IZS.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\POLALL1R.INF
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\natr.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_VENDARE3.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaPassX.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\OSD149F.OSD
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_VENDARE3.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_VENDARE3.exe
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\installer_VENDARE3.exe
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\mp3.ocx
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware/Look2Me No disinfected C:\WINDOWS\Downloaded Program Files\DS3.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\puvwg.dat
Adware:Adware/EliteBar No disinfected C:\WINDOWS\blocklist.reg
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\installer_SIAC.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\joyiconsbbb.exe
Adware:Adware/ImGiant No disinfected C:\WINDOWS\myurlff.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows FormatAd\WinFormKeep.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows FormatAd\WinForm.exe
Spyware:Spyware/ISTbar No disinfected C:\NULL

Trend Micro

TSPY SMALL.SN C:\_RESTORE\ARCHIVE\FS1.CAB*A0000051.CPY*
TSPY SMALL.SN C:\_RESTORE\ARCHIVE\FS1.CAB*A0000054.CPY*
TROJ LOADER.D C:\_RESTORE\ARCHIVE\FS14.CAB*A0003164.CPY*
TROJ LOADER.D C:\_RESTORE\ARCHIVE\FS14.CAB*A0003169.CPY*
TROJ AGENT.NJ C:\_RESTORE\ARCHIVE\FS30.CAB*A0013335.CPY*
TROJ LOADER.C C:\_RESTORE\ARCHIVE\FS30.CAB*A0013347.CPY*
TROJ LOADER.C C:\_RESTORE\ARCHIVE\FS30.CAB*A0013348.CPY*
TROJ QLOGIC.A C:\_RESTORE\ARCHIVE\FS30.CAB*A0013349.CPY*
TROJ QLOGIC.A C:\_RESTORE\ARCHIVE\FS30.CAB*A0013366.CPY*
TROJ DLOADER.FN C:\_RESTORE\ARCHIVE\FS62.CAB*A0029514.CPY*
TROJ DLOADER.FN C:\_RESTORE\ARCHIVE\FS96.CAB*A0038069.CPY*
TROJ DROPPER.DM C:\_RESTORE\ARCHIVE\FS117.CAB*A0049647.CPY*
TROJ STARTPAG.QY C:\_RESTORE\ARCHIVE\FS117.CAB*A0050104.CPY*
TROJ AGENT.MJ C:\_RESTORE\ARCHIVE\FS117.CAB*A0051525.CPY*
TROJ STARTPAG.QY C:\_RESTORE\ARCHIVE\FS117.CAB*A0051530.CPY*
TROJ STARTPAG.QY C:\_RESTORE\ARCHIVE\FS117.CAB*A0051532.CPY*
TROJ STARTPAG.QY C:\_RESTORE\ARCHIVE\FS133.CAB*A0053359.CPY*
TROJ DLOADER.FN C:\_RESTORE\ARCHIVE\FS140.CAB*A0057445.CPY*
TROJ LOWZONE.F C:\_RESTORE\ARCHIVE\FS172.CAB*A0061188.CPY*
TROJ DROPPER.DM C:\_RESTORE\ARCHIVE\FS258.CAB*A0077549.CPY*
TROJ STARTPAG.QY C:\_RESTORE\ARCHIVE\FS258.CAB*A0078082.CPY*
TROJ AGENT.MJ C:\_RESTORE\ARCHIVE\FS258.CAB*A0079013.CPY*
TROJ DLOADER.OT C:\WINDOWS\SYSTEM\vidctrl\vidctrl.exe
TROJ STARTPAG.QY C:\WINDOWS\SYSTEM\elitegfs32.exe
TROJ STARTPAG.QY C:\WINDOWS\SYSTEM\temperror33.dat
  • 0

#8
don77
Posted 14 June 2005 - 06:04 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Download Ad-Aware SE
Use the: “Check for Updates Now” option and download the latest reference files
Use the Start button, and on the next window, select: Perform Full System Scan
Press Next, and let Ad-aware scan the hard drive
When finished, right-click the window with the entries, choose: Select All from the menu, and click Next
Once AdAware has removed the entries, close the program
Restart the computer
Next
Dowload the latest version of Spybot 1.3. Please check it for updates, Run the program and have it fix anything it finds in Red.
Restart your computer,


Run another scan with Active. Post back a fresh HJT log as well please
  • 0

#9
MBurlew8
Posted 15 June 2005 - 11:00 AM

MBurlew8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Active Scan

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYADMOE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RZCMQSVR.DLL
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\ELITEGFS32.EXE
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\ELITEG~1.EXE
Adware:Adware/SaveNow No disinfected C:\WINDOWS\All Users\Application Data\nsv
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\mp3.ocx
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Adware:Adware/SearchRelevancy No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\EYENU.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VDHELPER.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYW32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SE_8M.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RGSAPI16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MLAFD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wgpshell.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CGMOCX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYADMOE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OKESVR32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DBDRG8X.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MAXBDE40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AYCODC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RDCLTC1.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wpp.dll
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Nyblvq.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Uvuxff.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Udccue.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Dxkytc.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IZWDIAL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SXRIALUI.DLL
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Ownlix.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AMMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DWSENH.DLL
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\liqp7c25q.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MEPWL32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\zmib.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\elitegfs32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\temperror32.dat
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NRTOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SII.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\APMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WTADMOD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DFCVW_32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GIU32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lvqp7c25q.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IZS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wep.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MWVCRT40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MZCUIA32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CCMOCX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WJNMM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ZUPFLDR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WON87EM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RZCMQSVR.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\POLALL1R.INF
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\Start Menu\Programs\Disabled Startup Items\natr.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_VENDARE3.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaPassX.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\OSD149F.OSD
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_VENDARE3.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_VENDARE3.exe
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\installer_VENDARE3.exe
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\mp3.ocx
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\SSK3_B5_SSK3_B5.exe
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\puvwg.dat
Adware:Adware/EliteBar No disinfected C:\WINDOWS\blocklist.reg
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\installer_SIAC.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\joyiconsbbb.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskBho.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskCore.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\Ssk.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows FormatAd\WinFormKeep.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows FormatAd\WinForm.exe
Spyware:Spyware/ISTbar No disinfected C:\NULL


Hijack This Log

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ELITEGFS32.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [STOPzilla] /autostart
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEGFS32.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [szserver] "C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE" szserver
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\RunServices: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildt...uncherSetup.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmas...ick/TMSetup.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/c...ChatOCXProj.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.aka...vex-2.0.2.7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
  • 0

#10
don77
Posted 16 June 2005 - 08:33 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hmmm this seems to be going in the wrong direction,
Please download CCleaner and install

Please run CCleaner to assist in this process.
(Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".


Next

Run another scan with both Ad-aware and Spybot,


Restart your computer

Next
Run this online scan
http://www.kaspersky...oduct=161744315

Have it fix what it finds please

Run another scan with Active post back what it finds along with a fresh HJT log please
  • 0

Advertisements

#11
MBurlew8
Posted 17 June 2005 - 08:03 PM

MBurlew8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Active Scan


Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OTE2NLS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CQUSALGO.DLL
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\ELITEGFS32.EXE
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\NSVSVC\NSVS.DLL
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\ELITEG~1.EXE
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exclean.exe
Adware:Adware/nCase No disinfected C:\Temp\FLEOK
Spyware:Spyware/AdClicker No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\mp3.ocx
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\EYENU.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VDHELPER.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYW32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SE_8M.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RGSAPI16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MLAFD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wgpshell.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CGMOCX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYADMOE.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OKESVR32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DBDRG8X.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MAXBDE40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AYCODC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RDCLTC1.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wpp.dll
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Nyblvq.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Uvuxff.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Udccue.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Dxkytc.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IZWDIAL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SXRIALUI.DLL
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Ownlix.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AMMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DWSENH.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MEPWL32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\zmib.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\elitegfs32.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\temperror32.dat
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NRTOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IDROP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SBDOCLC.DLL
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\vidctrl\vidctrl.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SII.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\APMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WTADMOD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DFCVW_32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GIU32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lvqp7c25q.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IZS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wep.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MWVCRT40.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MZCUIA32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CCMOCX.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WJNMM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ZUPFLDR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WON87EM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OOBC32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DDNMPNTW.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\PQWEROLD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VRDX16.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DGDRGBXF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CQUSALGO.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OTE2NLS.DLL
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MRR.DLL
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exclean.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\2r5qf5lt.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mtvbvm60.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\POLALL1R.INF
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_VENDARE3.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaPassX.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\OSD149F.OSD
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_VENDARE3.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_VENDARE3.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\YSBactivex.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\installer_VENDARE3.exe
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\mp3.ocx
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\SSK3_B5_SSK3_B5.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\blocklist.reg
Adware:Adware/nCase No disinfected C:\WINDOWS\salm_kyf.dat
Adware:Adware/nCase No disinfected C:\WINDOWS\salmau.dat
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\joyiconsbbb.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows FormatAd\WinFormKeep.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows FormatAd\WinForm.exe
Adware:Adware/nCase No disinfected C:\temp\salmau.dat



Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 9:03:25 PM, on 6/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\ELITEGFS32.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEGFS32.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmas...ick/TMSetup.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/c...ChatOCXProj.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.aka...vex-2.0.2.7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.co...ysb_1002952.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab
  • 0

#12
don77
Posted 18 June 2005 - 04:07 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEGFS32.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab


Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

C:\WINDOWS\SYSTEM\ELITEGFS32.EXE
C:\WINDOWS\SYSTEM\nsvsvc\<<Delete Folder
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE


Restart your computer,

Check both Ad-aware and spybot for updates,

Reboot to safe mode,
Open CCleaner and have it clean your Temp Folders please,
Close out CCleaner,
Open Ad-aware and run a full scan with it please, Have it fix all it finds.
Same with Spybot have it fix all it finds in Red,

Restart your computer
Run another scan with Active scan, Post back a fresh HJT log please
  • 0

#13
MBurlew8
Posted 18 June 2005 - 07:23 PM

MBurlew8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:20:51 PM, on 6/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {90918C20-FB99-495A-BD79-CB91ACF44887} - http://www.typingmas...ick/TMSetup.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/c...ChatOCXProj.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.aka...vex-2.0.2.7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.co...ysb_1002952.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
  • 0

#14
don77
Posted 18 June 2005 - 08:31 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Did you run Active scan ?
  • 0

#15
MBurlew8
Posted 19 June 2005 - 08:08 AM

MBurlew8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Active Scan




Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OTE2NLS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DLMSSPXN.DLL
Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\Temp\FLEOK
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\SahImages
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\WINDOWS\downloaded program files\osd149f.osd
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\mp3.ocx
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DLMSSPXN.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SE_8M.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IZWDIAL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SXRIALUI.DLL
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Ownlix.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AMMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DWSENH.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MEPWL32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\zmib.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WYASCR.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IW3Svc.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\SYSTEM\temperror32.dat
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NRTOS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IDROP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SBDOCLC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SII.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\APMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WTADMOD.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DFCVW_32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GIU32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\lvqp7c25q.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OTE2NLS.DLL
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_VENDARE3.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaPassX.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\OSD149F.OSD
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\installer_VENDARE3.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_VENDARE3.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\YSBactivex.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\Downloaded Program Files\installer_VENDARE3.exe
Adware:Adware/TopConvert No disinfected C:\WINDOWS\Downloaded Program Files\mp3.ocx
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Spyware:Spyware/Media-motor No disinfected C:\HJT\backups\backup-20050618-180019-572.inf
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP