View Full Version : iexplorer.exe
yukukuhi
2008-11-14, 16:57
iexplorer.exe is not ending it's process even after it being closed. Please Help. Please Reply And Thank you.
pskelley
2008-11-16, 14:48
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
From the limited information you have provided, there is no way I can tell you if I can help or not. I don't even know if it is a malware problem?
If you want to find out, read the directions posted above and pinned (sticky) to the top of this forum and start with the required HijackThis log.
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
Thanks
yukukuhi
2008-11-22, 15:19
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:54 PM, on 11/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVerTV\QuickTV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\Ofb1.dll (file missing)
O2 - BHO: (no name) - {484FFC3E-5891-BD10-0BED-75DFED1D8FA1} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdneu.exe] C:\WINDOWS\system32\kdneu.exe
O4 - HKLM\..\Run: [Amok web bash obj] C:\Documents and Settings\All Users\Application Data\seek film amok web\Mail proc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DOES WEB] C:\DOCUME~1\SS1611~1.RAM\APPLIC~1\BLEHBA~1\For That Data.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84BDD19D-C5F9-421F-AB6B-EEC31C8E86BF}: NameServer = 85.255.112.151;85.255.112.146
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 8008 bytes
pskelley
2008-11-22, 15:42
Thanks for returning your HJT log. You have many issues, some malware and some are not. You have this junk:
http://research.sunbelt-software.com/threatdisplay.aspx?name=C2.lop&threatid=8144
http://www.systemlookup.com/Startup/8495.html <<< this junk and much more.
You are also hacked by these Ukrainian criminals:
http://whois.domaintools.com/85.255.112.151 <<< see this
Where do you think you managed to get infected with all of this junk?:sad:
This is going to take time and effort, if you still want to proceed we will start like this.
1) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5 <<< this program is obsolete, uninstall it in Add Remove Programs.
http://free.grisoft.com/ww.download-avg-anti-spyware-and-anti-rootkit
2) This progam C:\PROGRA~1\Grisoft\AVG7 <<< is out of date (assuming you are using the free version) use these instructions to update to the newest free version:
http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
(this tutorial will save some resources i you can use it)
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm
After you have AVG 8 installed:
*Right click the icon for AVG in System Tray and choose Open AVG User Interface.
*Click on Update now, allow AVG to download and install any new updates.
* Click on Computer Scanner then choose "Scan whole computer", this takes about one hour on the computer I am using now.
(make sure you delete or move to the Virus Vault what is found)
* Near the bottom above the words "The scan is complete" choose "Export overview to file"
* Choose Desktop and give it a name you will recognize like AVG Scan Results, then choose SAVE.
* Close results and close the Interface.
* Copy and paste the contents of that file to this topic.
3) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
4) Post a new HJT log also.
Thanks
yukukuhi
2008-11-23, 14:53
"Scan ""Scan whole computer"" was finished."
"Infections found:";"1"
"Infected objects removed or healed:";"1"
"Not removed or healed:";"0"
"Spyware found:";"7"
"Spyware removed:";"7"
"Not removed:";"0"
"Warnings count:";"20"
"Information count:";"0"
"Scan started:";"Sunday, November 23, 2008, 5:12:22 PM"
"Scan finished:";"Sunday, November 23, 2008, 6:10:12 PM (57 minute(s) 49 second(s))"
"Total object scanned:";"687897"
"User who launched the scan:";"s.s.ram"
"Infections"
"File";"Infection";"Result"
"C:\WINDOWS\KOjesksie.exe";"Trojan horse Generic9.AKFT";"Moved to Virus Vault"
"Spyware"
"File";"Infection";"Result"
"C:\Program Files\NetPumper\NPNetPumper_Application.dll";"Adware Generic3.LLD";"Moved to Virus Vault"
"C:\Program Files\NetPumper\NPNetPumper_Audio.dll";"Adware Generic3.LLD";"Moved to Virus Vault"
"C:\Program Files\NetPumper\NPNetPumper_Video.dll";"Adware Generic3.LLD";"Moved to Virus Vault"
"C:\Program Files\NetPumper\TurnLog.exe";"Adware Generic2.PHY";"Moved to Virus Vault"
"D:\Softwares\absetup.exe";"Adware Generic2.UVH";"Moved to Virus Vault"
"D:\Softwares\absetup.exe:\$JJ\roboform.exe";"Adware Generic2.UVH";"Moved to Virus Vault"
"D:\Softwares\Alcohol 120% 1.9.7\CRACK\patch_ssc.exe";"Potentially harmful program HackTool.crack";"Moved to Virus Vault"
"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.e762f029";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@2o7[2].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@2o7[2].txt:\2o7.net.e7e7d917";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@ad.yieldmanager[2].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@ad.yieldmanager[2].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@doubleclick[1].txt";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@doubleclick[1].txt:\doubleclick.net.1d39bd48";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@real[1].txt";"Found Tracking cookie.Real";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@real[1].txt:\real.com.66561182";"Found Tracking cookie.Real";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@real[1].txt:\real.com.9cd7658a";"Found Tracking cookie.Real";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@real[1].txt:\real.com.d10953d0";"Found Tracking cookie.Real";"Potentially dangerous object"
yukukuhi
2008-11-23, 15:06
AVG Scan Results
"Scan ""Scan whole computer"" was finished."
"Infections found:";"1"
"Infected objects removed or healed:";"1"
"Not removed or healed:";"0"
"Spyware found:";"7"
"Spyware removed:";"7"
"Not removed:";"0"
"Warnings count:";"20"
"Information count:";"0"
"Scan started:";"Sunday, November 23, 2008, 5:12:22 PM"
"Scan finished:";"Sunday, November 23, 2008, 6:10:12 PM (57 minute(s) 49 second(s))"
"Total object scanned:";"687897"
"User who launched the scan:";"s.s.ram"
"Infections"
"File";"Infection";"Result"
"C:\WINDOWS\KOjesksie.exe";"Trojan horse Generic9.AKFT";"Moved to Virus Vault"
"Spyware"
"File";"Infection";"Result"
"C:\Program Files\NetPumper\NPNetPumper_Application.dll";"Adware Generic3.LLD";"Moved to Virus Vault"
"C:\Program Files\NetPumper\NPNetPumper_Audio.dll";"Adware Generic3.LLD";"Moved to Virus Vault"
"C:\Program Files\NetPumper\NPNetPumper_Video.dll";"Adware Generic3.LLD";"Moved to Virus Vault"
"C:\Program Files\NetPumper\TurnLog.exe";"Adware Generic2.PHY";"Moved to Virus Vault"
"D:\Softwares\absetup.exe";"Adware Generic2.UVH";"Moved to Virus Vault"
"D:\Softwares\absetup.exe:\$JJ\roboform.exe";"Adware Generic2.UVH";"Moved to Virus Vault"
"D:\Softwares\Alcohol 120% 1.9.7\CRACK\patch_ssc.exe";"Potentially harmful program HackTool.crack";"Moved to Virus Vault"
"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.e762f029";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Application Data\Mozilla\Firefox\Profiles\aqzwukpa.default\cookies.txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@2o7[2].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@2o7[2].txt:\2o7.net.e7e7d917";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@ad.yieldmanager[2].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@ad.yieldmanager[2].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@doubleclick[1].txt";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@doubleclick[1].txt:\doubleclick.net.1d39bd48";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@real[1].txt";"Found Tracking cookie.Real";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@real[1].txt:\real.com.66561182";"Found Tracking cookie.Real";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@real[1].txt:\real.com.9cd7658a";"Found Tracking cookie.Real";"Potentially dangerous object"
"C:\Documents and Settings\s.s.ram\Cookies\s.s.ram@real[1].txt:\real.com.d10953d0";"Found Tracking cookie.Real";"Potentially dangerous object"
uninstall_list
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.1
Adobe Shockwave Player
Adobe Stock Photos 1.0
AMVapp 2.1
AMVapp Audio Apps 2.0
AMVapp Support Tools 2.0
Apple Software Update
Audio Record Wizard v3.98
Avant Browser (remove only)
AVerTV GO 007 FM Plus
AVG Free 8.0
AVI MPEG WMV RM to MP3 Converter 1.6.8
AVI Splitter
AviSynth 2.5
Avisynth Filters 2.5x
AVS DVD Player version 2.4
BitTornado 0.3.8
Boilsoft Video Joiner 5.01
Boilsoft Video Splitter 5.01
dBpowerAMP
dBpoweramp DSP Effects
dBpoweramp Music Converter
DGMPEGDec 1.2.1
DivX Web Player
DVD Decrypter (Remove Only)
ffdshow [rev 1846] [2008-02-05]
Google Toolbar for Internet Explorer
Helix YUV Codecs (remove only)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Intel(R) Graphics Media Accelerator Driver
iPod for Windows 2005-11-17
iTunes
Lossless Codecs
Megaupload Toolbar
Microsoft .NET Framework 2.0
Microsoft Age of Empires Trial
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.18)
MSN
Nero Suite
NetPumper 1.23.0.0
Panasonic VS3_VS2_MX6_SA6 USB-Handset Manager
Panda ActiveScan 2.0
PhotoNow! 1.0
PremiereAVSPlugin 1.5
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Replay Media Catcher
Spybot - Search & Destroy
Ulead VideoStudio 11
VeohTV BETA
VideoReDo TVSuite Version 3.1.4.549
VirtualDubMod 1.5.4.1
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
Xiph QuickTime Components
XMLinst
Xvid 1.1.3 final uninstall
Yahoo! extras
Yahoo! Messenger
Yahoo! Toolbar
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:01 PM, on 11/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVerTV\QuickTV.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\Ofb1.dll (file missing)
O2 - BHO: (no name) - {484FFC3E-5891-BD10-0BED-75DFED1D8FA1} - (no file)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdneu.exe] C:\WINDOWS\system32\kdneu.exe
O4 - HKLM\..\Run: [Amok web bash obj] C:\Documents and Settings\All Users\Application Data\seek film amok web\Mail proc.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DOES WEB] C:\DOCUME~1\SS1611~1.RAM\APPLIC~1\BLEHBA~1\For That Data.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84BDD19D-C5F9-421F-AB6B-EEC31C8E86BF}: NameServer = 85.255.112.151;85.255.112.146
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat,avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 7028 bytes
pskelley
2008-11-23, 15:27
Thanks for returning your informatioon, we have a long way to go.
AVG scan results: Did you delete those bogus tracking cookies AVG found? Here is information to help you avoid those cookies:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
Information is available for Firefox if needed.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested: https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 8.1.1 <<< out of date and being exploited, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php
BitTornado 0.3.8 <<< uninstall all p2p programs:
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Resuming cleanup:
Disable resident protections (Antivirus...); you'll re-enable them after the scan
Credits: Eric_71
Download Lop S&D here:
http://eric.71.mespages.googlepages.com/LopSD.exe
Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (C:\lopR.txt)
Thanks
pskelley
2008-11-30, 16:07
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.