ISearchTech and Popups

[little eagle]

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

[Thobson]

Here is the Aproposfix log:

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\thobson\Desktop\aproprsfix\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CuiU8AD5JU2m]
@="uHJVXIVeffeffgfUPj56ZGeffeuhfA 1v2A6fWcWXIQlkfHVMZIVWfWIGikRXngWcW"
"Device"="\\\\.\\ql1RSvc"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\sec02nt5.sys"
"DriverName"="Cdfrter"
"HideUninstallerName"="C:\\Program Files\\Neteting\\jviirdao.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\custepad.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{FE208787-844D-449A-8C1A-47770C19E12D}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\dnsqdvd.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X6e4868d-37e8-1ca9-b634-7603a9262637}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80

************

Removing hidden service:
Service Cdfrter removed.

Removing hidden folder:
Deletion of folder Neteting succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\sec02nt5.sys succeeded!
Deletion of file C:\WINDOWS\system32\p2bbdycc.exe succeeded!
Deletion of file C:\WINDOWS\system32\dnsqdvd.dll succeeded!
Deletion of file C:\WINDOWS\system32\custepad.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CuiU8AD5JU2m]
[-HKEY_LOCAL_MACHINE\Software\CuiU8AD5JU2m]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE208787-844D-449A-8C1A-47770C19E12D}]

Done!

Finished!


Here is the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:21:50 AM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\SKYWARD\DDLC\bin\AdmSrvc.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mgabg.exe
C:\SKYWARD\DDLC\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\thobson\LOCALS~1\Temp\JobMonitor\JobMonitor.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Pumatech\Intellisync\AgentWCE.Exe
C:\SKYWARD\DDLC\jre\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
D:\downloads\hijacker\HijackThis.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\HPBPRO.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cdaschools.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.2.0.6:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [ScreenPrint32] D:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\5.3\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [EFI Job Monitor] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\efjm.dll,run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GroupWise Notify.lnk = D:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Intellisync Windows CE Configure.lnk = D:\Program Files\Pumatech\Intellisync\syncwce.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128005520750
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://adminsys-tom/website/install/...ndows-i586.exe
O16 - DPF: {9D887407-4690-45C0-9451-15CD63E615CA} (BOSIRichEditActiveX Control) - http://eldamar/tiweb65/downloads/BOS...emoControl.cab
O16 - DPF: {D636032F-E4DE-4851-AA0C-D5D6A66B8318} (BOSIActiveFormX Control) - http://eldamar/tiweb65/downloads/BOSIActiveXGrid.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emasupport.webex.com/client/...rt/ieatgpc.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb.com/pathways/pwa...b/pwlninst.cab
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - d:\Novell\Messenger\nmcg32.dll
O23 - Service: AdminService for PROGRESS 9.1D (AdminService9.1D) - Unknown owner - C:\SKYWARD\DDLC\bin\AdmSrvc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Let me know where we go from here. It looked like maybe it cleaned up the stuff that was found earlier!

Thanks
Tom

[little eagle]

This looks like a good place to start . http://forums.spybot.info/showthread.php?t=279

Not really seeing anything that needs fixing.

[Thobson]

Thank you for all you assistance. Everything looks good on this end. I will definitely be more careful even when I think I am on the trusted site (I was actually on a look alike site).

Thanks again
Tom

[little eagle]

SpoofStick is a simple browser extension that helps users detect spoofed (fake) websites. A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won't notice the incorrect URL and give away important information. This practice is sometimes known as “phishing".

Home Page

Download SpoofStick for Internet Explorer or for Firefox.

[tashi]

As the problem appears to be resolved this topic will be archived.
If you need the topic reopened please pm me.

Glad we could help.