oneclick has my homepage! [RESOLVED]


  • This topic is locked

#1
Marycw

  • Member
  • 10 posts
Help, I've been hijacked. I'm just a housewife. Any help would be appreciated.
I've run a lot of anti-virus software to no avail. Thanks.



Logfile of HijackThis v1.99.1
Scan saved at 4:03:57 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\ViRobotXP\Vrres.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mary\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch....aspx?tb_id=401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB219.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [yruzgz] C:\WINDOWS\yruzgz.exe
O4 - HKLM\..\Run: [XELRYFL] C:\WINDOWS\XELRYFL.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [VZDJQW] C:\WINDOWS\VZDJQW.exe
O4 - HKLM\..\Run: [VFMZCJMT] C:\WINDOWS\VFMZCJMT.exe
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TAHNUB] C:\WINDOWS\TAHNUB.exe
O4 - HKLM\..\Run: [SpyHunter] C:\WINDOWS\EKRXELR.exe
O4 - HKLM\..\Run: [RXELOUBI] C:\WINDOWS\RXELOUBI.exe
O4 - HKLM\..\Run: [RXE] C:\WINDOWS\RXE.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QXAHN] C:\WINDOWS\QXAHN.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OCIPVGMT] C:\WINDOWS\OCIPVGMT.exe
O4 - HKLM\..\Run: [NTEKRXUV] C:\WINDOWS\NTEKRXUV.exe
O4 - HKLM\..\Run: [nizqx] C:\WINDOWS\nizqx.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
O4 - HKLM\..\Run: [KRXBHO] C:\WINDOWS\KRXBHO.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [JUWGJ] C:\WINDOWS\JUWGJ.exe
O4 - HKLM\..\Run: [JQWAGNTH] C:\WINDOWS\JQWAGNTH.exe
O4 - HKLM\..\Run: [ITFISF] C:\WINDOWS\ITFISF.exe
O4 - HKLM\..\Run: [GMTZDJQ] C:\WINDOWS\GMTZDJQ.exe
O4 - HKLM\..\Run: [FMSZFMTZ] C:\WINDOWS\FMSZFMTZ.exe
O4 - HKLM\..\Run: [FMSZDJ] C:\WINDOWS\FMSZDJ.exe
O4 - HKLM\..\Run: [FMSZBHO] C:\WINDOWS\FMSZBHO.exe
O4 - HKLM\..\Run: [FIOVCIPVG] C:\WINDOWS\FIOVCIPVG.exe
O4 - HKLM\..\Run: [EKRXELRY] C:\WINDOWS\EKRXELRY.exe
O4 - HKLM\..\Run: [EKRXELR] C:\WINDOWS\EKRXELR.exe
O4 - HKLM\..\Run: [EKRXBL] C:\WINDOWS\EKRXBL.exe
O4 - HKLM\..\Run: [EKR] C:\WINDOWS\EKR.exe
O4 - HKLM\..\Run: [DKN] C:\WINDOWS\DKN.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [CJPWZAGN] C:\WINDOWS\CJPWZAGN.exe
O4 - HKLM\..\Run: [CIPVCJPW] C:\WINDOWS\CIPVCJPW.exe
O4 - HKLM\..\Run: [CDJQWA] C:\WINDOWS\CDJQWA.exe
O4 - HKLM\..\Run: [BIOVCILS] C:\WINDOWS\BIOVCILS.exe
O4 - HKLM\..\Run: [BIOV] C:\WINDOWS\BIOV.exe
O4 - HKLM\..\Run: [Bib camp less option] C:\Documents and Settings\All Users\Application Data\Software stop bib camp\cash save.exe
O4 - HKLM\..\Run: [BHOV] C:\WINDOWS\BHOV.exe
O4 - HKLM\..\Run: [BHOUELRY] C:\WINDOWS\BHOUELRY.exe
O4 - HKLM\..\Run: [AGNTAHK] C:\WINDOWS\AGNTAHK.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Rdr Option] C:\DOCUME~1\Mary\APPLIC~1\INTERA~1\Fork Help Build.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Service Manager.norun
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

The bitter, wretched end.
Thanks


#2
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi marycw and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

a. Click on My Controls at the top right hand corner of the window.
b. In the left hand column, click "View Topics"
c. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren


#3
Marycw

  • Topic Starter
  • Member
  • 10 posts
Okay Trev, I think I did what you said except I couldn't find the "immediate email notification" button but I don't think that's crucial. Anyway, here's my new log.

Logfile of HijackThis v1.99.1
Scan saved at 6:36:54 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\ViRobotXP\Vrres.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch....aspx?tb_id=401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB219.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [yruzgz] C:\WINDOWS\yruzgz.exe
O4 - HKLM\..\Run: [XELRYFL] C:\WINDOWS\XELRYFL.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [VZDJQW] C:\WINDOWS\VZDJQW.exe
O4 - HKLM\..\Run: [VFMZCJMT] C:\WINDOWS\VFMZCJMT.exe
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TAHNUB] C:\WINDOWS\TAHNUB.exe
O4 - HKLM\..\Run: [SpyHunter] C:\WINDOWS\EKRXELR.exe
O4 - HKLM\..\Run: [RXELOUBI] C:\WINDOWS\RXELOUBI.exe
O4 - HKLM\..\Run: [RXE] C:\WINDOWS\RXE.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QXAHN] C:\WINDOWS\QXAHN.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OCIPVGMT] C:\WINDOWS\OCIPVGMT.exe
O4 - HKLM\..\Run: [NTEKRXUV] C:\WINDOWS\NTEKRXUV.exe
O4 - HKLM\..\Run: [nizqx] C:\WINDOWS\nizqx.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
O4 - HKLM\..\Run: [KRXBHO] C:\WINDOWS\KRXBHO.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [JUWGJ] C:\WINDOWS\JUWGJ.exe
O4 - HKLM\..\Run: [JQWAGNTH] C:\WINDOWS\JQWAGNTH.exe
O4 - HKLM\..\Run: [ITFISF] C:\WINDOWS\ITFISF.exe
O4 - HKLM\..\Run: [GMTZDJQ] C:\WINDOWS\GMTZDJQ.exe
O4 - HKLM\..\Run: [FMSZFMTZ] C:\WINDOWS\FMSZFMTZ.exe
O4 - HKLM\..\Run: [FMSZDJ] C:\WINDOWS\FMSZDJ.exe
O4 - HKLM\..\Run: [FMSZBHO] C:\WINDOWS\FMSZBHO.exe
O4 - HKLM\..\Run: [FIOVCIPVG] C:\WINDOWS\FIOVCIPVG.exe
O4 - HKLM\..\Run: [EKRXELRY] C:\WINDOWS\EKRXELRY.exe
O4 - HKLM\..\Run: [EKRXELR] C:\WINDOWS\EKRXELR.exe
O4 - HKLM\..\Run: [EKRXBL] C:\WINDOWS\EKRXBL.exe
O4 - HKLM\..\Run: [EKR] C:\WINDOWS\EKR.exe
O4 - HKLM\..\Run: [DKN] C:\WINDOWS\DKN.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [CJPWZAGN] C:\WINDOWS\CJPWZAGN.exe
O4 - HKLM\..\Run: [CIPVCJPW] C:\WINDOWS\CIPVCJPW.exe
O4 - HKLM\..\Run: [CDJQWA] C:\WINDOWS\CDJQWA.exe
O4 - HKLM\..\Run: [BIOVCILS] C:\WINDOWS\BIOVCILS.exe
O4 - HKLM\..\Run: [BIOV] C:\WINDOWS\BIOV.exe
O4 - HKLM\..\Run: [Bib camp less option] C:\Documents and Settings\All Users\Application Data\Software stop bib camp\cash save.exe
O4 - HKLM\..\Run: [BHOV] C:\WINDOWS\BHOV.exe
O4 - HKLM\..\Run: [BHOUELRY] C:\WINDOWS\BHOUELRY.exe
O4 - HKLM\..\Run: [AGNTAHK] C:\WINDOWS\AGNTAHK.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Rdr Option] C:\DOCUME~1\Mary\APPLIC~1\INTERA~1\Fork Help Build.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Service Manager.norun
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe


Woe is me. Thanks for your help.

#4
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
First we strongly recommend that you remove the following programs from your system. They are either mostly ineffective or spyware carriers:

1. I want you to UNINSTALL the following programs through the ADD/REMOVE feature of your Control Panel:

Kazaa
SpyHunter
WildTangent


2. Now, using Windows Explorer, I need you to DELETE the following folder(s) and all their content:

C:\Program Files\Kazaa

C:\Program Files\SpyHunter

C:\Program Files\WildTangent

3. REBOOT your system.

4. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren


#5
Marycw

  • Topic Starter
  • Member
  • 10 posts
Okay, I followed those steps and this is my latest log:


Logfile of HijackThis v1.99.1
Scan saved at 9:36:50 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\PROGRAM FILES\VIROBOTXP\VRRES.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch....aspx?tb_id=401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpDD75.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [yruzgz] C:\WINDOWS\yruzgz.exe
O4 - HKLM\..\Run: [XELRYFL] C:\WINDOWS\XELRYFL.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [VZDJQW] C:\WINDOWS\VZDJQW.exe
O4 - HKLM\..\Run: [VFMZCJMT] C:\WINDOWS\VFMZCJMT.exe
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TAHNUB] C:\WINDOWS\TAHNUB.exe
O4 - HKLM\..\Run: [RXELOUBI] C:\WINDOWS\RXELOUBI.exe
O4 - HKLM\..\Run: [RXE] C:\WINDOWS\RXE.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QXAHN] C:\WINDOWS\QXAHN.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OCIPVGMT] C:\WINDOWS\OCIPVGMT.exe
O4 - HKLM\..\Run: [NTEKRXUV] C:\WINDOWS\NTEKRXUV.exe
O4 - HKLM\..\Run: [nizqx] C:\WINDOWS\nizqx.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
O4 - HKLM\..\Run: [KRXBHO] C:\WINDOWS\KRXBHO.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [JUWGJ] C:\WINDOWS\JUWGJ.exe
O4 - HKLM\..\Run: [JQWAGNTH] C:\WINDOWS\JQWAGNTH.exe
O4 - HKLM\..\Run: [ITFISF] C:\WINDOWS\ITFISF.exe
O4 - HKLM\..\Run: [GMTZDJQ] C:\WINDOWS\GMTZDJQ.exe
O4 - HKLM\..\Run: [FMSZFMTZ] C:\WINDOWS\FMSZFMTZ.exe
O4 - HKLM\..\Run: [FMSZDJ] C:\WINDOWS\FMSZDJ.exe
O4 - HKLM\..\Run: [FMSZBHO] C:\WINDOWS\FMSZBHO.exe
O4 - HKLM\..\Run: [FIOVCIPVG] C:\WINDOWS\FIOVCIPVG.exe
O4 - HKLM\..\Run: [EKRXELRY] C:\WINDOWS\EKRXELRY.exe
O4 - HKLM\..\Run: [EKRXELR] C:\WINDOWS\EKRXELR.exe
O4 - HKLM\..\Run: [EKRXBL] C:\WINDOWS\EKRXBL.exe
O4 - HKLM\..\Run: [EKR] C:\WINDOWS\EKR.exe
O4 - HKLM\..\Run: [DKN] C:\WINDOWS\DKN.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [CJPWZAGN] C:\WINDOWS\CJPWZAGN.exe
O4 - HKLM\..\Run: [CIPVCJPW] C:\WINDOWS\CIPVCJPW.exe
O4 - HKLM\..\Run: [CDJQWA] C:\WINDOWS\CDJQWA.exe
O4 - HKLM\..\Run: [BIOVCILS] C:\WINDOWS\BIOVCILS.exe
O4 - HKLM\..\Run: [BIOV] C:\WINDOWS\BIOV.exe
O4 - HKLM\..\Run: [Bib camp less option] C:\Documents and Settings\All Users\Application Data\Software stop bib camp\cash save.exe
O4 - HKLM\..\Run: [BHOV] C:\WINDOWS\BHOV.exe
O4 - HKLM\..\Run: [BHOUELRY] C:\WINDOWS\BHOUELRY.exe
O4 - HKLM\..\Run: [AGNTAHK] C:\WINDOWS\AGNTAHK.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Rdr Option] C:\DOCUME~1\Mary\APPLIC~1\INTERA~1\Fork Help Build.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Service Manager.norun
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

Thanks for your help.
:tazz:

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch....aspx?tb_id=401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpDD75.tmp
O4 - HKLM\..\Run: [yruzgz] C:\WINDOWS\yruzgz.exe
O4 - HKLM\..\Run: [XELRYFL] C:\WINDOWS\XELRYFL.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [VZDJQW] C:\WINDOWS\VZDJQW.exe
O4 - HKLM\..\Run: [VFMZCJMT] C:\WINDOWS\VFMZCJMT.exe
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [TAHNUB] C:\WINDOWS\TAHNUB.exe
O4 - HKLM\..\Run: [RXELOUBI] C:\WINDOWS\RXELOUBI.exe
O4 - HKLM\..\Run: [RXE] C:\WINDOWS\RXE.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [QXAHN] C:\WINDOWS\QXAHN.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [OCIPVGMT] C:\WINDOWS\OCIPVGMT.exe
O4 - HKLM\..\Run: [NTEKRXUV] C:\WINDOWS\NTEKRXUV.exe
O4 - HKLM\..\Run: [nizqx] C:\WINDOWS\nizqx.exe
O4 - HKLM\..\Run: [KRXBHO] C:\WINDOWS\KRXBHO.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [JUWGJ] C:\WINDOWS\JUWGJ.exe
O4 - HKLM\..\Run: [JQWAGNTH] C:\WINDOWS\JQWAGNTH.exe
O4 - HKLM\..\Run: [ITFISF] C:\WINDOWS\ITFISF.exe
O4 - HKLM\..\Run: [GMTZDJQ] C:\WINDOWS\GMTZDJQ.exe
O4 - HKLM\..\Run: [FMSZFMTZ] C:\WINDOWS\FMSZFMTZ.exe
O4 - HKLM\..\Run: [FMSZDJ] C:\WINDOWS\FMSZDJ.exe
O4 - HKLM\..\Run: [FMSZBHO] C:\WINDOWS\FMSZBHO.exe
O4 - HKLM\..\Run: [FIOVCIPVG] C:\WINDOWS\FIOVCIPVG.exe
O4 - HKLM\..\Run: [EKRXELRY] C:\WINDOWS\EKRXELRY.exe
O4 - HKLM\..\Run: [EKRXELR] C:\WINDOWS\EKRXELR.exe
O4 - HKLM\..\Run: [EKRXBL] C:\WINDOWS\EKRXBL.exe
O4 - HKLM\..\Run: [EKR] C:\WINDOWS\EKR.exe
O4 - HKLM\..\Run: [DKN] C:\WINDOWS\DKN.exe
O4 - HKLM\..\Run: [CJPWZAGN] C:\WINDOWS\CJPWZAGN.exe
O4 - HKLM\..\Run: [CIPVCJPW] C:\WINDOWS\CIPVCJPW.exe
O4 - HKLM\..\Run: [CDJQWA] C:\WINDOWS\CDJQWA.exe
O4 - HKLM\..\Run: [BIOVCILS] C:\WINDOWS\BIOVCILS.exe
O4 - HKLM\..\Run: [BHOV] C:\WINDOWS\BHOV.exe
O4 - HKLM\..\Run: [BHOUELRY] C:\WINDOWS\BHOUELRY.exe
O4 - HKLM\..\Run: [AGNTAHK] C:\WINDOWS\AGNTAHK.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [Rdr Option] C:\DOCUME~1\Mary\APPLIC~1\INTERA~1\Fork Help Build.exe
O4 - Global Startup: Service Manager.norun



Now, using Windows Explorer, DELETE the following files/folders (with all their content), if they still exist:

C:\Program Files\safe-share<==Folder
C:\PROGRAM FILES\Toolbar<==Folder
C:\WINDOWS\System32\hpDD75.tmp
C:\WINDOWS\yruzgz.exe
C:\WINDOWS\XELRYFL.exe
C:\Program Files\WildTangent<==Folder
C:\WINDOWS\VZDJQW.exe
C:\WINDOWS\VFMZCJMT.exe
C:\WINDOWS\TAHNUB.exe
C:\WINDOWS\RXELOUBI.exe
C:\WINDOWS\RXE.exe
C:\WINDOWS\System32\msmsgs.exe<== Watch the spelling
C:\WINDOWS\QXAHN.exe
C:\WINDOWS\OCIPVGMT.exe
C:\WINDOWS\NTEKRXUV.exe
C:\WINDOWS\nizqx.exe
C:\WINDOWS\KRXBHO.exe
C:\Program Files\Kazaa<==Folder
C:\WINDOWS\JUWGJ.exe
C:\WINDOWS\JQWAGNTH.exe
C:\WINDOWS\ITFISF.exe
C:\WINDOWS\GMTZDJQ.exe
C:\WINDOWS\FMSZFMTZ.exe
C:\WINDOWS\FMSZDJ.exe
C:\WINDOWS\FMSZBHO.exe
C:\WINDOWS\FIOVCIPVG.exe
C:\WINDOWS\EKRXELRY.exe
C:\WINDOWS\EKRXELR.exe
C:\WINDOWS\EKRXBL.exe
C:\WINDOWS\EKR.exe
C:\WINDOWS\DKN.exe
C:\WINDOWS\CJPWZAGN.exe
C:\WINDOWS\CIPVCJPW.exe
C:\WINDOWS\CDJQWA.exe
C:\WINDOWS\BIOVCILS.exe
C:\WINDOWS\BHOV.exe
C:\WINDOWS\BHOUELRY.exe
C:\WINDOWS\AGNTAHK.exe
C:\WINDOWS\System32\intel32.exe
C:\DOCUME~1\Mary\APPLICATION DATA1\INTERA~1<==Folder

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g., Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next, go to Control Panel and click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.


Regards,

Trevuren

  • 0

#7
Marycw

    Member

  • Topic Starter
  • Member
  • 10 posts
Well, life is getting better. I'm not sure if I followed instructions to a T, but I can at least have my own homepage now. When I ran the Panda scan, I couldn't figure out where the "autoclean" box was so perhaps I have to do it again? I appreciate your wisdom and knowledge. Let me know what I should do next.

Logfile of HijackThis v1.99.1
Scan saved at 2:45:37 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\ViRobotXP\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jfadbbdrsklvq...jeC8GdZYzZ.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [BIOV] C:\WINDOWS\BIOV.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Bib camp less option] C:\Documents and Settings\All Users\Application Data\Software stop bib camp\SeekMedia.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Rdr Option] C:\DOCUME~1\Mary\APPLIC~1\INTERA~1\Fork Help Build.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:06:56 PM, 7/10/2005
+ Report-Checksum: D179F947

+ Scan result:

C:\Documents and Settings\Mary\Cookies\mary@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@ayb.lop[1].txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Mary\Cookies\mary@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Hijackthis\backups\backup-20050709-234422-934.dll -> Trojan.Puper.m : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1179\A0278264.exe -> TrojanDownloader.Small.gr : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1179\A0278268.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1179\A0278269.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1179\A0278270.dll -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1179\A0278271.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1179\A0278272.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1179\A0278273.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1179\A0278274.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1180\A0278280.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1180\A0278281.dll -> Trojan.Agent.ff : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1180\A0278299.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1180\A0278348.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1180\A0278412.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1180\A0278433.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1180\A0278451.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1180\A0278467.dll -> Trojan.Puper.t : Cleaned with backup


::Report End


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard.com


~~~ system32 ~~~

hp***.tmp
shnlog.exe
intmon.exe
hhk.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Infected!

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!


Panda scan


Incident Status Location

Adware:Adware/Lop No disinfected c:\docume~1\mary\locals~1\temp\nyqzgidf.exe
Adware:Adware/Lop No disinfected C:\DOCUME~1\ALLUSE~1\APPLIC~1\SOFTWA~1\SEEKME~1.EXE
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Bargain Buddy
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay
Adware:Adware/nCase No disinfected C:\WINDOWS\msbb*
Adware:Adware/CWS No disinfected C:\Documents and Settings\Mary\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Mary\Application Data\Lycos
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Mary\Favorites\online dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Mary\Favorites\Black Jack Online.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\01 NOUN.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\active bone.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\bikeregs.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\CakePhone.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\cash save.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\download aim.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\FORGLUE.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\Heart deaf.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\Livedownload.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\ooze bat.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\safevc.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\SeekMedia.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\Thatpoke.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Software stop bib camp\wma ford.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Application Data\Inter Amen\attcfeja.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Application Data\Inter Amen\Error Internet Spam.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Application Data\Inter Amen\Fork Help Build.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Application Data\Inter Amen\multi bits ace find.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Application Data\Inter Amen\zcfhgxrz.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Application Data\meet for dent\ItchBone.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\aepyfgaf.exe
Adware:Adware/Envolo No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/WinActive No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\bz2289.tmp[bz2289.tmp]
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\eiujgjjy.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\izcqsvez.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\omflfqhm.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\pch287.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\pch289.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\pch331.exe
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\temp.cab[toolbar.dll]
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\uleqtsiw.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Bob\Local Settings\Temp\wyxyucmq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Connor\Application Data\Inter Amen\Error Internet Spam.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Connor\Application Data\Inter Amen\Fork Help Build.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Connor\Application Data\Inter Amen\multi bits ace find.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Connor\Application Data\Inter Amen\oswunemf.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Connor\Application Data\Inter Amen\pyaqbfqr.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Connor\Application Data\Inter Amen\rxivtcry.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Connor\Local Settings\Temp\cnkxqdxk.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Connor\Local Settings\Temp\Inside Program.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Connor\Local Settings\Temporary Internet Files\Content.IE5\V6C7JT01\upAYB[1].int
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\azkljxkx.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\cezthlgd.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\ddxgqbwq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\Error Internet Spam.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\Fork Help Build.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\gtckeeaw.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\hpdnkdzd.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\jatojvfm.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\jwwcwseo.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\multi bits ace find.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\nvdyanji.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\rgdhhmws.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\xewyxbxk.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Application Data\Inter Amen\xvoijlkt.exe
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Mary\Favorites\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Mary\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Mary\Favorites\Network Security.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Mary\Favorites\Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Mary\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Mary\Favorites\Online Gambling.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Alprazolam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Carisoprodol.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Diazepam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Hydrocodone.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Lortab.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Online Pharmacy.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Prozac.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Valium.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Vicodin.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy\Xanax.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Mary\Favorites\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Mary\Favorites\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Mary\Favorites\Spam Filters.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Mary\Favorites\Web Detective.url
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Local Settings\Temp\nyqzgidf.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Mary\Local Settings\Temp\vzcmayix.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\bargain.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\msbbau.dat
  • 0

#8
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
That cleaned up a lot of junk. Now we have a LOP infection to get rid of.

1. I need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes.
  • Open Microsoft AntiSpyware.
  • Click on Options, Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware
2. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Please RUN HijackThis.
*Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jfadbbdrsklvq...jeC8GdZYzZ.html
O4 - HKLM\..\Run: [BIOV] C:\WINDOWS\BIOV.exe
O4 - HKLM\..\Run: [Bib camp less option] C:\Documents and Settings\All Users\Application Data\Software stop bib camp\SeekMedia.exe
O4 - HKCU\..\Run: [Rdr Option] C:\DOCUME~1\Mary\APPLIC~1\INTERA~1\Fork Help Build.exe
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe Mode menu item.
*Press Enter.


Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

FILES

C:\WINDOWS\BIOV.exe

FOLDERS (with all their content)


C:\Documents and Settings\All Users\Application Data\Software stop bib camp
C:\DOCUMENTS and SETTINGS\Mary\APPLICATION DATA\INTERA~1

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

  • 0
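Added example (not part of the original posts and not HijackThis's own code): a small checker that compares a HijackThis fix list against a follow-up log, matching each entry by the registry value or autostart slot it occupies rather than by the full line, so an entry that comes back with new data is reported as "changed" instead of "gone". The sample lines are copied from the logs in this thread (elided URLs kept as they appear); the function names and the three status labels are assumptions made for the example.

```python
import re

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [BIOV] C:\WINDOWS\BIOV.exe"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Body of an O4 registry autostart: "<hive>: [<value name>] <command>"
RUN_VALUE = re.compile(r"^(.*?): \[(.+?)\] (.*)$")


def parse_entry(line):
    """Return (slot, data) for a log entry, or None for any other line.

    The slot identifies *where* the entry lives (registry value or Run value
    name); the data is what currently sits there (URL or command line).
    """
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    run = RUN_VALUE.match(body)
    if code == "O4" and run:
        hive, name, command = run.groups()
        return (code, hive.lower(), name.lower()), command
    if code.startswith("R") and " = " in body:
        target, data = body.split(" = ", 1)
        return (code, target.lower()), data
    # Other sections: treat the whole body as the slot, with no separate data.
    return (code, body.lower()), ""


def index_log(text):
    """Map every slot found in a log to its current data."""
    slots = {}
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            slots[parsed[0]] = parsed[1]
    return slots


def verify_fix(fix_text, log_text):
    """Return [(status, fixed_line, data_in_follow_up_log), ...].

    gone     - the slot no longer appears in the follow-up log
    persists - the identical entry is still present
    changed  - the slot is still present but holds different data
    """
    after = index_log(log_text)
    report = []
    for line in fix_text.splitlines():
        parsed = parse_entry(line)
        if not parsed:
            continue
        slot, data = parsed
        if slot not in after:
            status = "gone"
        elif after[slot] == data:
            status = "persists"
        else:
            status = "changed"
        report.append((status, line.strip(), after.get(slot)))
    return report


# Items that were to be checked and fixed (copied from the thread).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jfadbbdrsklvq...jeC8GdZYzZ.html
O4 - HKLM\..\Run: [BIOV] C:\WINDOWS\BIOV.exe
O4 - HKLM\..\Run: [Bib camp less option] C:\Documents and Settings\All Users\Application Data\Software stop bib camp\SeekMedia.exe
O4 - HKCU\..\Run: [Rdr Option] C:\DOCUME~1\Mary\APPLIC~1\INTERA~1\Fork Help Build.exe
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
"""

# Excerpt of a later log from the same machine (copied from the thread).
FOLLOW_UP_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gguhmmyxj...jeC8GdZYzZ.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
"""

if __name__ == "__main__":
    for status, line, now in verify_fix(FIX_LIST, FOLLOW_UP_LOG):
        print(f"{status:8} {line}")
        if status == "changed":
            print(f"{'':8} now: {now}")
```

A "changed" result means the same registry value is still set but to different data, so it still needs attention even though the exact line from the fix list no longer appears in the log.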

#9
Marycw

    Member

  • Topic Starter
  • Member
  • 10 posts
I couldn't find the first R1 line you listed to delete, otherwise I did what you said. Using Explorer, I could only find "Software stop bib camp" to delete. Instead of

C:\documents and settings\Mary\application data\intera~1

I had a file named

C:\documents and settings\Mary\application data\interamen. Should I have deleted that? I didn't.

I know this may come as a shock to you, but twenty years ago I got a C in computer science in high school. I think I'm going to request that my grade be retroactively upgraded to a B- :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 5:41:14 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ViRobotXP\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gguhmmyxj...jeC8GdZYzZ.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

#10
Trevuren
1. Please download and run this LOP uninstaller from: HERE

2. REBOOT your system

3. Please post a fresh HJT log

Regards,

Trevuren

#11
Marycw
AAAAAGGHHH!

Logfile of HijackThis v1.99.1
Scan saved at 9:22:31 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\ViRobotXP\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ad1.zendmedia...c.php?id=start1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\lwbwheel.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

#12
Trevuren
Your log looks good from here. Give it a spin and if everything seems to be OK malwarewise, give me the OK and we will commence the final but essential cleanup procedures.

Regards,

Trevuren


#13
Marycw
I don't think so. It seemed like that LOP remover program hardly ran. Are you sure it worked? I had zenmedia set for my homepage, so I deleted the lines in the hijack code after I posted it here.

M.

#14
Trevuren
Why did you delete lines in your HJT log? That really doesn't make sense.

Trevuren

#15
Marycw
I deleted them via the "Fix checked" function in HijackThis ... not in the log. It was making my homepage a zenmedia ad.

M.