Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Ads won't go away. Log file enclosed. Plz hlp

Started by Merty111180 , Feb 10 2005 10:44 AM

  • Please log in to reply

#1
Merty111180
Posted 10 February 2005 - 10:44 AM

Merty111180

    New Member

  • Member
  • Pip
  • 2 posts
Hello,
I clicked on a website during lunch today and it installed all sorts of malware/spyware on my computer. I installed lavasoft adware SE and it helped but there seems to be too much for it, ran full scans 3 times including one before windows completely loads and still popups are apearing at a rate of 1 per 15 seconds. I am updating windows as I type (and close new ads) Can someone please tell me what I can choose to delete from Hijack this after the windows updates install? Thanks.

Ok, windows update is completed, and I ran the online spyware scanner suggested as well as the lavasoft se and the log file has been reduced, but the popups are still commin. Please help. THanks in advance.

I did a complete norton antivirus scan last nite, found no viruses. But about 30IE windows were open when I came in. Ran CW Shredder then followed up by spy subtract. Popups greatly reduced but there seems to be about one or two left. I ran Hijack this again, theres the new file:

Logfile of HijackThis v1.99.0
Scan saved at 8:56:49 AM, on 2/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\PortReporter\portreporter.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\jan9hz2g\jan9hz2g.exe
C:\WINNT\system32\Pbnbxp.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\sysmonnt.exe
C:\WINNT\system32\iniogsvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mbrennan\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pwcproxy:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = powerconceptsllc.com;ny.powerconceptsllc.com;192.168;<local>
O2 - BHO: (no name) - {3CC8B4E4-F011-4CA1-96F1-19FB964683EB} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O2 - BHO: (no name) - {4E8B6A16-A410-40F5-A049-CFA88CF869AA} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O2 - BHO: (no name) - {57F4AAB0-7BDC-438A-8A3D-A36487128B43} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O2 - BHO: (no name) - {A012702E-C450-49B9-86EC-AAEDD46E6E81} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E8E66D8F-D58F-465E-8256-C63D2A1BA289} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jan9hz2g] C:\Program Files\jan9hz2g\jan9hz2g.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Pbnbxp.exe
O4 - HKLM\..\Run: [gwmefgr] c:\winnt\system32\gwmefgr.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [pxvzwc] C:\WINNT\system32\pxvzwc.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteyel32.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [HovqRhd8W] iniogsvc.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ny.powerconceptsllc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ny.powerconceptsllc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ny.powerconceptsllc.com
O23 - Service: CWShredder Service - InterMute, Inc. - C:\program files\InterMute\SpySubtract\CWShredder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Port Reporter - Unknown - C:\Program Files\PortReporter\portreporter.exe
  • 0

Advertisements

#2
admin
Posted 10 February 2005 - 11:20 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Welcome to Geeks to Go! :tazz:

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {3CC8B4E4-F011-4CA1-96F1-19FB964683EB} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O2 - BHO: (no name) - {4E8B6A16-A410-40F5-A049-CFA88CF869AA} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O2 - BHO: (no name) - {57F4AAB0-7BDC-438A-8A3D-A36487128B43} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O2 - BHO: (no name) - {A012702E-C450-49B9-86EC-AAEDD46E6E81} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O2 - BHO: (no name) - {E8E66D8F-D58F-465E-8256-C63D2A1BA289} - C:\Program Files\jan9hz2g\jan9hz2g.dll
O4 - HKLM\..\Run: [jan9hz2g] C:\Program Files\jan9hz2g\jan9hz2g.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Pbnbxp.exe
O4 - HKLM\..\Run: [gwmefgr] c:\winnt\system32\gwmefgr.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [pxvzwc] C:\WINNT\system32\pxvzwc.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteyel32.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [HovqRhd8W] iniogsvc.exe
O23 - Service: Port Reporter - Unknown - C:\Program Files\PortReporter\portreporter.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Be sure you're able to view hidden files, and remove the following files/folders (if found):

C:\Program Files\jan9hz2g <- this folder
C:\WINNT\system32\Pbnbxp.exe
C:\WINNT\system32\sysmonnt.exe
C:\WINNT\system32\iniogsvc.exe
c:\winnt\system32\gwmefgr.exe
C:\windows\bundles\adl_mteststub.exe
C:\WINNT\system32\pxvzwc.exe
C:\winnt\system32\eliteyel32.exe
C:\WINNT\system32\sysmonnt <- this folder
C:\Program Files\PortReporter <- this folder

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. ;)
  • 0

#3
Merty111180
Posted 10 February 2005 - 01:55 PM

Merty111180

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Thanks so much for your help Admin,

Some things were a little different than in said post, I was unable to locate:

C:\WINNT\system32\iniogsvc.exe
c:\winnt\system32\gwmefgr.exe
C:\winnt\system32\eliteyel32.exe
C:\WINNT\system32\sysmonnt <- this folder

After I didn't find them in these locations, I did a windows/search for them and came up empty handed.

Also, when deleting pxvzwc.exe, I discovered programs directly above it named pxvzwb, pxvzwd, pxvzwe

Any new info or developments in this log file? The pop-ups are still present, but they seem to come to a hault about 5 minutes or so after I log in.

Thanks again for the assistance.



Logfile of HijackThis v1.99.0
Scan saved at 2:45:18 PM, on 2/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\mbrennan\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pwcproxy:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = powerconceptsllc.com;ny.powerconceptsllc.com;192.168;<local>
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteyel32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ny.powerconceptsllc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ny.powerconceptsllc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ny.powerconceptsllc.com
O23 - Service: CWShredder Service - InterMute, Inc. - C:\program files\InterMute\SpySubtract\CWShredder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP