Winfixer, Winantispy And Other Popups


5 replies to this topic

#1 Dick1944

  • Members
  • 3 posts

Posted 06 December 2005 - 03:08 PM

I have 3 problems that all started about the same time so they may be related:

1. I sometimes get an informational popup that looks like it comes from Internet Explorer, telling me that I should install WinFixer to fix registry problems and to click a button in the message box to do that.

2. The browser (Internet Explorer) sometimes gets hijacked to a site that displays a big red warning that my computer is sending confidential information to someone and to click a download button to download WinAntiSpy.

3. Sometimes a browser session suddenly opens up for a porn site or a gambling site. (I have 3 popup blockers turned on: Internet Explorer's, the one on the Google task bar and the one on the Yahoo task bar.)

HijackThis log follows:
Logfile of HijackThis v1.99.1
Scan saved at 2:58:28 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [\\DICK-2\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\DICK-2\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\PRINT SERVER\P1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P17 "\\PRINT SERVER\P1" /O17 "\\PRINT SERVER\P1" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\PRINT SERVER\P1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P17 "\\PRINT SERVER\P1" /M "Stylus Photo R300" /EF "HKCU"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 December 2005 - 03:14 PM

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link for "SpySweeper" to download the program. NOTE: DO NOT click the Free Spyware Scan link.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

David

#3 Dick1944

  • Topic Starter

  • Members
  • 3 posts

Posted 06 December 2005 - 03:52 PM

I went to the site. They don't seem to have a free trial version anymore. The only choices I saw were the free scan and to add the actual product to a shopping cart.

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 07 December 2005 - 12:02 PM

http://www.webroot.com/consumer/

Look there and find the SpySweeper free trial link.

David

#5 Dick1944

  • Topic Starter

  • Members
  • 3 posts

Posted 07 December 2005 - 08:06 PM

Thanks for the link. I ran SpySweeper. The system hung when it deleted what it found (which included Virtumonde, if I spelled that right). I rebooted and ran SpySweeper again. This time it was clean, and the log from that run follows. I rebooted again and ran HJT. That log comes last in what follows.

SpySweeper:

********
7:39 PM: | Start of Session, Wednesday, December 07, 2005 |
7:39 PM: Spy Sweeper started
7:39 PM: Sweep initiated using definitions version 580
7:39 PM: Starting Memory Sweep
7:41 PM: Memory Sweep Complete, Elapsed Time: 00:01:59
7:41 PM: Starting Registry Sweep
7:42 PM: Registry Sweep Complete, Elapsed Time:00:00:09
7:42 PM: Starting Cookie Sweep
7:42 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:42 PM: Starting File Sweep
7:48 PM: File Sweep Complete, Elapsed Time: 00:06:38
7:48 PM: Full Sweep has completed. Elapsed time 00:08:54
7:48 PM: Traces Found: 0
********
7:24 PM: | Start of Session, Wednesday, December 07, 2005 |
7:24 PM: Spy Sweeper started
7:24 PM: Sweep initiated using definitions version 580
7:24 PM: Starting Memory Sweep
7:25 PM: Found Adware: virtumonde
7:25 PM: Detected running threat: C:\WINDOWS\SYSTEM32\geebb.dll (ID = 77)
7:26 PM: Memory Sweep Complete, Elapsed Time: 00:02:09
7:26 PM: Starting Registry Sweep
7:26 PM: HKCR\atldistrib.atldistrib\ (5 subtraces) (ID = 1030533)
7:26 PM: HKCR\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030535)
7:26 PM: HKCR\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030537)
7:26 PM: HKCR\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030539)
7:26 PM: HKCR\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030541)
7:26 PM: HKLM\software\classes\atldistrib.atldistrib\ (5 subtraces) (ID = 1030666)
7:26 PM: HKLM\software\classes\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030668)
7:26 PM: HKLM\software\classes\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030670)
7:26 PM: HKLM\software\classes\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030672)
7:26 PM: HKLM\software\classes\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030674)
7:26 PM: HKCR\clsid\{3fe36807-69ed-45d1-b9be-85c0e3f75b6a}\ (12 subtraces) (ID = 1037004)
7:26 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3fe36807-69ed-45d1-b9be-85c0e3f75b6a}\ (ID = 1037057)
7:26 PM: HKLM\software\classes\clsid\{3fe36807-69ed-45d1-b9be-85c0e3f75b6a}\ (12 subtraces) (ID = 1037059)
7:26 PM: Registry Sweep Complete, Elapsed Time:00:00:09
7:26 PM: Starting Cookie Sweep
7:26 PM: Found Spy Cookie: go.com cookie
7:26 PM: kathy@abclocal.go[1].txt (ID = 2729)
7:26 PM: kathy@abcnews.go[2].txt (ID = 2729)
7:26 PM: Found Spy Cookie: about cookie
7:26 PM: kathy@ancienthistory.about[2].txt (ID = 2038)
7:26 PM: kathy@artsandcrafts.about[2].txt (ID = 2038)
7:26 PM: Found Spy Cookie: belnk cookie
7:26 PM: kathy@ath.belnk[1].txt (ID = 2293)
7:26 PM: kathy@bbq.about[2].txt (ID = 2038)
7:26 PM: kathy@beadwork.about[2].txt (ID = 2038)
7:26 PM: kathy@bipolar.about[2].txt (ID = 2038)
7:26 PM: kathy@busycooks.about[1].txt (ID = 2038)
7:26 PM: Found Spy Cookie: goclick cookie
7:26 PM: kathy@c.goclick[1].txt (ID = 2733)
7:26 PM: Found Spy Cookie: gostats cookie
7:26 PM: kathy@c3.gostats[2].txt (ID = 2748)
7:26 PM: Found Spy Cookie: classmates cookie
7:26 PM: kathy@classmates[2].txt (ID = 2384)
7:26 PM: kathy@crochet.about[2].txt (ID = 2038)
7:26 PM: Found Spy Cookie: 360i cookie
7:26 PM: kathy@ct.360i[2].txt (ID = 1962)
7:26 PM: kathy@depression.about[1].txt (ID = 2038)
7:26 PM: Found Spy Cookie: did-it cookie
7:26 PM: kathy@did-it[2].txt (ID = 2523)
7:26 PM: kathy@espn.go[1].txt (ID = 2729)
7:26 PM: kathy@familycrafts.about[1].txt (ID = 2038)
7:26 PM: kathy@forums.about[1].txt (ID = 2038)
7:26 PM: kathy@gardening.about[1].txt (ID = 2038)
7:26 PM: Found Spy Cookie: go2net.com cookie
7:26 PM: kathy@go2net[1].txt (ID = 2730)
7:26 PM: kathy@gostats[2].txt (ID = 2747)
7:26 PM: kathy@hartford.about[1].txt (ID = 2038)
7:26 PM: kathy@home.about[1].txt (ID = 2038)
7:26 PM: kathy@homecooking.about[2].txt (ID = 2038)
7:26 PM: Found Spy Cookie: homestore cookie
7:26 PM: kathy@homestore[1].txt (ID = 2793)
7:26 PM: Found Spy Cookie: ic-live cookie
7:26 PM: kathy@ic-live[1].txt (ID = 2821)
7:26 PM: kathy@jewelrymaking.about[1].txt (ID = 2038)
7:26 PM: Found Spy Cookie: ugo cookie
7:26 PM: kathy@mediamgr.ugo[1].txt (ID = 3609)
7:26 PM: Found Spy Cookie: metareward.com cookie
7:26 PM: kathy@metareward[1].txt (ID = 2990)
7:26 PM: Found Spy Cookie: military cookie
7:26 PM: kathy@military[1].txt (ID = 2996)
7:26 PM: Found Spy Cookie: touchclarity cookie
7:26 PM: kathy@msn.touchclarity[1].txt (ID = 3566)
7:26 PM: Found Spy Cookie: nextag cookie
7:26 PM: kathy@nextag[1].txt (ID = 5014)
7:26 PM: Found Spy Cookie: pub cookie
7:26 PM: kathy@pub[1].txt (ID = 3205)
7:26 PM: kathy@rsi.abcnews.go[1].txt (ID = 2729)
7:26 PM: kathy@rsi.espn.go[1].txt (ID = 2729)
7:26 PM: Found Spy Cookie: tvguide cookie
7:26 PM: kathy@rsi.tvguide[1].txt (ID = 3600)
7:26 PM: kathy@sdc.tvguide[1].txt (ID = 3600)
7:26 PM: Found Spy Cookie: servlet cookie
7:26 PM: kathy@servlet[1].txt (ID = 3345)
7:26 PM: kathy@servlet[3].txt (ID = 3345)
7:26 PM: kathy@sewing.about[1].txt (ID = 2038)
7:26 PM: kathy@sports-att.espn.go[1].txt (ID = 2729)
7:26 PM: Found Spy Cookie: spykiller cookie
7:26 PM: kathy@spykiller[1].txt (ID = 3413)
7:26 PM: Found Spy Cookie: clicktracks cookie
7:26 PM: kathy@stats.clicktracks[1].txt (ID = 2407)
7:26 PM: Found Spy Cookie: reliablestats cookie
7:26 PM: kathy@stats1.reliablestats[2].txt (ID = 3254)
7:27 PM: Found Spy Cookie: stlyrics cookie
7:27 PM: kathy@stlyrics[1].txt (ID = 3461)
7:27 PM: kathy@swimming.about[1].txt (ID = 2038)
7:27 PM: Found Spy Cookie: tracking cookie
7:27 PM: kathy@tracking[2].txt (ID = 3571)
7:27 PM: kathy@travelwithkids.about[1].txt (ID = 2038)
7:27 PM: kathy@tvguide[2].txt (ID = 3599)
7:27 PM: kathy@weddings.about[2].txt (ID = 2038)
7:27 PM: Found Spy Cookie: burstnet cookie
7:27 PM: kathy@www.burstnet[1].txt (ID = 2337)
7:27 PM: kathy@www.military[1].txt (ID = 2997)
7:27 PM: Found Spy Cookie: xiti cookie
7:27 PM: kathy@xiti[1].txt (ID = 3717)
7:27 PM: Found Spy Cookie: qsrch cookie
7:27 PM: kathy@yzsearch.qsrch[1].txt (ID = 3216)
7:27 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
7:27 PM: Starting File Sweep
7:34 PM: File Sweep Complete, Elapsed Time: 00:07:23
7:34 PM: Full Sweep has completed. Elapsed time 00:09:52
7:34 PM: Traces Found: 115
7:35 PM: Removal process initiated
7:35 PM: Quarantining All Traces: virtumonde
7:35 PM: virtumonde is in use. It will be removed on reboot.
7:35 PM: C:\WINDOWS\SYSTEM32\geebb.dll is in use. It will be removed on reboot.
7:35 PM: Quarantining All Traces: 360i cookie
7:35 PM: Quarantining All Traces: about cookie
7:35 PM: Quarantining All Traces: belnk cookie
7:35 PM: Quarantining All Traces: burstnet cookie
7:35 PM: Quarantining All Traces: classmates cookie
7:35 PM: Quarantining All Traces: clicktracks cookie
7:35 PM: Quarantining All Traces: did-it cookie
7:35 PM: Quarantining All Traces: go.com cookie
7:35 PM: Quarantining All Traces: go2net.com cookie
7:35 PM: Quarantining All Traces: goclick cookie
7:35 PM: Quarantining All Traces: gostats cookie
7:35 PM: Quarantining All Traces: homestore cookie
7:35 PM: Quarantining All Traces: ic-live cookie
7:35 PM: Quarantining All Traces: metareward.com cookie
7:35 PM: Quarantining All Traces: military cookie
7:35 PM: Quarantining All Traces: nextag cookie
7:35 PM: Quarantining All Traces: pub cookie
7:35 PM: Quarantining All Traces: qsrch cookie
7:35 PM: Quarantining All Traces: reliablestats cookie
7:35 PM: Quarantining All Traces: servlet cookie
7:35 PM: Quarantining All Traces: spykiller cookie
7:35 PM: Quarantining All Traces: stlyrics cookie
7:35 PM: Quarantining All Traces: touchclarity cookie
7:35 PM: Quarantining All Traces: tracking cookie
7:35 PM: Quarantining All Traces: tvguide cookie
7:35 PM: Quarantining All Traces: ugo cookie
7:35 PM: Quarantining All Traces: xiti cookie
7:35 PM: Warning: Launched explorer.exe
7:35 PM: Warning: Quarantine process could not restart Explorer.
7:36 PM: Removal process completed. Elapsed time 00:00:55
********
7:23 PM: | Start of Session, Wednesday, December 07, 2005 |
7:23 PM: Spy Sweeper started
7:24 PM: Your spyware definitions have been updated.
7:24 PM: | End of Session, Wednesday, December 07, 2005 |


HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:41 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [\\DICK-2\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "\\DICK-2\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\PRINT SERVER\P1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P17 "\\PRINT SERVER\P1" /O17 "\\PRINT SERVER\P1" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\PRINT SERVER\P1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P17 "\\PRINT SERVER\P1" /M "Stylus Photo R300" /EF "HKCU"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
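The two HijackThis logs in this thread show the classic Vundo footprint: one randomly named DLL (geebb.dll) registered both as a browser helper object (the O2 line) and as a Winlogon Notify package (the O20 line). The BHO gives the adware a thread inside every Internet Explorer process, which is where the popups come from, and the Winlogon hook makes winlogon.exe load the same DLL at logon, which is why SpySweeper reported it "in use" and could only remove it on reboot. The Python script below is an added example, not code from the thread, from BleepingComputer, or from the HijackThis or SpySweeper authors. It parses HJT entry lines, flags any DLL that appears in both O2 and O20, lists O20 packages that are not on an allowlist, finds orphaned "(no file)" BHOs like the two David asks to fix in the next post, and diffs the before and after logs. BEFORE and AFTER are short excerpts of the two logs posted above; KNOWN_NOTIFY_DLLS and every function name are the example's own assumptions.

```python
"""Triage HijackThis 1.99 logs for the Virtumonde/Vundo persistence pattern.

Added example for this thread, not code from BleepingComputer or from the
HijackThis/SpySweeper authors. BEFORE/AFTER are excerpts of the two HJT logs
posted above; KNOWN_NOTIFY_DLLS is an assumed allowlist for illustration,
not an authoritative list of legitimate Winlogon notification packages.
"""
import re
from collections import defaultdict

# Line shapes for the HJT sections this triage cares about.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SECTION_RE = re.compile(r"^([RFO]\d+) - ")

# Assumed allowlist: the Intel graphics hook and Webroot's logon hook are the
# two packages the clean log above shows. Extend it for your own baseline.
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll", "wrlogonntf.dll"}

# Excerpt of the 12/6/2005 log (infected): geebb.dll is both a BHO and a
# Winlogon Notify package.
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Excerpt of the 12/7/2005 log (after SpySweeper and a reboot).
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


def parse(log_text):
    """Group HJT entry lines by section prefix (R0, O2, O20, O23, ...)."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            entries[m.group(1)].append(line)
    return entries


def basename(path):
    """Lower-cased file name of a Windows path ('(no file)' passes through)."""
    return path.rsplit("\\", 1)[-1].lower()


def find_vundo_pattern(entries):
    """DLLs registered both as a BHO (O2) and as a Winlogon Notify package (O20).

    Returns (dll name, BHO CLSID) pairs; this pairing is the Vundo signature.
    """
    bho_dlls = {}
    for line in entries.get("O2", []):
        m = O2_RE.match(line)
        if m:
            bho_dlls[basename(m.group("path"))] = m.group("clsid").upper()
    hits = []
    for line in entries.get("O20", []):
        m = O20_RE.match(line)
        if m and basename(m.group("path")) in bho_dlls:
            dll = basename(m.group("path"))
            hits.append((dll, bho_dlls[dll]))
    return hits


def unknown_winlogon_notify(entries):
    """O20 packages whose DLL is not on the allowlist, as (name, path) pairs."""
    out = []
    for line in entries.get("O20", []):
        m = O20_RE.match(line)
        if m and basename(m.group("path")) not in KNOWN_NOTIFY_DLLS:
            out.append((m.group("name"), m.group("path")))
    return out


def orphaned_bhos(entries):
    """CLSIDs of BHO registrations whose DLL is gone ('(no file)')."""
    matches = [O2_RE.match(l) for l in entries.get("O2", [])]
    return [m.group("clsid").upper() for m in matches if m and m.group("path") == "(no file)"]


def diff_logs(before, after):
    """(removed, added) entry lines between two parsed logs, order-insensitive."""
    b = {l for ls in before.values() for l in ls}
    a = {l for ls in after.values() for l in ls}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    before, after = parse(BEFORE), parse(AFTER)
    print("BHO + Winlogon Notify pairs:", find_vundo_pattern(before))
    print("Unknown Winlogon Notify:", unknown_winlogon_notify(before))
    print("Orphaned BHOs still present:", orphaned_bhos(after))
    removed, added = diff_logs(before, after)
    print("Removed:", *removed, sep="\n  ")
    print("Added:", *added, sep="\n  ")
```

Run it as a script to see the pairing, the unknown O20 package, and the two-line diff between the logs; in practice paste complete HJT logs in place of the excerpts. Entries that HJT reports with "(no file)" are not dangerous on their own, but they are dead registrations left behind by removal and are the kind of leftover David asks to fix in the next post.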

#6 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 08 December 2005 - 01:04 PM

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


1) Click on Start, Settings, Control Panel

2) Double click on Add/Remove Programs

3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

Search Assistant - My Way

Clean Log!!
How's everything running?

David



