Winfixer And Internet Explorer That's Out Of Control


  • This topic is locked
8 replies to this topic

#1 celticross17

celticross17

  • Members
  • 5 posts

Posted 07 February 2006 - 09:51 AM

On my husband's computer (the one that I'm on now), every time he brings up Internet Explorer to go to his home page or any other page, several new pages come up on the screen. The one that comes up most says something about "Costa Rica", another one says something about Hoowa.
He is also infected with WinFixer and we can't seem to get rid of that either.
Have taken all of the steps that are suggested here at bleepingcomputer.com and now are ready to post a log in hopes that someone can please help us figure this out.
Thank you!

Logfile of HijackThis v1.99.1
Scan saved at 9:17:53 AM, on 2/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\windows\system32\dwdsregt.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmwfgi.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinlsap.exe FI002
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [{31-11-1A-AF-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKCU\..\Run: [uirm] C:\Program Files\Common Files\uirm\uirmm.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinlsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rldsregp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40443.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/pm/activex/eBay_E...l_v1-0-3-36.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab36107.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/in...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

Edited by celticross17, 07 February 2006 - 09:52 AM.



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 07 February 2006 - 01:33 PM

Hello celticross17, and welcome to BleepingComputer,

Let's see how we can help you.
Please allow us some time to look over your log.

BMThor :thumbsup:
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 08 February 2006 - 05:19 PM

Hello celticross17,

Would you be so kind as to upload this file: C:\WINDOWS\system32\irsmwfgi.dll to
this site: http://www.bleepingcomputer.com/submit-malware.php so our experts can take a closer look at it?
Just click the link, copy and paste the link to your topic (http://www.bleepingcomputer.com/forums/ind...16&#entry233716) in the first box,
then copy and paste this: C:\WINDOWS\system32\irsmwfgi.dll in the second box,
and click Send File.
Thank you. :thumbsup:
------------------------------------
Regarding the fix for the malware on your system:

Please follow these instructions very carefully.
It might be a good idea to print them or save them in a .txt file, because working in safe mode may leave you without an internet connection.

1. First, let's remove as much malware as possible in the Software list:
Go to Start > Settings > Control Panel > Software, and by using Add/Remove programs remove if found:
  • ZenoSearch
  • SafeSurfing

2. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
3. Please download, install, and update the NEW free version of Ewido anti-malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close ewido. DO NOT RUN IT YET.
4. Reconfigure Windows XP to show hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading select "Show hidden files and folders".
  • Uncheck the Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes to confirm. Click OK.
5. Run HijackThis v1.99.1 and mark these entries, if still present:
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmwfgi.dll
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinlsap.exe FI002
O4 - HKLM\..\Run: [{31-11-1A-AF-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKCU\..\Run: [uirm] C:\Program Files\Common Files\uirm\uirmm.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinlsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rldsregp.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/in...aploader_v6.cab

Close all open windows and click Fix Checked. Close HijackThis.

6. Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8.
A menu should come up where you will be given the option to enter Safe Mode.

7. Using Windows Explorer, search for and remove, if present, these files/folders (only the ones in bold!):
C:\WINDOWS\system32\irsmwfgi.dll
C:\WINDOWS\system32\pwinlsap.exe
C:\windows\system32\dwdsregt.exe
C:\Program Files\Common Files\uirm ==> entire folder
C:\WINDOWS\system32\irssyncd.exe
C:\WINDOWS\system32\rldsregp.exe
8. Run CCleaner, click the Windows tab and select the following:
Internet Explorer:
  • Temp Internet
  • History
  • Recently Typed URLs
  • Delete Index.dat files
System:
  • Empty Recycle Bin
  • Temporary Files
  • Memory Dumps
  • Chkdsk File Fragments
  • Old Prefetch Data
Next: click Options, click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click OK
Then click Run Cleaner (bottom right), then Exit
9. Run Ewido anti-malware:
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • You will be prompted to clean the first infection.
  • DO NOT Select Perform action on all infections, it's better to remove manually to avoid false positives.
    If you're not sure, select none for now.
  • When the scan finishes, click on Save Report. This will create a text file. Save it on your Desktop.
10. Restart your computer in normal mode

11. Please post a new HijackThis log, as well as the contents of C:\vundofix.txt and the ewido log.
Please make sure to post all mentioned logs.

Good luck,
BMThor
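The reply above does its triage by eye: it picks out the O2, O4, O15 and O16 lines that do not belong and leaves the vendor entries alone. The Python script below is an added example, not code from this thread, from HijackThis or from BleepingComputer, that applies the same judgement mechanically. Every BHO, autostart, Trusted Zone and ActiveX (DPF) line is compared against a short allowlist of what the analyst has already vetted, and whatever is left over is reported with a reason. The allowlists, the sample log (a constructed subset of the first log in the thread) and the rules that any O15 Trusted Zone entry and any O6 policy restriction deserve a look are assumptions made for this example, not a vetted reputation list.

```python
"""Triage helper for HijackThis v1.99.1 logs.

Added example, not code from the thread: compares O2/O4/O15/O16 lines against
an allowlist of vetted locations and reports what is left over. The allowlists
are ASSUMPTIONS reconstructed from what the helper left alone in this thread,
not a vetted reputation list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmwfgi.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinlsap.exe FI002
O4 - HKLM\..\Run: [{31-11-1A-AF-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKCU\..\Run: [uirm] C:\Program Files\Common Files\uirm\uirmm.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinlsap.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
"""

# Assumed allowlist (lower-case): paths/prefixes the analyst has already vetted.
KNOWN_GOOD_PATH_PREFIXES = (
    "c:\\program files\\adobe\\",
    "c:\\program files\\earthlink totalaccess\\",
    "c:\\program files\\microsoft windows onecare live\\",
    "c:\\program files\\spybot - search & destroy\\",
    "c:\\program files\\intuit\\",
    "c:\\windows\\system32\\igfxtray.exe",
    "c:\\windows\\system32\\hkcmd.exe",
)
# Assumed allowlist of hosts whose ActiveX (O16) controls were left alone.
KNOWN_GOOD_DPF_HOSTS = frozenset({
    "zone.msn.com", "cdn2.zone.msn.com", "go.microsoft.com",
    "www.windowsonecare.com", "tools.ebayimg.com", "www.fileplanet.com",
})
SYSTEM32 = "c:\\windows\\system32\\"

_PATH_RE = re.compile(r'^\s*"?(?P<path>[a-z]:\\.+?\.(?:exe|dll|lnk|ocx))"?', re.I)
_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.*)$", re.I)
_O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
_O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.*?) = (?P<path>.*)$", re.I)
_O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)", re.I)
_O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-F-]+\}(?: \(.*?\))? - (?P<url>\S+)$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _command_path(cmd: str) -> str:
    """Executable part of a Run value: handles quoted and unquoted paths with spaces."""
    m = _PATH_RE.match(cmd)
    if m:
        return _norm(m.group("path"))
    parts = cmd.split()
    return _norm(parts[0]) if parts else ""


def _vetted(path: str) -> bool:
    return any(path.startswith(p) for p in KNOWN_GOOD_PATH_PREFIXES)


def triage(log_text: str) -> list[Finding]:
    """Return the lines an analyst should look at, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _O2_RE.match(line):
            path = _norm(m.group("path"))
            if not _vetted(path):
                where = "system32" if path.startswith(SYSTEM32) else "an unvetted location"
                findings.append(Finding("O2", f"BHO '{m.group('name')}' loads from {where}: {path}", line))
        elif m := _O4_RUN_RE.match(line):
            path = _command_path(m.group("cmd"))
            if not _vetted(path):
                findings.append(Finding("O4", f"{m.group('hive')} Run value [{m.group('name')}] starts unvetted binary {path}", line))
        elif m := _O4_STARTUP_RE.match(line):
            path = _norm(m.group("path"))
            if not _vetted(path):
                findings.append(Finding("O4", f"Startup shortcut {m.group('lnk')} launches unvetted {path}", line))
        elif line.startswith("O6 - "):
            findings.append(Finding("O6", "IE locked down by policy; confirm this was set deliberately", line))
        elif m := _O15_RE.match(line):
            findings.append(Finding("O15", f"{urlparse(m.group('url')).hostname} added to the Trusted Zone", line))
        elif m := _O16_RE.match(line):
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in KNOWN_GOOD_DPF_HOSTS:
                findings.append(Finding("O16", f"ActiveX control fetched from unvetted host {host}", line))
    return findings


def flagged_lines(log_text: str) -> list[str]:
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}")
```

Run against the sample it reports the RieMon BHO, the three unvetted Run values, the Zeno.lnk shortcut, the O6 policy line, the getmirar.com Trusted Zone entry and the elitemediagroup.net control, and leaves the Adobe, Intel, EarthLink and Windows Genuine Advantage lines alone. With the allowlist as written, the full first log in the thread yields the step 5 entries plus the O6 line. The weakness is the one every allowlist has: an unfamiliar but legitimate vendor binary is flagged until someone vets it, and anything dropped into a vetted directory is not flagged at all, so the output is a work queue for an analyst, not a verdict.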

#4 celticross17

celticross17
  • Topic Starter

  • Members
  • 5 posts

Posted 09 February 2006 - 06:55 AM

Thank you very much, I will work on all of these this morning. I appreciate your time and help.
Wish me luck!
Tiffany

#5 celticross17

celticross17
  • Topic Starter

  • Members
  • 5 posts

Posted 09 February 2006 - 08:08 AM

Just a note that I have uploaded the file that you requested.
Thank you,
Tiffany

#6 celticross17

celticross17
  • Topic Starter

  • Members
  • 5 posts

Posted 09 February 2006 - 09:09 AM

Okay, I have taken all of the steps that you suggested and am now posting the log results, as requested.

Hijacked:
Logfile of HijackThis v1.99.1
Scan saved at 9:07:04 AM, on 2/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40443.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/pm/activex/eBay_E...l_v1-0-3-36.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab36107.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:03:49 AM, 2/9/2006
+ Report-Checksum: F4AE32B4

+ Scan result:

C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc101.txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc103.txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc112.txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc114.txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc116.txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc117.txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc123.txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc126.txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc166.txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc19.txt -> TrackingCookie.Enhance : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc24.txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc27.txt -> TrackingCookie.Com : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc30.txt -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc31.txt -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc32.txt -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc47.txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc48.txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc49.txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc50.txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc69.txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc75.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc78.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc86.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-725345543-1078145449-2147208981-1004\Dc94.txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\inst_FI002.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\justin.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\b2search.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\kwinmsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\kwinssap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\lwinlsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\lwinmsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\lwinqsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\lwintsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\mwinnsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\nsbF9.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\nwinnsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pwintsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\qwinmsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rastmon.dll_tobedeleted -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\rkdsregm.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rkdsregn.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rldsregk.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rldsregp.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rrdsregk.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rrdsregn.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rrdsregs.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\swinssap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\twinmsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup


::Report End

And there was nothing in Vundo to make a report from, it says it didn't find anything and wouldn't give me the option to save a report. If I am doing something wrong with this, please let me know.

Looking forward to hearing from you again.
Thank you!
Tiffany

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 09 February 2006 - 03:09 PM

Hello Tiffany,

It looks like you did just fine. :huh:

One more thing:
This line: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
indicates restricted use of Internet Explorer.
If you, an administrator or your firewall did not lock it down, you can check and fix it in HijackThis as well.

If you like to fix it, you can post another log to check if it's gone. :thumbsup:

Do you experience any more problems?

Since the ewido antispyware program you installed is only a trial version and can only be used for a limited time,
you can uninstall it in the Software list: go to Start > Settings > Control Panel > Software and remove ewido from the list.
Below I have listed a few antispyware programs you can use instead.


You can hide the hidden files and folders again:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading deselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.
-----------------

Below I have included some recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

1. Please navigate to http://windowsupdate.microsoft.com/ on a regular basis and download all the "critical updates" for Windows, including the latest version of Internet Explorer.
This can patch many of the security holes through which attackers can gain access to your computer.

2. It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:
  • Sygate
  • Kerio
  • Tiny Personal Firewall
  • Outpost
It is important to note that you should only have one firewall installed at a time.
A tutorial on understanding and using firewalls may be found here.

3. In order to protect yourself better against spyware, you should consider installing and running some of the following free programs:
  • Ad-Aware SE
    A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
  • Spybot-Search & Destroy
    A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
  • SpywareBlaster
    A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
  • IE/Spyad
    Places over 5000 dubious websites and domains in your IE's restricted zone.
Make sure to keep your antispyware programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

4. Please consider using an alternate browser. Mozilla's Firefox browser is very good and more secure than Internet Explorer, immune to almost all known browser hijackers, and also has a built-in popup blocker (as an added benefit!). If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.
Hopefully this should take care of your problems! Good luck :flowers:

BMThor :huh:

#8 celticross17

celticross17
  • Topic Starter

  • Members
  • 5 posts

Posted 09 February 2006 - 04:26 PM

BMThor, I would like to thank you for all of your help, it looks like everything we did took care of the problem! Now to make sure all of his programs are up to date and that his firewall is working correctly.
Thank you so much for everything, your help is much appreciated!

Sincerely,
Tiffany

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 11 February 2006 - 06:02 AM

You're very welcome Tiffany,
glad we could help you. :thumbsup:

One more thing though:
you might want to consider uninstalling Earthlink TotalAccess.
It's not needed and brings the performance of your system down.
However, uninstalling is not that easy: the thing is, it stores IE Favorites (and cookies) in its own Application Data folder
instead of the default one in Documents and Settings.
If you want to uninstall, probably the best thing to do is to go to Earthlink phone support
and have them walk you through it, and make sure to let them know you want to save your Favorites.
http://support.earthlink.net/support/

Mind you, it's not malware, but if you want to have a smooth running system ...
The choice is yours. :flowers:

Since your problem is solved, this topic will be closed.
If you need this topic reopened, please email the moderating team -
be sure to include the address of the thread and the name you posted under.


BMThor



