
Thread: Getting constant popups even when not on Internet Explorer.

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Posts
    6

    Getting constant popups even when not on Internet Explorer.

    Please help! I keep getting constant pop-ups even when I'm not using Internet Explorer. I've used Spybot, Spysweeper, Adaware, and can't get rid of it. Here's my hijackthis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 1:07:12 PM, on 7/31/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    d:\Documents and Settings\u08085\Desktop\Tools\HijackThis 1.99\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a9.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a9.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.a9.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy1.mwd.h2o:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *mwd.dst.ca.us;*.mwd.h2o;*mwdh2o.*;*mwdh20.*;*mwdsc.org;*mwdsc.net;144.166.*.*;*arrowheadtunnels.com;*dvlake.*;www.bwaterwise.*;www.bewaterwise.*;www.calwaterfuture.org;www.socalwaterdialogue.org;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [EZEJTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
    O4 - HKLM\..\Run: [rrpcrg] C:\Program Files\XPOINT\PE\rrpcrg.exe
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
    O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MetaPass Quick Launch] "d:\Documents and Settings\u08085\Application Data\MetaPass\sysdisk\MetaPassT.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: MWD Virtual Private Networking Client.lnk = C:\Program Files\MWD VPN\IPSec Connections\vpngui.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
    O15 - Trusted Zone: http://*.getmsds.com
    O15 - Trusted Zone: http://*.trendmicro.com
    O15 - Trusted Zone: http://*.getmsds.com (HKLM)
    O15 - Trusted Zone: http://*.trendmicro.com (HKLM)
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mwd.h2o
    O17 - HKLM\Software\..\Telephony: DomainName = mwd.h2o
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mwd.h2o
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\MWD VPN\IPSec Connections\cvpnd.exe
    O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
    O23 - Service: Proxy Host Service - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
    O23 - Service: QCONSVC - Unknown - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
    O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe

  2. #2
    Security Expert: Emeritus
    Join Date
    Jun 2006
    Location
    Texas
    Posts
    760

    Hello tlee33

    Welcome to Safer Networking Forums

    Please download VirtumundoBeGone:
    http://secured2k.home.comcast.net/to...undoBeGone.exe
    * Save it to the Desktop
    * Close all running programs (including your Internet Browser)
    * Double-click VirtumundoBeGone.exe on the Desktop
    * Follow the directions as indicated

    This program may generate a "Blue Screen of Death" which is an expected/necessary part of the process.
    Do not be concerned.
    Just reboot if your system "jams".

    To confirm successful deletion, and determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It is found on the Desktop. Please also post a new HijackThis log and let me know how your computer is running now.

    Thanks,
    tea

  3. #3
    Junior Member
    Join Date
    Jul 2006
    Posts
    6

    Thanks for the help.

    I ran the program but it didn't seem to find anything...here's the log it generated:

    [08/01/2006, 7:34:15] - VirtumundoBeGone v1.5 ( "d:\Documents and Settings\u08085\Desktop\VirtumundoBeGone.exe" )
    [08/01/2006, 7:34:19] - Detected System Information:
    [08/01/2006, 7:34:19] - Windows Version: 5.1.2600, Service Pack 1
    [08/01/2006, 7:34:19] - Current Username: u08085 (Admin)
    [08/01/2006, 7:34:19] - Windows is in NORMAL mode.
    [08/01/2006, 7:34:19] - Searching for Browser Helper Objects:
    [08/01/2006, 7:34:19] - Finished Searching Browser Helper Objects
    [08/01/2006, 7:34:19] - Finishing up...
    [08/01/2006, 7:34:19] - Nothing found! Exiting...

  4. #4
    Security Expert: Emeritus
    Join Date
    Jun 2006
    Location
    Texas
    Posts
    760

    Hello,

    Could I see a new HijackThis log please?

    Thanks,
    tea

  5. #5
    Junior Member
    Join Date
    Jul 2006
    Posts
    6

    Could there be some kind of installer running? Here's the latest Hijack file:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:41:37 PM, on 8/1/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\MWD VPN\IPSec Connections\cvpnd.exe
    C:\Program Files\OfficeScan NT\ntrtscan.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\OfficeScan NT\tmlisten.exe
    C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
    C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
    C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
    C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\TEMP\NFD018.EXE
    C:\WINDOWS\System32\tp4serv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\System32\AEIWLSTA.EXE
    C:\Program Files\Funk Software\Proxy Host\phtray.exe
    C:\Program Files\OfficeScan NT\pccntmon.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    D:\Documents and Settings\u08085\Application Data\MetaPass\sysdisk\MetaPassT.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\IBMTOOLS\APPS\BlueTooth Application\BTTray.exe
    C:\Program Files\IBMTOOLS\APPS\BlueTooth Application\BTStackServer.exe
    C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
    C:\WINDOWS\system32\rundll32.exe
    G:\Tools\HijackThis 1.99.1\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a9.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a9.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.a9.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy1.mwd.h2o:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *mwd.dst.ca.us;*.mwd.h2o;*mwdh2o.*;*mwdh20.*;*mwdsc.org;*mwdsc.net;144.166.*.*;*arrowheadtunnels.com;*dvlake.*;www.bwaterwise.*;www.bewaterwise.*;www.calwaterfuture.org;www.socalwaterdialogue.org;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [EZEJTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
    O4 - HKLM\..\Run: [rrpcrg] C:\Program Files\XPOINT\PE\rrpcrg.exe
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
    O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MetaPass Quick Launch] "d:\Documents and Settings\u08085\Application Data\MetaPass\sysdisk\MetaPassT.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: MWD Virtual Private Networking Client.lnk = C:\Program Files\MWD VPN\IPSec Connections\vpngui.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
    O15 - Trusted Zone: http://*.getmsds.com
    O15 - Trusted Zone: http://*.trendmicro.com
    O15 - Trusted Zone: http://*.getmsds.com (HKLM)
    O15 - Trusted Zone: http://*.trendmicro.com (HKLM)
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mwd.h2o
    O17 - HKLM\Software\..\Telephony: DomainName = mwd.h2o
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mwd.h2o
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\lv2409fqe.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\MWD VPN\IPSec Connections\cvpnd.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
    O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
    O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
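
The entry that changed between the first log and this one is the `O20 - Winlogon Notify: Themes` line pointing at a DLL in system32 with a machine-generated-looking name; that is what the helper is about to act on. The following is an added example, not code from the thread, from HijackThis or from any of the tools mentioned: it parses HijackThis report lines, diffs a new log against a baseline log, and singles out Winlogon Notify entries for manual review. The sample logs are constructed from trimmed copies of the first and third logs posted here, and the "random-name" check is a heuristic assumed for this example, not a HijackThis rule.

```python
import re
from dataclasses import dataclass

# Constructed samples: a trimmed copy of the thread's first log (baseline, no O20 line)
# and of the third log, which adds the "O20 - Winlogon Notify: Themes" entry.
BASELINE_LOG = r"""
Logfile of HijackThis v1.99.0
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: QCONSVC - Unknown - C:\WINDOWS\System32\QCONSVC.EXE
"""

CURRENT_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\lv2409fqe.dll
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
"""

# A HijackThis item line starts with a section tag ("R1", "O4", "O20", ...) followed by " - ".
ITEM_RE = re.compile(r'^(R\d|O\d+) - (.*)$')


@dataclass(frozen=True)
class HjtItem:
    section: str   # e.g. "O4", "O20", "R1"
    body: str      # everything after the "Oxx - " prefix


def parse_hjt(text):
    """Parse HijackThis report lines into HjtItem records; header and process lines are skipped."""
    items = []
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append(HjtItem(m.group(1), m.group(2)))
    return items


def new_items(baseline_text, current_text):
    """Items present in the current log but absent from the baseline, in log order."""
    seen = {(i.section, i.body) for i in parse_hjt(baseline_text)}
    return [i for i in parse_hjt(current_text) if (i.section, i.body) not in seen]


# Heuristic assumed for this example (not a HijackThis rule): a notify DLL whose basename is
# letters, then digits, then letters again (lv2409fqe.dll) looks machine-generated, whereas
# Windows XP's own notify DLLs such as crypt32.dll or wlnotify.dll do not fit that shape.
RANDOM_NAME_RE = re.compile(r'^[a-z]+\d+[a-z]+\.dll$', re.I)


def review_winlogon_notify(baseline_text, current_text):
    """Return (subkey, dll_path, reasons) for every O20 Winlogon Notify entry worth a manual look.

    reasons contains 'new' if the entry is absent from the baseline log and 'random-name'
    if the DLL basename matches the heuristic above.
    """
    baseline = {(i.section, i.body) for i in parse_hjt(baseline_text)}
    findings = []
    for item in parse_hjt(current_text):
        if item.section != 'O20' or not item.body.startswith('Winlogon Notify: '):
            continue
        subkey, _, dll_path = item.body[len('Winlogon Notify: '):].partition(' - ')
        reasons = []
        if (item.section, item.body) not in baseline:
            reasons.append('new')
        if RANDOM_NAME_RE.match(dll_path.rsplit('\\', 1)[-1]):
            reasons.append('random-name')
        if reasons:
            findings.append((subkey, dll_path, reasons))
    return findings


if __name__ == '__main__':
    for item in new_items(BASELINE_LOG, CURRENT_LOG):
        print(f'new: {item.section} - {item.body}')
    for subkey, path, reasons in review_winlogon_notify(BASELINE_LOG, CURRENT_LOG):
        print(f'review O20 {subkey}: {path} ({", ".join(reasons)})')
```

Running it lists two new items, because the O23 line changed wording between HijackThis 1.99.0 and 1.99.1 (a reminder that a raw diff carries version noise), but only the O20 entry is flagged for review, and it is flagged on both counts: it is new relative to the first log and its DLL name fits the random-name pattern. Diffing against the same log drops the 'new' reason and keeps only the name heuristic.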

  6. #6
    Security Expert: Emeritus
    Join Date
    Jun 2006
    Location
    Texas
    Posts
    760

    Hello,

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new...b/MSWINSCK.OCX

    Thanks,
    tea

  7. #7
    Junior Member
    Join Date
    Jul 2006
    Posts
    6

    Fixed!

    Looks like it worked. You are awesome!! Thanks a bunch!!!!
    Here's my log:


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 8/1/2006 2:03:07 PM

    Infected! C:\WINDOWS\system32\lv2409fqe.dll
    Infected! C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0087927.dll
    Infected! C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0087932.dll
    Infected! C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0089289.dll
    Infected! C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0089301.dll
    Infected! C:\WINDOWS\System32\guard.tmp

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\lv2409fqe.dll
    C:\WINDOWS\system32\lv2409fqe.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0087927.dll
    C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0087927.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0087932.dll
    C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0087932.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0089289.dll
    C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0089289.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0089301.dll
    C:\System Volume Information\_restore{36870944-E622-4235-8073-BCF24E8ACB25}\RP558\A0089301.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\System32\guard.tmp
    C:\WINDOWS\System32\guard.tmp Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Themes

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{567D145A-40D5-471B-B399-2BC4274DB61A}"
    HKCR\Clsid\{567D145A-40D5-471B-B399-2BC4274DB61A}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

  8. #8
    Security Expert: Emeritus
    Join Date
    Jun 2006
    Location
    Texas
    Posts
    760

    Hello,

    Glad it's better. Could I see a new HijackThis log please?

    Thanks,
    tea

  9. #9
    Junior Member
    Join Date
    Jul 2006
    Posts
    6

    Here's my latest log:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:10:48 AM, on 8/2/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\MWD VPN\IPSec Connections\cvpnd.exe
    C:\Program Files\OfficeScan NT\ntrtscan.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\OfficeScan NT\tmlisten.exe
    C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
    C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
    C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
    C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
    C:\TEMP\WX2C6D.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\tp4serv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
    C:\WINDOWS\System32\AEIWLSTA.EXE
    C:\Program Files\Funk Software\Proxy Host\phtray.exe
    C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
    C:\Program Files\OfficeScan NT\pccntmon.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    D:\Documents and Settings\u08085\Application Data\MetaPass\sysdisk\MetaPassT.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\IBMTOOLS\APPS\BlueTooth Application\BTTray.exe
    C:\Program Files\IBMTOOLS\APPS\BlueTooth Application\BTStackServer.exe
    C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
    C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
    d:\DOCUME~1\u08085\LOCALS~1\Temp\~e5d141.tmp
    C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    d:\DOCUME~1\u08085\LOCALS~1\Temp\~e5d141.tmp
    C:\Program Files\Internet Explorer\iexplore.exe
    d:\Documents and Settings\u08085\Desktop\Tools\HijackThis 1.99\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a9.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a9.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.a9.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy1.mwd.h2o:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *mwd.dst.ca.us;*.mwd.h2o;*mwdh2o.*;*mwdh20.*;*mwdsc.org;*mwdsc.net;144.166.*.*;*arrowheadtunnels.com;*dvlake.*;www.bwaterwise.*;www.bewaterwise.*;www.calwaterfuture.org;www.socalwaterdialogue.org;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [EZEJTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\EZEJTRAY.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
    O4 - HKLM\..\Run: [rrpcrg] C:\Program Files\XPOINT\PE\rrpcrg.exe
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
    O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MetaPass Quick Launch] "d:\Documents and Settings\u08085\Application Data\MetaPass\sysdisk\MetaPassT.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: MWD Virtual Private Networking Client.lnk = C:\Program Files\MWD VPN\IPSec Connections\vpngui.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
    O15 - Trusted Zone: http://*.getmsds.com
    O15 - Trusted Zone: http://*.trendmicro.com
    O15 - Trusted Zone: http://*.getmsds.com (HKLM)
    O15 - Trusted Zone: http://*.trendmicro.com (HKLM)
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mwd.h2o
    O17 - HKLM\Software\..\Telephony: DomainName = mwd.h2o
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mwd.h2o
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\MWD VPN\IPSec Connections\cvpnd.exe
    O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
    O23 - Service: Proxy Host Service - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
    O23 - Service: QCONSVC - Unknown - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
    O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe

  10. #10
    Security Expert: Emeritus
    Join Date
    Jun 2006
    Location
    Texas
    Posts
    760
    Hello,

    Please navigate to these files and delete them:

    C:\TEMP\WX2C6D.EXE
    d:\DOCUME~1\u08085\LOCALS~1\Temp\~e5d141.tmp

    Empty everything else you find in the temp folder while you're there.

    Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html

    Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

    Reboot your computer.

    In your reply, please post a new HijackThis log and let me know how your computer is running now.

    Thanks,
    tea
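As an added example (my own code, not from this thread or from the HijackThis tool): a small Python parser for the one-entry-per-line HijackThis log format shown above, with a few defender-side review hints such as Run values with no full path, an unresolved Global Startup shortcut, Trusted Zone additions, services with no vendor string and registry entries pointing at a missing file. The sample entries are copied from the log above; the hint names and the heuristics are assumptions of mine, meant to prioritise manual review rather than to pronounce anything malicious.

```python
import re
from collections import defaultdict

# Constructed sample: a few entries copied from the HijackThis log above, in the
# same one-entry-per-line format the tool writes (this is not the whole log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - Global Startup: BTTray.lnk = ?
O15 - Trusted Zone: http://*.getmsds.com
O15 - Trusted Zone: http://*.trendmicro.com (HKLM)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: QCONSVC - Unknown - C:\WINDOWS\System32\QCONSVC.EXE
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Return (section, body) pairs for each entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def triage(entries):
    """Group entries under review hints (my own heuristics, not HijackThis output)."""
    hints = defaultdict(list)
    for section, body in entries:
        if section == "O4" and "\\..\\Run:" in body:
            target = body.split("] ", 1)[1]
            # A Run value with no drive/path is resolved by Windows' search order,
            # so which file really starts cannot be confirmed from the log alone.
            if not re.search(r"[A-Za-z]:\\", target):
                hints["run_without_full_path"].append(body)
        elif section == "O4" and body.endswith("= ?"):
            hints["unresolved_startup_shortcut"].append(body)  # target not resolved
        elif section == "O15":
            hints["trusted_zone"].append(body)  # sites exempt from normal IE zone limits
        elif section == "O23" and " - Unknown - " in body:
            hints["service_unknown_vendor"].append(body)  # no company string in binary
        if "(file missing)" in body:
            hints["dangling_reference"].append(body)  # registry points at an absent file
    return dict(hints)
```

Run `triage(parse_hjt(open("hijackthis.log").read()))` on a full log to get the grouped hints; each group still needs a human to check the named file against its vendor and location.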
