Numerous Adware Problems - Command, Surf Side Kick, Windows Installer, etc



R Brooks
2006-08-01, 01:48
Boy, do I have a mess.

First, I have tried to read previous threads and fix the problems. I think I have eliminated a lot of adware programs but some still persist. One of the main problems now is the repeating pop-up of something called "Windows Installer" that tries to install something about every 3 seconds. Some program called "HpSdpAppCoreApp" keeps trying to run also.

This problem prohibits me from doing any online scan (Pandascan tried repeatedly).

Here is the log from Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 5:30:12 PM, on 7/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wfxqhv.exe
C:\Program Files\Common Files\{D8DC6F63-09E4-1033-0415-040203200001}\Update.exe
C:\WINDOWS\System32\zqskw.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yaysy.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,jugwjcp.exe
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll

I have run all these different programs (and maybe a couple of others):

Spy-Bot
Ad-Aware SE
Combofix
Ren-cmdservice
Smitfraudfix
VundoFix

I think some of the problems were removed.

Thanks in advance,

Robert
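
An added example (mine, not from this thread and not a HijackThis feature): a Python triage script that parses log lines in the format above and flags the patterns a helper looks for: extra programs appended to Shell= or UserInit=, the same DLL registered as a BHO (O2) and as a Winlogon Notify handler (O20) or text/html filter (O18), ActiveX packages (O16) pulled from a bare IP address or a local .chm, an autostart (O4) path containing '?' or sitting at the drive root, and a site in the Trusted Zone (O15). The rules and severity labels are my own heuristics and the sample lines are excerpted from the first log; the k6mmN5IOU entry is deliberately left unflagged, since a random-looking name in System32 needs a file lookup rather than a log rule.

```python
import ntpath
import re
from collections import namedtuple

# Constructed sample input: lines excerpted from the first HijackThis log in
# this thread, plus one benign O4 entry (iTunesHelper) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yaysy.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,jugwjcp.exe
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfg_7.exe
O4 - HKCU\..\Run: [Tgbill] C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.IGNORECASE)
Finding = namedtuple("Finding", "kind severity reason line")  # severity labels are this script's own


def parse_entries(text):
    # Split a log into (section, body, raw line) triples, e.g. ("O20", "Winlogon Notify: ...", line).
    out = []
    for raw in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(raw)
        if m:
            out.append((m.group(1), m.group(2), raw))
    return out


def dll_name(body):
    # Lower-cased file name of the DLL referenced in an entry body, if any.
    m = re.search(r"([\w~]+\.dll)\b", body, re.IGNORECASE)
    return m.group(1).lower() if m else None


def check_f2(body):
    """Shell= must be exactly Explorer.exe and UserInit= exactly userinit.exe; anything appended after a comma runs at every logon."""
    m = re.match(r"REG:system\.ini:\s*(Shell|UserInit)=(.*)", body, re.IGNORECASE)
    if not m:
        return None
    key, value = m.group(1), m.group(2)
    expected = "explorer.exe" if key.lower() == "shell" else "userinit.exe"
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extras = [p for p in parts if ntpath.basename(p).lower() != expected]
    return ("high", f"{key}= also launches {', '.join(extras)}; only {expected} belongs here") if extras else None


def check_o4(body):
    """Autostart (Run key / Startup folder) entries: look at where the executable lives."""
    m = re.match(r"(.*?): \[(.*?)\] (.*)", body)
    if not m:
        return None
    name, command = m.group(2), m.group(3)
    em = EXE_RE.match(command)
    path = em.group(1) if em else command
    if "?" in path:  # assumption: '?' is a non-ANSI (look-alike) character the log writer could not encode
        return "high", f"[{name}] runs {path}: look-alike name"
    if re.match(r"^[a-z]:\\+[^\\]+$", path, re.IGNORECASE):
        return "high", f"[{name}] runs an executable dropped at the drive root: {path}"
    return None


def check_o16(body):
    # Downloaded Program Files (ActiveX): where was the .cab fetched from?
    url = body.rsplit(" - ", 1)[-1]
    if url.lower().startswith("mk:@msitstore:"):
        return "high", f"ActiveX package sourced from a local help (.chm) file: {url}"
    if IP_URL_RE.match(url):
        return "high", f"ActiveX package fetched from a bare IP address: {url}"
    return None


def triage(text):
    entries = parse_entries(text)
    # DLLs registered as Browser Helper Objects; used to correlate O18/O20 entries.
    bho_dlls = {dll_name(b) for k, b, _ in entries if k == "O2"} - {None}
    findings = []
    for kind, body, raw in entries:
        hit = None
        if kind == "F2":
            hit = check_f2(body)
        elif kind == "O4":
            hit = check_o4(body)
        elif kind == "O15":
            hit = "review", "site placed in IE's Trusted Zone, which relaxes ActiveX/script limits"
        elif kind == "O16":
            hit = check_o16(body)
        elif kind in ("O18", "O20"):
            name = dll_name(body)
            role = "text/html MIME filter" if kind == "O18" else "Winlogon Notify handler"
            if name in bho_dlls:
                hit = "high", f"{name} is both a BHO and a {role}: browser hook plus logon persistence"
            else:
                hit = "review", f"{role} loads {name}; verify its publisher"
        if hit:
            findings.append(Finding(kind, hit[0], hit[1], raw))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns nine findings; the two F2 lines, the O18/O20 pair sharing a DLL with the O2 entries, and both O16 sources come out as "high".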

teacup61
2006-08-01, 09:31
Hello Robert,

Welcome to Safer Networking Forums :)

Please download VirtumundoBeGone:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the directions as indicated

This program may generate a "Blue Screen of Death" which is an expected/necessary part of the process.
Do not be concerned.
Just reboot if your system "jams".

To confirm successful deletion, and determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It is found on the Desktop.

Your log shows that you have disabled some startup programs using MSConfig.
This is not recommended because I cannot clearly see everything that is loading on your computer at startup.
To enable all startup items quickly please follow these instructions:

Start | Run | type msconfig | OK
If not already selected go to the General tab.
Under Startup Selection select "Normal Startup - load all device drivers and services".
Click Apply and then Close.
When given the option, please choose to restart the computer.
Post a new log when you are done.


Thanks,
tea

R Brooks
2006-08-01, 19:55
Thanks for the response. Here is what I got with virtumundo:

[08/01/2006, 12:37:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[08/01/2006, 12:37:11] - Detected System Information:
[08/01/2006, 12:37:11] - Windows Version: 5.1.2600, Service Pack 1
[08/01/2006, 12:37:11] - Current Username: Owner (Admin)
[08/01/2006, 12:37:11] - Windows is in NORMAL mode.
[08/01/2006, 12:37:11] - Searching for Browser Helper Objects:
[08/01/2006, 12:37:11] - BHO 1: {D623BC2F-A58D-4A75-A10D-CC244A702A35} (Ozbyq Class)
[08/01/2006, 12:37:11] - BHO 2: {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} (DPCUpdater Object)
[08/01/2006, 12:37:11] - BHO 3: {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} ()
[08/01/2006, 12:37:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/01/2006, 12:37:11] - No filename found. Continuing.
[08/01/2006, 12:37:11] - Finished Searching Browser Helper Objects
[08/01/2006, 12:37:11] - Finishing up...
[08/01/2006, 12:37:11] - Nothing found! Exiting...

And here is the Hijack this list:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:39 PM, on 8/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\System32\MsiExec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\yaysy.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,jugwjcp.exe
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [himgyu] C:\WINDOWS\System32\iqioyw.exe reg_run
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [win32095-65664220] C:\WINDOWS\win32095-65664220.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [myzwkesA] C:\WINDOWS\myzwkesA.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfg_7.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrfg_7.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [eetha] C:\WINDOWS\System32\iqioyw.exe reg_run
O4 - HKCU\..\Run: [Yak!] C:\Program Files\Yak!\Yak.exe
O4 - HKCU\..\Run: [Tgbill] C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
O4 - HKCU\..\Run: [SysProtect Free] C:\Program Files\SysProtect Free\USYP.exe /scan
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\MANTEC~1\chkdsk.exe" -vt yazr
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kfiw] C:\Program Files\Common Files\kfiw\kfiwm.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: axtpf.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I did do the Normal Start Up - that "Windows Installer" program still runs about every 3 seconds - always putting its little window on top of what I am working on.

Awaiting the next step,

Robert

teacup61
2006-08-01, 22:33
Hello,

Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Look in your control panel's add/remove programs for PuritySCAN By OIN, OuterInfo, OIN, Cowabanga, SnowballWars or similar. Click on it and then click remove.

Reboot and if found, delete this folder:

C:\Program Files\PurityScan

If not listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
http://www.outerinfo.com/howto.html
Tutorial for the uninstaller if needed

Reboot when done and if found, delete this folder:

C:\Program Files\PurityScan

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip

Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.


Finally post a new Hijack This log and the contents of the Qoofix logfile.

Try running the VirtumundoBeGone now. Vundo is there, but so are a lot of other things.

Thanks,
tea

R Brooks
2006-08-01, 23:19
Not sure if we are making headway or not.

Here are the logs:

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/1/2006] at [4:03:14 PM]
-------------------------------------------------------------
Terminated module: oxiopfa.dll found in Qoofix.exe (3544)
Terminated module: oxiopfa.dll found in iqioyw.exe (1312)
Terminated module: oxiopfa.dll found in explorer.exe (1320)
Terminated module: oxiopfa.dll found in yaysy.exe (1328)
Terminated module: oxiopfa.dll found in yaysy.exe (1344)
Terminated module: oxiopfa.dll found in yaysy.exe (1364)
Terminated module: oxiopfa.dll found in xload.exe (1616)
Terminated module: oxiopfa.dll found in win32095-65664220.exe (1624)
Terminated module: oxiopfa.dll found in sgtray.exe (1640)
Terminated module: oxiopfa.dll found in qttask.exe (1664)
Terminated module: oxiopfa.dll found in iTunesHelper.exe (1672)
Terminated module: oxiopfa.dll found in igfxtray.exe (1680)
Terminated module: oxiopfa.dll found in hpsysdrv.exe (1696)
Terminated module: oxiopfa.dll found in hkcmd.exe (1736)
Terminated module: oxiopfa.dll found in ALCXMNTR.EXE (208)
Terminated module: oxiopfa.dll found in AGRSMMSG.exe (236)
Terminated module: oxiopfa.dll found in Yak.exe (260)
Terminated module: oxiopfa.dll found in m?iexec.exe (272)
Terminated module: oxiopfa.dll found in msmsgs.exe (344)
Terminated module: oxiopfa.dll found in kfiwm.exe (400)
Terminated module: oxiopfa.dll found in kfiwa.exe (472)
-------------------------------------------------------------
C:\WINDOWS\System32\iqioyw.exe will be deleted on reboot!
C:\WINDOWS\System32\jugwjcp.exe will be deleted on reboot!
C:\WINDOWS\System32\nnwrk.dat will be deleted on reboot!
C:\WINDOWS\System32\oxiopfa.dll will be deleted on reboot!
C:\WINDOWS\System32\yaysy.exe will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\axtpf.exe will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/1/2006] at [4:04:46 PM]

Note: Some registry keys may have been removed.


Logfile of HijackThis v1.99.1
Scan saved at 4:11:22 PM, on 8/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wfxqhv.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\System32\zqskw.exe
C:\WINDOWS\win32095-65664220.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\{D8DC6F63-09E4-1033-0415-040203200001}\Update.exe
C:\Program Files\Yak!\Yak.exe
C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
C:\PROGRA~1\MANTEC~1\chkdsk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\kfiw\kfiwm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\kfiw\kfiwa.exe
C:\WINDOWS\System32\MsiExec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
C:\Documents and Settings\Owner\Desktop\vundofix.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [himgyu] C:\WINDOWS\System32\iqioyw.exe reg_run
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [win32095-65664220] C:\WINDOWS\win32095-65664220.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [myzwkesA] C:\WINDOWS\myzwkesA.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfg_7.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrfg_7.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [Yak!] C:\Program Files\Yak!\Yak.exe
O4 - HKCU\..\Run: [Tgbill] C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
O4 - HKCU\..\Run: [SysProtect Free] C:\Program Files\SysProtect Free\USYP.exe /scan
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\MANTEC~1\chkdsk.exe" -vt yazr
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kfiw] C:\Program Files\Common Files\kfiw\kfiwm.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Any idea what that "Windows Installer" is that I mentioned? It still keeps popping up in front of any window every 3 seconds or so. It will open 9 or 10 of them at times.

Ran the VirtumundoBeGone and it said no Vundo found.

Robert

teacup61
2006-08-01, 23:44
Hi Robert,

Believe it or not, there was progress made. :) We just have to keep at this. The Installer is likely malware, so as we get this clean it should at some point go away. If you already have vundofix, please delete it to make sure we get the latest version downloaded.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once the scan is complete, Right Click inside the listbox (white box) and click add more files
* Copy&Paste the 2 entries below into the top 2 boxes

o C:\WINDOWS\System32\vtutr.dll
o C:\WINDOWS\System32\rtutv*

* Click Add Files and Click Close Window
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Keep at it, you're doing fine.

tea

R Brooks
2006-08-04, 00:50
Will do the above in the morning when I am back at the computer.

Will download Vendomundo again, but just downloaded the current version I have 4 days ago.

Still, will do as directed.

Robert

R Brooks
2006-08-08, 19:54
Tea, sorry I am a few days behind.

I did try your last instructions but met with limited success.

* Double-click VundoFix.exe to run it. WORKED OK
* Put a check next to Run VundoFix as a task. WORKED OK
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK WORKED OK
* When VundoFix re-opens, click the Scan for Vundo button. WORKED OK
* Once the scan is complete, Right Click inside the listbox (white box) and click add more files WOULD NOT RESPOND - COULD NOT ADD THE FILES BELOW
* Copy&Paste the 2 entries below into the top 2 boxes

o C:\WINDOWS\System32\vtutr.dll
o C:\WINDOWS\System32\rtutv*

IT DID FIND THESE FILES ON THE SCAN THOUGH:
C:\WINDOWS\System32\vtutr.dll
C:\WINDOWS\System32\rtutv.ini
C:\WINDOWS\System32\rtutv.bak2

NONE OF THE FOLLOWING COULD BE COMPLETED:
* Click Add Files and Click Close Window
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:27:01 PM, on 8/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\zqskw.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\win32095-65664220.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\{D8DC6F63-09E4-1033-0415-040203200001}\Update.exe
C:\Program Files\Yak!\Yak.exe
C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
C:\PROGRA~1\MANTEC~1\chkdsk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\kfiw\kfiwm.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\kfiw\kfiwa.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsiExec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\VundoFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [himgyu] C:\WINDOWS\System32\iqioyw.exe reg_run
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [win32095-65664220] C:\WINDOWS\win32095-65664220.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [myzwkesA] C:\WINDOWS\myzwkesA.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfg_7.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrfg_7.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [Yak!] C:\Program Files\Yak!\Yak.exe
O4 - HKCU\..\Run: [Tgbill] C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
O4 - HKCU\..\Run: [SysProtect Free] C:\Program Files\SysProtect Free\USYP.exe /scan
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\MANTEC~1\chkdsk.exe" -vt yazr
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kfiw] C:\Program Files\Common Files\kfiw\kfiwm.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks,

robert

teacup61
2006-08-08, 22:19
Hello,

Please download, install, and update Ewido anti-spyware (http://www.ewido.net/en/download/)


Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Close ewido. Do not run it yet.


Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [himgyu] C:\WINDOWS\System32\iqioyw.exe reg_run
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [win32095-65664220] C:\WINDOWS\win32095-65664220.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [myzwkesA] C:\WINDOWS\myzwkesA.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfg_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrfg_7.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [Tgbill] C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
O4 - HKCU\..\Run: [SysProtect Free] C:\Program Files\SysProtect Free\USYP.exe /scan
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\MANTEC~1\chkdsk.exe" -vt yazr
O4 - HKCU\..\Run: [kfiw] C:\Program Files\Common Files\kfiw\kfiwm.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Also, delete the following files/folders (if they exist):

C:\WINDOWS\System32\xeymi.dll
C:\WINDOWS\System32\vtutr.dll
C:\WINDOWS\System32\iqioyw.exe
C:\WINDOWS\System32\wfxqhv.exe
C:\WINDOWS\win32095-65664220.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\myzwkesA.exe
C:\\kybrdfg_7.exe
C:\\dfndrfg_7.exe
C:\WINDOWS\v1201.exe
C:\Program Files\SysProtect Free <----this folder
C:\PROGRA~1\MANTEC~1 <----this folder. May have more letters, but will start with MANTEC
C:\Program Files\Common Files\kfiw <-----this folder
C:\Program Files\Compaq Connections\1940576 <------this folder. NOT the whole Compaq folder!
C:\DOCUME~1\Owner\LOCALS~1\Temp\mma.chm::/joysavsht.cab <----when you delete this file, delete everything else you see in the temp folder, NOT the folder itself.
C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab

Use Cleanmgr to clean temporary files:

1. Click > start > run and type cleanmgr and click OK
2. Scan your system for files to remove.
3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
4. Click OK to remove those files.
5. Click Yes to confirm deletion.


In Safe Mode, load Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Restart back into Normal Mode.


Please delete your version of ComboFix, as the tool is updated constantly and we need to make sure we have the newest version. :)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your reply, please post the report from Ewido, the ComboFix log, and a new HijackThis log. These will take a LOT of room, so you may need to use more than one post to fit them in. Please also let me know how your computer is running now.

Thanks,
tea

R Brooks
2006-08-09, 07:45
I got all the way to the Ewido scan, and the program stops responding at the "Apply all actions" part.

Tried it twice and froze both times.

Scan takes about 45-50 minutes.

Becoming discouraged.

robert

teacup61
2006-08-09, 08:34
Don't give up! This stuff is tough, but you're doing fine. We just have to be tougher. We do have bigger guns if the normal things don't work. ;) Did you try the ComboFix part again? I'd also like to see a new HijackThis log, please. :)

Hang in there. ;)
tea

R Brooks
2006-08-10, 01:09
Combofix stalls - as does just about everything on Normal Startup because that Windows Installer program is constantly opening and trying to install something (which it can't do for some reason).

It will get up to 15 windows going at a time, and you cannot close them fast enough to get any other program to run.

I tried running VundoFix but it never re-opens as "a task."

The Surf Side Kick has never gone away at any point.

Sorry to sound so full of complaints.

I can get the HijackThis log, but things don't seem to be clearing:

Logfile of HijackThis v1.99.1
Scan saved at 6:00:16 PM, on 8/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\System32\vf1v62x.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [wGzyM6F48] C:\WINDOWS\System32\apbzk.exe
O4 - HKLM\..\Run: [epy9J] "C:\WINDOWS\System32\l3jdfs.exe"
O4 - HKLM\..\Run: [sys0256642205-6] C:\WINDOWS\sys0256642205-6.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Yak!] C:\Program Files\Yak!\Yak.exe
O4 - HKCU\..\Run: [Tgbill] C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
O4 - HKCU\..\Run: [SysProtect Free] C:\Program Files\SysProtect Free\USYP.exe /scan
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\WNSXS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kfiw] C:\Program Files\Common Files\kfiw\kfiwm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\System32\vf1v62x.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

teacup61
2006-08-10, 03:23
Hello,

Complain and vent, just don't be mean. I know it's frustrating.;)

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\System32\vf1v62x.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [wGzyM6F48] C:\WINDOWS\System32\apbzk.exe
O4 - HKLM\..\Run: [epy9J] "C:\WINDOWS\System32\l3jdfs.exe"
O4 - HKLM\..\Run: [sys0256642205-6] C:\WINDOWS\sys0256642205-6.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Tgbill] C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\WNSXS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\System32\vf1v62x.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Also, delete the following files/folders (if they exist):

C:\Program Files\SurfSideKick 3 <---this folder
C:\WINDOWS\System32\vf1v62x.dll
C:\WINDOWS\System32\WinNB57.dll
C:\WINDOWS\System32\vtutr.dll
C:\WINDOWS\thiselt.exe
C:\WINDOWS\System32\apbzk.exe
C:\WINDOWS\System32\l3jdfs.exe
C:\WINDOWS\sys0256642205-6.exe
C:\WINDOWS\IA <----this folder, if possible.
C:\Program Files\Network Monitor <---this folder
Locate by searching for the following, and delete repairs303169590.dll

Copy and paste the next command via Start > Run:

sc delete cmdService

Click OK


In Safe Mode, load Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Restart back into Normal Mode.


Now please try ComboFix again.

In your reply, please post the report from Ewido, and the ComboFix log if you were successful, and a new HijackThis log. Let me know how it's running now. :)

Thanks,
tea
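
An added example, not a tool from this thread: a small Python script that applies the rules of thumb the fix lists above rely on to HijackThis v1.99 log lines. It flags Trusted Zone additions (O15), a text/html MIME filter (O18), any AppInit_DLLs value and any Winlogon Notify package outside the Windows XP defaults (O20), services with no vendor string (O23), a redirected IE search (R0), orphaned or System32-resident browser add-ons (O2/O3/R3), autorun binaries dropped straight into the Windows directory (O4), and the '?' characters HijackThis substitutes for non-ASCII look-alike characters in a path. The sample log is a selection of lines copied from this thread; the allow-lists of known-good Run entries, IE add-ons and Winlogon Notify packages are assumptions built from the poster's own logs and XP defaults, not HijackThis's own logic.

```python
"""Triage HijackThis v1.99 log lines with the heuristics a removal helper applies.

Added example for this thread; the allow-lists below are assumptions, not
HijackThis data. Findings are returned as objects so they can be checked or
turned into Fix Checked / sc delete instructions by the caller.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: Run-key binaries that legitimately live in %WINDIR% or System32
# on this OEM build (taken from the benign entries in the poster's logs).
KNOWN_GOOD_RUN = {
    "vttimer.exe", "ps2.exe", "igfxtray.exe", "hkcmd.exe", "agrsmmsg.exe",
    "hpsysdrv.exe", "recguard.exe",
}
# Assumption: Winlogon Notify packages shipped with Windows XP plus two common
# vendor ones; anything else runs inside winlogon.exe at every logon.
KNOWN_GOOD_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon",
}
# Assumption: the one System32-resident IE toolbar in the poster's log is Microsoft's.
KNOWN_GOOD_IE_ADDONS = {"msdxm.ocx"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# First drive-letter path ending in .exe/.dll/.ocx; quotes, spaces and '?' allowed inside.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx))\b', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_windows_root(path: str) -> bool:
    """True for files placed directly in %WINDIR% or System32, with no vendor subfolder."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent.endswith("\\windows") or parent.endswith("\\windows\\system32")


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        path_m = PATH_RE.search(body)
        path = path_m.group(1) if path_m else ""
        base = _basename(path)

        def add(reason: str) -> None:
            findings.append(Finding(sec, reason, line))

        if sec == "R0" and "Search," in body:
            add("IE search provider redirected to a third-party site")
        elif sec in ("O2", "O3", "R3") and body.endswith("(no file)"):
            add("orphaned CLSID: registration left behind after the DLL was removed")
        elif sec in ("O2", "O3", "R3") and path and _in_windows_root(path) and base not in KNOWN_GOOD_IE_ADDONS:
            add("browser add-on loaded from the Windows directory root")
        elif sec == "O4" and "?" in path:
            add("'?' in path: HijackThis renders non-ASCII look-alike characters this way")
        elif sec == "O4" and path and _in_windows_root(path) and base not in KNOWN_GOOD_RUN:
            add("autorun binary dropped straight into the Windows directory")
        elif sec == "O15":
            add("site added to the IE Trusted Zone, where ActiveX installs with relaxed prompts")
        elif sec == "O18" and body.startswith("Filter: text/html"):
            add("MIME filter on text/html can rewrite every page IE renders")
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            add("AppInit_DLLs is mapped into every process that loads user32.dll, "
                "so on-disk cleaning fails while those processes run")
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_GOOD_WINLOGON_NOTIFY:
                add(f"unknown Winlogon Notify package '{name}' runs inside winlogon.exe")
        elif sec == "O23" and "Unknown owner" in body:
            add("service with no vendor string")
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of flagged entries per HijackThis section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: lines copied from the logs in this thread, benign ones included.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [wGzyM6F48] C:\WINDOWS\System32\apbzk.exe
O4 - HKCU\..\Run: [Tgbill] C:\Documents and Settings\Owner\My Documents\?icrosoft\m?iexec.exe
O15 - Trusted Zone: *.sxload.com
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\System32\vf1v62x.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The AppInit_DLLs rule is the one worth remembering from this thread: a DLL named there is mapped into every user32-linked process, which is why a scanner can report it "cleaned" on disk and then list the same file again with a process ID in brackets and an error. Removing the registry value (or working from Safe Mode, where fewer processes load it) has to come before the file deletion.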

R Brooks
2006-08-11, 00:44
Making progress. All the programs have a problem with the Surf Side Kick program. I did finally get the Surf Side Kick to go away with Ewido by finding a few SSK files and deleting them. I could never get rid of the whole folder until I altered or deleted a few files in the folder.

Internet Explorer, connections to other computers on network, and programs seem to be running at speed.

Computer is shut off now pending your next instructions.

Robert

Here are some logs which are showing that things are clearing up:

Logfile of HijackThis v1.99.1
Scan saved at 4:56:30 PM, on 8/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Yak!\Yak.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Yak!] C:\Program Files\Yak!\Yak.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kfiw] C:\Program Files\Common Files\kfiw\kfiwm.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ewido:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:35:17 PM 8/10/2006

+ Scan result:



C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89U341EF\thiselt[1].exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3251774080-327912393-1422264487-1003\Dc2.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\IA\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\IA\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nsq5F.dll -> Adware.Ezula : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060808-223221-318.dll -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GDAZ09EN\em[1].ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060810-151137-833.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89U341EF\876057[1].exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinDmy.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\My Documents\Μicrosoft\mѕiexec.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msiexec.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\ClickSpring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\System32bez6n4r21.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\System32cymmh.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\afdaqd3.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bez6n4r21.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cymmh.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060808-223221-767.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\hijackthis\backups\backup-20060810-151137-143.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\E1B9C.tmp/vp1i4.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8HEZGLER\km57[1].cab/vp1i4.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\System32n9nyb.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\System32y3aqsoepa.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iqqr.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\n9nyb.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vp1i4.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wfxqhv.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\whcixm7.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\y3aqsoepa.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\zqskw.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-3251774080-327912393-1422264487-1003\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-3251774080-327912393-1422264487-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
[200] C:\WINDOWS\System32\repairs303169590.dll -> Adware.SurfSide : Error during cleaning.
[248] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : Error during cleaning.
[260] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : Error during cleaning.
[436] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : Error during cleaning.
[480] C:\WINDOWS\system32\repairs303169590.dll -> Adware.SurfSide : Error during cleaning.
[724] C:\WINDOWS\System32\repairs303169590.dll -> Adware.SurfSide : Error during cleaning.
HKLM\SOFTWARE\Classes\AppID\{4F5E5D72-C915-4f3b-908B-527D064B0FAA} -> Adware.SysProtect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{EF130E77-0A34-4365-BFB7-218FD3DDCD5F} -> Adware.SysProtect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{02946FD1-2D99-46E6-A790-3A089714EDD9} -> Adware.SysProtect : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Ignored.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89U341EF\klite.ath[1] -> Not-A-Virus.Exploit.Win32.MS05013 : Ignored.
C:\RECYCLER\S-1-5-21-3251774080-327912393-1422264487-1003\Dc6\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Combofix:

Start Time= Thu 08/10/2006 16:53:28.57
Running from: C:\Documents and Settings\Owner\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-10 16:53:36 503 ( A.... ) "C:\ComboFix.txt"
2006-08-10 16:42:52 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-10 16:42:50 100 ( A.... ) "C:\ComboFix.2006-08-10.165328.txt"
2006-08-10 16:42:16 4001 ( A.... ) "C:\WINDOWS\viassary-hp.reg"
2006-08-10 16:40:44 259575808 ( A.SH. ) "C:\hiberfil.sys"
2006-08-10 16:40:42 390070272 ( A.SH. ) "C:\pagefile.sys"
2006-08-09 17:59:08 69632 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-08-09 17:45:42 3413 ( A.... ) "C:\VundoFix.txt"
2006-08-09 17:38:48 ( .DSH. ) "C:\Config.Msi"
2006-08-09 17:34:34 100 ( A.... ) "C:\ComboFix.2006-08-10.164248.txt"
2006-08-09 17:32:52 ( .D... ) "C:\sUBs"
2006-08-08 21:05:52 175362 ( A.... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-08-08 21:05:38 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"
2006-08-08 21:05:24 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"
2006-08-08 21:05:24 0 ( A.... ) "C:\WINDOWS\System32afdaqd3.exe"
2006-08-08 21:05:08 733 ( A.... ) "C:\asdf.txt"
2006-08-08 21:05:06 ( .D... ) "C:\Program Files\InetGet2"
2006-08-08 11:48:42 ( .D... ) "C:\VundoFix Backups"
2006-08-01 16:02:58 ( .D... ) "C:\Qoofix"
2006-08-01 15:49:14 ( .D... ) "C:\BFU"
2006-08-01 12:42:38 264 ( A.SH. ) "C:\boot.ini"
2006-07-31 17:56:56 ( .D... ) "C:\Program Files\webHancer"
2006-07-31 17:46:48 328 ( A.... ) "C:\WINDOWS\glovp.dll"
2006-07-31 16:24:54 890 ( A.... ) "C:\rapport.txt"
2006-07-31 12:13:34 31648 ( A.... ) "C:\ComboFix.2006-08-09.173428.txt"
2006-07-30 18:03:22 2 ( A.... ) "C:\WINDOWS\system32\wtsit.exe"
2006-07-30 17:02:18 ( .D... ) "C:\Program Files\Viewpoint"
2006-07-28 10:27:10 ( .D... ) "C:\Program Files\??mantec"
2006-07-27 19:20:00 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-26 12:00:42 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-07-26 12:00:16 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-07-26 11:59:02 0 ( A.... ) "C:\WINDOWS\System32ghynf.exe"
2006-07-26 11:58:58 ( .D... ) "C:\Program Files\Common Files\{D8DC6F63-09E4-1033-0415-040203200001}"
2006-07-24 15:31:24 1163264 ( A.... ) "C:\WINDOWS\system32\l3jdfs.exe"
2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\system32\tsuninst.exe"
2006-06-21 18:38:40 235228 ( A.... ) "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21 18:38:16 115239 ( A.... ) "C:\WINDOWS\system32\ts_mediamotor.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-10 16:40 259,575,808 C:\hiberfil.sys
2006-08-09 17:57 69,632 C:\WINDOWS\system32\VundoFix.exe
2006-08-08 21:05 319,294 C:\WINDOWS\YOINSI.exe
2006-08-08 21:05 234,248 C:\WINDOWS\Tagasuarus2.exe
2006-08-08 21:05 1,163,264 C:\WINDOWS\system32\l3jdfs.exe
2006-08-08 21:05 0 C:\WINDOWS\System32afdaqd3.exe
2006-07-31 15:21 53,248 C:\WINDOWS\system32\Process.exe
2006-07-31 15:21 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-31 15:21 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-31 15:21 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-27 18:48 390,070,272 C:\pagefile.sys
2006-07-27 14:19 155,648 C:\WINDOWS\system32\igfxres.dll
2006-07-26 12:02 2 C:\WINDOWS\system32\wtsit.exe
2006-07-26 12:01 127,578 C:\WINDOWS\system32\tsuninst.exe
2006-07-26 12:00 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-26 12:00 328 C:\WINDOWS\glovp.dll
2006-07-26 12:00 232,749 C:\WINDOWS\pf78.exe
2006-07-26 11:59 0 C:\WINDOWS\System32ghynf.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=dword:00000002
"Windows Overlay Components"=dword:00000002




Contents of the 'Scheduled Tasks' folder

Completion time: Thu 08/10/2006 16:53:42.28
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-09.173428.txt
ComboFix.2006-08-10.164248.txt
ComboFix.2006-08-10.165328.txt

teacup61
2006-08-11, 02:15
Hello,

Yay! Progress! Great job!:bigthumb:

Your Java is way out of date, which leaves your computer open to infection.

Updating Java:

Go to Start > Control Panel double-click > add/remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
It should have a coffee cup next to it:
Select it and click Remove.
Then Download and install the newest version from here:

http://www.java.com/en/download/manual.jsp (http://www.java.com/en/download/manual.jsp)

After you complete that task, use 'Control Panel > Add/Remove Programs' to remove ALL earlier versions of Sun java. You remain vulnerable as long as these remain on your system.

Vundo is still showing in your log. Go back to the previous directions regarding VundoFix and try those now.

Then,
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O4 - HKCU\..\Run: [kfiw] C:\Program Files\Common Files\kfiw\kfiwm.exe
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Delete the following, if present:

C:\WINDOWS\System32\vtutr.dll
C:\Program Files\Common Files\kfiw<----this folder

Reboot your computer.

Use Cleanmgr to clean temporary files:

1. Click > start > run and type cleanmgr and click OK
2. Scan your system for files to remove.
3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
4. Click OK to remove those files.
5. Click Yes to confirm deletion.

Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online http://www.pandasoftware.com/products/activescan.htm
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report in your next reply together with a fresh HijackThis log and the VundoFix log. Let me know how it's running. :)

Thanks,
tea
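The four entries teacup61 lists above are different kinds of load point (R3 is an IE URLSearchHook, O2 a Browser Helper Object loaded into IE, O4 a Run-key autostart, O20 a Winlogon Notify DLL loaded into winlogon.exe), and that is why the order is fix the entry first, then delete the file, and the Notify DLL only from Safe Mode. The script below is an added example, not HijackThis code and not anything posted in this thread: it parses HJT entry lines, cross-references the "Running processes" list, and applies a few triage rules in code. SAMPLE_LOG is assembled from lines posted in this thread; the KNOWN_NOTIFY allow-list and the rule wording are my assumptions.

```python
"""Triage a HijackThis 1.99 log the way this thread does it by hand.
Added example: not HijackThis code, not posted in the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# What the entry prefixes seen in this thread mean
SECTIONS = {
    "R1": "Internet Explorer registry value (proxy / start-page settings)",
    "R3": "URLSearchHook DLL consulted for address-bar searches",
    "O2": "Browser Helper Object: DLL loaded into every Internet Explorer process",
    "O4": "autostart entry from a Run key or a Startup folder",
    "O20": "Winlogon Notify DLL: loaded into winlogon.exe before any user logs on",
    "O23": "Windows service",
}
# ASSUMPTION: Notify DLLs treated as legitimate. Only the two present in the
# clean logs later in this thread are listed; extend it for another machine.
KNOWN_NOTIFY: Set[str] = {"igfxcui", "wgalogon"}

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|ocx))', re.IGNORECASE)

# Constructed from entries posted in this thread (process list shortened)
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: DPCUpdater Object - {DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - C:\WINDOWS\System32\vtutr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [kfiw] C:\Program Files\Common Files\kfiw\kfiwm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

@dataclass
class Entry:
    code: str
    text: str
    path: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def basename(self) -> Optional[str]:
        return self.path.rsplit("\\", 1)[-1].lower() if self.path else None

def parse_log(log: str) -> Tuple[List[Entry], Set[str]]:
    """Return the entry list and the lower-cased basenames of running processes."""
    entries: List[Entry] = []
    running: Set[str] = set()
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                running.add(line.rsplit("\\", 1)[-1].lower())
            else:
                in_procs = False  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            code, rest = m.groups()
            pm = PATH_RE.search(rest)
            entries.append(Entry(code, rest, pm.group(1) if pm else None))
    return entries, running

def notify_name(e: Entry) -> str:
    # "Winlogon Notify: vtutr - C:\WINDOWS\System32\vtutr.dll" -> "vtutr"
    return e.text.split(":", 1)[1].split(" - ", 1)[0].strip().lower()

def triage(entries: List[Entry], running: Set[str]) -> List[Entry]:
    by_file: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.basename:
            by_file.setdefault(e.basename, []).append(e)
    for e in entries:
        low = e.text.lower()
        if "(no file)" in low:
            e.findings.append("orphan: the registered file is already gone, fixing the entry only drops the dangling reference")
        elif "(file missing)" in low and e.basename in running:
            e.findings.append("reported missing, yet its image is in the Running processes list: a path-parsing artifact (quoted path plus arguments), not a missing file")
        if e.code == "O20" and notify_name(e) not in KNOWN_NOTIFY:
            e.findings.append("unrecognised Winlogon Notify DLL: it is mapped into winlogon.exe, so remove the entry and delete the file from Safe Mode")
            for other in by_file.get(e.basename, []):
                if other is not e:
                    other.findings.append(f"same DLL as Winlogon Notify '{notify_name(e)}': the BHO plus Notify pairing is the Vundo/Virtumonde persistence this thread is chasing")
    return entries

def triage_log(log: str) -> List[Entry]:
    entries, running = parse_log(log)
    return triage(entries, running)

def flagged(entries: List[Entry]) -> List[Tuple[str, Optional[str]]]:
    return [(e.code, e.basename) for e in entries if e.findings]

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        if e.findings:
            print(f"{e.code}: {SECTIONS.get(e.code, 'other')}\n  {e.text}")
            for f in e.findings:
                print("  ->", f)
```

Run it and four entries come out flagged: the orphaned R3 hook, the vtutr.dll BHO and Notify pair, and the avast! service that the log calls missing even though the same log lists it running. Note what the rules do not catch: the [kfiw] Run entry looks like any other autostart to a script; it was the helper's knowledge of that name that put it on the fix list, which is the part of log reading no heuristic replaces.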

R Brooks
2006-08-15, 00:31
VundoFix does not seem to be working too good. I tried to run it in Safe Mode and think I may have had better success. Otherwise, I could not delete the vtutr.dll file.

Here are the scans:

Logfile of HijackThis v1.99.1
Scan saved at 5:26:27 PM, on 8/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Yak!\Yak.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Yak!] C:\Program Files\Yak!\Yak.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

and the Panda:


Incident Status Location

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\LocalService\Cookies\system@go[1].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@targetsaver[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tucows[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe[²ƒÇ]
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\b103.exe[stub_109_4_0_4_0.exe]
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\b111.exe[eltadperf.exe]
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\cmdinst.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\nsl5.tmp
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{D8DC6F63-09E4-1033-0415-040203200001}\services.dll
Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IA\KE.vbs
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\media_motor_bundle.exe
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pf78.exe[pms111x.exe]
Virus:Trj/VB.MC Not disinfected C:\WINDOWS\pf78.exe[SYSC00.exe]
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\system32\icon_mediamotor.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\system32\ts_mediamotor.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\Tagasuarus2.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\uni_ehhh.exe
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\YOINSI.exe
Hope this helps.

Robert;)

teacup61
2006-08-16, 00:44
Hi Robert,

Looks like what Panda found is all we need to get rid of now. We're getting there!:)

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

Navigate to, and delete the following files/folders:

C:\WINDOWS\YOINSI.exe
C:\WINDOWS\uni_ehhh.exe
C:\WINDOWS\Tagasuarus2.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe
C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
C:\Documents and Settings\Owner\Local Settings\Temp\b103.exe[stub_109_4_0_4_0.exe]
C:\Documents and Settings\Owner\Local Settings\Temp\b111.exe[eltadperf.exe]
C:\Documents and Settings\Owner\Local Settings\Temp\cmdinst.exe
C:\WINDOWS\IA <----this folder


In Safe Mode, load Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Restart back into Normal Mode.


I notice that you do not seem to be running Antivirus software or a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them!!

AVG (http://free.grisoft.com/freeweb.php/doc/2/), Avira (http://www.free-av.com/) OR Avast (http://www.avast.com/) are good FREE antivirus programs. Some good free firewalls are ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za), or Outpost (http://www.agnitum.com/products/outpostfree/download.php)
A tutorial on understanding and using firewalls may be found here (http://www.bleepingcomputer.com/forums/tutorial60.html).
Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease its reliability!

When you've done this, run a full system scan.

In your reply, please post the report from Ewido and a new HijackThis log. Let me know how the virus scan went, and how your computer is running now. :)

Thanks,
tea

tashi
2006-08-20, 10:45
Still with us R Brooks?

R Brooks
2006-08-21, 21:04
Still here.

Computer is still running a little sluggish. Was actually running quicker about one or two instructions ago.

The lower half of the specified delete list from your prev. email was not on the computer. Everything below Windows\media_motor_bundle.exe

I do have the Windows firewall program up now. Do you think one of the Freeware Anti-virus programs you listed is better (easier to use??) than the other?

Logfile of HijackThis v1.99.1
Scan saved at 1:58:12 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Yak!\Yak.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Yak!] C:\Program Files\Yak!\Yak.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155651907953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:07:26 PM 8/21/2006

+ Scan result:



C:\WINDOWS\system32\l3jdfs.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Ignored.
C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.


::Report end

I see the NetInstaller.exe on the Ewido above - I did delete it before the program ran though.

Thanks for the help: :bow: :bow: :bow:

Robert

teacup61
2006-08-22, 07:22
Ah, there you are.:)

Do you know what this is? O4 - HKCU\..\Run: [Yak!] C:\Program Files\Yak!\Yak.exe

If not, please do the following:

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\Program Files\Yak!\Yak.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

Thanks,
tea

R Brooks
2006-08-22, 19:03
Yes, Yak! is a freeware program we have used for years. It is a VERY simple program that allows you to communicate between computers on the same network. It's a great little program.

Do you think one of the Freeware Anti-virus programs you listed is better (easier to use??) than the other?

I have not been using the computer we are working on EXCEPT for what you have told me to do. Is it OK to start using it again for general use?


Robert

teacup61
2006-08-23, 01:19
Hello,

Thanks for the info. :)

I use Avast!. It's light on resources, and very easy to use. :) Please put the AV on the computer before you begin to use it. When you do, please run a scan and let me know if it finds anything bad.

You said you deleted the file before you ran Ewido, correct? If so, it's still showing up. :( I'm not convinced you're quite in the clear yet as long as that file is still showing.

Let me know how everything is running, and post a new HijackThis log in your reply. :)

Thanks,
tea

R Brooks
2006-08-24, 22:54
You said in your most recent post:

"You said you deleted the file before you ran Ewido, correct? If so, it's still showing up. I'm not convinced you're quite in the clear yet as long as that file is still showing."

I am not sure what you are talking about? Which "file"?

Installed Avast - computer did slow down after installing that. I guess that is suspected.


Logfile of HijackThis v1.99.1
Scan saved at 3:47:07 PM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yak!\Yak.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yak!] C:\Program Files\Yak!\Yak.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155651907953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


And the Ewok log:laugh: :


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:31:10 PM 8/24/2006

+ Scan result:



C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

I told it to delete that top file that says "not-a-virus". It said to ignore it once.

Hope that was OK.

teacup61
2006-08-25, 12:27
Hello there,


"I see the NetInstaller.exe on the Ewido above - I did delete it before the program ran though."

That's the statement you made that I was referring to. ;)

The Ewok log!:rofl: I like that!:laugh:

Did Avast! show anything when you ran a scan?

You know what? You had a LOT of garbage on this machine. You've done a great job with it, and your log looks clean.:bigthumb:

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za), or Outpost (http://www.agnitum.com/products/outpostfree/download.php)
A tutorial on understanding and using firewalls may be found here (http://www.bleepingcomputer.com/forums/tutorial60.html).

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here (http://www.bleepingcomputer.com/forums/tutorial49.html).

SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html)
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here (http://www.bleepingcomputer.com/forums/tutorial50.html).

Ad-Aware SE (http://www.lavasoftusa.com/software/adaware)
A tutorial on using Ad-Aware to remove spyware from your computer may be found here (http://www.bleepingcomputer.com/forums/tutorial48.html).

Spybot-Search & Destroy (http://www.safer-networking.org/en/download)
A tutorial on using Spybot to remove spyware from your computer may be found here (http://www.bleepingcomputer.com/forums/tutorial43.html). Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm)

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea:)

R Brooks
2006-08-29, 19:51
Thanks for all the help.

I have debugged computers before but never one that was in such a mess as this one.

I would like to learn more about what the Hijackthis Log means. Is there a site for that?

Thanks again for all the help and watch out for the Ewoks!:eek:

Warmest regards:D: ,

Robert

teacup61
2006-08-30, 11:02
Hello Robert,

There are several very good "schools" dedicated to teaching HijackThis. They do not cost money to go through, and there is no time limit to complete your learning.

http://spywareinfo.com <--- register, then sign up for the Boot Camp in the Open Forum.
http://bleepingcomputer.com
http://www.geekstogo.com/forum/forums.html <-----sign up, then apply for GeekU (Geek University)
http://forums.tomcoyote.org <---apply to the Classroom after you join.

I'll be on the lookout for the rogue Ewoks, and you take care!
tea :greeting:

tashi
2006-09-05, 02:02
As the problem appears to be resolved this topic has been archived. :bigthumb:

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help.