Browser Hijack, Pop-Ups, Viruses



trumpetmix
2006-10-18, 22:28
I am having a problem with my computer. It is slower than dirt, and every time I try to open any browser I get tons of pop-ups, along with the computer eventually crashing. I cannot get an online scan to complete, but I have run Spybot in Safe Mode with Networking (this computer is on a network) until it came up clean. It did nothing for the problem except delay the pop-ups for a little while. I have the HijackThis log and am pasting it below. PLEASE HELP!

Thank you,

Angela

Logfile of HijackThis v1.99.1
Scan saved at 5:39:37 PM, on 10/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\elitepop06.exe
C:\WINDOWS\win320946-21464268.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\{80102022-0256-1033-1105-990615990001}\Update.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iufsj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,sqmwunk.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\angela\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [epqazeh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\epqazeh.dll,pfzjooe
O4 - HKLM\..\Run: [1pop06apelt2] C:\WINDOWS\elitepop06.exe
O4 - HKLM\..\Run: [qit6d719] RUNDLL32.EXE w08e6aca.dll,n 0056d7140000000208e6aca
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [ntdll.dll] C:\WINDOWS\system32\rlookh.exe reg_run
O4 - HKLM\..\Run: [win320946-21464268] C:\WINDOWS\win320946-21464268.exe
O4 - HKLM\..\Run: [dahomah.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dahomah.dll,ftrttbf
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [fqkf] C:\PROGRA~1\COMMON~1\fqkf\fqkfm.exe
O4 - Global Startup: UPS OnLine PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://server/tsweb/msrdp.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Smithall.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Smithall.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Smithall.local
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

shelf life
2006-10-19, 02:54
Hi trumpetmix,

Welcome to the malware forum.
You have quite a collection.

The first thing I would do is this:
* Install Ewido Anti-Malware, 30 day trial version.

http://download.ewido.net/ewido-setup.exe

* Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

* On the top of the main screen click Shield
* Click the word active to change it to inactive
* On the top of the main screen click Update.
* Then click on Start Update. The update will start and a progress bar will show the updates being installed.

If you are having problems with the updater, you can use this link to manually update Ewido. http://www.ewido.net/en/download/updates/

When you have finished updating, EXIT Ewido.
-------------------------------------------------
You might want to copy/paste the rest of this into Notepad and save it so you can read it in Safe Mode:

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap the F8 key during the restart and choose the first option from the list: SAFE MODE only (no networking).

* In Safe Mode, run Ewido.
* Click Scanner
* Click on the Scan tab
* Click Complete System Scan to begin scanning.
* When the scan is complete click Recommended Action and change it to Quarantine
* Then click Apply all actions

Once finished, click the Save report button, then click Save Report As. This will create a text file.

Make sure you know where to find this file again (like on the Desktop).

Also, in Safe Mode, run Spybot Search & Destroy.
------------------------------------------------------
Reboot the computer normally. I don't see an antivirus application; do you need one?
Rescan and post a new HJT log for me.

If you need AV, you can get AVG Free here:
http://free.grisoft.com/doc/2/lng/us/tpl/v5

Download, install, update and do a full system scan.

shelf life

trumpetmix
2006-10-19, 15:12
Shelf life,

First of all, thank you!!

Second, I cannot log onto the computer in safe mode unless I do it with networking. I am an administrator, but only as my network ID. Any suggestions?

Thank you again,

Angela

shelf life
2006-10-20, 02:54
Hi trumpetmix,

The reason to do it without networking is to keep any malware from using your connection. If the Ethernet cable (I assume a broadband connection) is easy to get to, just pull the plug on the cable where it plugs into the back of your computer, or where it would connect from your computer to the router/switch/hub, whatever is easiest to get to. After the scan, plug the cable back in and reboot normally.

If you can't do this for any reason, go ahead and run it in Safe Mode with Networking.

shelf life

trumpetmix
2006-10-24, 23:22
First of all, the link you gave me (http://download.ewido.net/ewido-setup.exe) actually redirects you to AVG software now. I downloaded it, and ran the scan in safe mode with no networking. Here is the log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:27:19 PM 10/24/2006

+ Scan result:



C:\WINDOWS\R2VvcmdlIEMuIFNtaXRo\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\R2VvcmdlIEMuIFNtaXRo\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Program Files\DeluxeCommunications\DxcCore.dll -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-1454471165-492894223-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run\\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Bar -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\elitesix.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dzfqg.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\brent\Local Settings\Temp\SahUpdate\setup4021.cab/atrc8parb_.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\Documents and Settings\brent\Local Settings\Temp\SahUpdate\setup4021.cab/hqrhil7kg_.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\Documents and Settings\brent\Local Settings\Temp\SahUpdate\setup4021.cab/liqp7c25q_.dll -> Adware.Sahat : Cleaned with backup (quarantined).
C:\Documents and Settings\brent\Local Settings\Temp\SahUpdate\setup4021.cab/umqltg4cl_.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\Documents and Settings\brent\Local Settings\Temp\SahUpdate\setup4021.cab/umqltg4cl_.ini -> Adware.Sahat : Cleaned with backup (quarantined).
C:\Documents and Settings\brent\Local Settings\Temp\SahUpdate\setup4021.cab/update.exe -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\MirarSetup_876057.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{80102022-0256-1033-1105-990615990001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{80102022-0256-1033-1105-990615990001}\services.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\adrotate.dll -> Adware.TrafficSol : Cleaned with backup (quarantined).
C:\WINDOWS\system32\brrotate.dll -> Adware.TrafficSol : Cleaned with backup (quarantined).
C:\WINDOWS\system32\qomnkli.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\opnllll.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ksbpq.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sqmwunk.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ifgusijx.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\carl\Application Data\Mozilla\Profiles\default\45z21s1h.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\woody\Application Data\Mozilla\Profiles\default\zkk0mbig.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\carl\Application Data\Mozilla\Profiles\default\45z21s1h.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\woody\Application Data\Mozilla\Profiles\default\zkk0mbig.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\carl\Application Data\Mozilla\Profiles\default\45z21s1h.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\woody\Application Data\Mozilla\Profiles\default\zkk0mbig.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.32:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.36:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.53:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.54:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.20:C:\Documents and Settings\carl\Application Data\Mozilla\Profiles\default\45z21s1h.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.7:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\carl\Cookies\carl@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.6:C:\Documents and Settings\angela\Application Data\Mozilla\Profiles\default\6mgj3932.slt\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.7:C:\Documents and Settings\angela\Application Data\Mozilla\Profiles\default\6mgj3932.slt\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@commission-junction[2].txt -> TrackingCookie.Commission-junction : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.67:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.6:C:\Documents and Settings\woody\Application Data\Mozilla\Profiles\default\zkk0mbig.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\carl\Cookies\carl@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\carl\Cookies\carl@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@e-2dj6wjkykoajgdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.19:C:\Documents and Settings\angela\Application Data\Mozilla\Profiles\default\6mgj3932.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.40:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.41:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.31:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\carl\Cookies\carl@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.80:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\carl\Cookies\carl@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.72:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\carl\Cookies\carl@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.16:C:\Documents and Settings\woody\Application Data\Mozilla\Profiles\default\zkk0mbig.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.17:C:\Documents and Settings\woody\Application Data\Mozilla\Profiles\default\zkk0mbig.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.18:C:\Documents and Settings\woody\Application Data\Mozilla\Profiles\default\zkk0mbig.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.73:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.86:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Shopathomeselect : Cleaned.
:mozilla.87:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Shopathomeselect : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.79:C:\Documents and Settings\brent\Application Data\Mozilla\Profiles\default\i6a4a63f.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\angela\Cookies\angela@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

trumpetmix
2006-10-24, 23:23
Second, I rebooted and ran hijack this again. Take a look and let me know what my next step is. THANK YOU!!!!


Here is that log:

Logfile of HijackThis v1.99.1
Scan saved at 5:02:27 PM, on 10/24/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iufsj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,sqmwunk.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\angela\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [epqazeh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\epqazeh.dll,pfzjooe
O4 - HKLM\..\Run: [rdsgjf] C:\WINDOWS\system32\rlookh.exe reg_run
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [win320946-21464268] C:\WINDOWS\win320946-21464268.exe
O4 - HKLM\..\Run: [dahomah.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dahomah.dll,ftrttbf
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [foincsb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\foincsb.dll,mfdezic
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [naahl] C:\WINDOWS\system32\rlookh.exe reg_run
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [Mspa] "C:\DOCUME~1\angela\APPLIC~1\RACLE~1\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: UPS OnLine PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://server/tsweb/msrdp.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = Smithall.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = Smithall.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = Smithall.local
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

shelf life
2006-10-25, 02:17
Hi trumpetmix,

OK, good. Ewido is now called AVG Anti-Spyware. You still have a load of stuff on there.
You really need to get some antivirus software on your computer; more about that later.
---------------------------------------------------------------------------
OK, here's what we will do:

Read through this thread. Download what you need, mainly SmitfraudFix; you already have AVG (Ewido). Go ahead and run through the fix following the directions. Step 6 and beyond of the fix require a boot into Safe Mode for the "clean" and the rest, so I would copy/paste the rest of the directions into Notepad and save them so you can find them in Safe Mode.
The thread: http://forums.spybot.info/showthread.php?t=4015

Once you have finished the SmitfraudFix, have run AVG (Ewido) etc.,
the last thing to do in Safe Mode is this:

Scan with HJT, put a checkmark beside the items below, close all windows and click Fix checked.

Some of these entries may not be present after doing the above; if you don't see it in the log, don't worry about it.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iufsj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,sqmwunk.exe

O4 - HKLM\..\Run: [epqazeh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\epqazeh.dll,pfzjooe

O4 - HKLM\..\Run: [rdsgjf] C:\WINDOWS\system32\rlookh.exe reg_run
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [win320946-21464268] C:\WINDOWS\win320946-21464268.exe

O4 - HKLM\..\Run: [dahomah.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dahomah.dll,ftrttbf

O4 - HKCU\..\Run: [naahl] C:\WINDOWS\system32\rlookh.exe reg_run
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe

O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
------------------------------------------------------------------------------
Reboot normally. Go out and download, install, update and scan with AVG Antivirus:
http://free.grisoft.com/doc/2/lng/us/tpl/v5
-------------------------------------------------------------------------------
Then go grab ComboFix:
1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
or
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
-------------------------------------------------------------
Please also scan and post a new HJT log and the ComboFix log.

shelf life
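Added example (not part of the thread, and not a feature of HijackThis): a Python script that applies the same triage rules shelf life used on the two logs above to raw HJT log lines. It flags extra components in the F2 Shell=/UserInit= values, Run values that hand rundll32 an unknown or unqualified DLL, executables dropped straight into the Windows directory, a value named after a system file it does not actually run, a browser launched to a URL at logon, one command re-registered under several Run values, Trusted Zone additions, a non-empty AppInit_DLLs, and orphaned "(no file)" hooks. The sample lines are copied from the logs posted above; RUNDLL_ALLOWLIST (only NvCpl.dll) is an assumption chosen for this demonstration, not a vetted list. It is a reading aid for the log and changes nothing on the machine.

```python
"""Triage a HijackThis 1.99 log for the hijack classes in this thread. Added example; allowlist is an assumption."""
import re
from collections import Counter

SECTION_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")  # O4 Run values only
WINLOGON_EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}  # the only legitimate F2 components
RUNDLL_ALLOWLIST = {"nvcpl.dll"}  # assumption: the NVIDIA panel is the only rundll32 load expected on this box

def basename(path):
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()

def split_command(cmd):
    """Return (executable, arguments); copes with quoted paths and unquoted paths containing spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.+?\.exe)(?:\s+|$)(.*)$", cmd, re.I | re.S)
    if m:
        return m.group(1), m.group(2).strip()
    parts = cmd.split(None, 1) + [""]
    return parts[0], parts[1]

def check_winlogon(body):
    """F2: anything appended after explorer.exe / userinit.exe runs at every logon."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)$", body, re.I)
    if not m:
        return []
    key, parts = m.group(1), [p.strip() for p in m.group(2).split(",") if p.strip()]
    extras = [p for p in parts if basename(p) != WINLOGON_EXPECTED[key.lower()]]
    return [f"{key} hijack: extra component(s) {extras}"] if extras else []

def check_run(name, cmd):
    """O4: heuristics matching the Run values the helper told the poster to fix."""
    reasons = []
    exe, args = split_command(cmd)
    exe_base = basename(exe)
    if re.match(r"^[a-z]:\\(windows|winnt)\\[^\\]+$", exe.replace("/", "\\").lower()):
        reasons.append("executable dropped directly in the Windows directory")
    if exe_base == "rundll32.exe":
        dll = args.split(",")[0].strip().strip('"')
        if "\\" not in dll:
            reasons.append(f"rundll32 loads unqualified DLL {dll!r} via the search path")
        elif basename(dll) not in RUNDLL_ALLOWLIST:
            reasons.append(f"rundll32 loads {basename(dll)!r}, which is not on the allowlist")
    if name.lower().endswith((".dll", ".exe")) and name.lower() not in cmd.lower():
        reasons.append(f"value name {name!r} mimics a file the command does not run")
    if exe_base == "iexplore.exe" and re.search(r"https?://", args, re.I):
        reasons.append("launches Internet Explorer to a URL at logon (a pop-up source)")
    return reasons

def triage(log_text):
    """Return {log line: [reasons]} for each line that deserves a checkmark in HJT."""
    records = [(m.group("sec"), m.group("body"), m.group(0))
               for m in map(SECTION_RE.match, (raw.strip() for raw in log_text.splitlines())) if m]
    runs = [RUN_RE.match(body) if sec == "O4" else None for sec, body, _ in records]
    counts = Counter(" ".join(rm.group("cmd").split()).lower() for rm in runs if rm)  # one command, many values
    report = {}
    for (sec, body, line), rm in zip(records, runs):
        reasons = []
        if sec == "F2":
            reasons += check_winlogon(body)
        elif rm:
            key = " ".join(rm.group("cmd").split()).lower()
            reasons += check_run(rm.group("name"), rm.group("cmd"))
            if counts[key] > 1:
                reasons.append(f"same command registered under {counts[key]} Run values")
        elif sec == "O15":
            reasons.append("site in the IE Trusted Zone, where ActiveX and scripting limits are relaxed")
        elif sec == "O20" and re.match(r"AppInit_DLLs:\s*\S", body, re.I):
            reasons.append("AppInit_DLLs injects this DLL into every process that loads user32.dll")
        elif sec in ("O21", "R3") and "(no file)" in body:
            reasons.append("orphaned registration: the file is gone but the hook remains")
        if reasons:
            report[line] = reasons
    return report

# Constructed sample: lines copied from the two HijackThis logs posted above.
SAMPLE = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\iufsj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,sqmwunk.exe
O4 - HKLM\..\Run: [epqazeh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\epqazeh.dll,pfzjooe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINDOWS\system32\rlookh.exe reg_run
O4 - HKLM\..\Run: [qit6d719] RUNDLL32.EXE w08e6aca.dll,n 0056d7140000000208e6aca
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [win320946-21464268] C:\WINDOWS\win320946-21464268.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [naahl] C:\WINDOWS\system32\rlookh.exe reg_run
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE).items():
        print(line, *("    -> " + r for r in reasons), sep="\n")
```

Run it against a saved hijackthis.log by passing the file's contents to triage(); the legitimate entries in the sample (the quoted AVG path and ctfmon.exe) come back clean, while every line shelf life listed for fixing is reported with the reason it matched. The heuristics are deliberately conservative: a Run value is reported only when it trips a specific rule, so a clean log produces an empty report rather than noise.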

tashi
2006-10-30, 16:46
How is it going, trumpetmix?

tashi
2006-11-06, 08:19
This topic is closed due to lack of a response to helper, if you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.