Spyware Or Malware Called Zeno Search


This topic is locked.
10 replies to this topic

#1 Cooley

Posted 19 March 2006 - 02:19 AM

Whenever I'm using Internet Explorer I get popups, all ads, and sometimes an alternate search engine pops up. I believe it is called Zeno Search or just Zeno.


Logfile of HijackThis v1.99.1
Scan saved at 23 15 34, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\windows\system32\qmdsregq.exe
C:\WINDOWS\system32\sms_msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\nwinnrag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhscisco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - {AD2DDC41-566D-0816-D681-CD40E20AF205} - C:\WINDOWS\jbomafns.dll (file missing)
O2 - BHO: (no name) - {05A1031C-AF99-D956-74FB-F32AE32F4F2F} - C:\WINDOWS\jbomafns.dll (file missing)
O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Search - {E398CFD6-920B-0303-A440-5B5816F34C3D} - C:\WINDOWS\jbomafns.dll (file missing)
O4 - HKLM\..\Run: [4HPKRNQ3R7MEGJ] C:\WINDOWS\System32\Dqk5Y.exe
O4 - HKLM\..\Run: [5ZXN#X72CE#PWK] C:\WINDOWS\System32\Xgf5Ow5.exe
O4 - HKLM\..\Run: [2M783@62YFCC@W] C:\WINDOWS\System32\Lxiv1Ua.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKLM\..\Run: [{6D-D5-56-68-ZN}] C:\windows\system32\qmdsregq.exe FI002
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [cbwrsyrA] C:\WINDOWS\cbwrsyrA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [rkou] C:\Program Files\Common Files\rkou\rkoum.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwinnrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: RAV File Monitor (Server) (ravserver) - Unknown owner - C:\PROGRA~1\GeCAD\RAVFOR~1\ravssrv.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Thanks


#2 Rawe

Posted 19 March 2006 - 06:29 AM

Hello and welcome to the site. Let's get started:
  • Please download PeperFix.exe HERE
  • Save it to your desktop.
  • Double-click on Peperfix.exe to run it.
  • Reboot and run Peperfix.exe again.
Post back with a fresh HijackThis log. :thumbsup:


#3 Cooley

Posted 19 March 2006 - 02:27 PM

I ran the peperfix.exe before and after a reboot and both times it said "no peper files were detected"


Logfile of HijackThis v1.99.1
Scan saved at 11 22 51, on 3/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\sms_msn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\windows\system32\qodsregq.exe
C:\WINDOWS\system32\pwinprag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris Coulon\Desktop\PeperFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhscisco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - {AD2DDC41-566D-0816-D681-CD40E20AF205} - C:\WINDOWS\jbomafns.dll (file missing)
O2 - BHO: (no name) - {05A1031C-AF99-D956-74FB-F32AE32F4F2F} - C:\WINDOWS\jbomafns.dll (file missing)
O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Search - {E398CFD6-920B-0303-A440-5B5816F34C3D} - C:\WINDOWS\jbomafns.dll (file missing)
O4 - HKLM\..\Run: [4HPKRNQ3R7MEGJ] C:\WINDOWS\System32\Dqk5Y.exe
O4 - HKLM\..\Run: [5ZXN#X72CE#PWK] C:\WINDOWS\System32\Xgf5Ow5.exe
O4 - HKLM\..\Run: [2M783@62YFCC@W] C:\WINDOWS\System32\Lxiv1Ua.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKLM\..\Run: [{6D-D5-56-68-ZN}] c:\windows\system32\qodsregq.exe FI002
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [cbwrsyrA] C:\WINDOWS\cbwrsyrA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinprag.exe FI002
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [rkou] C:\Program Files\Common Files\rkou\rkoum.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinprag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qmdsregq.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: RAV File Monitor (Server) (ravserver) - Unknown owner - C:\PROGRA~1\GeCAD\RAVFOR~1\ravssrv.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#4 Rawe

Posted 20 March 2006 - 07:42 AM

I ran the peperfix.exe before and after a reboot and both times it said "no peper files were detected"

Interesting :thumbsup:

Let's try something else. :flowers:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Please run a scan with Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
  • Close Ewido Anti-Malware.
==

Now, reboot back into Normal mode, open the Report.txt file and copy & paste its content to this thread along with a fresh HijackThis log.

#5 Cooley

Posted 21 March 2006 - 12:52 AM

I am still getting the pop-ups for sure, and I'm not sure about the alternate search engine, but here are the results:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21 27 29, 3/20/2006
+ Report-Checksum: 3427BC6C

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{392BAF48-A26A-45B5-9263-97128E429268} -> Adware.AdBlaster : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{279A1B41-6CAC-4ABF-B39C-72C8E489F685} -> Adware.AdBlaster : Cleaned with backup
C:\SaveInstCm.exe/Save.exe -> Adware.SaveNow : Cleaned with backup
C:\SaveInstCm.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup
C:\SaveInstCm.exe/Save.exe -> Adware.SaveNow : Cleaned with backup
C:\SaveInstCm.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup
C:\SaveInstCm.exe/Sync.exe -> Adware.SaveNow : Cleaned with backup
C:\SaveInstCm.exe/Uninst.exe -> Adware.SaveNow : Cleaned with backup
C:\SaveInstCm.exe/Sync.exe -> Adware.SaveNow : Cleaned with backup
C:\SaveInstCm.exe/Uninst.exe -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\grykfzus.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\inst_FI002.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\justin.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system\sngsh35.dll -> Adware.AdBlaster : Cleaned with backup
C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\lwintsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\mwinmsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\ngsh35.dll -> Adware.AdBlaster : Cleaned with backup
C:\WINDOWS\system32\nwinqsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\qmdsregq.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\qodsregq.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rkdsregp.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rodsregm.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rpdsregp.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rsdsregs.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rwinpsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\sms_msn.exe -> Adware.AdBlaster : Cleaned with backup
C:\WINDOWS\system32\twinlsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\zlyragou.exe -> Adware.BookedSpace : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 21 49 20, on 3/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\pwinprag.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhscisco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - {AD2DDC41-566D-0816-D681-CD40E20AF205} - C:\WINDOWS\jbomafns.dll (file missing)
O2 - BHO: (no name) - {05A1031C-AF99-D956-74FB-F32AE32F4F2F} - C:\WINDOWS\jbomafns.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Search - {E398CFD6-920B-0303-A440-5B5816F34C3D} - C:\WINDOWS\jbomafns.dll (file missing)
O4 - HKLM\..\Run: [4HPKRNQ3R7MEGJ] C:\WINDOWS\System32\Dqk5Y.exe
O4 - HKLM\..\Run: [5ZXN#X72CE#PWK] C:\WINDOWS\System32\Xgf5Ow5.exe
O4 - HKLM\..\Run: [2M783@62YFCC@W] C:\WINDOWS\System32\Lxiv1Ua.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKLM\..\Run: [cbwrsyrA] C:\WINDOWS\cbwrsyrA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinprag.exe FI002
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [rkou] C:\Program Files\Common Files\rkou\rkoum.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinprag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qmdsregq.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: RAV File Monitor (Server) (ravserver) - Unknown owner - C:\PROGRA~1\GeCAD\RAVFOR~1\ravssrv.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#6 Rawe

Posted 21 March 2006 - 02:03 AM

Run a scan with HijackThis and check the following objects for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - {AD2DDC41-566D-0816-D681-CD40E20AF205} - C:\WINDOWS\jbomafns.dll (file missing)
O2 - BHO: (no name) - {05A1031C-AF99-D956-74FB-F32AE32F4F2F} - C:\WINDOWS\jbomafns.dll (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Search - {E398CFD6-920B-0303-A440-5B5816F34C3D} - C:\WINDOWS\jbomafns.dll (file missing)
O4 - HKLM\..\Run: [4HPKRNQ3R7MEGJ] C:\WINDOWS\System32\Dqk5Y.exe
O4 - HKLM\..\Run: [5ZXN#X72CE#PWK] C:\WINDOWS\System32\Xgf5Ow5.exe
O4 - HKLM\..\Run: [2M783@62YFCC@W] C:\WINDOWS\System32\Lxiv1Ua.exe
O4 - HKLM\..\Run: [cbwrsyrA] C:\WINDOWS\cbwrsyrA.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinprag.exe FI002
O4 - HKCU\..\Run: [rkou] C:\Program Files\Common Files\rkou\rkoum.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinprag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qmdsregq.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Please reboot.

==

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list. :thumbsup:
Hi there, stranger!
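As an added example (not part of this thread and not HijackThis code), here is a small Python triage pass over lines in the HijackThis format used above: it flags hooks whose file is missing, unnamed BHOs and toolbars, Run value names that look machine-generated, ActiveX downloads without a control name, and the same file registered under several hook types. The sample lines are copied from the logs in this thread; the heuristics are my own assumptions and give review hints, not a fix list.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.99.1 format; every line is copied from
# the logs posted in this thread so the heuristics can be seen on real entries.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {AD2DDC41-566D-0816-D681-CD40E20AF205} - C:\WINDOWS\jbomafns.dll (file missing)
O2 - BHO: (no name) - {05A1031C-AF99-D956-74FB-F32AE32F4F2F} - C:\WINDOWS\jbomafns.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [4HPKRNQ3R7MEGJ] C:\WINDOWS\System32\Dqk5Y.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinprag.exe FI002
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinprag.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

FILE_MISSING = re.compile(r"\((?:file missing|no file)\)$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)\b', re.IGNORECASE)
RUN_VALUE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\]")
O16_UNNAMED = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} - (\S+)")


def looks_random(name):
    """Heuristic (my assumption): 10+ chars, no lower case, letters and digits mixed,
    like [4HPKRNQ3R7MEGJ] in the thread; vendor names such as [AVG7_CC] do not match."""
    if len(name) < 10 or name != name.upper():
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def triage(log_text):
    """Return {'findings': [...], 'multi_hook_files': {path: [sections]}}."""
    findings = []
    by_path = defaultdict(list)   # normalised file path -> HJT sections naming it
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]        # R3, O2, O4, ...
        if (m := WIN_PATH.search(line)):
            by_path[m.group(0).lower()].append(section)
        if FILE_MISSING.search(line):
            findings.append({"section": section, "line": line,
                             "reason": "hook points at a file that no longer exists"})
        # Weak signal on its own: Spybot's SDHelper.dll is also '(no name)', so the
        # path still has to be reviewed by a person.
        if section in {"R3", "O2", "O3"} and "(no name)" in line:
            findings.append({"section": section, "line": line,
                             "reason": "unnamed browser hook, BHO or toolbar"})
        if (m := RUN_VALUE.match(line)) and looks_random(m.group(1)):
            findings.append({"section": section, "line": line,
                             "reason": f"Run value name {m.group(1)!r} looks machine-generated"})
        if (m := O16_UNNAMED.match(line)):
            findings.append({"section": section, "line": line,
                             "reason": f"ActiveX download with no control name from {m.group(1)}"})
        if section == "O23" and "Unknown owner" in line:
            findings.append({"section": section, "line": line,
                             "reason": "service with no vendor information"})
    multi = {p: s for p, s in by_path.items() if len(s) > 1}
    return {"findings": findings, "multi_hook_files": multi}
```

Files that show up under more than one hook type (jbomafns.dll as both R3 and O2, pwinprag.exe as both a Run value and a Startup shortcut) are the ones worth checking first, since one component is registering itself several ways.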

#7 Cooley

  • Topic Starter
  • Members
  • 9 posts

Posted 23 March 2006 - 03:45 AM

Object "minibug Adware" found in File System! Action Taken: No Action Taken.
Object "mybar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "couponsandoffers Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "alset Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\system32\GS2.exe infected by "Trojan-Dropper.Win32.VB.kk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\VB1.exe tagged as "not-a-virus:AdWare.Win32.VirtualBouncer.j". Action Taken: No Action Taken.
File C:\WINDOWS\system32\ventdd.exe tagged as "not-a-virus:AdWare.Win32.BookedSpace.e". Action Taken: No Action Taken.
File C:\couponsandoffers1.exe tagged as "not-a-virus:AdWare.Win32.HelpExpress". Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\Data\all_files3.exe tagged as "not-a-virus:AdWare.Win32.IEDriver.b". Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\Data\all_files3b.exe tagged as "not-a-virus:AdWare.Win32.180Solutions". Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe tagged as "not-a-virus:AdWare.Win32.IEDriver.b". Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3b.exe tagged as "not-a-virus:AdWare.Win32.180Solutions". Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\Data\Data\popinstlite.exe infected by "Trojan-Downloader.Win32.Poplite.a" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\Data\popinstlite.exe infected by "Trojan-Downloader.Win32.Poplite.a" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Chris Coulon\My Documents\hl1110.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe tagged as "not-a-virus:AdWare.Win32.IEDriver.b". Action Taken: No Action Taken.
File C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe tagged as "not-a-virus:AdWare.Win32.180Solutions". Action Taken: No Action Taken.
File C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe tagged as "not-a-virus:AdWare.Win32.IEDriver.b". Action Taken: No Action Taken.
File C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe tagged as "not-a-virus:AdWare.Win32.180Solutions". Action Taken: No Action Taken.
File C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe infected by "Trojan-Downloader.Win32.Poplite.a" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe infected by "Trojan-Downloader.Win32.Poplite.a" Virus! Action Taken: No Action Taken.
File C:\HXDLAZWM.exe tagged as "not-a-virus:AdWare.Win32.HelpExpress". Action Taken: No Action Taken.
File C:\Program Files\wildmedia\KeenValueInstall_117.exe infected by "Trojan-Downloader.Win32.Keenval" Virus! Action Taken: No Action Taken.

#8 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 23 March 2006 - 08:38 AM

Ok.. Let's sort this out. :thumbsup:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract Avenger.exe to your desktop.
2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

Files to delete:
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3b.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe
C:\couponsandoffers1.exe
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe
C:\Documents and Settings\Administrator\My Documents\Data\popinstlite.exe
C:\Documents and Settings\Chris Coulon\My Documents\hl1110.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe
C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
C:\HXDLAZWM.exe
C:\Program Files\wildmedia\KeenValueInstall_117.exe
C:\WINDOWS\system32\GS2.exe
C:\WINDOWS\system32\VB1.exe
C:\WINDOWS\system32\ventdd.exe
C:\WINDOWS\System32\Dqk5Y.exe
C:\WINDOWS\System32\Xgf5Ow5.exe
C:\WINDOWS\System32\Lxiv1Ua.exe
C:\WINDOWS\cbwrsyrA.exe
C:\WINDOWS\system32\pwinprag.exe
C:\WINDOWS\system32\qmdsregq.exe

Folders to delete:
C:\Program Files\Common Files\rkou\


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to the notepad file into this window
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it briefly opens a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply. :flowers:

#9 Cooley

  • Topic Starter
  • Members
  • 9 posts

Posted 23 March 2006 - 11:35 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\umjcopvq

*******************

Script file located at: \??\C:\Documents and Settings\virtunee.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3b.exe deleted successfully.
File C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe deleted successfully.
File C:\couponsandoffers1.exe deleted successfully.
File C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe deleted successfully.
File C:\Documents and Settings\Administrator\My Documents\Data\popinstlite.exe deleted successfully.
File C:\Documents and Settings\Chris Coulon\My Documents\hl1110.exe deleted successfully.
File C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe deleted successfully.
File C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe deleted successfully.
File C:\HXDLAZWM.exe deleted successfully.
File C:\Program Files\wildmedia\KeenValueInstall_117.exe deleted successfully.
File C:\WINDOWS\system32\GS2.exe deleted successfully.
File C:\WINDOWS\system32\VB1.exe deleted successfully.
File C:\WINDOWS\system32\ventdd.exe deleted successfully.


File C:\WINDOWS\System32\Dqk5Y.exe not found!
Deletion of file C:\WINDOWS\System32\Dqk5Y.exe failed!

Could not process line:
C:\WINDOWS\System32\Dqk5Y.exe
Status: 0xc0000034



File C:\WINDOWS\System32\Xgf5Ow5.exe not found!
Deletion of file C:\WINDOWS\System32\Xgf5Ow5.exe failed!

Could not process line:
C:\WINDOWS\System32\Xgf5Ow5.exe
Status: 0xc0000034



File C:\WINDOWS\System32\Lxiv1Ua.exe not found!
Deletion of file C:\WINDOWS\System32\Lxiv1Ua.exe failed!

Could not process line:
C:\WINDOWS\System32\Lxiv1Ua.exe
Status: 0xc0000034



File C:\WINDOWS\cbwrsyrA.exe not found!
Deletion of file C:\WINDOWS\cbwrsyrA.exe failed!

Could not process line:
C:\WINDOWS\cbwrsyrA.exe
Status: 0xc0000034

File C:\WINDOWS\system32\pwinprag.exe deleted successfully.


File C:\WINDOWS\system32\qmdsregq.exe not found!
Deletion of file C:\WINDOWS\system32\qmdsregq.exe failed!

Could not process line:
C:\WINDOWS\system32\qmdsregq.exe
Status: 0xc0000034

Folder C:\Program Files\Common Files\rkou deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 20 33 47, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhscisco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: RAV File Monitor (Server) (ravserver) - Unknown owner - C:\PROGRA~1\GeCAD\RAVFOR~1\ravssrv.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
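To check an avenger.txt against the script it was given (the "Files to delete:" / "Folders to delete:" text from the post above and the log that came back), here is an added Python example that is neither The Avenger's code nor part of the thread. It pairs each requested path with the outcome the log reports and decodes the NTSTATUS value on failures, so a 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND, the file was already gone) is kept apart from an access-denied or sharing-violation failure that would need a different approach. The sample script and log are constructed from paths in the thread; the log-line patterns are my own assumptions.

```python
import re

# Constructed sample: a shortened Avenger script of the shape given in the
# thread (same section headers, paths copied from the posted script).
SAMPLE_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\GS2.exe
C:\WINDOWS\system32\pwinprag.exe
C:\WINDOWS\System32\Dqk5Y.exe

Folders to delete:
C:\Program Files\Common Files\rkou\
"""

# Constructed excerpt of the matching avenger.txt, in the format posted above.
SAMPLE_AVENGER_LOG = r"""
File C:\WINDOWS\system32\GS2.exe deleted successfully.
File C:\WINDOWS\system32\pwinprag.exe deleted successfully.
File C:\WINDOWS\System32\Dqk5Y.exe not found!
Deletion of file C:\WINDOWS\System32\Dqk5Y.exe failed!
Status: 0xc0000034
Folder C:\Program Files\Common Files\rkou deleted successfully.
Completed script processing.
"""

# NTSTATUS values from ntstatus.h; 0xc0000034 is the one in the thread's log.
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
            0xC0000022: "STATUS_ACCESS_DENIED",
            0xC0000043: "STATUS_SHARING_VIOLATION"}

DELETED = re.compile(r"^(File|Folder) (.+?) deleted successfully\.$")
FAILED = re.compile(r"^Deletion of (file|folder) (.+?) failed!$")
STATUS = re.compile(r"^Status: (0x[0-9a-fA-F]{8})$")


def norm(path):
    """Comparison key: case-insensitive, trailing backslash on folders dropped."""
    return path.strip().rstrip("\\").lower()


def parse_script(script):
    """Every non-blank line that is not a section header ('...:') is a path."""
    return [norm(l) for l in script.splitlines()
            if l.strip() and not l.strip().endswith(":")]


def parse_log(log):
    """Map each path the log mentions to ('deleted', None) or ('failed', status)."""
    results, pending = {}, None
    for line in log.splitlines():
        line = line.strip()
        if m := DELETED.match(line):
            results[norm(m.group(2))] = ("deleted", None)
        elif m := FAILED.match(line):
            pending = norm(m.group(2))          # the next Status: line belongs to it
            results[pending] = ("failed", None)
        elif (m := STATUS.match(line)) and pending:
            code = int(m.group(1), 16)
            results[pending] = ("failed", NTSTATUS.get(code, m.group(1)))
            pending = None
    return results


def reconcile(script, log):
    """Sort every requested path by what the log says happened to it."""
    results = parse_log(log)
    report = {"deleted": [], "not_found": [], "other_failure": [], "unreported": []}
    for path in parse_script(script):
        outcome, status = results.get(path, ("unreported", None))
        if outcome == "deleted":
            report["deleted"].append(path)
        elif outcome == "failed" and status == "STATUS_OBJECT_NAME_NOT_FOUND":
            report["not_found"].append(path)
        elif outcome == "failed":
            report["other_failure"].append((path, status))
        else:
            report["unreported"].append(path)
    return report
```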

#10 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 24 March 2006 - 07:03 AM

Hi again :thumbsup:

Your log looks fine to me. Any problems at the moment?

#11 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 27 March 2006 - 09:22 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup: