Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected By Virtual Bouncer And Numerous Popups


  • This topic is locked This topic is locked
16 replies to this topic

#1 bradboy010605

bradboy010605

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 23 January 2006 - 10:04 PM

I have gone through and downloaded everything on the preperation guide and cannot get rid of this virtual bouncer. On most all webpaages I go to there are some words that are colored green. When I scroll over them it says "sponsored link" in the lower left address bar. Sometimes a little gray popup box comes up telling me more about the so called "sponsored link." I don't think these are true sponsored links because I have not seen them before getting this virtual bouncer on my machine. I am getting www2 through www7 popup searches Lastly, the Online anti-virus products from step 5, Panda software and bitdefender did not work at all. May be something I did wrong but everything else worked. Here is my log. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:54:09 PM, on 1/23/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\rlvknlg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\6835002\6835002.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin Wood\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
F3 - REG:win.ini: run=,
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\System32\nsoF.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: (no name) - {A00B3988-760E-FB07-504E-4C1F48FB4EC0} - C:\WINDOWS\Amssrsuq.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Start Upping] spoolnt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\rlvknlg.exe -boot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [6835002] C:\PROGRA~1\6835002\6835002.exe
O4 - HKCU\..\Run: [owom] C:\Program Files\Common Files\owom\owomm.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {52454909-B15F-11D3-83A3-000083613743} (SCMDir Class) - https://go7d.wspan.com/secure/DLLs/SCMDirCtl.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6DD584C4-79F4-4F46-8F81-C26AA75D8467} (ComboBox.UserControl1) - https://go7f.wspan.com/Secure/DLLs/WSCombo.CAB
O16 - DPF: {6FC2871E-004B-4141-B9C0-59708BD96CCE} (WSEmul Control 3) - https://go7f.wspan.com/Secure/DLLs/WSEMUL3.CAB
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://gonow.wspan.com/Secure/DLLs/WSFileIO3.cab
O16 - DPF: {7DB7E238-1425-4434-8B05-6453AD6A49C6} (WSPrint3 Control) - https://go7f.wspan.com/secure/DLLs/WSPrint3.CAB
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37540.cab
O16 - DPF: {85788258-6ACF-4FC1-A2CD-3BD248065AB9} (WSKeyboardMap Class) - https://go7d.wspan.com/Secure/DLLs/WSKeyboardTranslator.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go1f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A4D41E3A-613D-11D3-85B2-400011500081} (WSCustInst Class) - https://go7d.wspan.com/Secure/DLLs/WSCustInst.CAB
O16 - DPF: {CCB125B9-6C37-4F76-858E-5F8DD6C96681} (SCM Class 2) - https://go7d.wspan.com/Secure/DLLs/WSSCM2.CAB
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go3d.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go7d.wspan.com/Secure/DLLs/WSFileIO.cab
O16 - DPF: {EFFFC7A6-4D95-4A18-8A14-FEB082D9C67D} (SCM Class1) - https://go7f.wspan.com/Secure/DLLs/WSSCM1.CAB
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3054FB03-412D-4C37-91A3-9933E5E75CEE}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{3054FB03-412D-4C37-91A3-9933E5E75CEE}: NameServer = 64.136.20.121 64.136.28.121
O20 - AppInit_DLLs: dldjnmag.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Edited by bradboy010605, 23 January 2006 - 10:46 PM.


BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:57 PM

Posted 24 January 2006 - 08:49 AM

Hello,

Any reason why your windows isn't up to date? You don't have even ServicePack1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/network.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

I also see no antivirus present on your system. :thumbsup:

That's why i also want you to install an antivirus first.

AVG, AntiVirŪ OR Avast are good FREE antivirus.
Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!

Let your antivirus perform a full scan and let it delete everything it is finding!!
Reboot afterwards and post a new hijackthislog in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bradboy010605

bradboy010605
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 24 January 2006 - 08:27 PM

OK. I will do what you ask. I do have a couple more questions first.

1. I have Spy Ware Doctor. Is that not anitvirus software? I got it off of the Spy Ware Doctor website and I thought I was purchasing Anti Virus software. When I downloaded the Zone Alarm fire wall it said the same thing you are.

2. I guess I don't have the security 1 pack because I have never ran into this problem before. Is there a faster way to download it? I am on dial up (as of now, 8:21pm est, I have been doing this for over an hour and have 16% downloaded) and it seems to take forever. Also, and I am sorry for my ignorance, is it ok to download it to my desktop and then install it?

3. And just to be sure, you want me to download the Security pack 1, download real anti virus software and scan and delete where necessary, and finally download Security pack 2?

Again, I apologize for my ignorance and really do appreciate your help. Thank you so much.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:57 PM

Posted 25 January 2006 - 01:35 AM

Hi,

No Spyware Doctor is not an antivirus but an antispyware program. So it won't protect you from viruses.

Leave the updates part for now.. because now when your system is so badly infected, everything is a lot more slower, and since you're on dialup.... When I say your computer is clean again, then we can immediately update to SP2.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 bradboy010605

bradboy010605
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 28 January 2006 - 09:30 PM

OK. Here goes nothing.

New HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 9:21:25 PM, on 1/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\rlvknlg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\6835002\6835002.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin Wood\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
F3 - REG:win.ini: run=,
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\System32\nsa4.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: (no name) - {A00B3988-760E-FB07-504E-4C1F48FB4EC0} - C:\WINDOWS\Amssrsuq.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Start Upping] spoolnt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\rlvknlg.exe -boot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [6835002] C:\PROGRA~1\6835002\6835002.exe
O4 - HKCU\..\Run: [owom] C:\Program Files\Common Files\owom\owomm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {52454909-B15F-11D3-83A3-000083613743} (SCMDir Class) - https://go7d.wspan.com/secure/DLLs/SCMDirCtl.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6DD584C4-79F4-4F46-8F81-C26AA75D8467} (ComboBox.UserControl1) - https://go7f.wspan.com/Secure/DLLs/WSCombo.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138470537992
O16 - DPF: {6FC2871E-004B-4141-B9C0-59708BD96CCE} (WSEmul Control 3) - https://go7f.wspan.com/Secure/DLLs/WSEMUL3.CAB
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://gonow.wspan.com/Secure/DLLs/WSFileIO3.cab
O16 - DPF: {7DB7E238-1425-4434-8B05-6453AD6A49C6} (WSPrint3 Control) - https://go7f.wspan.com/secure/DLLs/WSPrint3.CAB
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37540.cab
O16 - DPF: {85788258-6ACF-4FC1-A2CD-3BD248065AB9} (WSKeyboardMap Class) - https://go7d.wspan.com/Secure/DLLs/WSKeyboardTranslator.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go1f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A4D41E3A-613D-11D3-85B2-400011500081} (WSCustInst Class) - https://go7d.wspan.com/Secure/DLLs/WSCustInst.CAB
O16 - DPF: {CCB125B9-6C37-4F76-858E-5F8DD6C96681} (SCM Class 2) - https://go7d.wspan.com/Secure/DLLs/WSSCM2.CAB
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go3d.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go7d.wspan.com/Secure/DLLs/WSFileIO.cab
O16 - DPF: {EFFFC7A6-4D95-4A18-8A14-FEB082D9C67D} (SCM Class1) - https://go7f.wspan.com/Secure/DLLs/WSSCM1.CAB
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O20 - AppInit_DLLs: dldjnmag.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:57 PM

Posted 29 January 2006 - 04:13 AM

Hello,

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Please set your system to show all files; please see here if you're unsure how to do this.

* Please download ATF Cleaner by Atribune to your desktop.
Do not use it yet.

Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
F3 - REG:win.ini: run=,
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\System32\nsa4.dll
O2 - BHO: (no name) - {A00B3988-760E-FB07-504E-4C1F48FB4EC0} - C:\WINDOWS\Amssrsuq.dll (file missing)
O4 - HKLM\..\Run: [Start Upping] spoolnt.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\windows\rlvknlg.exe -boot
O4 - HKLM\..\RunServices: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [6835002] C:\PROGRA~1\6835002\6835002.exe
O4 - HKCU\..\Run: [owom] C:\Program Files\Common Files\owom\owomm.exe
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs: dldjnmag.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\windows\rlvknlg.exe
C:\PROGRAM FILES\6835002 <== folder
C:\Program Files\Common Files\owom <== folder
C:\Windows\system32\dldjnmag.dll

* Still in safe mode Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply
together a fresh HijackThis log and the ewido-log so I can take another look.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 bradboy010605

bradboy010605
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 29 January 2006 - 08:38 PM

OK. I have set my system to show all files, download and installed both ATF Cleaner and Ewido anti-malware, ran the HJT, put a check mark by the files you suggested and fix checked them. Here is where I get confused.

I have rebooted into safe mode. To get to Windows Explorer do I right click on the start button and select "Explore all users?" I went ahead and searched for the four files and this is what I found in each:

Name In Folder Type
rlvknlg C:\WINDOWS Application
rlvknlg.EXE-20C48382.pf C:\WINDOWS\Prefetch PF File

6835002 C:\Program Files File Folder
68350021 C:\windows\system32 Application
68350021.EXE-0DF15E24.pf C:\windows\Prefetch PF File
68350021.EXE-2F8C6F07.pf C:\windows\Prefetch PF File
6835002Inner C:\Program Files\6835002 Application
6835002 C:\Program Files\6835002 Application
6835002 C:\Documents and Setings\All Users\Application Data File Folder

owom C:\windows Application
owom C:\windows\owom DAT File
owom C:\Program Files\Common Files File Folder
owomd C:\Program Files\Common Files\owom File Folder

dldjnmag.dll C:\Documents and Settings\All useres\Application Data\ Application Extension
Spybot-Search and Destroy\Recovery\CASClient.zip
dldjnmag.dll C:\Documents and Settings\All users\Application Data\ DLL_TOBEDELETED FILE
Spybot-Search and Destroy\Recovery\CASClient5.zip

Which one/s of these am I supposed to delete. I am thinking I should just click on the "Folders" button on the toolbar and just search manually on the left side of the page and find exactly what you typed and delete that but I am not confident enough in my skills to be able just to do that. I appreciate the help. I am learning so much. Thanks for everything.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:57 PM

Posted 30 January 2006 - 01:23 AM

These ones you have to delete:

rlvknlg C:\WINDOWS Application
6835002 C:\Program Files File Folder
68350021 C:\windows\system32 Application
6835002 C:\Documents and Setings\All Users\Application Data File Folder
owom C:\Program Files\Common Files File Folder
dldjnmag.dll C:\Documents and Settings\All useres\Application Data\ Application Extension
dldjnmag.dll C:\Documents and Settings\All users\Application Data\ DLL_TOBEDELETED FILE

Just perform my steps in the right order, if you can"'t find a file to delete, don't worry, Panda will show them afterwards.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 bradboy010605

bradboy010605
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 31 January 2006 - 07:36 PM

Me again!!!

1. The address to Pandaware on the Prep Guide before using HJT is different from the link you gave me. I was reading other people posts and they seemed to have been having the same problem as me in trying to run Pandascan before using HJT. Just thought you might want to know.

2. This computer is running almost perfect compared to where I was a few days ago. No more green words on any websites. The only question I have is it seems really slow to start up when I turn it on. Is there anything I can do to speed this up?

3. Here are the logs you requested. Thanks for all your help. I will do my part in spreading the word about how great you guys are. Thanks again and thanks for putting up with a novice like me.




Logfile of HijackThis v1.99.1
Scan saved at 7:17:58 PM, on 1/31/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Kevin Wood\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [6835002] C:\Program Files\6835002\6835002.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {52454909-B15F-11D3-83A3-000083613743} (SCMDir Class) - https://go7d.wspan.com/secure/DLLs/SCMDirCtl.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6DD584C4-79F4-4F46-8F81-C26AA75D8467} (ComboBox.UserControl1) - https://go7f.wspan.com/Secure/DLLs/WSCombo.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138470537992
O16 - DPF: {6FC2871E-004B-4141-B9C0-59708BD96CCE} (WSEmul Control 3) - https://go7f.wspan.com/Secure/DLLs/WSEMUL3.CAB
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://gonow.wspan.com/Secure/DLLs/WSFileIO3.cab
O16 - DPF: {7DB7E238-1425-4434-8B05-6453AD6A49C6} (WSPrint3 Control) - https://go7f.wspan.com/secure/DLLs/WSPrint3.CAB
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37540.cab
O16 - DPF: {85788258-6ACF-4FC1-A2CD-3BD248065AB9} (WSKeyboardMap Class) - https://go7d.wspan.com/Secure/DLLs/WSKeyboardTranslator.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go1f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A4D41E3A-613D-11D3-85B2-400011500081} (WSCustInst Class) - https://go7d.wspan.com/Secure/DLLs/WSCustInst.CAB
O16 - DPF: {CCB125B9-6C37-4F76-858E-5F8DD6C96681} (SCM Class 2) - https://go7d.wspan.com/Secure/DLLs/WSSCM2.CAB
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go3d.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go7d.wspan.com/Secure/DLLs/WSFileIO.cab
O16 - DPF: {EFFFC7A6-4D95-4A18-8A14-FEB082D9C67D} (SCM Class1) - https://go7f.wspan.com/Secure/DLLs/WSSCM1.CAB
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe




---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:46:53 PM, 1/30/2006
+ Report-Checksum: 502F054

+ Scan result:

C:\WINDOWS\SYSTEM32\b2search.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\nss219.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\TFTP2492 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Spyware.Coupons : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\System Volume Information\_restore{6016EC4A-4AF8-4FA4-B3D8-328ED51C13A3}\RP365\A0044071.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{6016EC4A-4AF8-4FA4-B3D8-328ED51C13A3}\RP365\A0044081.dll -> Spyware.Ihbo : Cleaned with backup
C:\System Volume Information\_restore{6016EC4A-4AF8-4FA4-B3D8-328ED51C13A3}\RP367\A0044219.exe -> Logger.Legmir : Cleaned with backup
C:\System Volume Information\_restore{6016EC4A-4AF8-4FA4-B3D8-328ED51C13A3}\RP369\A0044331.DLL -> Adware.Agent : Cleaned with backup


::Report End





Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\GS2.exe
Adware:adware/adsmart Not disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/cws.yexe Not disinfected C:\messanger.ini
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Kevin Wood\Application Data\Mozilla\Firefox\Profiles\sjvdvyuu.default\cookies.txt[]

Thanks again!!!!!!!!!!!!!!!!!!!!!!!!!!!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:57 PM

Posted 31 January 2006 - 08:07 PM

Ok, check and fix next leftover in hijackthis:

O4 - HKCU\..\Run: [6835002] C:\Program Files\6835002\6835002.exe

Then delete next files:

C:\WINDOWS\SYSTEM32\GS2.exe
C:\WINDOWS\SYSTEM32\vx.tll
C:\messanger.ini

don't delete similar looking files!

For the slow startup... well, it is normal when an antivirus and firewall is running in the background, it slows down the startup.
You didn't have them before, that's why you notice the difference now. But, you can NOT without them, because you won't stay protected otherwise.

Concerning Ewido, I see you did install the background guard, while I gave in my instructions not to install it. So in this case, open Ewido, main pane and choose the option to uninstall/disable background guard. This will make your startup a littlebit faster.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Happy surfing again! :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 bradboy010605

bradboy010605
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 01 February 2006 - 08:52 AM

Do I need to be in safe mode to perform any of these last steps?

Am I ready to install Microsoft SP2?

Do you want to see a new HJT log before installing Microsoft SP2?

I thought I did check or uncheck to not install Ewido background guard but I will uninstall/disable as you have instructed.

There is more maintainance on computers now then there are on vehicles. Too many idiots out there to deal with nothing better to do with their time I guess.

Heres to you miekiemoes :huh: :huh: :huh: :huh: :) :o :thumbsup: :flowers: :huh: :)

Thanks so much!!!!!!!!!

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:57 PM

Posted 01 February 2006 - 08:55 AM

Hello,

No, no need to delete those files in safe mode, because they can be deleted in normal mode.

Yes, you may post a new hijackthislog as a final checkup. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 bradboy010605

bradboy010605
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 01 February 2006 - 07:03 PM

1. You told me not to delete similar files so I thought you should know that C:\messanger.ini did not show up in the Windows Explorer search. Instead a file named C:\messanger did.

2. My version of Ewido does not have an option to install or uninstall the background guard. I guess I could manually uninstall and reinstall myself.

3. I seem to now have a problem logging onto the net. I am on dialup and it will load and dial and connect and log onto Netzero and when the browser opens it bumps me offline.

4. Am I OK to now download the Microsoft SP2?

5. Here is my updated HJT log

Logfile of HijackThis v1.99.1
Scan saved at 6:58:30 PM, on 2/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Kevin Wood\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.worldspan.com
O15 - Trusted Zone: http://*.wspan.com
O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSy...Information.cab
O16 - DPF: {52454909-B15F-11D3-83A3-000083613743} (SCMDir Class) - https://go7d.wspan.com/secure/DLLs/SCMDirCtl.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6DD584C4-79F4-4F46-8F81-C26AA75D8467} (ComboBox.UserControl1) - https://go7f.wspan.com/Secure/DLLs/WSCombo.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138470537992
O16 - DPF: {6FC2871E-004B-4141-B9C0-59708BD96CCE} (WSEmul Control 3) - https://go7f.wspan.com/Secure/DLLs/WSEMUL3.CAB
O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://gonow.wspan.com/Secure/DLLs/WSFileIO3.cab
O16 - DPF: {7DB7E238-1425-4434-8B05-6453AD6A49C6} (WSPrint3 Control) - https://go7f.wspan.com/secure/DLLs/WSPrint3.CAB
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37540.cab
O16 - DPF: {85788258-6ACF-4FC1-A2CD-3BD248065AB9} (WSKeyboardMap Class) - https://go7d.wspan.com/Secure/DLLs/WSKeyboardTranslator.cab
O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go1f.wspan.com/secure/DLLs/WSFileIO2.cab
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A4D41E3A-613D-11D3-85B2-400011500081} (WSCustInst Class) - https://go7d.wspan.com/Secure/DLLs/WSCustInst.CAB
O16 - DPF: {CCB125B9-6C37-4F76-858E-5F8DD6C96681} (SCM Class 2) - https://go7d.wspan.com/Secure/DLLs/WSSCM2.CAB
O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://go3d.wspan.com/scripts/us/bin/WSCAL.CAB
O16 - DPF: {E474D8A6-9BAF-11D1-9C74-400011900013} (Wsploadctrl Control) - http://home.wspan.com/control/wfwload.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go7d.wspan.com/Secure/DLLs/WSFileIO.cab
O16 - DPF: {EFFFC7A6-4D95-4A18-8A14-FEB082D9C67D} (SCM Class1) - https://go7f.wspan.com/Secure/DLLs/WSSCM1.CAB
O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3054FB03-412D-4C37-91A3-9933E5E75CEE}: NameServer = 64.136.28.120 64.136.20.120
O17 - HKLM\System\CS1\Services\Tcpip\..\{3054FB03-412D-4C37-91A3-9933E5E75CEE}: NameServer = 64.136.28.120 64.136.20.120
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:57 PM

Posted 02 February 2006 - 01:10 AM

Hello,

Most probably your extensions are not shown, that explains why you only see messanger. So yes, delete that one.

Concerning your dialup.. odd it went good after we cleaned it and suddenly you have that problem now. Can you disable your Zonealarm and see if that makes any change?

What I also noticed is... In your first log I see some O17 entries present in your log, then further, those entries are gone without me asking to chack and fix them.

Now they are present again:

O17 - HKLM\System\CCS\Services\Tcpip\..\{3054FB03-412D-4C37-91A3-9933E5E75CEE}: NameServer = 64.136.28.120 64.136.20.120
O17 - HKLM\System\CS1\Services\Tcpip\..\{3054FB03-412D-4C37-91A3-9933E5E75CEE}: NameServer = 64.136.28.120 64.136.20.120

So, is lax-dns.lax.untd.com your ISP? I don't really think it is though...

If there are connection problems
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.

In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable one some systems
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 bradboy010605

bradboy010605
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 03 February 2006 - 11:22 AM

OK. I deleted messanger.

I am sorry but I forgot to mention in the last post was that I thought we were done so I went ahead and set up my NEW and IMPROVED maintainance schedule and updated and ran Adaware, Spybot, Ewido, AVG, and installed Spywareblaster. Everything came back clean except Ewido which found and fixed 5 things.

I went ahead and ran a new HJT log and noticed that the O17 entries were gone. I will run another one later in the week to see if they are present and if so I will check 'em and fix'em.

Everything seems to have been corrected after running Ewido as far as the connection problems go. Hopefully what Ewido fixed has solved that little hiccup.

There was nothing to change with respect to the directions you gave me concerning the Internet protocol.

Now, am I finally ready to update to Microsoft SP2?

What does your name mean? I noticed you are from/in Belgium. Is that a derivitive spelling of Mickey Mouse? Just curious.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users